Skip to content

Block un-enrollment Windows Phone devices by Microsoft Intune

With the December update of Microsoft Intune a cool feature OMA-URI support has been added. This seemingly small feature introduces ‘endless’ management capabilities and scenario’s which allows you to take full advantage of managing Windows Phone devices with Microsoft Intune. This is useful when the setting you need is not configurable in a mobile device security policy.


A good example is to block the removal of Workplace of your managed Windows Phones. By default users are able to un-enroll their devices and thus become unmanaged.  In this blog I’ll show you how to prevent un-enrollement and the ability to factory reset Windows Phone device by an OMA-URI policy template.

From the Policy pane create a new policy and select Windows Phone OMA-URI Policy template.


Provide a meaningful description for further reference as a policy can be used to configure one or more settings.


Next step is to add a OMA-URI settings, is this example we’ll add restictions for both workplace un-enrollement and factory reset. Hereby we’ll prevent the Windows Phone becomes in an unmanaged state. These device settings can be found in the Windows Phone 8.1 MDM Protocol guide.

First we disable the un-enrollment of Window Phone devices by using the following OMA-URI string:

  • ./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment


Secondly we disable the ability to factory reset by using the following OMA-URI string:

  • ./Vendor/MSFT/PolicyManager/My/System/AllowUserToResetPhone


We configured two settings using OMA-URI. This can be extended with desired settings/restrictions.


After deploying the policy to Windows Phone devices we’ll notice that both un-enrollment of Workplace nor factory reset of your Windows Phone device is possible.

wp_ss_20150115_0001  wp_ss_20150115_0003

By using these setting you are able to prevent Windows Phones devices in one way or another and not be taken out of management. This simple example shows the power of using OMA-URI! For an overview of all OMA-URI for Windows Phone settings see PolicyManager configuration service provider and Windows Phone 8.1 MDM Protocol documentation.

3 thoughts on “Block un-enrollment Windows Phone devices by Microsoft Intune Leave a comment

  1. Thanks for writing this. I am trying to prevent user access to location settings. I have found the path to calling up the setting, but not toggling on/off condition or preventing access to entirely as desired.

    Thanks for any help.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: