How to block users unenrolling from Intune on company devices: Windows 10

For a company, asset management is a crucial process that involves protecting company information and possessions. Intune is used to manage company devices and help prevent data breaches, thus protecting those devices. However, a user can unenroll from a company’s Intune policy from their Windows 10 desktop. In this blog, we will cover how to block users unenrolling from Intune on company devices: Windows 10. Read through for more information and a step-by-step guide on the process.

Below is a guide on blocking users from unenrolling from Intune. You will need to set a new device configuration policy for that user and the accompanying device to prevent them from unenrolling their account from Intune. Configuration profiles set device restrictions for account holders on certain devices and give admin users complete control over the imposed restrictions.

  • Firstly, open Office 365.
  • Now use the launcher and navigate over to “Admin.”
  • Under “Admin centers,” click on “Endpoint Manager.”
  • Now click on “Devices.”
  • From there, click on “Configuration profiles.”
  • Now click on “Create a profile.”
  • Set “Platform” to “Windows 10” and “Profile type” to “Templates.”
  • Set “Template name” as “Device restrictions.”
  • Now click on “Create.”
  • Fill out the name and description categories.
  • Press “Next.”
  • For the “Configuration settings,” set it to “Control panel and Settings.”
  • Find the “Accounts” options and set that to “Block.”
  • Press “Next.”
  • Select the users who you need to set the restrictions for.
  • Now press “Next.”
  • Set the “Rule” as “Assign profile if.”
  • Now set the “Property” to “OS edition.”
  • Set “Value” to “Windows 10”.
  • Press “Next.”
  • Finally, verify the details are correct and press “Create.”

Once the profile is created, users will be prevented from unenrolling devices on Windows 10. The process creates a restriction profile that prevents users from accessing the unassign section on Windows 10; when they try to unenroll a device, they will not be able to proceed. You can also set policies for entire groups within an organization or for a single member assigned to an account on an Intune-enrolled device. You must also ensure that the profile assignment is set to the correct device; otherwise, the process will not work for the intended user.
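The same profile can be created through Microsoft Graph instead of the portal. The PowerShell below is an added example, not part of the original guide; the profile name and group ID are placeholders, it assigns to a group rather than to individual users, and it leaves out the “OS edition” rule from the steps above.

```powershell
# Added example, not from the original post. Needs the Microsoft.Graph.Authentication
# module and an account allowed to manage Intune device configuration.
$ProfileName = 'Win10 - Block Accounts settings page'    # assumed profile name
$GroupId     = '00000000-0000-0000-0000-000000000000'    # placeholder: target group object ID
$Base        = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'
$Type        = '#microsoft.graph.windows10GeneralConfiguration'  # "Device restrictions" template

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Collect every existing configuration profile, following paging links,
# so re-running the script does not create a duplicate.
$all = @(); $uri = $Base
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $all += $page.value
    $uri  = $page.'@odata.nextLink'
}
$cfg = $all | Where-Object { $_.displayName -eq $ProfileName -and $_.'@odata.type' -eq $Type } |
    Select-Object -First 1

if (-not $cfg) {
    # Equivalent of Control Panel and Settings > Accounts = Block in the portal.
    $body = @{
        '@odata.type'             = $Type
        displayName               = $ProfileName
        description               = 'Blocks the Accounts page of the Settings app'
        settingsBlockAccountsPage = $true
    } | ConvertTo-Json
    $cfg = Invoke-MgGraphRequest -Method POST -Uri $Base -Body $body -ContentType 'application/json'
}

# Assign the profile to the group. The assign action sets the whole assignment
# list, so include every group that should keep receiving the profile.
$assign = @{
    assignments = @(@{
        target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId }
    })
} | ConvertTo-Json -Depth 5
Invoke-MgGraphRequest -Method POST -Uri "$Base/$($cfg.id)/assign" -Body $assign -ContentType 'application/json'

# Read back what the service stored before relying on the restriction.
$stored  = Invoke-MgGraphRequest -Method GET -Uri "$Base/$($cfg.id)"
$targets = (Invoke-MgGraphRequest -Method GET -Uri "$Base/$($cfg.id)/assignments").value
[pscustomobject]@{
    Profile       = $stored.displayName
    AccountsBlock = $stored.settingsBlockAccountsPage
    AssignedTo    = ($targets | ForEach-Object { $_.target.groupId }) -join ', '
}
```

The final object should show `AccountsBlock` as `True` and the intended group ID under `AssignedTo`; an empty `AssignedTo` means the profile exists but reaches no devices.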

In-depth step by step guide [with screenshots] – How to block users unenrolling from Intune on company devices: Windows 10

Here is a much more in-depth guide on how you can block users from unenrolling devices from Intune; the guide includes a series of screenshots to help you visualize the steps needed to complete the process. Some steps also include written context explaining what the step does and where certain features are located within the UI.

  • Firstly, open Office 365.

Open Office 365 and sign in with the regular Office credentials for your account.

  • Now use the launcher and navigate over to “Admin.”

The launcher is shown as nine dots in the left corner of the display; once you have opened the launcher, select “Admin.”

  • Under “Admin centers,” click on “Endpoint Manager.”

MEM (Microsoft Endpoint Manager) is a cloud-based solution that addresses the issues of installing, monitoring, and securing devices in the enterprise. Servers, PCs, and mobile devices all fall within this category. Personal devices used to access an organization’s apps and data can also be subject to policies set by IT managers. You can use this to help prevent a device from unenrolling on Windows 10.

  • Now click on “Devices.”

The left-hand menu contains an option for “Devices”; simply click on it and proceed with the steps ahead.

  • From there, click on “Configuration profiles.”

Once you have opened the device panel, a new panel will open. Here, click on “Configuration profiles,” which allows you to set profiles on different aspects of device management, such as imposed restrictions.

  • Now click on “Create a profile.”
  • Set “Platform” to “Windows 10” and “Profile type” to “Templates.”
  • Set “Template name” as “Device restrictions.”
  • Now click on “Create.”
  • Fill out the name and description categories.
  • Press “Next.”
  • For the “Configuration settings,” set it to “Control panel and Settings.”
  • Find the “Accounts” options and set that to “Block.”
  • Press “Next.”
  • Select the users who you need to set the restrictions for.
  • Now press “Next.”
  • Set the “Rule” as “Assign profile if.”
  • Now set the “Property” to “OS edition.”
  • Set “Value” to “Windows 10”.
  • Press “Next.”
  • Finally, verify the details are correct and press “Create.”

You’ll be able to successfully prohibit users from unenrolling devices on Windows 10 after the profile is built. The method generates a restriction profile that restricts users from accessing the unassign section of Windows 10, preventing them from unenrolling a device. You can also create policies for entire groups of people inside an organization or a single person assigned to an account on an Intune-enabled device. If the profile assignment is not configured to the correct device, the process will not work for the intended user.

Why you may want to prevent users from unenrolling a device on Windows 10

One reason you may want to prevent users from unenrolling devices from Intune is device protection. Devices are enrolled to keep them on a secured network and prevent unauthorized activity on accounts related to the enrolled device. Also, if a device goes missing, a company can remotely disable access to the device to prevent any form of data breach. A company can also set tracking on devices to locate missing ones; once a device is unenrolled, the company can no longer watch over it.

Therefore, preventing users from unassigning accounts is essential in ensuring that the company’s data is protected. It also helps when the device is kept outside company offices or buildings; for instance, the process above can be applied to devices given to users who work from home to prevent any form of data breach.

Conclusion

That’s it for the blog; we hope the solution has answered your question and allowed you to prevent users from unenrolling devices. If you encounter an issue with the process above, simply drop a comment below, and we will address the situation as quickly as possible.

Saajid Gangat

Saajid Gangat has been a researcher and content writer at Business Tech Planet since 2021. Saajid is a tech-savvy writer with expertise in web and graphic design and has extensive knowledge of Microsoft 365, Adobe, Shopify, WordPress, Wix, Squarespace, and more! You can connect with Saajid on LinkedIn.
