Unenroll Windows Modern Devices Using a SOTI MobiControl Script

Publish Date: 27-Mar-2025 Last Modified Date: 27-Aug-2025 SOTI MobiControl

Summary

This article documents the process for unenrolling single or multiple Windows Modern devices by sending a PowerShell script from SOTI MobiControl. This method will remove the SOTI MobiControl agent from the device as well.

Related SOTI ONE Platform Products

SOTI MobiControl

Related Device OS

Windows Modern

Situation

Customers may need to unenroll multiple Windows Modern devices for various reasons. Typically, the manual approach involves navigating to Access work or school, selecting the connection labeled Connected to MobiControl MDM, and then choosing Disconnect. This method is manageable for a few devices but becomes cumbersome when dealing with a larger number.

This method can also be used when a device is stuck during unenrollment or when enrollment-related data remains on the device.

Environment

Client: Windows Modern

Server: Any SOTI MobiControl version that supports Windows Modern.

OS: The script has been tested on Windows 10 22H2.

Process Description

Note:

  • Ensure the script is run on the correct devices.
  • After unenrollment, devices must be re-enrolled following the standard process.
  • Adjust the script as needed based on the OS version and PowerShell installation location.
  1. Check the provisioning package name used to enroll the Windows Modern device by doing the following:
    1. Open the Settings app on the Windows Modern device.
    2. Navigate to Accounts > Access work or school.
    3. Under Access work or school, look for Add or remove Provisioning package.
    4. Under Packages, find the SOTI MobiControl enrollment package and note the name. You will need to locate and change the name in the PowerShell script created in the next step.
  2. Prepare the Script:
    Create a PowerShell script file with a .ps1 extension containing the unenrollment commands shown below. Open the script and, on the line marked UPDATE HERE (near the middle of the script), replace the package-name pattern with the name of your SOTI MobiControl enrollment package noted in step 1. Save the script as Unenroll.ps1.

    ###############################################################
    # Script Name: Unenroll.ps1
    # Description: This script is used to unenroll Windows Modern devices from MobiControl.
    #              It removes associated provisioning packages, registry entries, and scheduled tasks.
    #              It includes error handling and logging to track execution progress and failures.
    #
    # Requirements: PowerShell 5.1 or later
    ###############################################################
    
    # Define log file location (same directory as the script)
    $scriptDirectory = Split-Path -Parent $MyInvocation.MyCommand.Path
    $logFile = Join-Path -Path $scriptDirectory -ChildPath "Unenroll_Log.txt"
    
    # Function to write logs
    function Write-Log {
        param (
            [string]$Message
        )
        $timeStamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
        "$timeStamp - $Message" | Out-File -FilePath $logFile -Append
    }
    
    Write-Log "Script execution started."
    
    try {
        # Extend system PATH to ensure PowerShell is accessible
        $env:Path += ";C:\Windows\System32"
        Write-Log "System PATH extended."
        
        # Configure registry keys to allow for provisioning package management
        Write-Log "Setting registry keys for provisioning package management."
        REG ADD HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Security /t REG_DWORD /v AllowRemoveProvisioningPackage /d 1 /f
        REG ADD HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Security /t REG_DWORD /v AllowAddProvisioningPackage /d 1 /f
        REG ADD HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Experience /t REG_DWORD /v AllowManualMDMUnenrollment /d 1 /f
        REG ADD HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Security /t REG_DWORD /v RequireProvisioningPackageSignature /d 0 /f
        
        # Uninstall only the MobiControl provisioning package (not all packages)
        Write-Log "Retrieving installed provisioning packages."
        $Packages = Get-ProvisioningPackage -AllInstalledPackages
        
        foreach ($Package in $Packages) {
            # <<<<<<<<<< UPDATE HERE >>>>>>>>>> Adjust the pattern to match the package name noted in step 1
            if ($Package.PackageName -like "*MobiControl*") {
                Uninstall-ProvisioningPackage -PackageID $Package.PackageID
                Write-Log "Uninstalled provisioning package: $($Package.PackageID)"
            }
        }
        
        Start-Sleep -Seconds 10
        
        # Define registry keys related to the enrollment process for cleanup
        Write-Log "Cleaning registry keys related to enrollment."
        $RegistryKeys = @(
            "HKLM:\SOFTWARE\Microsoft\Enrollments",
            "HKLM:\SOFTWARE\Microsoft\Enrollments\Status",
            "HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked",
            "HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled",
            "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers",
            "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts",
            "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger",
            "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions"
        )
        
        # Obtain enrollment GUID(s) from Task Scheduler. A device that was enrolled more
        # than once, or whose earlier unenrollment was incomplete, can have several
        # EnterpriseMgmt task folders, so every GUID found is processed.
        Write-Log "Retrieving enrollment GUID."
        $EnrollmentGUIDs = @(Get-ScheduledTask |
            Where-Object {$_.TaskPath -like "*Microsoft*Windows*EnterpriseMgmt*"} |
            Select-Object -ExpandProperty TaskPath -Unique |
            Where-Object {$_ -like "*-*-*"} | Split-Path -Leaf)
        
        if ($EnrollmentGUIDs.Count -gt 0) {
            foreach ($EnrollmentGUID in $EnrollmentGUIDs) {
                Write-Log "Enrollment GUID found: $EnrollmentGUID"
                # Escape the GUID so it is matched literally by -match (a regex operator)
                $Pattern = [regex]::Escape($EnrollmentGUID)
                
                # Remove related scheduled tasks
                Get-ScheduledTask | Where-Object {$_.TaskPath -match $Pattern} | Unregister-ScheduledTask -Confirm:$false
                Write-Log "Removed scheduled tasks related to enrollment $EnrollmentGUID."
                
                # Remove registry entries related to enrollment
                foreach ($Key in $RegistryKeys) {
                    if (Test-Path -Path $Key) {
                        Get-ChildItem -Path $Key | Where-Object {$_.Name -match $Pattern} | Remove-Item -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
                        Write-Log "Removed enrollment entries under registry key: $Key"
                    }
                }
            }
        } else {
            Write-Log "No enrollment GUID found."
        }
        
        Start-Sleep -Seconds 20
        
        # Delete script file after execution
        $scriptPath = $MyInvocation.MyCommand.Path
        if (Test-Path $scriptPath) {
            Remove-Item $scriptPath -Force
            Write-Log "Script deleted: $scriptPath"
        }
        
        Write-Log "Script execution completed successfully."
    } catch {
        Write-Log "Error encountered: $_"
    }
    
  3. File Synchronization:
    Use SOTI MobiControl to send the PowerShell script file to the device. The recommended destination for synchronization is:
    c:\Users\Public\Documents\
    This location is present on all Microsoft Windows machines.

  4. Execute the Script:
    Once the script is in place, send the following command from SOTI MobiControl using PowerShell Native to execute the script:

    c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy Bypass "c:\Users\Public\Documents\Unenroll.ps1" -exit

    This command launches the PowerShell executable, bypassing execution policy restrictions, and runs the unenrollment script found in the specified location.

  5. Self-Deletion of Script:
    After successfully unenrolling the device, the script is designed to delete itself, ensuring no residual files remain, and to create a log file in the same location as the PowerShell script.
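    Before sending Unenroll.ps1 to a fleet, it is worth confirming on one device that the package-name pattern placed on the UPDATE HERE line matches exactly the SOTI MobiControl package and nothing else, and that the device actually carries an enrollment the script will clean up. The following read-only pre-flight script is an added example and is not part of this article or of SOTI's script. It uses the same cmdlets and comparisons as Unenroll.ps1 so the preview is faithful; it assumes PowerShell 5.1 or later run elevated on the device, and the default value of $PackagePattern ("*MobiControl*") is only an assumption that should be replaced with the pattern you intend to use.

```powershell
###############################################################
# Preflight-Unenroll.ps1 (added example, not part of the SOTI article)
# Read-only check to run before sending Unenroll.ps1: shows which installed
# provisioning packages the chosen name pattern would match and which
# enrollment GUIDs the unenroll script would act on. Makes no changes.
#
# Assumptions: PowerShell 5.1+, run elevated on the Windows Modern device;
# $PackagePattern is the same wildcard you put on the UPDATE HERE line.
###############################################################
param (
    [string]$PackagePattern = "*MobiControl*"   # assumed default; use your package name
)

function Get-PackageMatches {
    param ([string]$Pattern)
    # Same cmdlet and -like comparison Unenroll.ps1 uses, so the preview is faithful
    $all = @(Get-ProvisioningPackage -AllInstalledPackages)
    [PSCustomObject]@{
        Installed = $all
        Matched   = @($all | Where-Object { $_.PackageName -like $Pattern })
    }
}

function Get-EnrollmentGuids {
    # Enrollment GUIDs appear as folder names under \Microsoft\Windows\EnterpriseMgmt\
    @(Get-ScheduledTask |
        Where-Object { $_.TaskPath -like "*Microsoft*Windows*EnterpriseMgmt*" } |
        Select-Object -ExpandProperty TaskPath -Unique |
        Where-Object { $_ -like "*-*-*" } | Split-Path -Leaf)
}

$result = Get-PackageMatches -Pattern $PackagePattern
Write-Host "Installed provisioning packages:"
$result.Installed | Format-Table PackageName, PackageId -AutoSize

Write-Host "Packages that '$PackagePattern' would uninstall:"
switch ($result.Matched.Count) {
    0       { Write-Warning "No package matches; Unenroll.ps1 would remove nothing. Check the name under Settings > Accounts > Access work or school." }
    1       { $result.Matched | Format-Table PackageName, PackageId -AutoSize }
    default {
        Write-Warning "$($result.Matched.Count) packages match; narrow the pattern so only the SOTI MobiControl package is removed."
        $result.Matched | Format-Table PackageName, PackageId -AutoSize
    }
}

$guids = Get-EnrollmentGuids
if ($guids.Count -eq 0) {
    Write-Warning "No EnterpriseMgmt enrollment GUID found; the registry and task cleanup step would be skipped."
} else {
    Write-Host "Enrollment GUID(s) the script would clean up: $($guids -join ', ')"
    # Report whether a matching Enrollments registry key exists for each GUID
    foreach ($g in $guids) {
        $present = Test-Path "HKLM:\SOFTWARE\Microsoft\Enrollments\$g"
        Write-Host "  $g  Enrollments key present: $present"
    }
}
```

    Run it as `powershell.exe -ExecutionPolicy Bypass -File Preflight-Unenroll.ps1 -PackagePattern "*YourPackageName*"`. A result of exactly one matched package and at least one enrollment GUID is what you want to see before the unenroll script is synchronized.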

Note: It is recommended to disable the file sync rule created for this activity once unenrollment is complete.

Verification and Validation

  • A device that shows as disconnected in the SOTI MobiControl console is the first indication that it has been unenrolled.
  • Ensure that the device has successfully disconnected from the SOTI MobiControl MDM by checking the status in Access work or school.
  • Confirm that the PowerShell script ran without errors. The script writes a log file (Unenroll_Log.txt) to the folder where the .ps1 was stored on the device; open it to see which steps completed and any error the script caught.
  • Verify that the script file is no longer present in the designated path (c:\Users\Public\Documents\), indicating successful self-deletion.
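  The four checks above can be scripted so the result is reported from the device rather than read off the console. The following verification script is an added example, not part of this article or of SOTI's script. It also reports the four PolicyManager values that Unenroll.ps1 writes with REG ADD (AllowRemoveProvisioningPackage, AllowAddProvisioningPackage, RequireProvisioningPackageSignature set to 0, and AllowManualMDMUnenrollment set to 1) and never reverts; whether they are re-applied depends on the policies pushed at re-enrollment, so the script simply shows their current values for review. It assumes PowerShell 5.1 or later run elevated and the article's recommended sync location; the log file name comes from the script itself.

```powershell
###############################################################
# Verify-Unenroll.ps1 (added example, not part of the SOTI article)
# Checks the verification points from this article on the device and reports
# the policy values that Unenroll.ps1 sets but does not revert. Read-only.
# Assumptions: PowerShell 5.1+, run elevated; default paths match the
# article's recommended sync location.
###############################################################
param (
    [string]$ScriptPath = "C:\Users\Public\Documents\Unenroll.ps1",
    [string]$LogPath    = "C:\Users\Public\Documents\Unenroll_Log.txt"
)

function Test-UnenrollState {
    param ([string]$ScriptPath, [string]$LogPath)

    # 1. No EnterpriseMgmt task folder named after an enrollment GUID remains
    $tasks = @(Get-ScheduledTask | Where-Object {
        $_.TaskPath -like "*Microsoft*Windows*EnterpriseMgmt*" -and $_.TaskPath -like "*-*-*" })

    # 2. No GUID-named subkeys remain under Enrollments (non-GUID subkeys such as Status are normal)
    $enrollKeys = @()
    if (Test-Path "HKLM:\SOFTWARE\Microsoft\Enrollments") {
        $enrollKeys = @(Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Enrollments" |
            Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$' })
    }

    # 3. Script self-deleted; 4. log reports completion and no caught error
    $logText   = if (Test-Path $LogPath) { Get-Content $LogPath -Raw } else { "" }
    $completed = $logText -match "Script execution completed successfully"
    $errors    = @([regex]::Matches($logText, "Error encountered: .*") | ForEach-Object { $_.Value })

    [PSCustomObject]@{
        RemainingEnrollmentTasks = $tasks.Count
        RemainingEnrollmentKeys  = $enrollKeys.Count
        ScriptDeleted            = -not (Test-Path $ScriptPath)
        LogFound                 = (Test-Path $LogPath)
        LogReportsCompletion     = $completed
        LogErrors                = $errors
        Unenrolled               = ($tasks.Count -eq 0 -and $enrollKeys.Count -eq 0 -and
                                    $completed -and $errors.Count -eq 0)
    }
}

function Get-PolicyValuesSetByScript {
    # The values Unenroll.ps1 writes with REG ADD and leaves in place afterwards
    $base = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device"
    foreach ($entry in @(
        @{ Key = "$base\Security";   Name = "AllowRemoveProvisioningPackage" },
        @{ Key = "$base\Security";   Name = "AllowAddProvisioningPackage" },
        @{ Key = "$base\Security";   Name = "RequireProvisioningPackageSignature" },
        @{ Key = "$base\Experience"; Name = "AllowManualMDMUnenrollment" })) {
        $value = if (Test-Path $entry.Key) {
            (Get-ItemProperty -Path $entry.Key -Name $entry.Name -ErrorAction SilentlyContinue).($entry.Name)
        }
        [PSCustomObject]@{ Path = $entry.Key; Name = $entry.Name; Value = $value }
    }
}

$state = Test-UnenrollState -ScriptPath $ScriptPath -LogPath $LogPath
$state | Format-List
Write-Host "Policy values left behind by Unenroll.ps1 (compare against your baseline):"
Get-PolicyValuesSetByScript | Format-Table -AutoSize
# Non-zero exit code when any check fails, so the result can be surfaced by the tool that ran it
exit ([int](-not $state.Unenrolled))
```

  Unenrolled is true only when no enrollment tasks or GUID keys remain, the log records successful completion, and no "Error encountered" line was written; the exit code mirrors that value so the check can be run unattended.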

This process streamlines the unenrollment of multiple devices, saving time and reducing the potential for errors when compared to manual methods.
