|
1 | 1 | --- |
2 | | -title: Factory reset protection emails not enforced in Intune for Android |
3 | | -description: Describes an issue in which an Android Enterprise device can be activated by using a Google account that isn't included in the factory reset protection email message setting. |
| 2 | +title: Factory Reset Protection Emails Not Enforced in Intune for Android |
| 3 | +description: Describes an issue in which an Android Enterprise device can be activated by using a Google account that isn't included in the "Factory reset protection emails" setting. |
4 | 4 | ms.date: 02/11/2025 |
5 | 5 | search.appverid: MET150 |
6 | 6 | ms.custom: sap:Configure Devices - Android\Device restrictions |
7 | 7 | ms.reviewer: kaushika |
8 | 8 | --- |
9 | | -# Factory reset protection emails setting isn't enforced after you reset an Android Enterprise device |
10 | 9 |
|
11 | | -This article provides a solution for the issue that the **Factory reset protection emails** setting does not work as expected for an enrolled Android Enterprise Device Owner device. |
| 10 | +# Factory reset protection (FRP) enforcement behavior for Android Enterprise |
| 11 | + |
| 12 | +> **Applies to:** Android Enterprise **corporate-owned work profile (COPE)**, **fully managed (COBO)**, **dedicated (COSU)** |
| 13 | +
|
| 14 | +Factory reset protection (FRP) helps prevent unauthorized access to your device after it's been factory reset. If the device is reset without your permission, in some situations, only the email addresses that you enter in the **Factory reset protection emails** setting can unlock the device. |
12 | 15 |
|
13 | 16 | ## Symptoms |
14 | 17 |
|
15 | 18 | Consider the following scenario: |
16 | 19 |
|
17 | 20 | - You have an Android Enterprise device that's enrolled in Microsoft Intune. |
18 | | -- The **Factory reset protection emails** setting is enabled, and an email address is provided, as shown in the following screenshot: |
| 21 | +- The **Factory reset protection emails** setting is enabled, and an email address is provided, as shown in the following screenshot. |
19 | 22 |
|
20 | 23 | :::image type="content" source="media/factory-reset-protection-emails-not-enforced/factory-reset-protection-emails.png" alt-text="Screenshot of Factory reset protection emails setting and a sample email address."::: |
21 | 24 |
|
22 | | -- You do a factory reset on the device through the **Settings** menu (for example, tap **Settings** > **General management** > **Reset** > **Factory data reset**), or you wipe the device from Intune in the Microsoft Intune admin center. |
| 25 | +After a factory reset, devices sometimes prompt for a Google account (FRP) and sometimes don’t. |
23 | 26 |
|
24 | | -In this scenario, you can activate the device by using a Google account that isn't included in the **Factory reset protection emails** setting. |
| 27 | +## Expected behavior |
25 | 28 |
|
26 | | -## Cause |
| 29 | +If the Intune setting, **Factory reset protection emails**, is configured, FRP is expected to behave as shown in the following table. |
27 | 30 |
|
28 | | -This behavior is expected. When you do a factory reset on the device through the **Settings** menu or you wipe the device from Intune in the Microsoft Intune admin center, all your data is removed. This includes the Factory Reset Protection (FRP) data. |
| 31 | + | Enrollment method | Settings > Factory data reset | Settings > Recovery/bootloader | Intune [wipe](/intune/intune-service/configuration/device-restrictions-android-for-work) | |
| 32 | + | --- | --- | --- | --- | |
| 33 | + | **Corporate-owned devices with work profile** (COPE) | ✅ factory reset protection | ✅ factory reset protection | ❌ no factory reset protection | |
| 34 | + | **Fully managed** (COBO) | ❌ no factory reset protection | ✅ factory reset protection | ❌ no factory reset protection | |
| 35 | + | **Dedicated** (COSU) | ❌ no factory reset protection | ✅ factory reset protection | ❌ no factory reset protection | |
29 | 36 |
|
30 | | -## Solution |
| 37 | +> [!NOTE] |
| 38 | +> - For the COPE method: FRP is enforced. The device requires one of the specified Google accounts to complete setup. |
| 39 | +> - For the Intune wipe method: By default, FRP isn’t enforced because Intune doesn’t preserve FRP data in this flow. |
31 | 40 |
|
32 | | -The only way to do a factory reset on the device without losing the FRP data is through Recovery Mode. |
| 41 | +If **Factory reset protection emails** is set to **Not configured** (default), Intune doesn't change or update this setting. |
| 42 | + |
| 43 | +> [!NOTE] |
| 44 | +> **Android 15** introduced FRP hardening. Some OEMs previously skipped FRP in certain paths. As of Android 15, FRP enforcement now aligns with Google’s intended design. |
33 | 45 |
|
34 | 46 | We recommend that you set the **Factory reset** value to **Block** to prevent users from using the factory reset option in the device settings. |
35 | 47 |
|
36 | 48 | :::image type="content" source="media/factory-reset-protection-emails-not-enforced/factory-reset.png" alt-text="Screenshot of Factory reset options."::: |
37 | 49 |
|
38 | 50 | Then, use one of the following methods when you reset the device to the factory settings: |
39 | 51 |
|
40 | | -- Reset the device through Recovery mode. |
41 | | -- Wipe the device from Intune when the device is in your possession and is expected to be reset for further use. |
| 52 | +- Reset the device through Recovery mode (FRP will be enforced). |
| 53 | +- Wipe the device from Intune when the device is in your possession and is expected to be reset for further use (FRP will not be enforced). |
| 54 | + |
| 55 | +For background and guidance, see [Factory reset protection (FRP) enforcement behavior for Android Enterprise](/troubleshoot/mem/intune/device-configuration/factory-reset-protection-emails-not-enforced). |
| 56 | + |
| 57 | +## References |
| 58 | + |
| 59 | +- [Device restriction settings for Android in Microsoft Intune](/intune/intune-service/configuration/device-restrictions-android-for-work?tabs=aecorporate) |
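Review bot: The "For background and guidance" link added at new line 55 appears to point back to this same article: its text matches the new H1, and its slug, factory-reset-protection-emails-not-enforced, matches this article's media folder. Either drop the sentence or point it at the intended target. In the new "Expected behavior" section, the first NOTE bullet says "For the COPE method: FRP is enforced", but the COPE row of the table shows no factory reset protection after an Intune wipe, so the bullet should be scoped to the reset paths where the table shows enforcement. The second bullet's "By default, FRP isn't enforced" implies there is an option that changes this; name that option or drop the qualifier. With "## Cause" and "## Solution" removed, the recommendation to set **Factory reset** to **Block** now sits under "Expected behavior", and a short heading for it would keep the guidance easy to find. The front-matter title still reads "Not Enforced" while the H1 now reads "enforcement behavior", and the two should agree.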