This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 80%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFE%3C/text%3E%3C/svg%3E)
Hi everyone,
I have an interesting situation. I used a Sony Xperia XA1 with Andoird 8.0 as a test device. The device was sucessfully enrolled and an administrative profile created. All device configuration policies were applied. The policies were deliberately configured to restrict the device as much as possible to test if an admin could actually render the device unusable if not knowing what they did. Lo and behold, you can totally tank the device. Now this wouldn't be a problem, even without Wifi, the posibility to reset the device or enable USB debugging for PC reset - if the device has a SIM inserted, it can get changed policies from Intune and be "unstuck".
That is, if some idiot doesn't delete the the device from intune while it's powered off. In this specific case, when the device is powered back on, it realizes it isn't managed by Intune anymore, however, all restrictions are still in place, reenrolling isn't possible and resetting the device isn't either.
So here's my question - how the hell do I get the device reset to factory settings if it's completely blocked by Intune and can't be unblocked by intune?
Cheers,
Fred
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 98%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Basically, if some one deletes the device in Intune accidentally when it's powered off. When the device is powered back on, it still will check in with Intune, and then remove the policies and company data. Please just click Delete devices from the Intune portal for more details.
In addition, the end user also can unenroll the Intune managed device. It can be performed from the Company Portal. Please refer to the following guide for more details.
Unenroll your Android device from management
If the response is helpful, please click "Accept Answer" and upvote it.
Hi Andy,
thanks for the reply and the suggested solution, however it's not quite correct.
The device does check back with Intune, yes. And it also realizes it's not managed by Intune anymore. But, what it tries to do then does not match the Docs. It does not delete company data and it does not remove the policies. It offers to reinstall the management profile, which it can't because there's already one there. The existing policies prohibit the user from removing any profiles or accounts from the device. Hence, unenrolling the device by the user in Company Portal is not possible.
Cheers,
Fred
If the profile, factory reset and USB debugging have been locked, there is no way to remove the company portal and policies from the client side. You must remove the locks from the Intune portal. However, the behavior of device is not as expected after it's deleted from the Intune portal. To take a further investigation for this issue, I would recommend to create an online support ticket.
On the other hand, to avoid this situation, you can remove the delete permission for most of the Intune administrators from the Intune Roles.