Intune Policy Tattooed or Not Tattooed Windows CSP Policy

Let’s quickly check whether Intune policies are tattooed or not tattooed. I have seen this behavior during one of the demos in the recent Namaste Techies episode. Group policy tattooing has always been a headache for ConfigMgr client installations that use AD group policy.

Well, I don’t blame Intune for tattooing policies into your Windows 11 or Windows 10 devices. The tattooing of settings is an issue or limitation of the Windows CSP (Configuration Service Provider) itself. Microsoft has already confirmed that many Windows CSPs have this issue.

I don’t know whether we still have the Intune policy tattooing problem, so I will let you see the conclusion from the small number of policy tests that I have done. Yes, it’s still a problem for some of the CSPs. Check out the conclusion section of this post for more details.


The good news is that the new Windows CSP policies are expected to come with better management options; ideally, they should not have the Intune policy tattooing effect. Let’s check this with some examples in this blog post.

What is Intune Policy Tattooing?

Intune is a server-side system that helps IT admins create and deliver configuration settings to the client; that is the easiest way to understand the Intune side of things. The Intune settings are based on Windows configuration service providers (CSPs). The behavior of a Windows CSP is something that can’t be controlled directly from the Intune side.

What is Intune Policy Tattooing? Intune Policy Tattooed or Not Tattooed Windows CSP Policy

The policy tattooing behavior depends on each Windows CSP. There are good and modern Windows CSPs that remove the settings from your device after removing the policy assignment from Intune (as shown in the above screen capture). However, there are some “bad” Windows CSPs, and the related settings of those CSPs won’t get removed even after the removal of the policies.


This type of permanent policy setting behavior is called tattooing (for example, the “bad” CSPs from the above paragraph). You don’t have an easy out-of-the-box way to remove these tattooed settings from Windows 11 or Windows 10 devices. Instead, you might need to configure the policy with a new preferred value to get the desired result.

Disable Control Panel Settings App Access Intune Policy Tattooed?

As mentioned above, there are good and modern Windows CSPs that don’t have the tattooing issue. These policies are easy to manage, and their settings get removed from the client device whenever you remove the policy assignment from that device using Intune.

One of the example policies is “Prohibit access to Control Panel and PC settings (User),” and this policy helps admins disable Control Panel and Settings apps access from Windows devices. I have a post that explains how to implement this policy (Disable Control Panel PC Settings Using Intune Prohibit access).

Disable Control Panel Settings App Access Intune Policy Tattooed?

The Intune policy setting got applied on the device, as you can see in the above screenshot. However, when I removed the policy from the Azure AD user group (because this is a user-based policy), the settings also got removed. Let’s see more details below.

Intune Event Log ID 819 Not Tattooed Policy Removal Event

Let’s see what Event Log ID 819 means for Windows MDM and Intune management. Event log ID 819 means the MDM policy manager deleted the policy on the Windows 10 or Windows 11 client device. So, this deletion action will happen for Intune policies or Windows CSP policies that don’t have tattooing issues.

You can navigate to the following event log path to confirm the tattooing behavior of a policy – Applications and Services Logs – Microsoft – Windows – DeviceManagement-Enterprise-Diagnostics-Provider – Admin.

MDM PolicyManager: Delete policy, Policy: (NoControlPanel), Area: (ADMX_ControlPanel), EnrollmentID requesting merge: (D1E11663-BF69-4DD8-974A-BAD47E6EF433), Current User: (S-1-5-21-2901188661-3025291148-348095268-1124), Scope: (0x1).

Intune Event Log ID 819 Not Tattooed Policy Removal Event

Delete policy Event Log – Registry Confirmation for Non Tattooed Policy

Now, you can head back to the registry and confirm whether the actual settings that disable the Control Panel and Settings app are removed from the registry or not. If the setting is removed, that means this ADMX_ControlPanel – NoControlPanel policy doesn’t have a tattooing issue.

Registry Path Example 1 – Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\S-1-5-21-2901188661-3025291148-348095268-1124\ADMX_ControlPanel

Registry Path Example 2 – Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\

Registry Path Example 3 – Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\D1E11663-BF69-4DD8-974A-BAD47E6EF433\default\Device

Registry Path Example 4 – Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\D1E11663-BF69-4DD8-974A-BAD47E6EF433\default\S-1-5-21-2901188661-3025291148-348095268-1124

Delete policy Event Log – Registry Confirmation for Not Tattooed Policy

The NoControlPanel registry entry got removed after I removed the policy deployment or assignment from the Microsoft Intune policy (settings catalog). This confirms that there is no tattooing issue for this particular Windows CSP policy.

Example Registry Value 2 – Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\D1E11663-BF69-4DD8-974A-BAD47E6EF433\default\S-1-5-21-2901188661-3025291148-348095268-1124\ADMX_ControlPanel
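The two checks walked through above (the 819 delete event, then the PolicyManager registry keys) as one script. This is an added example, not code from the original post. It assumes an elevated PowerShell session on the enrolled device; the default Policy/Area pair is the post’s NoControlPanel / ADMX_ControlPanel, and the script takes any other Policy/Area pair that appears in an 819 event (the parameter names are this example’s own, not an Intune or Windows API).

```powershell
# Added example (not from the original post): confirm that Intune has really removed a
# Windows CSP policy from a client by checking the two places the post uses:
#   1. Event ID 819 ("MDM PolicyManager: Delete policy") in the
#      DeviceManagement-Enterprise-Diagnostics-Provider/Admin log, and
#   2. the PolicyManager registry hive: current\<scope>\<Area> and
#      Providers\<EnrollmentID>\default\<scope>\<Area>.
# Run in an elevated PowerShell on the enrolled device.

param(
    [string]$PolicyName    = 'NoControlPanel',     # value shown as "Policy: (...)" in the 819 event
    [string]$Area          = 'ADMX_ControlPanel',  # value shown as "Area: (...)" in the 819 event
    [int]   $LookbackHours = 24
)

$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# ---- Step 1: event log. Pull the Policy/Area/EnrollmentID/User fields out of each 819 message.
$since   = (Get-Date).AddHours(-$LookbackHours)
$pattern = 'Policy: \((?<Policy>[^)]+)\), Area: \((?<Area>[^)]+)\), EnrollmentID requesting merge: \((?<Enrollment>[^)]+)\), Current User: \((?<User>[^)]+)\)'

$deleteEvents = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 819; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match $pattern) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Policy     = $Matches.Policy
                Area       = $Matches.Area
                Enrollment = $Matches.Enrollment
                User       = $Matches.User      # 'Device' for device scope, a user SID for user scope
            }
        }
    }

$hits = @($deleteEvents | Where-Object { $_.Policy -eq $PolicyName -and $_.Area -eq $Area })
if ($hits.Count -gt 0) {
    "Event 819: PolicyManager deleted $Area/$PolicyName at $($hits[0].Time) (scope: $($hits[0].User))"
} else {
    "No event 819 for $Area/$PolicyName in the last $LookbackHours h (still assigned, never assigned, or not synced yet)"
}

# ---- Step 2: registry. Both the merged 'current' copy and the per-enrollment 'Providers' copy
# should lose the value once the CSP has processed the delete. A value that survives is worth a
# closer look, but its absence alone does not prove the setting was reverted on the device.
$root = 'HKLM:\SOFTWARE\Microsoft\PolicyManager'

$candidateKeys = @(
    Get-ChildItem "$root\current" -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.PSPath $Area }
    Get-ChildItem "$root\Providers" -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildItem (Join-Path $_.PSPath 'default') -ErrorAction SilentlyContinue } |
        ForEach-Object { Join-Path $_.PSPath $Area }
)

$stillPresent = foreach ($key in $candidateKeys) {
    $item = Get-ItemProperty -Path $key -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        [pscustomobject]@{
            Key   = $key -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
            Value = $item.$PolicyName
        }
    }
}

if ($stillPresent) {
    "Registry still holds $PolicyName under:"
    $stillPresent | Format-Table -AutoSize
} else {
    "Registry: $PolicyName is gone from every PolicyManager $Area key (current and Providers)"
}
```

Run it right after the manual Intune sync, e.g. `.\Check-CspRemoval.ps1 -PolicyName CPL_Personalization_DisableThemeChange -Area ADMX_ControlPanelDisplay` for the theme policy tested later in the post. The event check and the registry check are deliberately reported separately: an 819 event with a value still in the registry, or the reverse, is exactly the case worth investigating further.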

Let’s check the before and after effects of this policy not being tattooed in Intune. This is a really good sign!

Delete policy Event Log – Registry Confirmation for Not Tattooed Policy

NOTE! – I tested this with Windows 10 21H1 build 19043.1348.

Prevent changing theme (User) – Intune Policy Tattooed or Not Tattooed?

Let’s now check the policy called Prevent changing theme (User) for the tattooing effect. This is another user-based approach to disabling theme changes using the Intune settings catalog. The policy is configured as disabled from Intune and deployed to the Azure AD user group. The following is one of the registry keys; it shows the value as disabled.

Registry path – Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\D1E11663-BF69-4DD8-974A-BAD47E6EF433\default\S-1-5-21-2901188661-3025291148-348095268-1124\ADMX_ControlPanelDisplay

Prevent changing theme (User) – Intune Policy Tattooed or Not Tattooed?

Let’s remove the Azure AD user group from the Intune settings catalog policy that disables theme changes. If the Windows CSP supports removing the policy entry, it is a good policy and doesn’t have the Intune policy tattooing issue.

Prevent changing theme (User) – Intune Policy Tattooed or Not Tattooed?

Let’s check event log ID 819 now and confirm whether the event has appeared on the Windows 11 or Windows 10 device. As per the event log below, the registry values are not tattooed on the client device.

MDM PolicyManager: Delete policy, Policy: (CPL_Personalization_DisableThemeChange), Area: (ADMX_ControlPanelDisplay), EnrollmentID requesting merge: (D1E11663-BF69-4DD8-974A-BAD47E6EF433), Current User: (S-1-5-21-2901188661-3025291148-348095268-1124), Scope: (0x1).

The entire registry value and key got removed from the system after removing the policy assignment. This proves that the registry values are not tattooed for the ADMX_ControlPanelDisplay policy.

NOTE! ADMX_ControlPanelDisplay entry is not available in the registry now!

Prevent changing theme (User) – Intune Policy Tattooed or Not Tattooed?

Redirection Settings Intune Policy Tattooed?

Let’s find out whether the device-based Redirection Settings Intune policy is tattooed. I explained the deployment of Cloud PC redirection policies in a previous post. Now, let’s try removing the assignment of that Intune settings catalog policy.

To quickly check whether the policy changes are reflected on Windows 10 or Windows 11, initiate the Intune policy sync (Initiate a Manual Intune Policy Sync) from the Company Portal app. As per the event log ID 819, two settings have been removed from the Windows device.

You can check the following event log – DeviceManagement-Enterprise-Diagnostics-Provider – Admin.

MDM PolicyManager: Delete policy, Policy: (DoNotAllowDriveRedirection), Area: (RemoteDesktopServices), EnrollmentID requesting merge: (D1E11663-BF69-4DD8-974A-BAD47E6EF433), Current User: (Device), Scope: (0x1).

MDM PolicyManager: Delete policy, Policy: (TS_CLIENT_CLIPBOARD), Area: (ADMX_TerminalServer), EnrollmentID requesting merge: (D1E11663-BF69-4DD8-974A-BAD47E6EF433), Current User: (Device), Scope: (0x1).

You can check the registry entry changes in the below screen capture. The ADMX_TerminalServer (and RemoteDesktopServices) entry got removed. This means Redirection settings are not tattooed into the registry.

Redirection Settings Intune Policy Tattooed?

WUfB Policies are Tattooed or Not Tattooed?

Here is the last policy I’m going to check for tattooing: Windows Update for Business (WUfB). As per my testing, these policies are not tattooed, because when I removed the assignment from the Azure AD group, all of these policy settings were also deleted from the registry.

As you can see in the screenshot below, there are many events with ID 819. All of these events confirm that the Windows Update for Business policies are getting deleted.

WUfB Policies are Tattooed or Not Tattooed?

MDM PolicyManager: Delete policy, Policy: (ConfigureDeadlineNoAutoReboot), Area: (Update), EnrollmentID requesting merge: (D1E11663-BF69-4DD8-974A-BAD47E6EF433), Current User: (Device), Scope: (0x1).

MDM PolicyManager: Delete policy, Policy: (ConfigureDeadlineGracePeriod), Area: (Update), EnrollmentID requesting merge: (D1E11663-BF69-4DD8-974A-BAD47E6EF433), Current User: (Device), Scope: (0x1).

MDM PolicyManager: Delete policy, Policy: (ConfigureDeadlineForQualityUpdates), Area: (Update), EnrollmentID requesting merge: (D1E11663-BF69-4DD8-974A-BAD47E6EF433), Current User: (Device), Scope: (0x1).

MDM PolicyManager: Delete policy, Policy: (ConfigureDeadlineForFeatureUpdates), Area: (Update), EnrollmentID requesting merge: (D1E11663-BF69-4DD8-974A-BAD47E6EF433), Current User: (Device), Scope: (0x1).

The following screenshot gives you an idea of the before and after state of the Windows Update for Business policies deployed using Intune. The following registry path helps you see whether the Update entry is still there or not.

Example 1 – Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\D1E11663-BF69-4DD8-974A-BAD47E6EF433\default\Device

WUfB Policies are Tattooed or Not Tattooed?

Disable Removable Storage Write Access Using Intune policy Tattooed?

Let’s check whether the Disable Removable Storage Write Access Intune policy is tattooed or not, using the event logs and registry entries.

MDM PolicyManager: Delete policy, Policy: (RemovableDiskDenyWriteAccess), Area: (Storage), EnrollmentID requesting merge: (D1E11663-BF69-4DD8-974A-BAD47E6EF433), Current User: (Device), Scope: (0x1).

Disable Removable Storage Write Access Using Intune policy Tattooed?

Conclusion

I have tested five (5) different Intune policies (Windows CSP policies), and I couldn’t find any of them getting tattooed onto the Windows devices. So, it’s safe to assume that most Windows CSP or Intune policies are no longer tattooed as they were before.

Let me know if you see any policies being tattooed by Intune. This makes things difficult for admins: you will need to reconfigure the Intune policy to Not configured, or do something else, to fix this kind of tattooed entry in the registry.

NOTE! – In the worst-case scenario, you will need to deploy a PowerShell remediation script using Intune to remove these tattooed entries. I don’t recommend this method unless there is no other option.

Updated on 24th Nov – I learned from Kenneth van Surksum (my MVP colleague) that, in his experience, tattooed settings can’t be confirmed from the removal of the registry entries. So, as per him, some settings can still be tattooed even though the related entries are removed from the registry.

Updated on 3rd Dec – I learned from Jason Sandys (Microsoft Senior Program Manager, former Microsoft MVP (12 years)) that checking whether a CSP policy is tattooed using the registry is not a valid method. As per him, the best bet is to use the WMI bridge to check the actual settings and determine whether or not they are tattooed.
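The WMI bridge check mentioned in the update above, as an added example (not code from the original post or from Jason Sandys). It reads the effective value of a policy from the MDM Bridge WMI provider in the root\cimv2\mdm\dmmap namespace rather than from the registry. Assumptions: the script runs as SYSTEM (the bridge provider only answers a SYSTEM caller; a Sysinternals PsExec session such as `psexec -s -i powershell.exe` is one way to get one), result classes follow the documented MDM_Policy_Result01_<Area>NN naming so the numeric suffix is found by wildcard, and only device-scope results are visible from SYSTEM; the parameter names are this example’s own. The defaults use the post’s Update area and two of its deadline settings.

```powershell
# Added example (not from the original post): read the value a CSP is actually enforcing through
# the MDM Bridge WMI provider (root\cimv2\mdm\dmmap) instead of inspecting PolicyManager registry
# keys. Compare the output before and after removing the Intune assignment: a value that stays at
# the assigned setting after removal and a sync is the tattooing the post is looking for.
# Assumptions: running as SYSTEM; device-scope results only (user-scope policies need the user's
# context); class names follow MDM_Policy_Result01_<Area>NN, found here by wildcard.

param(
    [string]   $Area    = 'Update',                                   # CSP area from the 819 event, e.g. Update, Storage
    [string[]] $Setting = @('ConfigureDeadlineForFeatureUpdates',     # setting names = node names under the area
                            'ConfigureDeadlineForQualityUpdates')
)

$namespace = 'root\cimv2\mdm\dmmap'

# Result01 classes report what the CSP currently enforces; Config01 classes hold what MDM last wrote.
$resultClasses = @(Get-CimClass -Namespace $namespace -ClassName "MDM_Policy_Result01_${Area}*" -ErrorAction SilentlyContinue)
if ($resultClasses.Count -eq 0) {
    throw "No MDM_Policy_Result01 class for area '$Area' in $namespace (wrong area name, or not running as SYSTEM?)"
}

$report = foreach ($class in $resultClasses) {
    $instances = Get-CimInstance -Namespace $namespace -ClassName $class.CimClassName -ErrorAction SilentlyContinue
    foreach ($inst in $instances) {
        foreach ($name in $Setting) {
            $prop = $inst.PSObject.Properties[$name]
            if ($null -eq $prop) { continue }     # this class does not carry that setting
            [pscustomobject]@{
                Class   = $class.CimClassName
                Node    = $inst.ParentID          # OMA-DM parent node the instance maps to
                Setting = $name
                Value   = $prop.Value             # effective value now; record it before and after removal
            }
        }
    }
}

if ($report) {
    $report | Format-Table -AutoSize
} else {
    "None of $($Setting -join ', ') found in the $Area result classes under $namespace"
}
```

For an ADMX-backed setting such as the post’s NoControlPanel, pass `-Area ADMX_ControlPanel -Setting NoControlPanel`; the class lookup is the same, only the area prefix changes. Keep the before and after output side by side: the registry entry disappearing (the check used earlier in the post) and the bridge still reporting the enforced value would be the tattooed case the two updates warn about.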

Author

Anoop is a Microsoft MVP! He is a Solution Architect on enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about technologies like ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
