You’ve issued corporate-owned laptops and want to retain control over them, so you don’t want the end-users to unenroll their Windows 10 devices from Intune (Endpoint Manager) themselves. Your firm’s data resides on that device, which might be more valuable than the device itself, so you want to be able to perform a remote wipe to the device’s factory default state. 

We can accomplish this in Intune by creating a configuration profile with the Device Restrictions template. Under the General heading, we can find ‘Manual unenrollment’ and the option to block that action.