In this post we will see an easy and convenient way to remove device records from Intune, Autopilot and Entra ID using a simple PowerShell script.
Administrators often come across stale device records in Entra ID and Intune, because the process of removing a device from the organization's infrastructure is not well defined or was not completed successfully. In this post we will discuss two ways of removing an Entra ID joined, Autopilot device from the Azure infrastructure.
For the process to be completed, we assume that the reference device is enrolled in Intune via Autopilot and is Entra ID joined. In any other case, the appropriate modifications should be made.
What records should we delete from infrastructure?
When a new device is enrolled in Intune, three records are created connected to this device:
- The uploaded hardware hash in Autopilot blade
- The Intune record in Devices Blade
- The Entra ID account for this device
As you can understand, the way to go here is to delete all three of these records in order to completely remove a device.
The Manual Way
First we start by deleting the Intune record. We are unable to delete the Autopilot record as long as there is an active device in Intune with this hardware hash. Here we can proceed either to deletion (removes corporate data from the device) or wipe (resets the device). It is up to the procedure every administrator follows.
After deleting the Intune record, we proceed to the deletion of the Autopilot device (this may require some time to be completed).
Lastly, we delete the Entra ID record for this specific device by going to Entra ID -> Devices -> All Devices.
Voila! The device has been removed and no stale records are present anymore.
It is really interesting here to see what will happen if we do not follow the above order.
- Let's start by deleting the Autopilot record without first deleting the Intune record.
As we can see, Intune does not allow us to delete an Autopilot device while a device record is still active.
- Let's try to delete the Entra ID device record.
It does not allow us here either, since the device is an Autopilot device and cannot be deleted from the Entra ID portal. We have to click Manage (gear icon) and delete it from Intune first.
The “Let’s script it way”
The above process is simple and easy for deleting a few devices, but what happens when we have to delete many?
A script that automates this process comes in handy in this situation.
An identifier for every device is needed to perform all deletion actions. For this script the serial number of the devices will be used.
You can find the script on my GitHub page here.
```powershell
# Install needed modules - if required
# Install-Module -Name Microsoft.Graph
# Install-Module -Name Microsoft.Graph.Intune
# Install-Module -Name Microsoft.Graph.DeviceManagement

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Device.ReadWrite.All", "DeviceManagementManagedDevices.ReadWrite.All", "Directory.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All"

# Import serials from a txt file
$importedSerials = Get-Content -Path "C:\Temp\serials2delete.txt"

# Iterate through every serial and delete record
foreach ($serial in $importedSerials) {
    try {
        # Get device info from Intune
        $device = Get-MgDeviceManagementManagedDevice -Filter "serialNumber eq '$serial'"
        if ($device) {
            Write-Host "Starting deletion of device $($device.DeviceName)"

            # Delete Intune record using the Intune Device ID as identifier
            try {
                Write-Host "Deleting Intune Record for $serial"
                Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id -Verbose -ErrorAction Stop
                Start-Sleep -Seconds 10
            } catch {
                Write-Host "Error deleting Intune record for $serial : $_" -ForegroundColor Red
            }

            # Delete Autopilot device using serial as identifier (-All so paging does not hide the record)
            try {
                Write-Host "Deleting Autopilot Record for $serial"
                $autopilotDevice = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All | Where-Object { $_.SerialNumber -eq $serial }
                if ($autopilotDevice) {
                    Remove-MgDeviceManagementWindowsAutopilotDeviceIdentity -WindowsAutopilotDeviceIdentityId $autopilotDevice.Id
                }
                Start-Sleep -Seconds 10
            } catch {
                Write-Host "Error deleting Autopilot record for $serial : $_" -ForegroundColor Red
            }

            # Delete Entra ID record using the Azure AD device ID as identifier
            # ($(...) is required: "$device.AzureAdDeviceId" would not expand the property inside the string)
            try {
                Write-Host "Fetching Entra ID Device for $serial"
                $entraIDData = Get-MgDevice -Filter "deviceId eq '$($device.AzureAdDeviceId)'"
                Write-Host "Deleting Entra ID Record for $serial"
                Remove-MgDevice -DeviceId $entraIDData.Id
                Start-Sleep -Seconds 10
            } catch {
                Write-Host "Error deleting Entra ID record for $serial : $_" -ForegroundColor Red
            }
        } else {
            Write-Host "No device found with serial number $serial"
        }
    } catch {
        Write-Host "Error processing serial number $serial : $_" -ForegroundColor Red
    }
}
```
This PowerShell script is designed to automate the deletion of device records across multiple Microsoft services, including Intune, Autopilot, and Entra ID (Azure AD). The script reads a list of serial numbers from a text file and iterates through each serial to remove the corresponding device from these services. First, it fetches the device information from Intune using the serial number, then proceeds to delete the device record from Intune using the device ID. It also deletes any Autopilot device record associated with the serial number and then deletes the corresponding device record from Entra ID using the Azure AD Device ID.
Consider adding logs when using this script by following this guide.
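The same three-step order as the script, added here as an example that is not the post's script: it resolves all three records before deleting anything, supports -WhatIf for a dry run, polls until the Autopilot deletion has actually completed instead of sleeping a fixed 10 seconds, and appends a CSV log line per serial. It assumes Connect-MgGraph has already been run with the scopes above; the function name, log path and timeout are assumptions.

```powershell
function Remove-DeviceBySerial {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $SerialNumber,
        [string] $LogPath = "C:\Temp\device-cleanup.csv",   # assumed log location
        [int] $TimeoutSeconds = 300                          # assumed wait for Autopilot cleanup
    )
    $log = [ordered]@{ Serial = $SerialNumber; Intune = 'n/a'; Autopilot = 'n/a'; EntraId = 'n/a' }
    try {
        # Resolve all three records first, so a typo in the serial list cannot delete the wrong object.
        $intune = @(Get-MgDeviceManagementManagedDevice -Filter "serialNumber eq '$SerialNumber'")
        if ($intune.Count -ne 1) {
            Write-Warning "${SerialNumber}: expected exactly one Intune device, found $($intune.Count); skipping"
            return
        }
        $autopilot = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All |
            Where-Object SerialNumber -eq $SerialNumber
        $entra = Get-MgDevice -Filter "deviceId eq '$($intune[0].AzureAdDeviceId)'"

        # Same order as the manual procedure: Intune -> Autopilot -> Entra ID.
        if ($PSCmdlet.ShouldProcess("$SerialNumber ($($intune[0].DeviceName))", "Delete Intune record")) {
            Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $intune[0].Id -ErrorAction Stop
            $log.Intune = 'deleted'
        }
        if ($autopilot -and $PSCmdlet.ShouldProcess($SerialNumber, "Delete Autopilot record")) {
            Remove-MgDeviceManagementWindowsAutopilotDeviceIdentity -WindowsAutopilotDeviceIdentityId $autopilot.Id -ErrorAction Stop
            # Autopilot deletion is asynchronous: poll until the identity is gone, or give up at the deadline.
            $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
            do {
                Start-Sleep -Seconds 15
                $still = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -WindowsAutopilotDeviceIdentityId $autopilot.Id -ErrorAction SilentlyContinue
            } while ($still -and (Get-Date) -lt $deadline)
            $log.Autopilot = if ($still) { 'timeout' } else { 'deleted' }
        }
        if ($entra -and $PSCmdlet.ShouldProcess("$SerialNumber ($($entra.DisplayName))", "Delete Entra ID record")) {
            Remove-MgDevice -DeviceId $entra.Id -ErrorAction Stop
            $log.EntraId = 'deleted'
        }
    } finally {
        # One log line per serial, written even if a deletion step threw.
        [pscustomobject]$log | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
}

# Dry run: show what would be removed for every serial in the list, without deleting anything.
Get-Content -Path "C:\Temp\serials2delete.txt" | ForEach-Object { Remove-DeviceBySerial -SerialNumber $_ -WhatIf }
```

Drop -WhatIf to perform the deletions; because ConfirmImpact is High, each step then asks for confirmation unless -Confirm:$false is passed.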
References and documentation: