Imagine this: an employee returns from an extended leave only to find Intune cleaned out a device. It’s a frustrating situation that can happen more often than you’d think when automated clean-up rules in Intune kick in. In this post, I’ll dive into how Intune’s device clean-up rules work and—more importantly—how you can quickly get these devices back up and running without losing time or data. Let’s make sure unexpected clean-ups don’t turn into unexpected headaches!
The Intune Cleanup Rule
Intune’s enhanced device cleanup rules enable administrators to automatically delete devices that haven’t checked in within a specified timeframe (30 to 270 days). This feature helps organize the Intune portal by removing inactive devices and ensuring accurate compliance data.
I will have to choose my poison when defining the number of days a device can go without checking in. Setting a low number risks deleting devices that are only temporarily offline, with the consequences for the user described later in this post.
An improvement to the device clean-up rules would be to have an option to add exclusions, such as a group of devices known to be offline for long periods of time. Let’s hope this will come in a future release of Microsoft Intune.
Note! Devices removed by the clean-up rule can reappear if they check in within 180 days and their Intune certificate is still valid, as Intune retains these records for auto-recovery.
Note!! It is important to know that this routine does not clean these devices from Entra ID or Autopilot. This is due to security measures, as the Entra ID object contains both the BitLocker keys and the LAPS password for the device, and the Autopilot registration ties the device to your tenant. Community solutions are available to clean these registrations, but be careful with them since this data can be vital for you. After all, Microsoft didn’t clean out devices from your Active Directory either.
The Experience When Intune Cleaned Out A Device
Extended vacations or absences due to pregnancy and childcare are often the reasons behind the scenario discussed here. Still, it could also be devices that, for other reasons, have been without internet access for a long time. As a consultant, I have onboarded several virtual test devices in different tenants. From time to time, I experience these being cleaned out from Intune. I typically find a message in the Company Portal saying, “This device is already set up in another organization.”
When looking inside Intune, I will see the device missing.
The device will still be available in Entra ID, which is good since this object holds the BitLocker key and the LAPS password.
As the details above show, the device is registered in Entra ID (and Autopilot), and it even says Microsoft Intune manages it.
When a device falls out of Intune management, there are many challenges. The obvious issue is the lack of proper management to keep the device updated and secure, which might not be noticeable to the user. However, the user will likely experience problems due to the device’s non-compliance status, preventing it from meeting Conditional Access policies that require a compliant device.
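The screenshots above show the gap this post is about: an Entra ID device object that still says Microsoft Intune manages it, while Intune itself has no record of the device. The following script, added here as an example and not part of the original post or its GitHub repository, finds that gap across the tenant by cross-referencing Entra ID devices flagged as managed against the AzureAdDeviceId values Intune still knows about. It assumes the Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Beta.DeviceManagement modules are installed and that the signed-in account can consent to the two read scopes.

```powershell
# Added example (not from the original post): list Entra ID device objects that
# report MDM management but have no matching Intune managed-device record.
# Assumes Microsoft.Graph.Identity.DirectoryManagement and
# Microsoft.Graph.Beta.DeviceManagement are installed.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.DeviceManagement
Connect-MgGraph -Scopes "Device.Read.All", "DeviceManagementManagedDevices.Read.All" -NoWelcome

# Collect the Entra ID device IDs Intune still has a record for.
# -All follows Graph paging; without it only the first page is returned.
$intuneIds = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-MgBetaDeviceManagementManagedDevice -All -Property AzureAdDeviceId, DeviceName |
    ForEach-Object { if ($_.AzureAdDeviceId) { [void]$intuneIds.Add($_.AzureAdDeviceId) } }

# Entra ID Windows devices marked as managed whose DeviceId is unknown to Intune.
$orphans = Get-MgDevice -All -Filter "operatingSystem eq 'Windows'" `
    -Property DeviceId, DisplayName, IsManaged, ManagementType, TrustType, AccountEnabled, ApproximateLastSignInDateTime |
    Where-Object { $_.IsManaged -and -not $intuneIds.Contains($_.DeviceId) } |
    Select-Object DisplayName, DeviceId, TrustType, ManagementType, AccountEnabled, ApproximateLastSignInDateTime,
        @{Name = "DaysSinceSignIn"; Expression = {
            # ApproximateLastSignInDateTime can be empty for devices that never signed in
            if ($_.ApproximateLastSignInDateTime) { ((Get-Date) - $_.ApproximateLastSignInDateTime).Days } else { $null }
        }} |
    Sort-Object ApproximateLastSignInDateTime

$orphans | Out-GridView -Title "Entra ID devices marked managed but missing from Intune"
```

Devices in this list are the ones whose users will start failing Conditional Access policies that require a compliant device, so it is a useful report to run before and after enabling the cleanup rule. Keep in mind that Intune retains deleted records for auto-recovery for a period, so a device that reappears here after a fresh check-in is expected behaviour, as the note above explains.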
Manually Recover When Intune Cleaned Out A Device
A license is required for devices to be onboarded to Intune, and the licenses are user-centered.
Ensure the user of the device holds a valid license before proceeding. This can typically be a challenge if you are an external consultant at a company short of licenses.
dsregcmd /forcerecovery
The command dsregcmd /forcerecovery will re-register an Entra ID joined Windows device to Microsoft Intune. Running Windows as a standard user, I will have problems running this command.
I need to start this from a prompt running as Administrator. For this, I need to find the LAPS password from the device object in Microsoft Entra ID.
Run Terminal as Admin and use the LAPS credentials found on the device in Entra ID.
From the elevated prompt, I can run the dsregcmd /forcerecovery command. This will open Microsoft Account.
Within the Microsoft Account, I sign in as the licensed primary user of the device. These interactions are branded, confirming I am joining the correct tenant.
Further on, I will use the LAPS account
This process in Microsoft Account now ends like this:
The device is now available in Intune.
Restarting the device and signing in with the password will help me complete the Windows Hello for Business setup.
This concludes the operation, and the user’s Entra ID joined device is now in a compliant state managed by Intune.
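Before and after the recovery above, it is worth confirming what the device itself believes about its join and MDM state. The script below is an added example, not part of the original post: it parses the "Key : Value" lines that dsregcmd /status prints (fields such as AzureAdJoined, TenantName, DeviceId and MdmUrl) into a hashtable and summarises the state. The embedded sample output is constructed for offline testing with placeholder device and tenant values; on a real device you pass the live output of dsregcmd /status instead, which runs fine as a standard user.

```powershell
# Added example (not from the original post): parse dsregcmd /status output so the
# join and MDM enrollment state can be checked before and after dsregcmd /forcerecovery.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Status lines look like "            AzureAdJoined : YES"; section banners and blank lines do not match.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-DeviceRecoveryState {
    param([Parameter(Mandatory)][hashtable]$State)
    [pscustomobject]@{
        EntraJoined = ($State['AzureAdJoined'] -eq 'YES')
        TenantName  = $State['TenantName']
        DeviceId    = $State['DeviceId']
        # A populated MdmUrl means the device holds an MDM enrollment configuration locally.
        MdmEnrolled = -not [string]::IsNullOrWhiteSpace($State['MdmUrl'])
    }
}

# Constructed sample modelled on the dsregcmd /status layout; all values are placeholders.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : 00000000-0000-0000-0000-000000000000

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : PLACEHOLDER-TENANT
                    MdmUrl : https://mdm.example.invalid/placeholder
'@ -split "`r?`n"

$parsed = ConvertFrom-DsregStatus -Lines $sample
Test-DeviceRecoveryState -State $parsed

# On a real device, replace the sample with the live command output:
# $parsed = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
```

One caveat that matches the experience described in this post: a populated MdmUrl only shows that the device still carries its local enrollment configuration. It does not prove that Intune still has a record of the device, which is exactly the state a cleaned-out device is in, so the Intune portal or the Graph report is the authoritative check for the server side.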
Get Insights Into Devices Before Cleaning Out
If you plan to implement the Intune setting to automatically clean out stale devices, it can be a good idea to get insights into devices going beyond your threshold. You can list these devices in the Intune portal by looking at the All Devices blade.
This information is also available using Microsoft Graph, where we can filter and sort devices approaching our configured threshold.
<#
.SYNOPSIS
This script lists all devices that have not synced with Intune for the last 55 days.
Use this script in conjunction with the Intune cleanup process to identify devices that have not synced recently.
.DESCRIPTION
This script lists all devices that have not synced with Intune for the last 55 days. The script uses the Microsoft.Graph.Beta.DeviceManagement module to connect to Microsoft Graph and retrieve the devices.
The script then filters the devices based on the LastSyncDateTime property and calculates the number of days since the last sync. The script outputs the devices to an Out-GridView window.
.NOTES
Author: Simon Skotheimsvik
Version:
1.0.0 - 2024-10-29 - Initial release, Simon Skotheimsvik
#>
# Define the threshold date (55 days ago)
$thresholdDate = (Get-Date).AddDays(-55)
# Import modules and connect to Microsoft Graph
Import-Module Microsoft.Graph.Beta.DeviceManagement
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome
# Get all devices from Microsoft Graph (-All follows paging; without it only the first page is returned),
# filter by LastSyncDateTime, and add DaysSinceLastSync
Get-MgBetaDeviceManagementManagedDevice -All |
Where-Object { $_.LastSyncDateTime -lt $thresholdDate } |
Select-Object LastSyncDateTime,
    @{Name="DaysSinceLastSync"; Expression={ ((Get-Date) - $_.LastSyncDateTime).Days }},
    UserPrincipalName,
    DeviceName,
    Manufacturer,
    Model,
    OperatingSystem,
    OSVersion,
    ComplianceState,
    ManagementState,
    ManagedDeviceOwnerType,
    JoinType,
    ManagementCertificateExpirationDate |
Sort-Object LastSyncDateTime | Out-GridView
The script above is available on my GitHub. It lists devices that have not contacted Intune for over 55 days.
The output from this script was sent to Out-GridView for easy sorting and filtering.
Automatic Warning Before Intune Cleaned Out a Device?
Using insights from the script above, we can develop automation routines to notify admins or end users before a device is removed from Intune management. Since Intune currently doesn’t allow excluding a group of devices from deletion based on their last check-in date, this automation can be essential to maintaining device productivity.
In a follow-up post, I’ll share more details about creating this automation routine.
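To illustrate what such a routine can look like, here is an added example that is not the author’s follow-up automation and not part of this post’s GitHub repository. It takes the listing approach from the script above one step further: given an assumed cleanup threshold of 90 days and a warning window of 14 days, it selects devices whose last check-in falls inside the window before deletion, groups them per primary user, and drafts one warning mail per user using Send-MgUserMail. The sender mailbox is a placeholder, and the script runs as a dry run by default so nothing is sent until you flip the switch.

```powershell
# Added example (not from the original post): warn primary users whose devices are
# approaching the Intune clean-up threshold. Threshold, window and mailbox are assumptions.
$CleanupThresholdDays = 90                                # match your clean-up rule
$WarningWindowDays    = 14                                # how long before deletion to warn
$SendFrom             = 'intune-alerts@contoso.example'   # placeholder sending mailbox
$DryRun               = $true                             # $false sends mail via Graph

Import-Module Microsoft.Graph.Beta.DeviceManagement
Import-Module Microsoft.Graph.Users.Actions
$scopes = @('DeviceManagementManagedDevices.Read.All')
if (-not $DryRun) { $scopes += 'Mail.Send' }
Connect-MgGraph -Scopes $scopes -NoWelcome

$now      = Get-Date
$warnFrom = $now.AddDays(-($CleanupThresholdDays - $WarningWindowDays))  # last sync older than this: inside the window
$deleteAt = $now.AddDays(-$CleanupThresholdDays)                           # last sync older than this: already past threshold

$atRisk = Get-MgBetaDeviceManagementManagedDevice -All -Property DeviceName, UserPrincipalName, LastSyncDateTime, OperatingSystem |
    Where-Object { $_.LastSyncDateTime -and $_.LastSyncDateTime -lt $warnFrom -and $_.LastSyncDateTime -ge $deleteAt } |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, LastSyncDateTime,
        @{Name = 'DaysUntilCleanup'; Expression = { $CleanupThresholdDays - ($now - $_.LastSyncDateTime).Days }}

# Devices without a primary user cannot be mailed; report them to the admin instead.
$atRisk | Where-Object { -not $_.UserPrincipalName } |
    ForEach-Object { Write-Warning "No primary user for $($_.DeviceName); $($_.DaysUntilCleanup) day(s) until clean-up" }

# One message per primary user listing all of that user's at-risk devices.
foreach ($group in ($atRisk | Where-Object UserPrincipalName | Group-Object UserPrincipalName)) {
    $deviceLines = $group.Group | ForEach-Object {
        "  $($_.DeviceName) ($($_.OperatingSystem)) last checked in $($_.LastSyncDateTime.ToString('yyyy-MM-dd')), about $($_.DaysUntilCleanup) day(s) left"
    }
    $body = "Hello,`n`nThe following device(s) have not checked in with Intune for a while and will be removed from management unless they connect soon. Please connect them to the internet and sign in:`n`n$($deviceLines -join "`n")`n"
    $message = @{
        subject      = 'Action needed: your device has not checked in with Intune'
        body         = @{ contentType = 'Text'; content = $body }
        toRecipients = @(@{ emailAddress = @{ address = $group.Name } })
    }
    if ($DryRun) {
        Write-Host "Would notify $($group.Name):`n$body"
    } else {
        Send-MgUserMail -UserId $SendFrom -BodyParameter @{ message = $message; saveToSentItems = $false }
    }
}
```

Running this from a scheduled runbook with an app registration limits the needed permissions to device read and Mail.Send scoped to the alert mailbox. Devices whose last sync is already older than the threshold are deliberately left out of the user mail, since by then the device is about to be, or already has been, removed and belongs in the recovery procedure described earlier rather than in a warning.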
Thanks, amazing work as usual, this was exactly what I was searching for all last week!
Thanks for the feedback Antonino – this is fuel for my passion in sharing both in blogs and as a speaker around the world.🙏
This post has been in the drafts for a while, and I found some inspiration to finish it after our MMS Flamingo Seaside Sessions in Fort Lauderdale a couple of weeks ago.🦩🌴☀️
Brilliant article. I have been dealing with similar scenarios currently. Devices go missing from Autopilot in 10s currently, and I am worried it may end up in 100s soon, as I am managing an estate of 60k devices right now. Just wondering, will the forcerecovery bring back the missing Autopilot device? I mean, will the hardware hash come back? From the audit logs I can’t see that any device was deleted by anyone, and still they just disappear. Any idea?
Thanks
Hi Zahin,
Thanks for your feedback on the article. The routine described in this blog post does *not* remove any devices from Autopilot or Entra ID.
Do you have any automated routines, like PowerShell scripts in a runbook, that manage your Autopilot devices and could potentially impact the devices registered in Autopilot?
Hey, thanks a lot! I was actually looking for this too. Do you know if there’s something similar for iPhones and Androids? Also, what if the device gets removed from Intune and I need to get it back?