AJP850-1314 asked LuDaiMSFT-0289 commented

Avoiding data loss resulting from “Allow my organisation to manage this device”

(I am a software developer, not a sysadmin. I was directed here by a Microsoft employee.)

When logging into Teams on my personal laptop, I inadvertently "Allowed my organisation to manage my device". I told my administrators to reverse everything that had happened as a result of this.

Unfortunately, when they tried to do that, something went wrong. I think it's something to do with an inconsistency between InTune and AAD, but the key point is that they believe that proceeding with the removal could potentially cause my PC to perform a factory reset. They called Microsoft support who confirmed that they are correct: with the state their system is in, my hard drive might be wiped. I want all trace of MDM removed from my personal hardware but I don't want my hard drive wiped. If the worst should happen I want the recovery process to be simple.

Here are my questions.

  1. The ideal solution would be for me to remove the MDM from my laptop myself so that nothing can tell it to perform a factory reset. I assume the answer is no, but just in case, can I do that?

  2. Should the worst happen, the simplest way to recover is to use a recovery image created with something like Macrium Reflect. My concern with that is that the reimaged OS will be identical to the one that was wiped. Would the restored OS simply contact Azure and wipe itself clean again?

Many thanks

Tags: azure-active-directory, mem-intune-general


Hello,

Thanks for your reply. Here is an excerpt from the call they sent to MS. Maybe I should have included that before.

“intune object was removed - aad object is still present ( disabled ) and bitlocker recovery key still visible. I need you please to clarify- what will happen if i delete the AAD object.”

MS gave us something to “try” which “should” work, which does not inspire confidence, especially as I was also advised to back up all data and create a new admin account in case I am denied access to my personal MS login.

Of course the process might work but I have to prepare for the worst.

I hope this is a little clearer. Thanks again.


LuDaiMSFT-0289 answered

@AJP850-1314 Thanks for your explanation.

For Q1: Which account did you use to log in to the laptop? If you log in with a local account, you can unenroll; it will not lose data. If you log in with an Azure AD account, you need to back up and then unenroll. The "Unenroll" action will not delete apps that existed before the laptop was enrolled. We can refer to the following link to unenroll the laptop ourselves.
https://www.tenforums.com/tutorials/105509-disconnect-windows-10-pc-azure-ad.html#:~:text=All%20software%20remains%20installed%20and,to%20disconnect%20from%20Azure%20AD.
Note: Non-Microsoft link, just for the reference.

For Q2: When you click on "Wipe", you don't need to do anything else; it will work in less than 15 minutes. I don't think you need to perform a wipe action, because a wipe action is useful for resetting a device before you give the device to a new user.

Thanks for understanding and have a nice day.

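The answer above says the device can be unenrolled locally and that only the "Wipe" action resets it, but the asker is left without a way to confirm that the unenroll actually took effect. The following PowerShell script is an added example (it is not from this thread, and not Microsoft's own tooling or advice): a read-only check of whether a Windows 10/11 PC still carries an Azure AD registration or an Intune/MDM enrollment. `dsregcmd /status`, the `HKLM\SOFTWARE\Microsoft\Enrollments` registry key and the `\Microsoft\Windows\EnterpriseMgmt\` task folder are real Windows locations; the function names are my own, and the numeric meaning of `EnrollmentState` is displayed rather than interpreted because it is not documented here.

```powershell
# Added example (not from this thread): read-only check of whether this PC still carries
# an Azure AD registration or an MDM enrollment. It changes nothing, so it is safe to run
# before and after removing the work or school account, or on a restored disk image.
# Run it from the affected user's own session, because dsregcmd reports per-user state.

function Get-DsregStatus {
    # dsregcmd /status is built into Windows; its output is a series of "Key : Value" lines.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-MdmEnrollment {
    # Every MDM enrollment is a GUID-named subkey under HKLM\SOFTWARE\Microsoft\Enrollments.
    # Other subkeys there (Status, Ownership, ...) are not enrollments, so filter on the GUID name.
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f-]{36}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                EnrollmentId    = $_.PSChildName
                UPN             = $p.UPN                      # account that enrolled the device
                ProviderID      = $p.ProviderID               # management provider name
                EnrollmentState = $p.EnrollmentState          # shown as-is, not interpreted
                DiscoveryUrl    = $p.DiscoveryServiceFullURL  # MDM server the client talks to
            }
        } |
        Where-Object { $_.UPN -or $_.DiscoveryUrl }           # skip empty placeholder keys
}

function Get-MdmSyncTask {
    # The MDM client checks in through scheduled tasks under \Microsoft\Windows\EnterpriseMgmt\<GUID>\.
    # Listing these needs an elevated prompt; an empty result from a standard prompt proves nothing.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
        Select-Object TaskPath, TaskName, State
}

function Test-MdmRelationship {
    $ds    = Get-DsregStatus
    $enrol = @(Get-MdmEnrollment)
    $tasks = @(Get-MdmSyncTask)

    [pscustomobject]@{
        AzureAdJoined   = $ds['AzureAdJoined']    # YES = the whole device is joined to a tenant
        WorkplaceJoined = $ds['WorkplaceJoined']  # YES = this user still has a work/school account registered
        DomainJoined    = $ds['DomainJoined']
        MdmUrl          = $ds['MdmUrl']           # non-empty = device-level MDM still configured
        Enrollments     = $enrol
        SyncTasks       = $tasks
        StillManaged    = ($ds['AzureAdJoined'] -eq 'YES') -or
                          ($ds['WorkplaceJoined'] -eq 'YES') -or
                          ($enrol.Count -gt 0) -or ($tasks.Count -gt 0)
    }
}

$result = Test-MdmRelationship
$result | Format-List AzureAdJoined, WorkplaceJoined, DomainJoined, MdmUrl, StillManaged
$result.Enrollments | Format-Table -AutoSize
$result.SyncTasks   | Format-Table -AutoSize
```

A device that has really been unenrolled reports `WorkplaceJoined : NO` for the user, no GUID enrollment keys with a UPN or discovery URL, and no tasks under the EnterpriseMgmt folder. Running the same check on a restored disk image answers the asker's second question for that specific image: if the enrollment keys and sync tasks are present in the image, the restored OS carries the same MDM relationship the original did; if they are absent, there is nothing on the device that would contact the MDM server on its own.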

LuDaiMSFT-0289 answered

@AJP850-1314 Thanks for posting in our Q&A.

For this issue, I would like to clarify the following points with you:
  1. What does "reverse everything" mean? Does it mean that you want to unenroll the device from your organisation?

  2. Did your company internally require a "wipe" action?

In our official Intune article, only the "Wipe" action performs a factory reset. Other remove actions will not perform a factory reset. We can read the following article as a reference.
https://docs.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe

For Q1: If you want to remove the MDM from the laptop by yourself, please confirm that there is a local user account on this laptop. And don't forget to back up your data.

For Q2: I'm not sure if the restored OS will connect to Azure AD.

If there is any update, feel free to let us know.



AJP850-1314 answered AJP850-1314 edited

@LuDaiMSFT-0289, thanks very much for your answer. I will also draw your attention to my reply to a post above that contains the key points from my administrator’s question to MS support, which I was forwarded, in case it helps.

In response to your requests for clarification:

  1. I used the term “reverse everything” as a non-expert’s way to say “return everything to the state it was in before I inadvertently clicked that check box on the Teams login”. If unenrolling it would do that, then yes, although I think that is what they tried to do. Thanks for your patience. I hadn't even heard of MDM three weeks ago!

  2. I don't think I understand this correctly, because it sounds like you're asking if my company has a policy whereby people that click on that check box in Teams consent to having their personal devices wiped? If so, no, they don’t have such a policy! In fact they have been looking for ways to prevent personal machines being enrolled because of what happened to me. If that isn't what you were asking, please do feel free to come back to me.

I have 4 backups so no issue there, it's just the inconvenience of reinstalling all my applications that bothers me. I can't remember the “Administrator” password, but my own account had full admin rights. I can reset the Administrator password if necessary.

Supplemental question if that's ok:

  1. If I remove the MDM myself will I definitely lose data or is it only a possibility?

  2. So I know what to expect, at what point would the wipe take place? When I boot the machine, when I log in to Windows or when I log in to my organisation?

Thanks too for the honest answer on the drive image. It helps to know there are no guarantees.

AJP850-1314 answered LuDaiMSFT-0289 commented

@LuDaiMSFT-0289

OK, thanks for the link.

So I log in to Windows using <My name>@hotmail.co.uk and then I log in to Teams using <My name>@<My company name>.com. When I clicked on the check box, it created a work and school account which I removed.

I removed the work and school account a couple of weeks ago and if I understand the information in there correctly that should be sufficient?

I want to keep logging in using <My name>@hotmail.co.uk.

Hopefully, this is my last question! Thanks so much.


@AJP850-1314 From your description, I understand that the accounts you use to log in to the device and to the Teams app are different.
If we disconnect the Azure AD account (<My name>@<My company name>.com) under Work or school account, we will keep using the account (<My name>@hotmail.co.uk) to log in to the device.