JamesEdmonds-7766 asked saldana-msft edited

Intune/AutoPilot Cleanup/Fresh Start Queries

Hi,

My predecessor was toying with Intune, AutoPilot and ConfigManager. He never really followed through on any one of those things and has left a few little remnants I'd like to clean up before I finish off those projects.

I am therefore hoping someone can advise me accordingly on several queries:
1. There are two autopilot devices that are in active use. I assume I cannot delete these from being autopilot devices in endpoint manager without impacting the end users, and they would need to be returned and reset after deleting as autopilot devices?
2. I have a device that shows up in Azure AD as an autopilot device, that does not appear as an autopilot device in endpoint manager. Is there a way I can restore its status so it shows as a normal, not-autopilot device (I believe this device is in active service)?
3. As we use Azure AD Connect to sync computer objects, I am finding a handful of Azure AD devices listed, that no longer exist on premise. Does AADC not delete devices from Azure AD when they are deleted from on-prem AD? Additionally, does AADC rename computer objects in Azure if renamed on-prem?
4. I have devices listed in Azure AD with their MDM as System Center Config Manager. We do not have any existing on-prem Config Manager deployment, so can I safely delete these from Intune and will this update the MDM listed in Azure AD to "None"?
5. I have a device in Azure AD showing MDM as Config Manager, but it does not appear in Intune. How can I correct its state to be just "None"?
6. Similarly, I have multiple devices in Azure AD whose MDM shows as Intune, yet they do not appear in Intune. How can I revert their MDM state to "None"?
7. Lastly, for those devices in a weird state, can I simply delete them from Azure AD, and will AADC correctly recreate them during its next sync if they still exist on premise?


Sorry to put them all into one topic, but it's all part and parcel of the same cleanup exercise.

Thanks
James



JarvisSun-MSFT answered JamesEdmonds-7766 commented

@JamesEdmonds-7766 Thanks for posting in our Q&A.
From your description, I know that we are working on cleaning and resetting some autopilot devices. If there is any misunderstanding, please feel free to let us know. As far as I know, you can manage devices for your organization and apply an Autopilot deployment profile to your devices.

For more information about Windows AutoPilot, in combination with Microsoft Intune and the different configuration options, please refer to:

Overview of Windows AutoPilot: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot

Manage Windows device deployment with Windows AutoPilot Deployment: https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices

Delete an Azure AD device: https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal#delete-an-azure-ad-device

Windows Autopilot Reset: https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot-reset





Thanks.

I am looking for specific answers to those questions, however, and I don't think most are covered by the MS documentation listed.

Cheers
James

JayK-4548 answered JamesEdmonds-7766 commented

I'm still new to this. I don't work at MS. Here's my understanding:

  1. I think you can technically remove them from the autopilot devices list, but I err on the safe side. If it is in service, then I'd suggest that you just leave it in that list. It is possible to do autopilot remotely if you have the HWID, and it sounds like you're hybrid. So, you'd need VPN before Windows login to autopilot offsite. It's doable, but easier onsite.

  2. No. If it is not in the Intune Devices or Autopilot Devices lists, then the only way to get it out of that locked state is to delete it from on-prem AD and AADC will sync that change. Why worry about it though?

  3. Deletes should replicate from AD to AAD (one way). I'm pretty sure that you can delete from AAD without worry, and anything that is on-premise will re-sync with AAD... BUT, check the registration type to be sure it's a hybrid joined device, and not just a registered device. If it's the latter, then it could be a personal device and deleting it could disconnect them.

  4. I'm less sure about this one. I'm always hesitant deleting things when I don't know where it came from. Are they personal devices? Guest devices managed by config mgr at another company?

  5. I think you can safely delete it from AAD (especially after hours) and AADC will sync it back. This should probably clear the wrong MDM.

  6. Same answers apply. Again, be sure they aren't guest devices only "registered" in your tenant, but managed by another Intune MDM? If you delete, are you cutting off their access?

  7. Yes. Best to do after hours when possible.


Thanks!

  1. I will probably look to remove them from autopilot device list, as I do not believe that has any bearing on the MDM state, and we are unlikely to utilise autopilot for the near term. This just allows us to clear things up so when we do start using it, it's a proper blank slate.

  2. I ended up in a support ticket with MS on this, and after running some behind-the-scenes PowerShell commands, we got the device state rectified. The reason to worry about it is that, as an identifier of the device state, if it's wrong, it's wrong, and can lead to confusion or mismanagement of a device. It's the same kind of principle as a device's MDM authority showing something incorrect: it can lead you to look in the wrong place when trying to diagnose issues. These identifiers should be accurate!

  3. We will likely complete an AD cleanup, then proceed with deleting all Hybrid joined devices from AAD and resyncing them all.

  4. As there are only a small number of devices, we will just tackle any fallout of doing the deletions from above on the devices once done. At worst, we will just need to disconnect and reconnect them from AD/AAD. All devices are either registered (phones) or Hybrid joined (PCs and laptops)

  5. Will complete as part of 3

  6. As above. We are only focused on hybrid joined devices

  7. As above


Many thanks
James
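
The registration-type check suggested in the answer above, as an added example that is not part of the original thread: it sorts Azure AD device records into hybrid, registered and Azure AD joined before anything is deleted. The device list is constructed sample data; the `TrustType` values follow the Microsoft Graph device resource (`ServerAd` = hybrid joined, `Workplace` = registered, `AzureAd` = Azure AD joined), while the `Mdm` column and the function name `Get-DeviceCleanupPlan` are hypothetical.

```powershell
# Constructed sample data. In a real tenant the Azure AD list could come from
# Get-MgDevice -All (Microsoft Graph PowerShell) and the on-prem names from
# Get-ADComputer; both sources are assumptions, not taken from the thread.
# 'Mdm' is a hypothetical column mirroring the portal's MDM column.
$aadDevices = @(
    [pscustomobject]@{ DisplayName = 'PC-001';     TrustType = 'ServerAd';  Mdm = 'None' }
    [pscustomobject]@{ DisplayName = 'PC-002';     TrustType = 'ServerAd';  Mdm = 'System Center Configuration Manager' }
    [pscustomobject]@{ DisplayName = 'LT-OLD-07';  TrustType = 'ServerAd';  Mdm = 'Microsoft Intune' }
    [pscustomobject]@{ DisplayName = 'Phone-JS';   TrustType = 'Workplace'; Mdm = 'None' }
    [pscustomobject]@{ DisplayName = 'LT-CLOUD-1'; TrustType = 'AzureAd';   Mdm = 'Microsoft Intune' }
)
$onPremComputers = @('PC-001', 'PC-002')   # constructed: names still present in on-prem AD

function Get-DeviceCleanupPlan {
    param(
        [Parameter(Mandatory)] [object[]] $AadDevices,
        [Parameter(Mandatory)] [string[]] $OnPremNames
    )
    foreach ($d in $AadDevices) {
        $inAd = $OnPremNames -contains $d.DisplayName   # -contains is case-insensitive
        $action = switch ($d.TrustType) {
            'ServerAd' {
                if ($inAd) { 'Hybrid, still on-prem: candidate for delete and resync' }
                else       { 'Hybrid, missing on-prem: stale, candidate for delete' }
            }
            'Workplace' { 'Registered only: confirm owner before touching' }
            'AzureAd'   { 'Azure AD joined: no on-prem object, leave alone' }
            default     { 'Unknown trust type: review manually' }
        }
        [pscustomobject]@{
            DisplayName = $d.DisplayName
            TrustType   = $d.TrustType
            Mdm         = $d.Mdm
            InOnPremAD  = $inAd
            Action      = $action
        }
    }
}

# Print the plan for review; nothing is deleted by this script.
Get-DeviceCleanupPlan -AadDevices $aadDevices -OnPremNames $onPremComputers |
    Sort-Object TrustType, DisplayName |
    Format-Table -AutoSize
```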


