The Device With The Dragon Tattoo

Last Updated on May 3, 2022 by rudyooms

Again a new day and it’s time for a new blog. This blog will be about some old-fashioned tattooing problems you could experience when deploying Microsoft Device configuration Profiles.

I will divide this blog into multiple parts

  1. The issue itself
  2. Solving the Issue
  3. Some Important notes

1. The Issue itself

A new day a new problem and again a customer called us. On some of their devices, the keyboard layout was switching each time, from NL-VS to NL-NL. Of course, having the wrong keyboard layout could be really irritating.

In a normal situation, your users have the possibility to remove the second keyboard layout when opening the language settings menu but this time it was greyed out.

No problem we thought, we could log in with a local admin account and remove the keyboard layout, but this setting was also greyed out. We quickly realized, that only “older enrolled” devices were having this issue. On new devices, the problem did not occur. Let’s start some nice troubleshooting.

We tried to focus on the problem itself first. When you could not remove the additional keyboard, use Powershell.

For now, this worked and the additional keyboard was removed but what should we do with the other devices?

Blocking or allowing this setting can be changed by configuring these settings.

But these settings were not configured (anymore?) To be sure we opened the register on the device and opened the “HKLM\Software\Microsoft\Policymanager\current\device\settings” registry key

As shown above… the settings were configured to 0 (disabled). It looks like the tattooing issue, but to my understanding, most of the tattooing issues were resolved when Windows 10 build version 1903 was released.

Before build 1903, when an Intune policy was pushed down to the device it was tattooed to the device but with 1903 the Policy CSP refresh changed!. When the device syncs, the settings that were created by the Policy CSP are refreshed instead of tattooed.

Summary: When a policy is removed or when the assignment is removed it will normally also make sure the policy on the device is removed!

Troubleshoot device profiles in Microsoft Intune | Microsoft Docs

2. Solving the Tattoo issue

But I guess it does not count for every setting, because for example changing the PageVisibilty does not result in a tattooed setting.

First, we manually changed the registry key inside the policymanager\current\device\setting key to 1 instead of 0.

After changing it manually we could change the keyboard layout without any problem. We now know when these settings are changed to not configured in Intune it would not apply to the devices, so created an additional CSP to enable it.

After some traditional waiting with some coffee, the policy was applied to the older devices.

3. Some Important Notes

Note 1:

Good to know is that when you remove or delete an old policy you will need to monitor the event log on the devices. If the device isn’t going to show you the nice Event Log 819, you have yourself a tattooing issue!

This event log will show you: MDM Policymanager: Delete Policy

Note 2:

Another possibility would be to use the SyncML viewer to determine if the policy is tattooed or not! . As shown below, when removing the assignment of a Firewall policy(Firewall Rules), the Firewall Rules are deleted on the device!


Even if it looks like settings are not configured, they could still be applied in the past. When you choose to change a setting to not configured, it’s better to create a new profile instead with these settings and make sure you change the setting to Enabled before you delete the old one.

So with the next question, I will finish my blog: To tattoo or not to tattoo, that is the question!

Leave a Reply

Your email address will not be published. Required fields are marked *

3  +  1  =