Intune policy

Handian Sudianto 7,301 Reputation points
2026-06-26T01:55:20.02+00:00

When we remove a policy from Intune, will the configuration on the device be removed, or will it still be there?

For example, I create a policy to deploy a PKCS certificate and all devices will have this certificate. If I then remove the policy from Intune, will the certificate be removed?

  1. Marcin Policht 94,940 Reputation points MVP Volunteer Moderator
    2026-06-26T03:24:38.81+00:00

    When you remove or unassign a certificate profile policy from Microsoft Intune, the deployed PKCS certificate is automatically removed from the device.

    As per https://learn.microsoft.com/en-us/intune/device-configuration/certificates/remove-profiles

    Certificates that were provisioned by Intune are also removed when the profile that provisioned the certificate no longer targets the device or user.

    This behavior occurs because certificates maintain a direct lifecycle link with the management service. When a device synchronizes with Intune after you remove the assignment, Intune sends a direct cleanup command to the local device management client. The client then processes this command and deletes the associated certificate from the local user or computer certificate store. An exception to this rule applies to Imported PKCS certificates, which are only deleted if the device is completely unenrolled or wiped.

    Settings staying behind represent so-called "policy tattooing." For standard configuration policies (such as modifying registry keys, setting power options, or changing desktop wallpapers), removing the policy merely stops Intune from enforcing it, leaving the modified settings intact. However, certificate profiles do not tattoo the device. They are cleanly wiped from the system once the policy is no longer targeted to the user or device.

    This removal process does not happen instantly upon deleting the policy in the admin center. The certificate will remain on the device until the next successful device check-in and synchronization session. Depending on the operating system and platform, this removal typically finishes within a few minutes of a manual sync, or up to 8 hours during normal automatic background sync cycles.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
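
A device-side check for the behaviour described in the answer above, as an added example that is not part of the original thread: it looks in the local user and computer certificate stores on a Windows device for a certificate that should be gone after the profile was unassigned and the device synced. The issuer pattern is a constructed placeholder, the function name `Find-ProvisionedCertificate` is hypothetical, and the script assumes the certificate was installed in the Personal (`My`) store.

```powershell
# Added example: confirm that an Intune-provisioned certificate was removed
# from a Windows device after its certificate profile was unassigned.
# Assumption: the certificate was placed in the Personal ("My") store.
param(
    # Constructed placeholder; set this to the issuing CA your profile used.
    [string]$IssuerPattern = '*CN=Contoso Issuing CA*',
    # Optional: match one specific certificate instead of an issuer.
    [string]$Thumbprint
)

function Find-ProvisionedCertificate {
    param([string]$IssuerPattern, [string]$Thumbprint)

    # Normalise a pasted thumbprint (spaces removed, upper-case hex).
    $wanted = ($Thumbprint -replace '\s', '').ToUpper()

    # The answer mentions both the local user and the computer store.
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object {
                if ($wanted) { $_.Thumbprint -eq $wanted }
                else         { $_.Issuer -like $IssuerPattern }
            } |
            Select-Object @{ Name = 'Store'; Expression = { $store } },
                          Subject, Issuer, Thumbprint, NotAfter, HasPrivateKey
    }
}

$remaining = @(Find-ProvisionedCertificate -IssuerPattern $IssuerPattern -Thumbprint $Thumbprint)

if ($remaining.Count -eq 0) {
    Write-Output 'No matching certificate found in the user or computer Personal store.'
    exit 0
}

# Still present: either the device has not checked in since the assignment
# was removed, or the certificate came from an Imported PKCS profile, which
# the answer notes is only deleted on unenrollment or wipe.
$remaining | Format-Table -AutoSize
Write-Warning "$($remaining.Count) matching certificate(s) still present."
exit 1
```

Run it once before removing the assignment to confirm the filter matches the certificate, then again after a sync; an exit code of 1 after the sync window has passed means a certificate is still on the device.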
