Intune – Remove device from infrastructure

Administrators often come across stale device records in Azure Active Directory and Intune, because the process of removing a device from the organization’s infrastructure is either not well defined or was not completed successfully. In this post we discuss two ways of removing an Azure AD joined Autopilot device from the Azure infrastructure: manually through the portals, and with a PowerShell script.

! For the steps below we assume that the device is enrolled in Intune via Autopilot and is Azure AD joined (not hybrid joined). For any other enrollment type the steps need to be adapted accordingly.

What records should we delete from infrastructure?

By the time an Autopilot device is enrolled in Intune, three records tied to it exist in the tenant:

  1. The uploaded hardware hash in Autopilot blade
  2. The Intune record in Devices Blade
  3. The Azure AD account for this device

To remove a device completely, all three records have to be deleted, and, as the next section shows, they have to be deleted in a specific order.

The Manual Way

We start by deleting the Intune record: the Autopilot record cannot be deleted as long as an active Intune device exists for that hardware hash. On the Intune device we can choose either Delete (removes the device from Intune management and removes corporate data from it) or Wipe (factory resets the device); which one to use depends on the procedure each administrator follows.


After deleting the Intune record, we proceed to the deletion of the Autopilot device (this can take some time to complete, and the record may still be listed in the blade until the deletion has finished).

Lastly, we delete the Azure AD record for this specific device by going to Azure Active Directory -> Devices -> All Devices.

Voila! The device has been removed and no stale records are left behind.

It is interesting to see what happens if we do not follow the above order.

– Let’s start by deleting the Autopilot record without first deleting the Intune record.

As we can see, Intune does not allow deleting an Autopilot device while an Intune device record for it is still active.

– Let’s try to delete the Azure AD device record instead.

This is not allowed either: the device is an Autopilot device and cannot be deleted from the Azure AD portal. We have to click Manage (the gear icon) and delete it from Intune first.

The “Let’s script it” way

The above process is simple and works well for a few devices, but what happens when we have to delete many?

A script that automates the process comes in handy in this situation.

An identifier is needed for every device in order to perform all three deletions. In this script the serial number of each device is used, because it identifies both the Intune record and the Autopilot record; the Azure AD record is then located through the device name reported by Intune.

# Install needed modules (once)
Install-Module -Name Microsoft.Graph.Intune
Install-Module -Name WindowsAutopilotIntune
Install-Module -Name AzureAD

# Connect to Intune (Graph) and Azure AD
Connect-MSGraph
Connect-AzureAD

# Import serials from a txt file (one serial per line, blank lines ignored)
$importedSerials = Get-Content -Path "C:\Users\Public\serials2delete.txt" |
    ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Iterate through every serial and delete its records in the required order:
# Intune first (Autopilot refuses the deletion while an Intune record exists),
# then Autopilot, then Azure AD. A failure on one serial must not stop the batch.
foreach ($serial in $importedSerials) {
    try {
        # Get device info from Intune, using the serial as identifier
        $info = Get-IntuneManagedDevice -Filter "serialNumber eq '$serial'" |
            Select-Object deviceName, serialNumber, lastSyncDateTime, complianceState, managedDeviceId
        if (-not $info) {
            Write-Warning "No Intune record found for serial $serial, skipping"
            continue
        }
        Write-Host "Starting deletion of device $($info.deviceName) ($serial), last sync $($info.lastSyncDateTime)"

        # Delete Intune record using the Intune Device ID as identifier
        Write-Host "Deleting Intune record for $serial"
        Remove-IntuneManagedDevice -managedDeviceId $info.managedDeviceId -Verbose -ErrorAction Stop
        Start-Sleep -Seconds 5

        # Delete Autopilot device using the serial as identifier
        Write-Host "Deleting Autopilot record for $serial"
        Get-AutopilotDevice -serial $serial | Remove-AutopilotDevice
        Start-Sleep -Seconds 5

        # Delete Azure AD record using the device name as identifier.
        # Device names are not unique, so refuse to delete if the name matches
        # more than one Azure AD object and leave that device for manual cleanup.
        $azureADinfo = @(Get-AzureADDevice -Filter "DisplayName eq '$($info.deviceName)'")
        if ($azureADinfo.Count -ne 1) {
            Write-Warning "Found $($azureADinfo.Count) Azure AD devices named $($info.deviceName), not deleting"
            continue
        }
        Write-Host "Deleting Azure AD record for $serial"
        Remove-AzureADDevice -ObjectId $azureADinfo[0].ObjectId
        Start-Sleep -Seconds 5
    }
    catch {
        Write-Warning "Deletion failed for $serial : $($_.Exception.Message)"
    }
}

For the above script we have to create a txt file in a desired location that contains the serial numbers of the devices we want to delete, one per line. The file is read, each serial is iterated and a deletion command is sent to Intune, Autopilot and Azure AD, in that order. Consider adding logging when using this script by following this guide. Note that both the AzureAD module and the Intune PowerShell SDK (Microsoft.Graph.Intune) have been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK, so expect to port these calls eventually; the order of the three deletions does not change.
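The audit function below is an added example and not code from the original post. It reports, for each serial, which of the three records still exists, so it can be run before the deletion script (to catch devices that synced recently, or names that match more than one Azure AD object) and again afterwards (to confirm that nothing stale was left behind). It assumes the same three modules are installed and that Connect-MSGraph and Connect-AzureAD have already been run. The correlation to the Azure AD object goes through the azureADDeviceId property of the Intune managed device and the azureActiveDirectoryDeviceId property of the Autopilot identity, as exposed by the Graph API, falling back to the display name only when neither id is available. The function name Get-DeviceRecordStatus, its ActiveWithinDays parameter and the input file path are names chosen for this example.

```powershell
# Added example (not part of the original post): audit which of the three
# records still exist for each serial, before and after the deletion script.
# Assumes Microsoft.Graph.Intune, WindowsAutopilotIntune and AzureAD are
# installed and Connect-MSGraph / Connect-AzureAD have already been run.
# Function and parameter names are chosen for this example.

function Get-DeviceRecordStatus {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Serial,
        # Devices that synced with Intune within this many days are flagged as active
        [int]$ActiveWithinDays = 30
    )

    foreach ($s in $Serial) {
        $s = $s.Trim()
        if (-not $s) { continue }

        # 1. Intune managed device record, looked up by serial
        $intune = Get-IntuneManagedDevice -Filter "serialNumber eq '$s'"

        # 2. Autopilot identity (the uploaded hardware hash). Its
        #    azureActiveDirectoryDeviceId points at the Azure AD device object.
        $autopilot = Get-AutopilotDevice -serial $s

        # 3. Azure AD device object. Prefer the device ids recorded in Intune and
        #    Autopilot over the display name, which is not unique in a tenant.
        #    Unregistered Autopilot identities carry an all-zero GUID; skip it.
        $aadDeviceIds = @($intune.azureADDeviceId) + @($autopilot.azureActiveDirectoryDeviceId) |
            Where-Object { $_ -and $_ -ne '00000000-0000-0000-0000-000000000000' } |
            Select-Object -Unique
        $aad = foreach ($id in $aadDeviceIds) {
            Get-AzureADDevice -Filter "deviceId eq '$id'"
        }
        if (-not $aad -and $intune.deviceName) {
            # Fallback by name; several matches here is itself a finding
            $aad = Get-AzureADDevice -Filter "displayName eq '$($intune.deviceName)'"
        }

        $lastSync = $intune.lastSyncDateTime
        $isActive = $lastSync -and ([datetime]$lastSync -gt (Get-Date).AddDays(-$ActiveWithinDays))

        [pscustomobject]@{
            SerialNumber     = $s
            IntuneRecord     = [bool]$intune
            IntuneLastSync   = $lastSync
            RecentlyActive   = [bool]$isActive
            AutopilotRecord  = [bool]$autopilot
            AzureADRecords   = @($aad).Count
            AzureADObjectIds = (@($aad).ObjectId -join ';')
            # True only when none of the three stores still holds a record
            Complete         = (-not $intune -and -not $autopilot -and @($aad).Count -eq 0)
        }
    }
}

# Usage: run before deletion to catch ambiguities, and again afterwards to
# confirm that no stale record survived in any of the three stores.
$serials = Get-Content -Path "C:\Users\Public\serials2delete.txt"
$report  = Get-DeviceRecordStatus -Serial $serials
$report | Format-Table -AutoSize

# Devices that are still syncing, or whose name matches more than one Azure AD
# object, deserve a look before deletion; anything not Complete afterwards is a
# stale record that needs manual cleanup.
$report | Where-Object { $_.RecentlyActive -or $_.AzureADRecords -gt 1 -or -not $_.Complete }
```

Keeping the audit separate from the deletion loop means the list of serials can be reviewed and signed off before anything destructive runs, and the same function doubles as the post-deletion check that the manual walkthrough above performs by eye in the portals.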
