How to remove policy settings from a user/device managed by Intune

As you all know, Intune can deploy all kinds of settings and profiles (security settings, WiFi, certificate, mail and VPN profiles) to your users and devices. But what if you want to remove one of the settings/profiles?

Until now this hasn’t been possible (except if you did a selective wipe or full wipe). With the updates delivered in the November and December releases of the Microsoft Intune backend, the policy will be removed when:

  • The user or device leaves a collection/group the policy was targeted to
  • The admin removes the deployment
  • The admin removes the policy itself

Note that this feature is available whether you use Microsoft Intune standalone or SCCM UDM with Intune.

As with everything we do with a device, we depend on the underlying management platform. Below you can see what can be removed per platform.

Type of settings: Resource access profiles (WiFi, VPN, Email, Certificate etc)
  Windows: Yes
  Android: Yes
  WP8.1 (there is no support for WP8): Yes
  iOS: Yes

Type of settings: Configuration Items
  Windows: No
  Android: No
  WP8.1 (there is no support for WP8): Supported settings only (see the list below)
  iOS: All settings except roaming settings

Supported WP8.1 configuration item settings:
./Vendor/MSFT/PolicyManager/My/DeviceLock/AllowIdleReturnWithoutPassword
./Vendor/MSFT/PolicyManager/My/DeviceLock/DevicePasswordEnabled
./Vendor/MSFT/PolicyManager/My/DeviceLock/AllowSimpleDevicePassword
./Vendor/MSFT/PolicyManager/My/DeviceLock/MinDevicePasswordLength
./Vendor/MSFT/PolicyManager/My/DeviceLock/AlphanumericDevicePasswordRequired
./Vendor/MSFT/PolicyManager/My/DeviceLock/DevicePasswordExpiration
./Vendor/MSFT/PolicyManager/My/DeviceLock/DevicePasswordHistory
./Vendor/MSFT/PolicyManager/My/DeviceLock/MaxDevicePasswordFailedAttempts
./Vendor/MSFT/PolicyManager/My/DeviceLock/MaxInactivityTimeDeviceLock
./Vendor/MSFT/PolicyManager/My/DeviceLock/MinDevicePasswordComplexCharacters
./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions
./Vendor/MSFT/PolicyManager/My/Camera/AllowCamera
./Vendor/MSFT/PolicyManager/My/Security/RequireDeviceEncryption
./Vendor/MSFT/PolicyManager/My/System/AllowStorageCard
./Vendor/MSFT/PolicyManager/My/Browser/AllowBrowser
./Vendor/MSFT/PolicyManager/My/ApplicationManagement/AllowStore
./Vendor/MSFT/PolicyManager/My/Experience/AllowScreenCapture
./Vendor/MSFT/PolicyManager/My/System/AllowTelemetry
./Vendor/MSFT/PolicyManager/My/System/AllowLocation
./Vendor/MSFT/PolicyManager/My/Accounts/AllowMicrosoftAccountConnection
./Vendor/MSFT/PolicyManager/My/Accounts/AllowAddingNonMicrosoftAccountsManually
./Vendor/MSFT/PolicyManager/My/Experience/AllowCopyPaste
./Vendor/MSFT/PolicyManager/My/WiFi/AllowInternetSharing
./Vendor/MSFT/PolicyManager/My/WiFi/AllowAutoConnectToWiFiSenseHotspots
./Vendor/MSFT/PolicyManager/My/WiFi/AllowWiFiHotSpotReporting
./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment
./Vendor/MSFT/PolicyManager/My/System/AllowUserToResetPhone
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowUSBConnection
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowBluetooth
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowCellularDataRoaming
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowNFC
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowCellularData
./Vendor/MSFT/PolicyManager/My/WiFi/AllowWiFi

The list of policies can also be found at http://technet.microsoft.com/en-us/library/dn743712.aspx under “What happens when a policy is deleted, or no longer applicable”
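Before you unassign a WP8.1 configuration item it is worth knowing which of its settings will actually come off the device and which will stay behind. The following is an added example (my own code, not Intune's or SCCM's) that takes the OMA-URIs of a configuration item and reports exactly that, using the WP8.1 list above; the sample policy and its placeholder URI are constructed for the demonstration.

```python
# Added example, not Intune or SCCM code: given the OMA-URIs configured in a
# WP8.1 configuration item, report which settings Intune removes from the
# device once the policy is deleted or stops targeting the user/device, and
# which stay behind. The removable set is the list quoted in the post above.
PREFIX = "./Vendor/MSFT/PolicyManager/My/"
WP81_REMOVABLE = {PREFIX + s for s in """
DeviceLock/AllowIdleReturnWithoutPassword DeviceLock/DevicePasswordEnabled
DeviceLock/AllowSimpleDevicePassword DeviceLock/MinDevicePasswordLength
DeviceLock/AlphanumericDevicePasswordRequired DeviceLock/DevicePasswordExpiration
DeviceLock/DevicePasswordHistory DeviceLock/MaxDevicePasswordFailedAttempts
DeviceLock/MaxInactivityTimeDeviceLock DeviceLock/MinDevicePasswordComplexCharacters
ApplicationManagement/ApplicationRestrictions ApplicationManagement/AllowStore
Camera/AllowCamera Security/RequireDeviceEncryption System/AllowStorageCard
Browser/AllowBrowser Experience/AllowScreenCapture Experience/AllowCopyPaste
Experience/AllowManualMDMUnenrollment System/AllowTelemetry System/AllowLocation
System/AllowUserToResetPhone Accounts/AllowMicrosoftAccountConnection
Accounts/AllowAddingNonMicrosoftAccountsManually WiFi/AllowInternetSharing
WiFi/AllowAutoConnectToWiFiSenseHotspots WiFi/AllowWiFiHotSpotReporting WiFi/AllowWiFi
Connectivity/AllowUSBConnection Connectivity/AllowBluetooth Connectivity/AllowNFC
Connectivity/AllowCellularDataRoaming Connectivity/AllowCellularData
""".split()}


def normalize_uri(uri):
    """Trim whitespace and restore a missing leading '.' on the relative path
    (the post's last entry lacks it). Nothing else is changed, so the match
    against the list is exact."""
    uri = uri.strip()
    return "." + uri if uri.startswith("/Vendor/") else uri


def removal_report(policy_uris):
    """Split a configuration item's OMA-URIs into those Intune removes when the
    policy no longer applies and those that remain configured on the device."""
    report = {"removed": [], "remains": []}
    for uri in map(normalize_uri, policy_uris):
        report["removed" if uri in WP81_REMOVABLE else "remains"].append(uri)
    return report


# Constructed sample policy: two password settings from the post's list, the
# WiFi entry without its leading '.', and a placeholder that is not on the
# list (not a real Intune setting) to show what lingers after removal.
SAMPLE_POLICY = [
    "./Vendor/MSFT/PolicyManager/My/DeviceLock/DevicePasswordEnabled",
    "./Vendor/MSFT/PolicyManager/My/DeviceLock/MinDevicePasswordLength",
    "/Vendor/MSFT/PolicyManager/My/WiFi/AllowWiFi",
    "./Vendor/MSFT/PolicyManager/My/Example/PlaceholderNotOnList",
]
```

Calling removal_report(SAMPLE_POLICY) puts the three listed settings under "removed" and the placeholder under "remains", which is the setting you would still have to clean up by other means.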

To illustrate this, I have recorded a short video showing how it looks.

If you have any questions or feedback, please add them in the comments below.

Which hotfixes should I apply to get the most of EMS

Hotfixes, as we all know, include fixes for things that don’t work as expected, but they sometimes also include improvements, and this is why I decided to write this blog post. This list is nothing official; I will list the updates that will or can impact EMS products (stability and improvements).

Note! This post will be updated as soon as I find any new hotfixes. Last update: 2015-04-08

System Center 2012 R2 + Intune (also called Intune UDM)

Hotfix: KB3026739 (CU4)
Resolves: A lot of things, please look at the KB to see the whole list.
Comments: All CUs are cumulative, so all fixes that were in CU1 + CU2 + CU3 are also included.
Replaces: Cumulative Update 3 for System Center 2012 R2 Configuration Manager (http://support2.microsoft.com/kb/2994331/en-us)

Hotfix: KB3002291
Resolves: In Microsoft System Center 2012 R2 Configuration Manager, when a user becomes a cloud-managed user, a settings policy may not target the assignment for the user.
Comments: The original fix for this was included in CU2 + CU3 but was broken by the installer process (the script was overwritten and the function reverted back to its original state). The effect of this is that users already included in a collection get the “fast download of policies”, but any users added after applying CU2 or CU3 will not get the policies.
  Note 1 – There is one version of the fix for a CU2 installation and one for CU3.
  Note 2 – If you installed the CU2 version and then install CU3, you need to install the CU3 version of this fix.
  Note 3 – After installing the hotfix, please run the script (which you can copy from the KB); this script will fix all existing deployments.
Replaces: This update is included in CU4.

Hotfix: KB2990658
Resolves: Greatly reduces the time that’s required to execute a successful retire or wipe of a Mobile Device Management (MDM) device. These operations now run on the device in a matter of seconds, assuming the device is reachable by Windows Intune.
Comments: To apply this hotfix, you must have Cumulative Update 3 (http://support.microsoft.com/kb/2994331/).
Replaces: This update is included in CU4.

Hotfix: KB2994331 (CU3)
Resolves: A lot of things, please look at the KB to see the whole list.
Comments: All CUs are cumulative, so all fixes that were in CU1 + CU2 are also included.
Replaces: Cumulative Update 2 for System Center 2012 R2 Configuration Manager (http://support.microsoft.com/kb/2970177/)

Hotfix: KB2970177 (CU2)
Resolves: The main improvement in this update is speed. If you have been working with device enrollment, you have probably noticed that it can take a while for the device to receive all the profiles/policies you deployed to it. With CU2 for SCCM 2012 R2 and the May update for the Intune backend, this has been improved a lot.
Comments: See http://blog.advisec.com/?p=694 for more information and step-by-step instructions on how to install it.
Replaces: Cumulative Update 1 (http://support.microsoft.com/kb/2938441/) for System Center 2012 R2 Configuration Manager.

Hotfix: KB2938441
Resolves: Enrolling an Android device in both Exchange ActiveSync (EAS) and Mobile Device Management causes a duplicate device to be created in the Administrator Console.

Windows Server 2012 R2 WAP Server role

Hotfix: KB3011135
Resolves: Large URI request in Web Application Proxy fails in Windows Server 2012 R2.
Comments: For more information on how to use WAP in front of an NDES server, see Pieter Wigleven’s blog at http://aka.ms/ndes3. Note that this is still a “private” fix and you need to call support to get it (no cost). This hotfix is now included in the December 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

Windows Server – ADFS

Hotfix: KB2989956
Resolves: Issues with iOS devices logging on to the Company Portal.
Comments: Several issues after updating ADFS servers that have security update 2843638 or 2843639 installed in Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.

Hotfix: KB2790338
Resolves: A lot of things for ADFS 2.0, please look at the KB to see the whole list.
Comments: Note that this update is only for ADFS 2.0 servers.
Replaces: 2607496 Description of Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0; 2681584 Description of Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0

Windows Server 2008 R2 CA Server role

Hotfix: KB2483564
Resolves: Renewal request for an SCEP certificate fails in Windows Server 2008 R2 if the certificate is managed by using NDES.
Comments: This update is only needed if you want to implement certificate deployment with SCEP and your CA is running on Windows Server 2008 R2. If possible, I would recommend upgrading to a newer server OS.