CP - Security - MDM Unenrollment Block
What this page is about
This policy stops users from manually removing their device from MDM, because yes, even standard users can do that by default. And no, it's not a joke.
This sets AllowManualMDMUnenrollment = False, blocking the "Disconnect" button under Access work or school in Settings.
No more rogue offboarding. No more accidental BYOD situations. No more drama.
If you're not sure why this exists, read this blog post for the full meltdown story.
Why this matters
By default, Windows thinks users should be trusted to manage their own MDM enrollment. That's adorable.
Without this policy:
- Any standard user can click "Disconnect"
- Compliance? Gone.
- Security baselines? Gone.
- Your grip on reality? Also gone.
It's like letting Deadpool run your Intune environment: chaotic, loud, and something's probably on fire.
Policy details
| Field | Value |
|---|---|
| Platform | Windows 10/11 |
| Profile type | Settings catalog |
| Category | Experience > Allow manual MDM unenrollment |
| Setting name | AllowManualMDMUnenrollment |
| State | Disabled |
| CSP | Experience/AllowManualMDMUnenrollment |
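To confirm the block actually landed on a device (for example as an Intune detection script), the following is an added example, not code from the original page. It assumes MDM-delivered policy values are mirrored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>, with 0 meaning unenrollment is not allowed.

```powershell
# Added example: check whether manual MDM unenrollment is blocked on this device.
# Assumption: the MDM policy result is mirrored in the PolicyManager registry hive
# under current\device\Experience\AllowManualMDMUnenrollment (0 = not allowed, 1 = allowed).
function Test-MdmUnenrollmentBlocked {
    $key  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Experience'
    $name = 'AllowManualMDMUnenrollment'

    # Returns $null when the key or value does not exist (no policy delivered).
    $value = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty $name -ErrorAction SilentlyContinue

    if ($null -eq $value) {
        # No policy present: the Windows default applies, so users CAN disconnect.
        return [pscustomobject]@{ Blocked = $false; Value = $null; Source = 'default (no MDM policy)' }
    }

    return [pscustomobject]@{ Blocked = ($value -eq 0); Value = $value; Source = 'MDM policy' }
}

$result = Test-MdmUnenrollmentBlocked
if ($result.Blocked) {
    Write-Output 'Compliant: manual MDM unenrollment is blocked.'
    exit 0
}
else {
    # Exit 1 so a detection script reports the device as non-compliant.
    Write-Output "Not compliant: AllowManualMDMUnenrollment = $($result.Value) ($($result.Source))."
    exit 1
}
```

Note that a missing value is treated as non-compliant on purpose: "no policy" means the permissive Windows default is in effect.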
Group Assignments
Included:
All Users
Excluded:
Because some users (like staging admins or troubleshooting engineers) need a way out. But we do it cleanly, with the Allow policy, and not by letting Jan from Finance click buttons he doesn't understand.
Related
- CP - Security - MDM Unenrollment Allow
- Group - MDM Unenrollment Allowed users
- Blog: Wait... Standard Users Can Do WHAT Now?!
Final words
This setting is like the ejector seat in a spaceship. Handy if you're an astronaut. Dangerous if you're the intern.
Block it. Document exceptions. And sleep better knowing your endpoints won't self-destruct mid-flight.