Skip to content

CUT-5058: Update MDM Removal Script #721

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
gweinjc merged 10 commits into from
Feb 3, 2026
Merged

CUT-5058: Update MDM Removal Script #721

gweinjc merged 10 commits into from
Feb 3, 2026
+245 −189

Conversation

@gweinjc
Copy link
Contributor

@gweinjc gweinjc commented Feb 2, 2026
edited by cursor bot
Loading

Issues

What does this solve?

The purpose of this is to create parity between the MDM Removal process in ADMU and in the Support repo. Currently, there is 2 different logic patterns between the two repos and we'd like to consolidate these so it is easier to maintain in ADMU.

The script has been edited to have clear function definitions that will be used in the ADMU Actions workflows to compare the definitions declared in the Support script versus the definitions declared in ADMU. If these definitions are different, the ADMU workflow will fail and prompt to be updated.

We also needed to add a check for the MmpcEnrollmentFlag in the registry. Basically if that key's value is something other than 0, the device could still think that it is MDM enrolled. The script will now check the value and if it is not 0, it will set it 0.

Is there anything particularly tricky?

The script has been updated to have function definitions for all steps. The actual MDM removal process has been refactored to be a new function called Remove-WindowsMDMProvider

The script will still be executed the same way as it was before; the main difference is the Remove-WindowsMDMProvider function is called with the -forcePrune optional param (this won't be used in ADMU however it is needed for the Support script).

How should this be tested?

  1. Have a Windows device that is MDM enrolled in some capacity.
  2. Save a copy of the script (remove_windowsMDM.ps1) locally on the device
  3. Navigate to the directory where the script is saved and run the following:
./remove_windowsMDM.ps1
  1. Validate that the MDM entries were removed from the device

Screenshots

Screenshot of jcMDMCleanup.log file

image

Screenshot of terminal after running remove_windowsMDM.ps1

image

Note

Medium Risk
Touches a destructive Windows cleanup script that deletes registry keys, scheduled tasks, and certificates, and changes its execution flow (new ForcePrune behavior and registry flag reset). Mistakes could remove the wrong artifacts or fail to fully unenroll devices.

Overview
Refactors the Windows MDM cleanup PowerShell script into clearer, reusable functions, centered around a new Remove-WindowsMDMProvider entry point with optional -EnrollmentGUID targeted cleanup and -ForcePrune orphaned-GUID sweep.

Adds a new pre-cleanup step to reset HKLM:\SOFTWARE\Microsoft\Enrollments\MmpcEnrollmentFlag to 0 when present, and updates the script’s main execution to call Remove-WindowsMDMProvider -ForcePrune with structured error handling and final verification via Get-WindowsMDMProvider.

Written by Cursor Bugbot for commit 0502a9d. This will update automatically on new commits. Configure here.

@gweinjc gweinjc requested a review from a team as a code owner February 2, 2026 21:24
@gweinjc gweinjc requested a review from kmaranionjc February 2, 2026 21:24
cursor[bot]
cursor bot reviewed Feb 2, 2026
View reviewed changes
jworkmanjc
jworkmanjc previously approved these changes Feb 2, 2026
View reviewed changes
cursor[bot]
cursor bot reviewed Feb 3, 2026
View reviewed changes
cursor[bot]
cursor bot reviewed Feb 3, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

jworkmanjc
jworkmanjc approved these changes Feb 3, 2026
View reviewed changes
Copy link
Contributor

@jworkmanjc jworkmanjc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Retested, working for me

kmaranionjc
kmaranionjc approved these changes Feb 3, 2026
View reviewed changes
Copy link
Contributor

@kmaranionjc kmaranionjc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested good on my end

@gweinjc gweinjc merged commit f36139b into master Feb 3, 2026
3 checks passed
@gweinjc gweinjc deleted the CUT-5058_UpdateMDMRemoval branch February 3, 2026 16:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@jworkmanjc jworkmanjc jworkmanjc approved these changes

@kmaranionjc kmaranionjc kmaranionjc approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@gweinjc @jworkmanjc @kmaranionjc