Offboarding devices from Intune, Entra ID and Autopilot

New Update and Website: IntuneOffboarding.com

There will always be cases where you need to delete devices from Intune, Entra ID and/or Autopilot: device replacements, returns to the dealer and many more. Until now you had to go to the different portals and delete the devices manually. With this tool the whole process is automated.

Requirements

  • Microsoft PowerShell 5.1 or later
  • Necessary modules:
    • Microsoft.Graph.Identity.DirectoryManagement
    • Microsoft.Graph.DeviceManagement
    • Microsoft.Graph.DeviceManagement.Enrollment
  • Permissions:
    • DeviceManagementManagedDevices.ReadWrite.All,
    • DeviceManagementServiceConfig.ReadWrite.All

These modules will be installed automatically if not present, but you need to have administrative permissions.

Quickstart

You can install the newest version of this tool by running the following command in PowerShell:

Install-Script -Name Get-IntuneOffboardingTool -Force

and to run the tool:

Get-IntuneOffboardingTool

GitHub – Issues and new Features

Feedback, Issues, Pull Request and new Ideas can be submitted here: GitHub

How do I delete a device in Intune?

There are multiple ways to offboard a device from Intune. Depending on the use case you can wipe a device to restart the Autopilot process, or delete the device when it is disposed of or sent back to the retailer. Here is a short summary of what the different options do:

Important: The following actions are not supported on all platforms. For example, you can't wipe a Linux device in Intune.

Delete

Goal: Remove stale devices

  • Apps will be uninstalled except for Win32 apps installed by Intune and the M365 Apps.
  • Sign-in with an AAD (Entra ID) account will no longer be possible; only local user accounts still work.
  • The Entra ID object will be deleted.
    • If the device still has an Autopilot hash registered, it will NOT be deleted from Entra ID.
  • Delete also issues the Retire command, but it removes the device from the All devices list immediately instead of waiting for the next check-in.

Retire

Goal: Remove managed apps and configs but don't delete user data on the device.

  • The Retire action removes managed app data (where applicable), settings, and email profiles that were assigned by using Intune.
  • The device is removed from Intune management.
  • Removal happens the next time the device checks in and receives the remote Retire action.
  • The device still shows up in Intune until the device checks in. If you want to remove stale devices immediately, use the Delete action instead.
  • When you use the Retire device action, the user’s personal data is not removed from the device.

Wipe

Goal: Restore a device to its default settings (OOBE, out-of-box experience).

There are two options and you have to make a choice after selecting Wipe in Intune for the specific device:

  1. Keep the enrollment state and associated user account:
    • Will not be removed from Intune.
    • Wipes all MDM Policies.
    • Keeps user accounts and data (Profile).
    • Resets user settings back to default.
    • Removes user-installed apps.
    • Resets the operating system to its default state and settings.
    • Keeps AAD join, MDM policies will be reapplied the next time device connects to Intune.
  2. Do not keep the enrollment state and associated user account:
    • Device will be removed from Intune.
    • Wipes all user accounts.
    • Wipes all user data and user-installed apps.
    • Removes MDM policies, and non-default settings.
    • Resets the operating system to its default state and settings (OOBE).
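As an added example (not part of the original post and not the Get-IntuneOffboardingTool code), here is how Retire and the two Wipe variants above map onto the Microsoft Graph remote actions for a managed device. It assumes Microsoft.Graph.Authentication and Microsoft.Graph.DeviceManagement are installed and the session holds DeviceManagementManagedDevices.ReadWrite.All; the function and parameter names and the serial number are illustrative, and mapping portal option 1 onto keepEnrollmentData and keepUserData both set to true is my reading of the wipe action's parameters.

```powershell
# Added example, not the page's tool. Queues Retire or one of the two Wipe
# variants for a single Intune managed device via Microsoft Graph.
# Assumes: Microsoft.Graph.Authentication + Microsoft.Graph.DeviceManagement,
# and a session with DeviceManagementManagedDevices.ReadWrite.All.
# Function/parameter names and the serial number are illustrative.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement

function Invoke-IntuneOffboardAction {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SerialNumber,
        [Parameter(Mandatory)]
        [ValidateSet('Retire', 'WipeKeepEnrollment', 'WipeFull')]
        [string] $Action
    )

    $base = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'

    # Look the device up by serial number; refuse to act if it is missing or ambiguous.
    $serial  = $SerialNumber -replace "'", "''"   # keep the OData filter well-formed
    $devices = @(Get-MgDeviceManagementManagedDevice -Filter "serialNumber eq '$serial'")
    if ($devices.Count -eq 0) { throw "No Intune device with serial number '$SerialNumber'." }
    if ($devices.Count -gt 1) { throw "Serial '$SerialNumber' matches $($devices.Count) Intune devices; refusing to guess." }
    $device = $devices[0]

    # Wipe is not available on every platform (the post names Linux); Retire is the fallback there.
    if ($Action -ne 'Retire' -and $device.OperatingSystem -eq 'Linux') {
        throw "Wipe is not supported for Linux devices; use -Action Retire for '$($device.DeviceName)'."
    }

    $body = $null
    switch ($Action) {
        'Retire' {
            # Removes Intune-managed apps/settings/profiles, keeps personal data.
            $uri = "$base/$($device.Id)/retire"
        }
        'WipeKeepEnrollment' {
            # Portal option 1: keep enrollment state and associated user account (assumed mapping).
            $uri  = "$base/$($device.Id)/wipe"
            $body = @{ keepEnrollmentData = $true; keepUserData = $true }
        }
        'WipeFull' {
            # Portal option 2: back to OOBE, device removed from Intune.
            $uri  = "$base/$($device.Id)/wipe"
            $body = @{ keepEnrollmentData = $false; keepUserData = $false }
        }
    }

    $target = "$($device.DeviceName) ($($device.OperatingSystem), serial $SerialNumber)"
    if ($PSCmdlet.ShouldProcess($target, $Action)) {
        if ($null -ne $body) {
            Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ContentType 'application/json' | Out-Null
        } else {
            Invoke-MgGraphRequest -Method POST -Uri $uri | Out-Null
        }
        # The action is only queued here; the device executes it at its next check-in.
        [pscustomobject]@{ DeviceName = $device.DeviceName; Id = $device.Id; Action = $Action; QueuedAt = Get-Date }
    }
}

# Usage: dry run first with -WhatIf, then for real.
# Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All'
# Invoke-IntuneOffboardAction -SerialNumber 'EXAMPLE123' -Action WipeKeepEnrollment -WhatIf
# Invoke-IntuneOffboardAction -SerialNumber 'EXAMPLE123' -Action Retire
```

The returned object only records that the action was queued; as the Retire section notes, nothing changes on the device until it checks in, so the record still shows up in Intune until then.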

Here is a more detailed overview: Intune: What is Retire / Wipe / Delete / Fresh Start / Autopilot Reset

What happens if you delete a device?

Let's have a look at what the different services do with regard to device offboarding:

  1. Intune
    • Manages the devices, e.g. with profiles, apps and updates.
  2. Autopilot, Apple Business (School) Manager and Android Enterprise
    • This is the place where the ownership of the devices is managed. A device will always find its way back to the service above (Intune) unless it is deleted here.
  3. Entra ID
    • Handles the device identity and can be used for Conditional Access, e.g. to enforce rules or restrict access to corporate data.

Important aspects to consider before offboarding a device:

As long as the device is known and registered in Microsoft Autopilot, Apple Business (School) Manager or Android Enterprise, you keep control over who can manage or access the device. These services guarantee you ownership of the device.

I would love to hear any feedback about what happens to the device in the following chapters and scenarios. In my experience the behavior depends on many factors, but the following should be a good starting point for a discussion:

Windows

Assumption: Device is Entra ID joined.

Registered or enrolled in:

Entra ID + Intune + Autopilot

Delete in            Result
Entra ID             – Cannot be deleted as long as the device is still registered in Autopilot.
Intune               – Device is removed from the Company Portal.
                     – Can't install apps from the Company Portal.
                     – Intune client software (if installed) will be removed from the computer.
                     – Device no longer receives automatic software updates or antivirus updates from the Intune service.
Microsoft Autopilot  – Device can only be deleted after the device object is deleted from the Intune portal.
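The ordering constraints in the table above (Autopilot only after Intune, Entra ID only after Autopilot) are easy to get wrong by hand. As an added example, not the post's tool and not Microsoft's code, the function below removes one Windows device from all three services in that order and polls until the Autopilot registration is really gone before touching Entra ID. It assumes the three Microsoft.Graph modules from the Requirements section plus the Device.ReadWrite.All permission for the Entra ID step, which the Requirements list does not mention; function and parameter names and the serial number are illustrative.

```powershell
# Added example, not the Get-IntuneOffboardingTool code. Deletes one Windows
# device from Intune, then Autopilot, then Entra ID, in the order the table
# above requires. Assumes the three Microsoft.Graph modules from the
# Requirements section and, for the Entra ID step, Device.ReadWrite.All
# (not in the page's permission list). Names below are illustrative.
#Requires -Modules Microsoft.Graph.DeviceManagement, Microsoft.Graph.DeviceManagement.Enrollment, Microsoft.Graph.Identity.DirectoryManagement

function Remove-WindowsDeviceEverywhere {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $SerialNumber,
        [int] $TimeoutSeconds = 300   # how long to wait for the asynchronous Autopilot delete
    )

    $serial = $SerialNumber -replace "'", "''"   # keep the OData filters well-formed

    # Look up all three records first so we know which steps apply.
    $intune    = @(Get-MgDeviceManagementManagedDevice -Filter "serialNumber eq '$serial'")
    $autopilot = @(Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -Filter "contains(serialNumber,'$serial')" |
                   Where-Object { $_.SerialNumber -eq $SerialNumber })
    if ($intune.Count -gt 1 -or $autopilot.Count -gt 1) {
        throw "Serial '$SerialNumber' is ambiguous (Intune: $($intune.Count), Autopilot: $($autopilot.Count)); refusing to guess."
    }

    # The Entra ID object is linked through the device id that both Intune and Autopilot carry.
    $aadDeviceId = $null
    if ($intune.Count -eq 1)        { $aadDeviceId = $intune[0].AzureAdDeviceId }
    elseif ($autopilot.Count -eq 1) { $aadDeviceId = $autopilot[0].AzureActiveDirectoryDeviceId }
    $entra = if ($aadDeviceId) { @(Get-MgDevice -Filter "deviceId eq '$aadDeviceId'") } else { @() }

    if ($intune.Count + $autopilot.Count + $entra.Count -eq 0) {
        Write-Warning "Serial '$SerialNumber' is unknown to Intune, Autopilot and Entra ID; nothing to do."
        return
    }

    # Step 1: Intune. Autopilot refuses to delete while the Intune object still exists.
    if ($intune.Count -eq 1 -and $PSCmdlet.ShouldProcess("Intune: $($intune[0].DeviceName)", 'Delete')) {
        Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $intune[0].Id
    }

    # Step 2: Autopilot. The delete is asynchronous, so poll until the record is really gone;
    # Entra ID refuses to delete the device while the Autopilot registration exists.
    if ($autopilot.Count -eq 1 -and $PSCmdlet.ShouldProcess("Autopilot: $SerialNumber", 'Delete')) {
        $apId = $autopilot[0].Id
        Remove-MgDeviceManagementWindowsAutopilotDeviceIdentity -WindowsAutopilotDeviceIdentityId $apId
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        $gone = $false
        while (-not $gone -and (Get-Date) -lt $deadline) {
            try {
                Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -WindowsAutopilotDeviceIdentityId $apId -ErrorAction Stop | Out-Null
                Start-Sleep -Seconds 10
            } catch {
                $gone = $true   # the lookup now fails (404): registration removed. Any error counts; tighten to 404 if needed.
            }
        }
        if (-not $gone) { throw "Autopilot record $apId still present after $TimeoutSeconds s; not touching Entra ID." }
    }

    # Step 3: Entra ID. Removing this object is what actually revokes device-based Conditional Access trust.
    if ($entra.Count -eq 1 -and $PSCmdlet.ShouldProcess("Entra ID: $($entra[0].DisplayName)", 'Delete')) {
        Remove-MgDevice -DeviceId $entra[0].Id
    }

    [pscustomobject]@{
        SerialNumber = $SerialNumber
        IntuneId     = if ($intune.Count)    { $intune[0].Id }    else { $null }
        AutopilotId  = if ($autopilot.Count) { $autopilot[0].Id } else { $null }
        EntraId      = if ($entra.Count)     { $entra[0].Id }     else { $null }
    }
}

# Usage: dry run first; ConfirmImpact = High then prompts before each real delete.
# Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All','DeviceManagementServiceConfig.ReadWrite.All','Device.ReadWrite.All'
# Remove-WindowsDeviceEverywhere -SerialNumber 'EXAMPLE123' -WhatIf
# Remove-WindowsDeviceEverywhere -SerialNumber 'EXAMPLE123'
```

Deleting the Autopilot registration is the step that gives up ownership of the hardware (the device will no longer go through Autopilot in OOBE), so keep the interactive confirmation unless the serial numbers come from a vetted list.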

Entra ID + Intune

Delete in   Result
Entra ID    – Prevents access to resources that use the device as an identity (e.g. Conditional Access).
            – The user will be logged out of all Microsoft 365 Apps.
            – The user profile is deleted if it belongs to an AAD user; local user accounts remain usable.
            – Removes access to the device for AAD users (regaining access works only with a separate local admin account).
Intune      – Unenrollment: the device is unenrolled from Intune management, so Intune no longer has any control over it.
            – Removal of managed applications: any applications that were installed through Intune are removed.
            – Loss of access to corporate data: if Intune was used to manage access to corporate data (like email), the device loses that access.

Only in Entra ID

Delete in   Result
Entra ID    – Prevents access to resources that use the device as an identity (e.g. Conditional Access).
            – The user will be logged out of the M365 Apps on the device.

Only in AutoPilot

Delete in   Result
Autopilot   – Autopilot will not work in OOBE.

Apple

Assumption: Device is Entra ID registered.

Registered or enrolled in:

Entra ID + Intune + Apple Business Manager

The device can be deleted from all services without a specific order.

Delete in               Result
Entra ID                – Deleting the Entra ID device does not remove the registration on the client. It only prevents access to resources that use the device as an identity (e.g. Conditional Access).
                        – The user will be logged out of the M365 Apps on the device.
Intune                  – Unenrollment: the device is unenrolled from Intune management, so Intune no longer has any control over it.
                        – Removal of managed applications: any applications that were installed through Intune are removed.
                        – Loss of access to corporate data: if Intune was used to manage access to corporate data (like email), the MacBook loses that access.
Apple Business Manager  – Automated Device Enrollment won't work in Setup Assistant.

Entra ID + Intune

The device can be deleted from both services without a specific order.

Delete in   Result
Entra ID    – Deleting the Entra ID device does not remove the registration on the client. It only prevents access to resources that use the device as an identity (e.g. Conditional Access).
            – The user will be logged out of the M365 Apps on the device.
Intune      – Unenrollment: the device is unenrolled from Intune management, so Intune no longer has any control over it.
            – Removal of managed applications: any applications that were installed through Intune are removed.
            – Loss of access to corporate data: if Intune was used to manage access to corporate data (like email), the MacBook loses that access.

Only in Entra ID

Delete in   Result
Entra ID    – Prevents access to resources that use the device as an identity (e.g. Conditional Access).
            – The user will be logged out of the M365 Apps on the device.

Only in Apple Business Manager

Delete in               Result
Apple Business Manager  – Automated Device Enrollment won't work in Setup Assistant.

Linux

Assumption: Device is Entra ID registered.

Registered or enrolled in:

Entra ID + Intune

The device can be deleted from both services without a specific order.

Delete in   Result
Entra ID    – Prevents access to resources that use the device as an identity (e.g. Conditional Access).
            – The user will be logged out of the M365 Apps on the device.
Intune      – Unenrollment: the device is unenrolled from Intune management, so Intune no longer has any control over it.
            – Removal of managed applications: any applications that were installed through Intune are removed.
            – Loss of access to corporate data: if Intune was used to manage access to corporate data (like email), the device loses that access.

Only in Entra ID

Delete in   Result
Entra ID    – Prevents access to resources that use the device as an identity (e.g. Conditional Access).
            – The user will be logged out of the M365 Apps on the device.

Android

Assumption: Device is Entra ID registered.

Registered or enrolled in:

Entra ID + Intune + Android Enterprise

Delete in           Result
Entra ID            – Deleting the Entra ID device does not remove the registration on the client. It only prevents access to resources that use the device as an identity (e.g. Conditional Access).
Intune              – Unenrollment: the device is unenrolled from Intune management, so Intune no longer has any control over it.
                    – Removal of managed applications: any applications that were installed through Intune are removed.
                    – Loss of access to corporate data: if Intune was used to manage access to corporate data (like email), the device loses that access.
Android Enterprise  – Zero-touch enrollment will not work.

Entra ID + Intune

Delete in   Result
Entra ID    – Deleting the Entra ID device does not remove the registration on the client. It only prevents access to resources that use the device as an identity (e.g. Conditional Access).
Intune      – Unenrollment: the device is unenrolled from Intune management, so Intune no longer has any control over it.
            – Removal of managed applications: any applications that were installed through Intune are removed.
            – Loss of access to corporate data: if Intune was used to manage access to corporate data (like email), the device loses that access.

Only in Entra ID

Delete in   Result
Entra ID    – Prevents access to resources that use the device as an identity (e.g. Conditional Access).

Only in Android Enterprise

Delete in           Result
Android Enterprise  – Zero-touch enrollment will not work.

Any suggestions or questions? Please message me on Twitter: UgurKocDe