CP - Security - MDM Unenrollment Allow
What this page is about
This policy re-enables the ability to manually remove MDM enrollment, but only for people who know what they're doing (or at least pretend to).
It's the counter-policy to:
Assigned only to users in a strict exception group, this config sets AllowManualMDMUnenrollment = True so they can disconnect from MDM when needed (e.g. staging, testing, lab work).
Need more context? Read the full blog to see why you probably don't want to hand this out like candy.
Policy details
| Field | Value |
|---|---|
| Platform | Windows 10/11 |
| Profile type | Settings catalog |
| Category | Experience > Allow manual MDM unenrollment |
| Setting name | AllowManualMDMUnenrollment |
| State | Enabled |
| CSP | Experience/AllowManualMDMUnenrollment |
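
To confirm on a device whether this exception actually applied, the following read-only check reports the effective value of the setting. It is an added example, not part of the original policy documentation; the function name is hypothetical, and the `PolicyManager` registry paths are assumed to follow the standard Policy CSP layout (0 = not allowed, 1 = allowed, absent = CSP default of allowed).

```powershell
# Added example, read-only. Assumes the standard Policy CSP registry layout.
function Get-ManualMdmUnenrollmentState {
    [CmdletBinding()]
    param(
        # Merged device policy values (assumed location)
        [string]$CurrentPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Experience',
        # One subkey per policy provider / MDM enrollment (assumed location)
        [string]$ProvidersPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\providers'
    )
    $name = 'AllowManualMDMUnenrollment'

    # Effective value: absent means no policy was delivered, so the CSP default applies.
    $value = $null
    $current = Get-ItemProperty -Path $CurrentPath -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $current) { $value = [int]$current.$name }

    # Record which provider(s) delivered a value for this setting.
    $sources = @()
    if (Test-Path -Path $ProvidersPath) {
        foreach ($provider in Get-ChildItem -Path $ProvidersPath) {
            $key = Join-Path -Path $provider.PSPath -ChildPath 'default\Device\Experience'
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $sources += [pscustomobject]@{
                    Provider = $provider.PSChildName
                    Value    = [int]$item.$name
                }
            }
        }
    }

    # Map the raw value to a state an auditor can act on.
    if ($value -eq 0)         { $state = 'Blocked' }
    elseif ($value -eq 1)     { $state = 'Allowed (set by policy)' }
    elseif ($null -eq $value) { $state = 'Allowed (not configured, CSP default)' }
    else                      { $state = "Unexpected value $value" }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        State    = $state
        Value    = $value
        Sources  = $sources
    }
}

Get-ManualMdmUnenrollmentState | Format-List
```

A device outside the exception group that reports anything other than `Blocked` is worth investigating against the approval record.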
When to use this
You only apply this when:
- A device needs to be unenrolled for staging or reprovisioning
- You're working in a test lab
- You're trying to fix something without nuking the entire environment
And yes, there should always be documentation and approval. Because "I needed to test something" is not a valid excuse when the CFO's laptop disappears from Intune.
Group Assignments
Included:
Excluded:
- (None) - this policy is not meant for the masses
Related
- CP - Security - MDM Unenrollment Block
- Group - MDM Unenrollment Allowed users
- Blog: Wait... Standard Users Can Do WHAT Now?!
Final words
This setting is your emergency override. Like the Batcave self-destruct: don't give out the password unless you're sure.
Use sparingly. Monitor carefully. And document like your job depends on it. (Because it probably does.)