I was able to set up a lab, run several different tests, and confirm an answer. In the Intune Endpoint Protection profile document (https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-application-control),
there is a footnote that states that deploying the policy will cause a reboot. There is no mention that a deletion of the profile will also do the same. I have been able to confirm that this is the case, if the profile is deleted, all assigned machines will
be forced to reboot. This is further stated under the Applocker csp doc (https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp).
The AppLocker CSP will schedule a reboot when a policy is applied or a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI.
The event log for this reboot is a generic system event ID 1074:
The process C:\Windows\System32\RuntimeBroker.exe ([computername]) has initiated the restart of computer [computername] on behalf of user [domain\user] for the following reason: Other (Unplanned) Reason Code: 0x0 Shutdown Type: restart Comment:
There is also an event logged under the code integrity event section for both the removal and any subsequent start-up of app control:
Removal
code integrity will disable whql driver enforcement for this boot session. settings 0x0
Addition
Refreshed and activated Code Integrity policy {a244370e-44c9-4c06-b551-f6016e563076} DefaultWindowsAudit, id 031017. Status 0x0
I'll submit a change to the MSFT doc for endpoint protection to reflect this as well. Thank you for your time.
