Again, it’s a new day and time for a new blog. This blog will discuss some old-fashioned tattooing issues and problems you could experience when deploying Microsoft Device Configuration Profiles or a CSP.
1. The Issue itself
A new day, a new problem, and again, a customer called us. On some of their devices, the keyboard layout switched each time from NL-VS to NL-NL. Of course, having the wrong keyboard layout could be really irritating.
In a normal situation, your users can remove the second keyboard layout when opening the language settings menu, but this time, it was greyed out.
We thought it was no problem. We could log in with a local admin account and remove the keyboard layout, but this setting was also greyed out. We quickly realized that only “older enrolled” devices were having this issue. The problem did not occur on new devices. Let’s start some nice troubleshooting.
We tried to focus on the problem itself first. When you cannot remove the additional keyboard, use PowerShell.
For now, this worked, and the additional keyboard was removed, but what should we do with the other devices?
Blocking or allowing this setting can be changed by configuring these settings.
But these settings were not configured (anymore?). To be sure, we opened the registry on the device and browsed to the “HKLM\Software\Microsoft\Policymanager\current\device\settings” registry key.
As shown above… the settings were configured to 0 (disabled). It looks like the tattooing issue, but to my understanding, most of the tattooing issues were resolved when Windows 10 build version 1903 was released.
Before build 1903, when an Intune policy was pushed down to the device, it was tattooed to the device, but with 1903 the Policy CSP refresh changed! When the device syncs, the settings created by the Policy CSP are refreshed instead of tattooed.
Summary: When a policy or assignment is removed, it will normally also remove the policy on the device!
Troubleshoot device profiles in Microsoft Intune | Microsoft Docs
2. Solving the Tattoo issue
But I guess it does not apply to every setting because, for example, changing the PageVisibility does not result in a tattooed setting.
First, we manually changed the registry value inside the policymanager\current\device\settings key to 1 instead of 0.
After changing it manually, we could change the keyboard layout without any problem. We now know that when these settings are changed to not configured in Intune, they do not apply to the devices, so we created an additional CSP to enable it.
After some traditional waiting with some coffee, the policy was applied to the older devices.
3. Some Important Tattooing Notes
Note 1:
It’s good to know that when you remove or delete an old policy, you will need to monitor the event log on the devices. If the device doesn’t show you the nice Event Log 819, you have yourself a tattooing issue!
This event log will show you: MDM Policymanager: Delete Policy
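The two checks described so far (values left at 0 under the PolicyManager settings key, and the presence of event 819) can be combined into one read-only audit. This is an added example, not code from the original post. The event log channel name, the look-back window, the function names, and the assumption that the event message contains the policy name are not taken from the post.

```powershell
# Added example: read-only audit. Run in an elevated PowerShell session on the device.
$settingsKey  = 'HKLM:\Software\Microsoft\Policymanager\current\device\settings'  # key from the post
$mdmLog       = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'  # assumption
$lookbackDays = 14  # assumption: window in which the old profile was unassigned

function Get-DisabledSettingsValue {
    # Return every DWORD under the key whose data is 0 (disabled).
    param([string]$Path = $settingsKey)
    if (-not (Test-Path -Path $Path)) { return }
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValueKind($name) -eq 'DWord' -and $key.GetValue($name) -eq 0) {
            [pscustomobject]@{ Name = $name; Value = 0 }
        }
    }
}

function Get-PolicyDeleteEvent {
    # Event 819 ("MDM PolicyManager: Delete Policy") within the look-back window.
    param([int]$Days = $lookbackDays)
    $filter = @{ LogName = $mdmLog; Id = 819; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

$deletes = @(Get-PolicyDeleteEvent)
Get-DisabledSettingsValue | ForEach-Object {
    $pattern = [regex]::Escape($_.Name)
    # Heuristic (assumption): the event message mentions the policy name.
    $seen = @($deletes | Where-Object { $_.Message -match $pattern }).Count -gt 0
    [pscustomobject]@{
        Name            = $_.Name
        Value           = $_.Value
        DeleteEventSeen = $seen
        # Only meaningful if the setting is no longer assigned in Intune.
        TattooCandidate = -not $seen
    }
} | Format-Table -AutoSize
```

A row with TattooCandidate set to True is only a lead: confirm in Intune that no profile still assigns that setting before treating it as tattooed.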
Note 2:
Another possibility would be to use the SyncML viewer to determine if the policy is tattooed or not! As shown below, when removing the assignment of a Firewall policy (Firewall Rules), the Firewall Rules are deleted on the device!
4. A possible Solution
With the arrival of the highly anticipated Intune feature known as Config Refresh, we’re on the brink of eliminating the long-standing challenges associated with configuration tattooing and other related issues. This groundbreaking feature is set to revolutionize device management by automatically removing all previously applied policies from a device, ensuring a clean slate. Once these policies are deleted, Config Refresh will seamlessly reapply the necessary configurations, leaving no remnants of outdated or conflicting settings behind. This innovation promises to streamline device management and enhance the reliability of policy enforcement across your organization.
https://call4cloud.nl/2024/02/config-refresh
Conclusion:
Even if it looks like settings are not configured, they could still have been applied in the past. When you choose to change a setting to not configured, it’s better to create a new profile with these settings instead, and make sure you change the setting to Enabled before you delete the old one.
So with the next question, I will finish my blog: To tattoo or not to tattoo, that is the question!