Allow Undocking without Logging on Security Setting Explained using Intune Policy! This policy setting determines whether a user can physically remove a laptop from its docking station without signing in to Windows.
A docking station is a device that connects a laptop to peripherals such as a monitor, keyboard, mouse, or power supply, making it function like a desktop. This policy helps IT administrators control how users interact with their docked laptops before login.
If you enable this policy, the laptop can be undocked even when no user is logged in. This means anyone can press the external hardware eject button to remove the laptop without entering credentials.
Enabling this policy is helpful in many scenarios. One example is conference rooms with docking stations. Users can quickly connect their laptops for presentations, and when the meeting ends, they can undock immediately without logging in. This allows the next person to connect their device easily, improving efficiency and minimizing delays between meetings.
Disabling this policy helps IT administrators by adding a layer of physical security to company devices. Only users with a valid logon and the proper “Remove computer from docking station” privilege can undock a laptop. This reduces the risk of unauthorized removal or theft.
- Sign in to the Intune Admin Center portal https://intune.microsoft.com/.
- Select Devices > Windows > Configuration profiles > Create a profile.
Platform | Profile Type |
---|---|
Windows 10 and later | Settings Catalog |

Basics Settings Allow Undock Without Having to Log On in Intune
The Basics tab provides the key details of the policy for easy identification and understanding. It includes: Name, Description, and Policy Platform. This tab helps administrators quickly review the purpose and scope of the policy before deploying it in Intune.
- Name: Devices Allow Undock Without Having To Logon – the official name of the policy.
- Description: Allow Undocking without Logging on Security Setting Explained using Intune – a brief explanation of what the policy controls.
- Policy Platform: Windows – indicates that this policy applies to Windows devices.

Configuration Settings using the + Add Settings Option in Intune
Disabling the policy in offices, labs, or shared workspaces ensures that laptops remain physically secure, making it easier for IT to track devices, prevent tampering, and enforce compliance policies. Select the + Add settings hyperlink on the Configuration settings tab.

In Intune, Local Policies Security Options refers to the set of security-related settings on Windows devices that are normally found in the local Group Policy under Local Policies > Security Options, but are managed remotely through Intune.
- Search for the keyword Local Policies security options
- Select the Local Policies security options category
- Select the sub-category setting Devices Allow Undock Without Having To Logon

Default Configuration for the Devices Allow Undock Without Having To Logon Policy is Set to Allow
By default, users can physically undock their laptops from a docking station without signing in to Windows. This setting is designed for convenience in environments where laptops are frequently moved or shared. The screenshot below shows more details.

Devices Allow Undock Without Having To Logon – Block
When this policy is set to Block, a laptop cannot be undocked from its docking station unless a user is logged in and has the required “Remove computer from docking station” privilege.
Policy Name | Action |
---|---|
Devices Allow Undock Without Having To Logon | Block |

Scope Tag Settings
Scope tags do not affect policy functionality on devices; they only control who can access or manage them in Intune. Here, I will use the default scope tag for this policy. Select the Next button to proceed.

Assigning Groups – Adding Device Groups in Intune
To assign the policy, click the Add groups option under Included groups. Here, you can select the device groups that should receive the policy. In this example, two device groups are chosen, as shown in the screenshot.

Review + Create Tab – Ensuring Accuracy and Compliance in Intune
The Review + Create tab in Intune provides administrators a final overview of all settings, assignments, and configurations before deploying a policy. Administrators can verify that all settings are correctly configured, reducing the risk of misconfigurations that could impact devices or users.

Policy Created Notification
The policy “Devices Allow Undock Without Having To Logon” has been created successfully. This is the policy notification that appears after clicking the Review + Create button. The notification is shown in the top right corner of the Intune portal.

Device and User Check-in Status
The policy “Devices Allow Undock Without Having To Logon” has been successfully checked on devices and users. Out of the total, 2 devices have successfully applied the policy. There are no errors, conflicts, or pending updates. This confirms that the policy is active and functioning as intended.

Client Side Verification
The Intune MDM PolicyManager log entry shows that the “Devices_AllowUndockWithoutHavingToLogon” policy under Local Policies Security Options was configured. This policy determines whether a portable computer can be undocked from its docking station without requiring a user to log on.
MDM PolicyManager: Set policy int, Policy: (Devices_AllowUndockWithoutHavingToLogon), Area: (LocalPoliciesSecurityOptions), EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User: (Device), Int: (0x0), Enrollment Type: (0x6), Scope: (0x0).
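The check described above can be scripted on the client. The following is an added example, not part of the original article: it reads the value the MDM PolicyManager stored, the effective security option, and the newest matching log entry, then reports whether the device matches the Block setting (Int 0x0 in the log entry above). The two registry locations and the event log channel name do not appear on this page and are assumptions to confirm on a test device.

```powershell
# Added example (not from the original article). Run elevated on an enrolled client.
# Policy CSP values: 1 = Allow (default), 0 = Block.
$policy   = 'Devices_AllowUndockWithoutHavingToLogon'
$expected = 0

# Helper: return a registry value, or $null when the key or value is absent.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# 1. Value held by the MDM PolicyManager (assumed location, see lead-in).
$mdm = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\LocalPoliciesSecurityOptions' $policy

# 2. Effective security option the policy maps to (assumed location, see lead-in).
$effective = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'UndockWithoutLogon'

# 3. Newest PolicyManager entry for this policy in the MDM admin event log.
$log   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$entry = Get-WinEvent -LogName $log -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*Policy: ($policy)*" } |
    Select-Object -First 1

# Pull the hex value out of "Int: (0x0)" in the message text.
$logged = $null
if ($entry -and $entry.Message -match 'Int: \((0x[0-9A-Fa-f]+)\)') {
    $logged = [Convert]::ToInt32($Matches[1], 16)
}

[pscustomobject]@{
    Policy         = $policy
    MdmValue       = $mdm
    EffectiveValue = $effective
    LoggedValue    = $logged
    LoggedAt       = if ($entry) { $entry.TimeCreated } else { $null }
    # A missing value means "not configured", so the Allow default still applies.
    Compliant      = ($mdm -eq $expected) -and ($effective -eq $expected)
}
```

A device that reports Compliant as False with empty values has not received the policy yet; trigger a sync and run the check again before investigating further.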

Devices_AllowUndockWithoutHavingToLogon – Windows CSP Details
This policy applies only at the device level. It is supported across multiple Windows editions, including Pro, Enterprise, Education, and IoT Enterprise (including LTSC). The setting is applicable for Windows 10, version 1709 (build 10.0.16299) and later.
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon

Removing the Assigned Group from the Policy
When IT admins remove the assigned group from the Intune policy Devices Allow Undock Without Having To Logon, it effectively stops the policy from applying to those targeted devices. Removing old assignments ensures that only relevant devices remain targeted.

How to Delete the Policy
Deleting an unused or outdated policy like Devices Allow Undock Without Having To Logon helps IT admins maintain a clean and efficient Intune environment.

Author
Anoop C Nair has been a Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.