As organizations adopt Microsoft Intune, tattooing has not disappeared; it has simply taken a different shape that admins need to learn. The sheer number of CSPs, their uneven maturity, and the relative newness of cloud-based configuration make Intune tattooing more opaque and harder to track down than its Group Policy counterpart, not less.
This post explores remediation strategies for Intune tattooing, outlines which CSPs support removal, which do not, how Intune tattooing differs from Group Policy, and why documenting your Intune settings is essential.
What is Happening with Tattooing in Intune
Intune applies configuration to Windows through Configuration Service Providers (CSPs). Each CSP defines its own behavior for writing, updating, and removing settings. A tattooed setting is one that stays in effect on the device after the policy that wrote it is gone. If a CSP does not support removal, Intune cannot force it: the value stays on the device even if the profile is set to ‘Not Configured’ or removed entirely.
The two models share the symptom but not the cause. Group Policy tattooing was a property of the extension model: the Registry client-side extension cleans up values under the Policies keys when a GPO stops applying, while anything written elsewhere (Group Policy Preferences without the “remove when no longer applied” option, scripts, custom ADM templates) stays behind. Intune tattooing is a property of each individual CSP, and CSP capabilities vary widely. In short, Group Policy tattooing is architectural; Intune tattooing is per-CSP.
CSPs That Support Settings Removal
For example, these CSPs generally clean up after themselves when a profile is removed or reverted. Even so, test and document each setting before deploying it to production: removal behavior has to be validated per CSP and per setting, not assumed from the category.
Policy CSP (most ADMX-backed settings)
- Supports removal for the majority of ADMX-backed settings
- Predictable behavior when toggling Enabled → Not Configured
DeviceLock CSP
- Removes PIN/lock requirements cleanly
BitLocker CSP
- Removes enforcement settings, though disk encryption state remains unchanged
WiFi CSP
- Deletes Wi-Fi profiles when the configuration profile is removed
CSPs That Do Not Support Settings Removal
These CSPs commonly leave tattooed values behind:
Accounts CSP
- Local user creation persists after profile removal
EnterpriseDesktopAppManagement CSP
- App install directives remain tattooed unless explicitly uninstalled
Browser CSP (legacy Edge)
- Older Edge settings remain in HKLM/HKCU
Custom OMA-URI Profiles
- Removal behavior depends entirely on the underlying CSP
- Common source of drift in security baselines and vendor-specific settings
How to Remediate Intune Tattooing
When a CSP leaves behind tattooed values, you have three realistic options:
- Use Intune Remediation Scripts (formerly Proactive Remediations, now simply Remediations). The pair below is a deliberately minimal illustration; learn how remediation scripts work and validate your own before deploying them.
Detection script example:
# Detection: exit 1 = issue found (Intune then runs the remediation script), exit 0 = compliant
$path = "HKLM:\Software\SullyZone\LegacySetting"
if (Test-Path $path) { exit 1 }
exit 0
Remediation script:
# Remediation: remove the tattooed key and everything beneath it, then report success
$path = "HKLM:\Software\SullyZone\LegacySetting"
if (Test-Path $path) {
    Remove-Item -Path $path -Recurse -Force
}
exit 0
- Deploy a temporary cleanup profile
Useful when the CSP supports writing a null or empty value: deploy a profile that explicitly sets the value back to its default, confirm on a test device that the effective value changed, then retire the cleanup profile.
- Rebuild or re-enroll the device
A last resort for deeply embedded or vendor-specific artifacts. It is probably not a valid approach for most customers, but for completeness it should be considered. I have not seen a scenario where a device needed to be reset or re-enrolled due to a tattooed setting, but theoretically it could occur.
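The minimal scripts above delete a whole key whether or not anything still manages it. The following is an added example, not code from the original post, showing a more careful detection/remediation pair: it only treats a registry value as tattooed when it is still present on disk but no CSP provider claims it any more, which it checks against the PolicyManager bookkeeping under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device. The area name SullyZone, the policy name LegacySetting and the effective registry path are hypothetical placeholders (the path reuses the post’s own example); replace them with the real Policy CSP area, policy name and effective location of the setting you are chasing.

```powershell
# Added example (not from the original post): detect and remediate a registry value
# that a CSP once wrote but that no provider currently manages.
# Assumptions (hypothetical, adjust per setting):
#   - the effective value lives at $EffectivePath\$EffectiveName
#   - it was delivered through Policy CSP area $Area / policy $PolicyName, so while
#     managed, PolicyManager keeps <PolicyName> and <PolicyName>_WinningProvider under
#     HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>
# Upload this file as the detection script; upload a copy with $Mode = 'Remediate'
# as the remediation script.

$Mode = 'Detect'

$Targets = @(
    @{
        Area          = 'SullyZone'                 # hypothetical Policy CSP area
        PolicyName    = 'LegacySetting'             # hypothetical policy name
        EffectivePath = 'HKLM:\Software\SullyZone'  # placeholder path from the post
        EffectiveName = 'LegacySetting'
    }
)

$PolicyManagerCurrent = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

function Test-PolicyStillManaged {
    param([string]$Area, [string]$PolicyName)
    # The *_WinningProvider companion value exists only while some provider sets the
    # policy; PolicyManager removes it when the policy is withdrawn.
    $areaKey = Join-Path $PolicyManagerCurrent $Area
    if (-not (Test-Path $areaKey)) { return $false }
    $props = Get-ItemProperty -Path $areaKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    return ($null -ne $props.PSObject.Properties["${PolicyName}_WinningProvider"])
}

function Get-TattooedValues {
    param([array]$Targets)
    foreach ($t in $Targets) {
        $valuePresent = $false
        if (Test-Path $t.EffectivePath) {
            $item = Get-ItemProperty -Path $t.EffectivePath -Name $t.EffectiveName -ErrorAction SilentlyContinue
            $valuePresent = ($null -ne $item)
        }
        # Present on disk but unclaimed by any provider: that is a tattoo.
        if ($valuePresent -and -not (Test-PolicyStillManaged -Area $t.Area -PolicyName $t.PolicyName)) {
            $t
        }
    }
}

$tattooed = @(Get-TattooedValues -Targets $Targets)

if ($Mode -eq 'Detect') {
    if ($tattooed.Count -gt 0) {
        $list = ($tattooed | ForEach-Object { "$($_.EffectivePath)\$($_.EffectiveName)" }) -join '; '
        Write-Output "Tattooed values found: $list"
        exit 1   # non-compliant: Intune runs the remediation script
    }
    Write-Output 'No tattooed values found'
    exit 0
}

# Remediate mode: remove only the orphaned value, not the whole key.
foreach ($t in $tattooed) {
    Remove-ItemProperty -Path $t.EffectivePath -Name $t.EffectiveName -Force -ErrorAction Stop
    Write-Output "Removed $($t.EffectivePath)\$($t.EffectiveName)"
}
exit 0
```

Two deployment caveats matter here. Remediation scripts run as SYSTEM in 32-bit PowerShell unless you set “Run script in 64-bit PowerShell” to Yes; leave it at No and HKLM:\SOFTWARE paths are silently redirected to WOW6432Node, so the detection never finds the value. And for settings tattooed under HKCU, the script has to run with “Run this script using the logged-on credentials”, otherwise it inspects SYSTEM’s hive.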
How Tattooing in Intune Differs from Group Policy
Each model has its own challenges, so let’s explore the main differences between them.
- Intune tattooing is not inherently more intuitive. While CSPs are documented, their removal behavior often isn’t. Experienced IT pros have years of practice diagnosing GPO drift; Intune’s model is newer and less familiar.
- Intune tattooing is distributed across many CSPs. Group Policy has a handful of extensions. Intune has dozens of CSPs with inconsistent behaviors.
- Intune provides better visibility, but not better clarity. MDM logs and diagnostics show what was applied — but not what remains tattooed after removal.
- Neither platform is “worse,” they’re just different. Group Policy tattooing was predictable once you understood the extensions. Intune tattooing requires understanding CSP behavior, which varies and is less documented.
Why Documentation Matters
Because Microsoft does not publish a definitive source describing tattooing behavior or removal support for each CSP, the most reliable strategy is:
- Document every Intune-managed setting
- Note whether the CSP supports removal
- Track which settings require proactive remediation
- Treat removal behavior as “unknown until validated.”
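Documentation is easier to keep honest when the baseline is generated from the device rather than typed by hand. The script below is an added example, not from the original post: it inventories every policy PolicyManager currently tracks in the device scope (area, policy, value, winning provider), leaves a RemovalSupport column set to “Unknown until validated” for you to fill in after testing, and, on each later run, reports settings that have dropped out of PolicyManager since the last baseline, which are exactly the ones whose effective values need to be checked for tattooing. The output location under ProgramData is an assumption.

```powershell
# Added example (not from the original post): baseline the policies PolicyManager
# tracks for the device scope and diff against the previous baseline.
# Assumption: $OutFile is a location of your choosing; it is not an Intune convention.

$Current   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
$Providers = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\providers'
$OutFile   = "$env:ProgramData\IntuneBaseline\policymanager-baseline.csv"   # assumed path

function Get-ManagedPolicyInventory {
    foreach ($areaKey in Get-ChildItem -Path $Current -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $areaKey.PSPath
        foreach ($p in $props.PSObject.Properties) {
            # Skip PowerShell's own PS* note properties and the metadata companions.
            if ($p.Name -like 'PS*' -or $p.Name -like '*_ProviderSet' -or $p.Name -like '*_WinningProvider') { continue }
            $wp = $props.PSObject.Properties["$($p.Name)_WinningProvider"]
            $provider = if ($wp) { [string]$wp.Value } else { $null }
            [pscustomobject]@{
                Area            = $areaKey.PSChildName
                Policy          = $p.Name
                Value           = $p.Value
                WinningProvider = $provider
                # A winning provider should still be registered under PolicyManager\providers.
                ProviderKnown   = [bool]($provider -and (Test-Path (Join-Path $Providers $provider)))
                RemovalSupport  = 'Unknown until validated'   # fill in after testing, per setting
                Captured        = (Get-Date).ToString('s')
            }
        }
    }
}

function Compare-ManagedPolicyBaseline {
    param([string]$PreviousCsv, [array]$CurrentInventory)
    $previous = Import-Csv -Path $PreviousCsv
    $now = @{}
    foreach ($row in $CurrentInventory) { $now["$($row.Area)/$($row.Policy)"] = $row }
    foreach ($old in $previous) {
        $key = "$($old.Area)/$($old.Policy)"
        if (-not $now.ContainsKey($key)) {
            # PolicyManager no longer tracks it, so the CSP should have removed the
            # effective value. Anything still on disk is a tattoo candidate.
            [pscustomobject]@{
                Setting   = $key
                LastValue = $old.Value
                Status    = 'No longer managed; verify the effective value was removed'
            }
        }
    }
}

$inventory = @(Get-ManagedPolicyInventory)

if (Test-Path $OutFile) {
    Write-Output 'Settings that left PolicyManager since the last baseline:'
    Compare-ManagedPolicyBaseline -PreviousCsv $OutFile -CurrentInventory $inventory | Format-Table -AutoSize
}

New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
$inventory | Export-Csv -Path $OutFile -NoTypeInformation
Write-Output "Wrote $($inventory.Count) managed policies to $OutFile"
```

Run it from an elevated 64-bit PowerShell so the PolicyManager hive is read without WOW64 redirection. The diff only tells you which settings stopped being managed; confirming whether the effective value actually went away is the per-CSP validation the post calls for, and the RemovalSupport column is where that result belongs.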
Final Thoughts
Tattooing hasn’t gone away — it has evolved. Intune’s CSP-driven model introduces new complexities, especially for IT pros with years of GPO experience. Understanding CSP behavior, documenting your settings, and building remediation workflows are the keys to keeping your Intune environment healthy and drift-free.
