Microsoft Tech Community

Intune Policy Still Showing against Device even though Descoped


I have an Intune device configuration that I target at an AzureAD group. I add my Windows 10 devices to this group and after some time the profile is applied successfully to these devices. Under each DeviceName -> Configuration Profiles -> Profile Name I see it as successfully applied, as well as under the Profile -> Device Assignment Status. I then remove the devices from these AzureAD groups. Under each DeviceName -> Configuration Profiles -> Profile Name I still see it as successfully applied, but now it is not listed under the Profile -> Device Assignment Status. When I check the actual setting at the device, the policy is indeed descoped and the settings have reverted to defaults.

 

So is this expected behaviour that the policy remains as applied under DeviceName -> Configuration Profiles -> Profile Name? Seems very counter intuitive!

3 Replies

Hi @shockotechcom,

Yes, it is expected behavior that the policy remains as applied under DeviceName -> Configuration Profiles -> Profile Name even after the device is removed from the AzureAD group. This is because Intune does not automatically remove security policies when you unassign the policy (stop deployment).

You may need to leave the policy assigned, and then change the security settings back to the default values.

However, if you want to completely remove the policy from the device, you can delete the Windows Device from Azure Active Directory (AAD) and Microsoft Endpoint Manager (MEM) and wait for it to re-sync.

This will clean up any MEM policies and profiles. This practice is often followed before deploying new or redeploying any Windows device.

Azure Active Directory (AAD) and Intune are different systems, so changes in one system may not automatically reflect in the other.

Troubleshoot policies and configuration profiles in Microsoft Intune - Intune | Microsoft Learn

Cleanup Intune profiles and policies - Microsoft Community Hub


Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)

@LeonPavesic thanks!

 

You state

 

Yes, it is expected behavior that the policy remains as applied under DeviceName -> Configuration Profiles -> Profile Name even after the device is removed from the AzureAD group. This is because Intune does not automatically remove security policies when you unassign the policy (stop deployment).

 

But the settings applied by the policy are no longer being applied at the endpoint.

Hi @shockotechcom,

I apologize for any confusion.

If the policy settings are not taking effect on the endpoint despite removing the device from the AzureAD group and unassigning the policy, it could be due to synchronization delays or an Intune service issue. To address this, try initiating a manual sync on the device and checking the Intune service status for any ongoing problems.

Kindest regards,


Leon Pavesic
(LinkedIn)
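The replies above suggest forcing a manual sync and comparing what the console shows with what the endpoint has actually applied. The following PowerShell script is an added example, not code posted in this thread or shipped by Microsoft: run as an administrator on the enrolled Windows 10 device, it starts the MDM sync task that every enrollment registers under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\, then reads the effective policy value from the PolicyManager "current" node and the value each enrollment last delivered from the "providers" node, so you can see whether a descoped setting is really gone at the endpoint regardless of the status the console reports. The CSP area and setting names ($Area, $Setting) are placeholders and an assumption of this example; substitute the area and policy your profile configures.

```powershell
# Added example (not from the thread): confirm on the endpoint whether an Intune
# device configuration setting is still applied, independent of console status.
# Assumption: $Area/$Setting are placeholders for the CSP area and policy name
# your profile configures (DeviceLock/MinDevicePasswordLength is only an example).
param(
    [string]$Area    = 'DeviceLock',              # assumed CSP area (placeholder)
    [string]$Setting = 'MinDevicePasswordLength'  # assumed policy name (placeholder)
)

$base = 'HKLM:\SOFTWARE\Microsoft\PolicyManager'

# 1. Trigger an MDM sync the same way the Sync button in Settings does.
#    "Schedule #3 created by enrollment client" is the recurring sync task
#    registered per enrollment; start it for every MDM enrollment found.
$syncTasks = Get-ScheduledTask |
    Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and
                   $_.TaskName -like 'Schedule #3*' }
if (-not $syncTasks) {
    throw 'No EnterpriseMgmt sync task found; is this device MDM-enrolled?'
}
$syncTasks | Start-ScheduledTask
Start-Sleep -Seconds 60   # give the OMA-DM session a minute to complete

# 2. Enumerate enrollment IDs; each has its own subtree under providers\.
$enrollments = Get-ChildItem "$base\providers" -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty PSChildName

# 3. current\device\<Area> holds the merged, effective value the OS enforces.
#    providers\<EnrollmentId>\default\Device\<Area> holds what that enrollment
#    last delivered. After the device is descoped, the provider value should be
#    removed and the effective value should revert (absent = OS default).
$currentKey = "$base\current\device\$Area"
$effective  = (Get-ItemProperty -Path $currentKey -Name $Setting `
                -ErrorAction SilentlyContinue).$Setting

$delivered = foreach ($e in $enrollments) {
    $k = "$base\providers\$e\default\Device\$Area"
    $v = (Get-ItemProperty -Path $k -Name $Setting -ErrorAction SilentlyContinue).$Setting
    if ($null -ne $v) {
        [pscustomobject]@{ EnrollmentId = $e; Value = $v }
    }
}

# 4. Summarise: if StillDelivered is $false and EffectiveValue is the OS default,
#    the policy is gone at the endpoint whatever the console's per-device view says.
[pscustomobject]@{
    Setting        = "$Area/$Setting"
    EffectiveValue = if ($null -eq $effective) { '<not set (OS default)>' } else { $effective }
    StillDelivered = [bool]$delivered
    DeliveredBy    = ($delivered | ForEach-Object { "$($_.EnrollmentId)=$($_.Value)" }) -join '; '
}

# 5. For the paper trail, pull recent MDM diagnostic events that mention the
#    setting (the same log the Intune troubleshooting guidance points at).
Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Setting) } |
    Select-Object TimeCreated, Id, Message
```

The point of reading both nodes is that the console's per-device "Configuration Profiles" view reflects the last reported status, while the registry reflects what the MDM client currently enforces; when the two disagree, the registry (and the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin log) is the evidence to attach when you open a support case.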