Streamlining Device Management with the Intune Device Cleanup Script

Introduction

Managing devices in a large Microsoft Cloud environment can be overwhelming, particularly when you have to track Windows Autopilot identities in Microsoft Intune while at the same time managing the device objects in Entra ID. When I encountered these challenges, I turned to a script inspired by Niklas Tinner's work, which streamlines the clean-up of stale Autopilot devices. To tailor it to my needs, I made several modifications, enabling it to delete not only disabled devices but also their Autopilot information.

In this blog post, I aim to share my insights and experiences to empower you to manage your devices like a pro.

Understanding Windows Autopilot

Windows Autopilot is a service that lets IT administrators register devices by their unique hardware hash. When a device goes through the Out-of-Box Experience (OOBE), Autopilot checks whether that hardware hash is registered to a tenant and which deployment profile is assigned to it. As time passes, several situations lead to stale identities that should no longer be registered in your tenant:

  • Employee Transition: An employee might take a device for personal use.
  • Stolen Device: A device could be stolen, leaving its identity orphaned.
  • End of Lifecycle: Devices eventually reach the end of their useful life.
  • Hardware Failures: Repairs like motherboard replacements can change a device’s hardware hash.
  • Total Loss: A device may be broken or destroyed beyond functionality.

Unfortunately, the deregistration of these stale identities often gets overlooked in the daily noise.

Understanding Devices in Entra ID

In Entra ID, devices are sometimes disabled rather than deleted, typically when you want to stop the object from authenticating to Entra ID before permanently removing it. This leads to an accumulation of stale device objects that are no longer in use and clutter your device inventory.

When a device is disabled in Entra ID, for example after an employee's departure, the object remains in the directory but can no longer sign in. This complicates device management, because IT administrators have to sift through these disabled objects to identify the devices that are actually in use.

The Intune Device Clean-up Script

My version of the IntuneDeviceCleanUp.ps1 script is designed to manage Autopilot devices by identifying and removing stale or disabled entries in your Microsoft Intune and Entra ID. Leveraging the Microsoft Graph API, this script ensures that your device inventory remains current and functional, helping to maintain an organized cloud management system.

Key Features

  • Identify Stale Devices: The script queries for Autopilot identities that have not contacted the Intune service within a specified duration, categorizing them as stale.
  • Detect Never-Contacted Devices: It also filters for identities that have never communicated with the Autopilot service. Review these separately: a never-contacted identity can also be a newly registered device that simply has not gone through OOBE yet.
  • Manage Disabled Devices: The script checks Entra ID for devices that have been disabled for a certain period, identifying those that need to be removed from the Entra ID and the Autopilot service.
  • Automate Clean-up: After identifying stale and disabled devices, the script removes them from both the Autopilot service and disables or deletes them in Entra ID, helping to keep the environment clean.
  • Logging and Reporting: The script provides summary outputs that detail the types and counts of devices processed, ensuring transparency in device management operations.

How the Script Works

  1. Connect to Microsoft Graph: The script initiates a connection to Microsoft Graph using the necessary permissions to manage devices within your tenant.
  2. Timeframe Specification: It defines a timeframe to identify stale devices, allowing administrators to customize the time period based on organizational needs.
  3. Query Devices: The script retrieves all Autopilot devices and filters them based on their last contact status. It also queries all disabled devices from Entra ID.
  4. Perform Clean-up: First, it iterates through the identified stale Autopilot devices, deletes their Autopilot information and disables the matching device objects in Entra ID. Second, it iterates through the identified disabled devices and removes them from both the Autopilot service and Entra ID.
  5. Sync Autopilot Devices: Finally, the script recommends syncing the Autopilot settings after deletions to ensure all changes are reflected.

Caution: The script performs deletions, thereby permanently removing Autopilot identities and devices from the tenant. Use it responsibly and review the identities before executing the clean-up actions.

Practical Tips for Using the Script

  1. Graph PowerShell Consent: Ensure you can consent to the Graph PowerShell enterprise application (Microsoft Graph Command Line Tools) and to the Graph permission scopes the script requests for your tenant.
  2. Adjust Variable “tenantid”: Modify the $tenantid = "***" variable to look for identities in your tenant.
  3. Adjust Time Specifications: Modify the $minAge variable to look for identities older than a specific timeframe.
  4. Test Before You Act: Utilize the variables $allAutopilot, $staleAutopilot, and $neverContactedAutopilot to preview affected devices with Out-GridView.
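The following is an added example of the procedure described under "How the Script Works" and the tips above; it is my own illustration, not the author's IntuneDeviceCleanUp.ps1 or Niklas Tinner's script. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds a role permitted to delete devices (for example Intune Administrator). The function name Invoke-AutopilotCleanup, its parameters, the 180-day default and the beta sync call at the end are my assumptions; the variable names $allAutopilot, $staleAutopilot and $neverContactedAutopilot follow the page.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement.Enrollment, Microsoft.Graph.Identity.DirectoryManagement

function Invoke-AutopilotCleanup {
    # SupportsShouldProcess gives us -WhatIf (preview only) and -Confirm (prompt per object).
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $tenantid,
        [int] $minAge = 180                     # assumption: identities older than this are stale
    )

    # 1. Connect with only the scopes the two object types need.
    Connect-MgGraph -TenantId $tenantid -NoWelcome -Scopes @(
        'DeviceManagementServiceConfig.ReadWrite.All',   # Autopilot identities
        'Device.ReadWrite.All'                           # Entra ID device objects
    )

    # 2. Timeframe: anything last seen before this date counts as stale.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$minAge)

    # 3. Query all Autopilot identities and split them by last contact.
    # Graph reports "never contacted" as 0001-01-01T00:00:00Z; the SDK surfaces that as
    # [datetime]::MinValue (or $null), so treat both the same.
    $allAutopilot = @(Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All)
    $neverContactedAutopilot = @($allAutopilot | Where-Object {
        $null -eq $_.LastContactedDateTime -or $_.LastContactedDateTime -eq [datetime]::MinValue })
    $staleAutopilot = @($allAutopilot | Where-Object {
        $_.LastContactedDateTime -gt [datetime]::MinValue -and $_.LastContactedDateTime -lt $cutoff })

    # Disabled Entra ID devices whose (approximate) last sign-in is also older than the cutoff.
    $disabledDevices = @(Get-MgDevice -All -Filter 'accountEnabled eq false' `
        -ConsistencyLevel eventual -CountVariable disabledCount |
        Where-Object { -not $_.ApproximateLastSignInDateTime -or $_.ApproximateLastSignInDateTime -lt $cutoff })

    # Index Autopilot identities by the Entra deviceId they reference. AzureAdDeviceId is the
    # Entra *deviceId* (not the object id) and is all zeros when the hash was never enrolled.
    $apByDeviceId = @{}
    foreach ($ap in $allAutopilot) {
        if ($ap.AzureAdDeviceId -and $ap.AzureAdDeviceId -ne '00000000-0000-0000-0000-000000000000') {
            $apByDeviceId[$ap.AzureAdDeviceId] = $ap
        }
    }

    # 4a. Stale Autopilot identities: delete the Autopilot record, disable the Entra object.
    foreach ($ap in $staleAutopilot) {
        $target = "Autopilot identity $($ap.SerialNumber) (last contact $($ap.LastContactedDateTime))"
        if ($PSCmdlet.ShouldProcess($target, 'Delete Autopilot identity and disable Entra ID device')) {
            Remove-MgDeviceManagementWindowsAutopilotDeviceIdentity -WindowsAutopilotDeviceIdentityId $ap.Id
            if ($apByDeviceId.ContainsKey($ap.AzureAdDeviceId)) {
                Get-MgDevice -Filter "deviceId eq '$($ap.AzureAdDeviceId)'" |
                    ForEach-Object { Update-MgDevice -DeviceId $_.Id -AccountEnabled:$false }
            }
        }
    }

    # 4b. Disabled Entra devices: remove the Autopilot identity (if any), then the Entra object.
    foreach ($dev in $disabledDevices) {
        $target = "Entra ID device $($dev.DisplayName) ($($dev.DeviceId))"
        if ($PSCmdlet.ShouldProcess($target, 'Delete Entra ID device and its Autopilot identity')) {
            if ($apByDeviceId.ContainsKey($dev.DeviceId)) {
                Remove-MgDeviceManagementWindowsAutopilotDeviceIdentity `
                    -WindowsAutopilotDeviceIdentityId $apByDeviceId[$dev.DeviceId].Id
            }
            Remove-MgDevice -DeviceId $dev.Id
        }
    }

    # 5. Trigger the Autopilot sync so the deletions show up in the admin center.
    # Assumption: the sync action lives on the beta endpoint.
    if ($PSCmdlet.ShouldProcess('Autopilot settings', 'Sync')) {
        Invoke-MgGraphRequest -Method POST `
            -Uri 'https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotSettings/sync'
    }

    # Summary: never-contacted identities are only counted here, never deleted automatically.
    [pscustomobject]@{
        AllAutopilot         = $allAutopilot.Count
        StaleAutopilot       = $staleAutopilot.Count
        NeverContacted       = $neverContactedAutopilot.Count
        DisabledEntraDevices = $disabledDevices.Count
    }
}

# Preview first (no changes are made), then run for real:
# Invoke-AutopilotCleanup -tenantid '<tenant-guid>' -minAge 180 -WhatIf
# Invoke-AutopilotCleanup -tenantid '<tenant-guid>' -minAge 180 -Confirm:$false
```

Run it with -WhatIf first: every delete and disable is then printed instead of executed, which is the same "test before you act" idea as piping $staleAutopilot or $neverContactedAutopilot to Out-GridView. Never-contacted identities are deliberately only reported, because a freshly registered hash that has not yet completed OOBE looks identical to an abandoned one.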

By leveraging the IntuneDeviceCleanUp.ps1 script, organizations can maintain a cleaner, more efficient Intune and Entra ID environment.

A special thank you to Niklas Tinner for creating the foundational script and sharing his insights! If you’re looking to streamline your device management, this script is a practical solution.

Conclusion

Regular device management is crucial for maintaining security and operational effectiveness within your organization’s infrastructure. Tools like the Intune Device Cleanup script can make this task simpler, allowing you to focus on other tasks.


Source: Autopilot cleanup script
