Avoiding data loss resulting from “Allow my organisation to manage this device”

AJP_850 21 Reputation points
2021-03-04T18:23:31.793+00:00

(I am a software developer, not a sysadmin. I was directed here by a Microsoft employee.)

When logging into Teams on my personal laptop, I inadvertently "Allowed my organisation to manage my device". I told my administrators to reverse everything that had happened as a result of this.

Unfortunately, when they tried to do that, something went wrong. I think it's something to do with an inconsistency between InTune and AAD, but the key point is that they believe that proceeding with the removal could potentially cause my PC to perform a factory reset. They called Microsoft support who confirmed that they are correct: with the state their system is in, my hard drive might be wiped. I want all trace of MDM removed from my personal hardware but I don't want my hard drive wiped. If the worst should happen I want the recovery process to be simple.

Here are my questions.

  1. The ideal solution would be for me to remove the MDM from my laptop myself so that nothing can tell it to perform a factory reset. I assume the answer is no, but just in case, can I do that?
  2. Should the worst happen, the simplest way to recover is to use a recovery image created with something like Macrium Reflect. My concern with that is that the reimaged OS will be identical to the one that was wiped. Would the restored OS simply contact Azure and wipe itself clean again?

Many thanks


Accepted answer
  1. Lu Dai-MSFT 28,341 Reputation points
    2021-03-05T08:51:54.023+00:00

    @AJP_850 Thanks for your explanation.

    For Q1: Which account did you use to log in to the laptop? If you log in with a local account, you can unenroll; it will not lose data. If you log in with the Azure AD account, you need to back up and then unenroll. The "Unenroll" action will not delete apps that existed before the laptop was enrolled. We can refer to the following link to unenroll the laptop ourselves.
    https://www.tenforums.com/tutorials/105509-disconnect-windows-10-pc-azure-ad.html#:~:text=All%20software%20remains%20installed%20and,to%20disconnect%20from%20Azure%20AD.
    Note: Non-Microsoft link, just for the reference.

    For Q2: When you click on "Wipe", you don't need to do anything else; it will work in less than 15 minutes. I don't think you need to perform a wipe action, because a wipe action is useful for resetting a device before you give the device to a new user.

    Thanks for understanding and have a nice day.


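The accepted answer above turns on whether the PC is still joined to the organisation's tenant or still has an MDM enrollment that a remote action could reach. The following script is an added example, not code from the original thread or from Microsoft; it is a read-only check that reports the state `dsregcmd /status` sees, the enrollment records Windows keeps under `HKLM:\SOFTWARE\Microsoft\Enrollments`, and the MDM client's scheduled tasks under `\Microsoft\Windows\EnterpriseMgmt\`. Run it from an elevated PowerShell prompt before removing the work account and again afterwards; it changes nothing on the device. The interpretation of the registry value names (ProviderID, UPN, EnrollmentType) and the filter that skips the helper subkeys are based on how current Windows 10/11 builds lay out that key and are stated here as assumptions.

```powershell
# Added example (not part of the original Q&A): read-only report of a Windows PC's
# Azure AD / MDM state. Requires an elevated prompt so the Enrollments key is fully readable.

# 1. Join state as reported by dsregcmd. AzureAdJoined = the PC itself is joined to the
#    tenant; WorkplaceJoined = a work or school account registered the device (the state
#    the "Allow my organisation to manage this device" prompt creates on a personal PC);
#    the Mdm* URLs are populated only when a management enrollment is associated.
$dsreg = dsregcmd /status
$joinState = [ordered]@{}
foreach ($key in 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined', 'MdmUrl', 'WorkplaceMdmUrl') {
    $line = $dsreg | Where-Object { $_ -match "^\s*$key\s*:" } | Select-Object -First 1
    $joinState[$key] = if ($line) { ($line -split ':', 2)[1].Trim() } else { '(not reported)' }
}

# 2. MDM enrollment records. Each GUID subkey is one enrollment; ProviderID/UPN identify the
#    managing service and account (assumption: Intune writes ProviderID = "MS DM Server").
#    Subkeys without ProviderID or UPN are bookkeeping subkeys, not enrollments, and are skipped.
$enrollments = @()
$enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
if (Test-Path $enrollRoot) {
    foreach ($k in Get-ChildItem $enrollRoot -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue
        if ($p.ProviderID -or $p.UPN) {
            $enrollments += [pscustomobject]@{
                Id             = $k.PSChildName
                ProviderID     = $p.ProviderID
                UPN            = $p.UPN
                EnrollmentType = $p.EnrollmentType
            }
        }
    }
}

# 3. The MDM client's check-in tasks live under \Microsoft\Windows\EnterpriseMgmt\<GUID>.
#    While these exist the PC keeps contacting the management server.
$mdmTasks = @(Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue)

"=== Join state (dsregcmd /status) ==="
$joinState.GetEnumerator() | ForEach-Object { '{0,-16} {1}' -f $_.Key, $_.Value }
"`n=== MDM enrollments (HKLM\SOFTWARE\Microsoft\Enrollments) ==="
if ($enrollments.Count) { $enrollments | Format-Table -AutoSize | Out-String } else { '(none)' }
"`n=== EnterpriseMgmt scheduled tasks ==="
if ($mdmTasks.Count) { $mdmTasks | Select-Object TaskPath, TaskName, State | Format-Table -AutoSize | Out-String } else { '(none)' }

# Verdict. A PC counts as still managed if any of the three indicators is present; back up
# before asking the administrators to retire or unenroll it in that case.
$managed = ($joinState['AzureAdJoined'] -eq 'YES') -or ($enrollments.Count -gt 0) -or ($mdmTasks.Count -gt 0)
if ($managed) {
    "`nRESULT: an organisation join and/or MDM enrollment is still present on this PC."
} else {
    "`nRESULT: no Azure AD join and no MDM enrollment record found on this PC."
}
```

If the second run (after removing the work or school account) still lists an enrollment GUID or EnterpriseMgmt tasks, the device is still reachable by the tenant, which is the situation in which a backup matters; the "Unenroll" step the accepted answer links to is what clears those records.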
3 additional answers

  1. Lu Dai-MSFT 28,341 Reputation points
    2021-03-05T03:22:22.593+00:00

    @AJP_850 Thanks for posting in our Q&A.

    For this issue, I would like to clarify the following points with you:

    1. What does "reverse everything" mean? Does it mean that you want to unenroll the device from your organisation?
    2. Did your company internally require a "wipe" action?

    In our official Intune article, only the "wipe" action will perform a factory reset. Other removal actions will not perform a factory reset. We can read the following article as a reference.
    https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe

    For Q1: If you want to remove the MDM from the laptop by yourself, please confirm that there is a local user account on this laptop. And don't forget to back up your data.

    For Q2: I'm not sure if the restored OS will connect to Azure AD.

    If there is any update, feel free to let us know.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. AJP_850 21 Reputation points
    2021-03-05T07:36:45.023+00:00

    @Lu Dai-MSFT, thanks very much for your answer. I will also draw your attention to my reply to a post above that contains the key points from my administrator's question to MS support, which I was forwarded, in case it helps.

    In response to your requests for clarification:

    1. I used the term "reverse everything" as a non-expert's way to say "return everything to the state it was in before I inadvertently clicked that check box on the Teams login". If unenrolling would do that, then yes, although I think that is what they tried to do. Thanks for your patience. I hadn't even heard of MDM three weeks ago!
    2. I don't think I understand this correctly, because it sounds like you're asking if my company has a policy whereby people who click on that check box in Teams consent to having their personal devices wiped? If so, no, they don't have such a policy! In fact they have been looking for ways to prevent personal machines being enrolled because of what happened to me. If that isn't what you were asking, please do feel free to come back to me.

    I have 4 backups so no issue there, it's just the inconvenience of reinstalling all my applications that bothers me. I can't remember the “Administrator” password, but my own account had full admin rights. I can reset the Administrator password if necessary.

    Supplemental question if that's ok:

    1. If I remove the MDM myself will I definitely lose data or is it only a possibility?
    2. So I know what to expect, at what point would the wipe take place? When I boot the machine, when I log in to Windows or when I log in to my organisation?

    Thanks too for the honest answer on the drive image. It helps to know there are no guarantees.


  3. AJP_850 21 Reputation points
    2021-03-05T09:51:20.553+00:00

    @Lu Dai-MSFT

    OK, thanks for the link.

    So I log in to Windows using <My name>@Karima ben .co.uk and then I log in to Teams using <My name>@<My company name>.com. When I clicked on the check box, it created a work and school account which I removed.

    I removed the work and school account a couple of weeks ago, and if I understand the information there correctly, that should be sufficient?

    I want to keep logging in using <My name>@Karima ben .co.uk.

    Hopefully, this is my last question! Thanks so much.