The Device With The Dragon Tattoo

Again a new day and it’s time for a new blog. This blog will be about some old-fashioned tattooing problems you could experience when deploying Microsoft Device Configuration Profiles.

I will divide this blog into multiple parts:

  1. The issue itself
  2. Solving the Issue
  3. Some Important notes

1. The Issue itself

A new day, a new problem, and again a customer called us. On some of their devices, the keyboard layout kept switching from NL-VS to NL-NL. Of course, this is really irritating.

In a normal situation, your users can remove the second keyboard layout from the language settings menu, but this time the option was greyed out.

No problem, we thought: we could log in with a local admin account and remove the keyboard layout. But this setting was also greyed out. We quickly realized that only “older enrolled” devices were having this issue. On new devices, the problem did not occur. Let’s start some nice troubleshooting.

We tried to focus on the problem itself first. When you cannot remove the additional keyboard from the settings menu, use PowerShell.

For now, this worked and the additional keyboard was removed but what should we do with the other devices?

Blocking or allowing this setting can be changed by configuring these settings.

But these settings were not configured (anymore?). To be sure, we opened the registry on the device and browsed to the “Policymanager\current\device\settings” key.

As shown above… the settings were configured to 0 (disabled). It looks like the tattooing issue, but to my understanding, this was resolved some time ago.

2. Solving the Tattoo issue

But I guess that does not hold for every setting, because changing the PageVisibility does not result in a tattooed setting.

First, we manually changed the registry key to 1 instead of 0.

After changing it manually, we could change the keyboard layout without any problem. We now know that when these settings are changed to Not configured in Intune, the change is not applied to the devices, so we created an additional CSP to enable it.

After some traditional waiting with some coffee, the policy was applied to the older devices.

3. Some Important Notes

Note 1:

It is good to know that when you remove or delete an old policy, you will need to monitor the event log on the devices. If the device does not show you the nice event log entry 819, you have yourself a tattooing issue!

This event log entry will show you: MDM Policymanager: Delete Policy

Even if it looks like settings are not configured, they could still have been applied in the past. When you want to change a setting to Not configured, it’s better to create a new profile with these settings instead, and to make sure you change the setting to Enabled before you delete the old one.
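
The two checks from this post (the registry values that are still 0 and the missing event 819) can be combined into one audit script. This is an added example, not part of the original troubleshooting; the HKLM\SOFTWARE\Microsoft prefix of the registry path, the event log channel name and the function names are assumptions that the post itself does not spell out.

```powershell
# Added example: audit one device for Settings policies that may be tattooed.
# Assumptions: the full hive path and the MDM diagnostics channel name below.
# Run from an elevated PowerShell session.
$settingsKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Settings'
$mdmLog      = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-BlockedSettingsPolicy {
    # Returns every DWORD value under the Settings key that is set to 0 (disabled).
    param([string]$Path = $settingsKey)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValueKind($name) -ne 'DWord') { continue }
        $value = $key.GetValue($name)
        if ($value -eq 0) {
            [pscustomobject]@{ Policy = $name; Value = $value }
        }
    }
}

function Get-PolicyDeleteEvent {
    # Returns "MDM PolicyManager: Delete Policy" events (ID 819) from the last $Days days.
    # Older events may already have rolled out of the log.
    param([int]$Days = 30)
    $filter = @{ LogName = $mdmLog; Id = 819; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Cross-reference: a value that is still 0 with no matching delete event is a suspect.
$deleted = @(Get-PolicyDeleteEvent -Days 30)
Get-BlockedSettingsPolicy | ForEach-Object {
    $name = $_.Policy
    # Assumption: the event message contains the policy name.
    $hit = $deleted | Where-Object { $_.Message -like "*$name*" } | Select-Object -First 1
    [pscustomobject]@{
        Policy      = $name
        Value       = $_.Value
        DeleteEvent = if ($hit) { $hit.TimeCreated } else { $null }
        Suspect     = -not $hit
    }
} | Format-Table -AutoSize
```

A row marked as suspect only means the value is 0 and no delete event was found in the window; compare it with the profiles currently assigned to the device in Intune before treating it as tattooed.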

So with the next question, I will finish my blog: To tattoo or not to tattoo, that is the question!
