With Intune and OMA-URI settings, you can prevent Windows 10 devices from being manually unenrolled from Intune.
Here is how to do it.
Navigate to Microsoft Intune via Portal.azure.com and click on Intune.
Select Device Configuration – Profiles and click on Create profile.
Enter the necessary information like name and/or description.
Platform: Windows 10 and later
Profile type: Custom
Click on Settings – Configure to configure the OMA-URI details.
Enter the following details:
OMA-URI: ./Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment
Data type: Integer
Value: 0 (0 = disallow manual unenrollment / 1 = allow manual unenrollment)
Click on OK and Create to save your changes. The rule should now be available in the profiles list.
Make sure to assign the profile to a user or computer group.
On your Windows 10 device, you can check whether the policy has been applied. Check the following registry key:
HKLM\Software\Microsoft\PolicyManager\Current\Device\Experience – AllowManualMDMUnenrollment.
The value should be 0.
As you can see in the screenshot, the configuration has been applied successfully.
Now I will try to unenroll my device from MDM. (This is not the same as unenrolling from Azure AD; that will still work.)
On the Windows 10 device, navigate to Settings – Accounts – Access work or school.
Select the MDM account and click on Disconnect.
You will see the following message: This work or school account cannot be removed by system policy.
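As an added example (not from the original post), the same custom profile can be created with PowerShell through Microsoft Graph instead of the portal, and the registry check above can be scripted on the device. It assumes the Microsoft.Graph PowerShell module and an account that can consent to DeviceManagementConfiguration.ReadWrite.All; the profile display name is a placeholder.

```powershell
# Added example: create the custom profile via Microsoft Graph (instead of the portal)
# and verify the resulting policy on an enrolled Windows 10 device.
function New-BlockManualUnenrollmentProfile {
    param([string]$DisplayName = 'Block manual MDM unenrollment')  # placeholder name, assumption

    # Graph permission needed to create device configuration profiles; prompts for sign-in.
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null

    # Custom Windows 10 profile with one integer OMA-URI setting; 0 = disallow manual unenrollment.
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = 'Sets Experience/AllowManualMDMUnenrollment to 0'
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = 'AllowManualMDMUnenrollment'
                omaUri        = './Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment'
                value         = 0
            }
        )
    }

    # Returns the created deviceConfiguration; its id is what you assign to a user or device group.
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
}

function Test-ManualUnenrollmentBlocked {
    # Reads the PolicyManager key from the post; a missing value means the policy never arrived.
    $key  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\Current\Device\Experience'
    $prop = Get-ItemProperty -Path $key -Name 'AllowManualMDMUnenrollment' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{ Applied = $false; Value = $null; Status = 'Policy not applied' }
    }
    $v = [int]$prop.AllowManualMDMUnenrollment
    [pscustomobject]@{
        Applied = $true
        Value   = $v
        Status  = if ($v -eq 0) { 'Manual unenrollment blocked' } else { 'Manual unenrollment allowed' }
    }
}

# Usage:
# New-BlockManualUnenrollmentProfile   # run from an admin workstation
# Test-ManualUnenrollmentBlocked       # run on the enrolled Windows 10 device
```

The verification function reports a value of 1 or a missing value as a finding, so it can be dropped into a compliance or troubleshooting script rather than checked by hand in regedit.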
You can do the same for Windows Phone 8.1. It requires you to create a profile for Windows Phone 8.1 and use the following OMA-URI setting:
./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment
An overview of the OMA-URI settings for Windows 10 can be found at the link below:
https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference