Uninstall the Microsoft Intune client

This blog post will be relatively short, but will address a common “issue” with the Microsoft Intune client and that’s the uninstall of the client. I know it’s been addressed already in a couple of blogs, but that seems to be all outdated information. Sometimes even an old batch file with all “hard-coded” MSI GUIDs is mentioned, well that’s definitely outdated by now. In my opinion there are only two real methods to uninstall the Microsoft Intune client. The first one is via the Microsoft Intune administration console and the second one is via the ProvisioningUtil.exe on the client machine. In this blog post I’ll go through both methods.

Method 1 – Microsoft Intune administration console

The first method is, by far, the easiest. This method will simply use the method that was designed to uninstall the client, and that’s using the Microsoft Intune administration console. It will simply create a scheduled task to uninstall the Microsoft Intune client and all the related components by using ProvisioningUtil.exe. This whole process can be followed in the Enrollment.log that is located in C:\Program Files\Microsoft\OnlineManagement\Logs. As anyone can imagine, this is many times better than a batch file with hard-coded MSI GUIDs, because those MSI GUIDs happen to change a lot. To trigger the uninstall of the Microsoft Intune client simply follow the next steps:

  • Retire_WipeLogon on to the Microsoft Intune administration console;
  • Navigate to Groups > All Computers and select the Devices tab;
    • Note: This can be any other Group that contains the device;
  • Retire_Wipe_DeviceSelect the device, click  Retire/Wipe and the Retire device: <device> dialog box will show;
  • Notice that Wipe the device before retiring is grayed out and click Yes;
  • Within a couple of minutes the uninstall process will be triggered on the client.

Method 2 – ProvisioningUtil.exe

The second method is a bit more difficult. This method requires one to manually run ProvisioningUtil.exe. The good readers might notice that this is the same executable, that’s being triggered, as via the retire/wipe action of the Microsoft Intune administration console. It also works the same and also creates the same scheduled task. In previous releases the uninstall command was as simple as ProvisioningUtil.exe /UninstallAgents /WindowsIntune, but this has changed with the latest releases. To be completely sure about this statement, simply navigate to C:\Program Files\Microsoft\OnlineManagement\Common and run ProvisioningUtil.exe /?. This will provide an overview about the following possible parameters:

  • image/UninstallClient – Used to uninstall the Microsoft Intune or AIS client from the machine;
  • /ServiceId – Used to specify a specific service id to scan against;
  • /TaskName – Used to specify the task to be deleted after a successful scan/download/install;
  • /SubEventId – Used to specify the sub event Id that needs to be reported for telemetry.

The funny thing, or maybe annoying for some, is that, even though the help information about ProvisioningUtil.exe indicates that not all parameters are required, all parameters are required. What makes it even better is that it doesn’t seem to use them all, but I wouldn’t be surprised to see that change in the near future. This means that it’s simply copying the example of ProvisioningUtil.exe /UninstallClient /ServiceId {GUID} /TaskName “tempTask” /SubEventId 16 and it’s almost good to go. The only piece of missing information is the GUID of the service. Locally on the client this information can be retrieved from at least one of the following places:

1 EnrollmentLogAfter the installation of the Microsoft Intune client the service ID can be found in the Enrollment.log, by searching on the sentence Initializing for service ID. This will show the GUID of the service.
2 RegistryAfter the installation of the Microsoft Intune client the service ID can be found in the OnlineManagement key that is located at HKLM\SOFTWARE\Microsoft\. This will show a key with the GUID of the service.

This completes the required information and in my case this creates a command line like this: Uninstall_CommandProvisioningUtil.exe /UninstallClient /ServiceId “{3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}” /TaskName “tempTask” /SubEventId 16. To follow the uninstallation of the Microsoft Intune client take a look again at the Enrollment.log. This will also show that it slightly changed the last two parameters of the provided command line.

Note: A manual uninstall of the Microsoft Intune client doesn’t remove the device from the Microsoft Intune administration console.

28 thoughts on “Uninstall the Microsoft Intune client

  1. Thank you – this worked for me. However, the syntax was slightly different for me:
    ProvisioningUtil.exe /UninstallClient /ServiceId {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} /TaskName “tempTask” /SubEventId 16

    For some reason it didn’t recognize the ServiceId when I had quotes around it. I saw the following error in the Enrollment.Log: “Unknown service id passed in” and kept trying slight variations until it worked.

  2. Thanks, this seems to be working well. We are having to do this for tablets that get left in a drawer for 3 months and then they seem to never connect to Intune again.

    Anyone got a clever idea on how to wrap this up in a powershell script that would find the GUID, uninstall the agent, then re-install the latest agent?

  3. Peter. What if I see 2 distinct service ID’s in the registry? One is actually the same as Zack listed in his comment ServiceId {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} listed in it’s own folder in the “OnlineManagement” folder. However, when I select that folder the AccountID lists a different ID all together. I’ve tried running the ProvisioningUtil.exe etc….with both the ID’s and the enrollment log shows “unknown service id passed in …for both ID’s. FYI, the client has not updated this particular device in over 2 years.

    Thanks for your help.

  4. Hi Jamie,

    Could it be that the agent is already that old that it still requires the old removal parameters? If I’m not mistaken that was something like: ProvisioningUtil.exe /UninstallAgents /WindowsIntune

    Regards,
    Peter

  5. Yes, yes! Now why didn’t I think of that?? It’s so much easier the old way! It’s removing the program as I type. Thank you!

  6. Hi Peter,
    Thanks very much for this info. A couple of questions:
    1. What are the implications of your comment – ‘A manual uninstall of the Microsoft Intune client doesn’t remove the device from the Microsoft Intune administration console’? What control could an admin have if the client is uninstalled?
    2. Could Intune client also be uninstalled using a System Restore to a restore point set prior to its installation?
    Thanks!

  7. Hi Nay,

    1. No implications. It will be an object in the console that will be inactive. The administrator has no control when the client is removed.
    2. I would say, yes.

    Peter

  8. Many thanks for your response Peter. Just to quickly follow up on my second question and make sure I understand – so I as an admin would be able to see in the console once one of the clients has been removed, correct? I’m just concerned that someone goes and removes their Intune client without me being able to know about it! Thanks again.

  9. When using Method 1, can I select more than just 1 device to remove the client? Or do I have to do that method 1 device at a time?

  10. Peter, good info. However, when I select Retire/Wipe for a PC. it forces me to choose Selective Wipe, which is not what we want. We want to simply remove the device from InTune management without deleting apps, data, etc. Does the manual method do this? (We’re moving to a full AD.)

  11. Actually, we have had all kinds of issues with MDM-enrolled devices that came over from Office365. Microsoft can’t get them removed from InTune, even when issuing a full wipe and delete. In this case, I’m trying to remove a PC that is showing as managed by InTune and Exchange ActiveSync, not MDM.

    FWIW, I have an open ticket with MS that, so far, doesn’t have a way to remove the device from InTune without wiping it. A little short-sighted of MS, IMO. Next step is to try a manual removal of the agent from the PC. I’m not holding my breath. :-/

  12. Hi Peter, we’re most-likely moving away from InTune. We’ve built a full on-prem AD in the cloud. I’m leaning toward another MDM system for managing phones and tablets. PCs and Macs will be managed with the AD using VPNs, though I didn’t want to have to go there, but I need full the GPO capability AD offers. InTune and MS EMS just doesn’t seem to be ready for prime time for a truly mobile workforce requiring high levels of security. To clean up the mess we’ll probably have to set up new devices, roll them out and transfer data, and bring back the InTune-enrolled devices to be wiped and redeployed. We’ve lost too much time, effort, and $$$ trying to make this work.

  13. I’m sorry to hear that Gordon. One of the most important items in adopting Intune for managing MDM is knowing what type of management you want to perform. Currently, if you want to have a GPO-type of management, you can’t use the MDM-type of management without scripting a lot. However, it’s good to mention that it’s not an Intune limitation, but simply the fact that the MDM channel of Windows 10 doesn’t support all the GPO stuff, yet.

  14. Yes, exactly. We learned as we were rolling out InTune that it does not support the granularity of security GPOs necessary for HITECH/HITRUST needs. In fact, it is extremely limited, and even adding scripting was cumbersome (some things we were never able to script). The biggest problem we are having now is that Microsoft has no way to reverse the enrollment issues with the database (cleanup) short of performing manual steps on the devices, which are often way beyond the normal end-user’s capability, and of course since the devices are all across the country, it becomes a major project to “fix” the issues and/or change the strategy. It’s particularly disconcerting when you open a support ticket with Microsoft and the tech sends you to third-party sites with instructions that “might work”. We’re slowly cleaning up the mess that is InTune! :-/

  15. The other part of the problem is that no one seems to know exactly how it all works and what steps are necessary to make it all work. I understand that the MS is constantly improving and therefore changing the way these systems work. However, when you Google or search the MS web sites for up-to-date product info, you find everything but. This is extremely frustrating to see “solutions” or “configuration steps” that no longer apply or are fractured and only supply a piece of the overall requirements. We even used a consulting group to help with our deployment – and they didn’t have up-to-date info so much of the deployment failed to meet goals. As a result, the InTune db is suspect, and compliance and other reports are not correct or don’t give us what we need. Very disappointed.

  16. There are only 2 things that I can say:
    1. It’s indeed disappointing that the engineers were not able to solve the problems with the enrollments/cleanup;
    2. As being a consultant myself, it’s also disappointing to hear that the consulting group you hired was not up-to-date with the latest information and didn’t verify the use case before starting with the implementation.

Leave a Comment