Tags: intune, endpoint, mdm, for administrators

When attackers unenroll your devices: Intune as an attack surface

An attacker with Intune rights can unenroll devices and disable compliance controls, stripping protection before deploying malware. Here is the technique, how to detect it, and how to lock it down.

Attack flow
1. Compromise an Intune admin
2. Unenroll or wipe managed devices
3. Push rogue device config profiles
4. Disable compliance and defenses
5. Take over the device fleet
Seen in the wild: Scattered Spider (Octo Tempest)

Your device management platform is also a control surface an attacker would love to own. With enough rights in Intune, an adversary does not bypass your endpoint defenses one by one. They turn them off at the source.

The technique

An attacker who compromises an account holding an Intune administrative role can bulk-unenroll devices from management, disable or weaken compliance policies, and break the connector to your endpoint detection product. With management removed, the devices stop receiving policy and stop reporting, which clears the way to deploy malware to endpoints that are no longer watched. In ATT&CK terms this is T1562, Impair Defenses, often paired with a destructive or extortion objective.

How to detect it

Intune audit logs record device and policy changes. Alert on bulk device unenrollment, on changes that disable or loosen compliance policies, and on the endpoint-detection connector being disabled. Individual unenrollments happen every day; a spike of unenrollment events across many devices in a short window, especially from a single account, is the signal that separates an attack from routine administration.
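The detection logic above, written out as an added example that is not code from the original note or from any Microsoft product. It runs a sliding window over a constructed batch of Intune-style audit records, counts distinct devices unenrolled per actor inside the window, and separately flags compliance-policy and connector changes. The record shape (activityDateTime, activityType, actor, deviceId) is a simplified assumption modelled loosely on what Intune audit exports contain; the activity names, account names and device ids are constructed for the example, so map them to your own export format before using this against real data.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real Intune output). Field names are a
# simplified assumption: one JSON object per line, timestamps in UTC.
SAMPLE_LOG = """
{"activityDateTime": "2024-03-01T09:00:10Z", "activityType": "Delete ManagedDevice", "actor": "ops-admin@contoso.example", "deviceId": "dev-001"}
{"activityDateTime": "2024-03-01T11:42:05Z", "activityType": "Delete ManagedDevice", "actor": "ops-admin@contoso.example", "deviceId": "dev-002"}
{"activityDateTime": "2024-03-01T13:10:00Z", "activityType": "Delete DeviceCompliancePolicy", "actor": "it-helpdesk@contoso.example", "target": "Baseline compliance"}
{"activityDateTime": "2024-03-01T13:10:30Z", "activityType": "Delete ManagedDevice", "actor": "it-helpdesk@contoso.example", "deviceId": "dev-101"}
{"activityDateTime": "2024-03-01T13:10:41Z", "activityType": "Delete ManagedDevice", "actor": "it-helpdesk@contoso.example", "deviceId": "dev-102"}
{"activityDateTime": "2024-03-01T13:10:52Z", "activityType": "Wipe ManagedDevice", "actor": "it-helpdesk@contoso.example", "deviceId": "dev-103"}
{"activityDateTime": "2024-03-01T13:11:03Z", "activityType": "Delete ManagedDevice", "actor": "it-helpdesk@contoso.example", "deviceId": "dev-104"}
{"activityDateTime": "2024-03-01T13:11:15Z", "activityType": "Retire ManagedDevice", "actor": "it-helpdesk@contoso.example", "deviceId": "dev-105"}
{"activityDateTime": "2024-03-01T13:11:27Z", "activityType": "Delete ManagedDevice", "actor": "it-helpdesk@contoso.example", "deviceId": "dev-106"}
{"activityDateTime": "2024-03-01T13:12:00Z", "activityType": "Patch EndpointDetectionConnector", "actor": "it-helpdesk@contoso.example", "target": "EDR connector"}
"""

# Activity names are assumed labels for this example, grouped by what they mean.
UNENROLL_ACTIVITIES = {"Delete ManagedDevice", "Retire ManagedDevice", "Wipe ManagedDevice"}
POLICY_ACTIVITIES = {"Patch DeviceCompliancePolicy", "Delete DeviceCompliancePolicy"}
CONNECTOR_ACTIVITIES = {"Patch EndpointDetectionConnector"}


def parse_events(text):
    """Parse one JSON record per line into dicts with a parsed UTC timestamp, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bulk_unenrollment(events, window=timedelta(minutes=10), threshold=5):
    """Flag any actor who removed >= threshold distinct devices inside a sliding time window."""
    per_actor = defaultdict(list)
    for e in events:
        if e["activityType"] in UNENROLL_ACTIVITIES:
            per_actor[e["actor"]].append(e)

    alerts = []
    for actor, evs in per_actor.items():  # evs are already time-ordered
        best, start = 0, 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {x["deviceId"] for x in evs[start:end + 1]}
            best = max(best, len(distinct))
        if best >= threshold:
            alerts.append({"actor": actor, "devices_in_window": best,
                           "window_minutes": int(window.total_seconds() // 60)})
    return alerts


def detect_defense_tampering(events):
    """Return every compliance-policy or EDR-connector change; each one is worth a ticket."""
    watched = POLICY_ACTIVITIES | CONNECTOR_ACTIVITIES
    return [e for e in events if e["activityType"] in watched]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in detect_bulk_unenrollment(evs):
        print(f"HIGH bulk unenrollment: {a['actor']} removed {a['devices_in_window']} devices "
              f"within {a['window_minutes']} min")
    for e in detect_defense_tampering(evs):
        print(f"HIGH defense tampering: {e['actor']} {e['activityType']} on {e.get('target')}")
```

With the defaults, the two routine removals by ops-admin hours apart never exceed one device per window and stay quiet, while the compromised helpdesk account trips the bulk rule at six devices in under two minutes and also produces two tampering alerts (the compliance policy deletion and the connector change). Tune the window and threshold to your fleet's normal decommissioning rate, and route the tampering detections at high severity regardless of volume, since a single connector change is enough to blind you.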

How to lock it down

Treat Intune roles as privileged. Apply least privilege and put the powerful roles behind just-in-time elevation with Privileged Identity Management, so standing admin is minimal. Scope admins to the device groups they actually manage. Alert on bulk unenrollment and connector changes as high severity. And use Conditional Access that requires a compliant, managed device, so a device that drops out of management also drops its access.

Practice it

We built an Intune unenrollment scenario in GraphLattice Range so administrators see the defenses come down, catch it in the audit log, and apply the role and alerting controls that prevent it.