Cleanup duplicated devices in Intune

In nearly every environment I find duplicated devices, which make most reports incorrect and make it hard for the support staff to find the correct device for a user. This script removes every device that has another object with the same serialNumber and is not the one that connected to the Intune service last. But what leads to duplicated entries? Most often a user resets a device and simply re-enrolls it. One option is to use the Intune Connector for Active Directory Extender, which can clean up duplicated devices automatically when the user re-enrolls a Windows device. But this works only for Hybrid Joined Windows devices; for all others it is necessary to clean them up at a scheduled interval.
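The selection logic described above, written out as an added example that is not the author's Invoke-IntuneCleanup script. It assumes the property names Get-IntuneManagedDevice returns (id, serialNumber, lastSyncDateTime, azureADDeviceId), and the list of placeholder serial numbers is an assumption too; it also skips devices whose serial number is empty or a vendor placeholder, because grouping on those would treat unrelated devices as twins.

```powershell
function Get-DuplicateIntuneDevice {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-IntuneManagedDevice output (assumed property names).
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Device,

        # Assumed placeholder serials: grouping on them would collapse unrelated
        # devices into one group, so they are ignored instead of cleaned up.
        [string[]]$IgnoredSerial = @('Default string', 'System Serial Number', 'To be filled by O.E.M.')
    )
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { foreach ($d in $Device) { $all.Add($d) } }
    end {
        $candidates = $all | Where-Object {
            -not [string]::IsNullOrWhiteSpace($_.serialNumber) -and
            ($IgnoredSerial -notcontains $_.serialNumber.Trim())
        }
        foreach ($group in ($candidates | Group-Object -Property serialNumber)) {
            if ($group.Count -lt 2) { continue }
            # Keep the object that synced last; every other object in the group is stale.
            $ordered = $group.Group | Sort-Object -Property { [datetime]$_.lastSyncDateTime } -Descending
            $ordered | Select-Object -Skip 1
        }
    }
}

# Constructed sample data (not a real tenant) covering a genuine duplicate,
# two devices sharing a placeholder serial, and a device without a twin.
$sample = @(
    [pscustomobject]@{ id='1'; deviceName='LAPTOP-A'; serialNumber='SN123'; lastSyncDateTime='2019-09-01T08:00:00Z'; azureADDeviceId='aad-1' }
    [pscustomobject]@{ id='2'; deviceName='LAPTOP-A'; serialNumber='SN123'; lastSyncDateTime='2019-09-10T08:00:00Z'; azureADDeviceId='aad-2' }
    [pscustomobject]@{ id='3'; deviceName='VM-01';    serialNumber='Default string'; lastSyncDateTime='2019-09-10T08:00:00Z'; azureADDeviceId='aad-3' }
    [pscustomobject]@{ id='4'; deviceName='VM-02';    serialNumber='Default string'; lastSyncDateTime='2019-09-11T08:00:00Z'; azureADDeviceId='aad-4' }
    [pscustomobject]@{ id='5'; deviceName='PHONE-B';  serialNumber='SN999'; lastSyncDateTime='2019-09-05T08:00:00Z'; azureADDeviceId='aad-5' }
)
# Only id 1 comes back: the older twin of SN123. Ids 3 and 4 are left alone.
$sample | Get-DuplicateIntuneDevice

# Against a real tenant after Connect-MSGraph, review before removing anything.
# Get-MSGraphAllPages is needed because Get-IntuneManagedDevice returns one page by default.
# Get-IntuneManagedDevice | Get-MSGraphAllPages | Get-DuplicateIntuneDevice | Out-GridView
```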

Before executing the Cmdlet you should install the Intune PowerShell module by executing:

Install-Module Microsoft.Graph.Intune

And connect to your Intune environment:

Connect-MSGraph

Download the script from Github

On the first run I recommend checking which devices would be removed by executing it with “-WhatIf”:

.\Invoke-IntuneCleanup -Whatif | Out-GridView

Now we can verify the result in the Intune console. We see that the script was correct: there are two entries for the serial number, and it returned the older device based on the last sync information.

Next we can start the actual cleanup. There are two options: do it manually, or let the Cmdlet do the work.

Manual and controlled removal

Execute the following command:

.\Invoke-IntuneCleanup -Whatif | Out-GridView -OutputMode Multiple | ForEach-Object { Remove-DeviceManagement_ManagedDevices -managedDeviceId $_.id }

Then you get a grid view where you can select the devices to remove and click OK.

IMPORTANT: This does not delete the AzureAD Device Object! This is because:

  • In some conditions a device generates a new object in Azure AD, but because BitLocker was already enabled the recovery key is not written to the new object.
  • If you are using Autopilot you should also not clean up AzureAD objects, because they hold the Autopilot hashes. THANKS Karsten Kleinschmidt for this feedback.
If you are not using Autopilot and would like to remove old AzureAD objects, I recommend checking that the BitLocker recovery key exists on the new object and, if necessary, triggering the backup of the recovery key by deploying a PowerShell script over Intune to the devices with a missing BitLocker recovery key:

# Narrow scope to the applicable recovery protector(s)
$AllProtectors = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector
$RecoveryProtectors = $AllProtectors | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }

# Push each recovery password to Azure AD (a volume can carry more than one recovery protector)
foreach ($RecoveryProtector in $RecoveryProtectors) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorId
}

If you did that, or you would like to delete the corresponding AzureAD object anyway, then you need to connect to Azure AD (Connect-AzureAD) and modify the above lines to:

$devicesToRemove = .\Invoke-IntuneCleanup -Whatif | Out-GridView -OutputMode Multiple

foreach ($deviceToRemove in $devicesToRemove) {
    Remove-DeviceManagement_ManagedDevices -managedDeviceId $deviceToRemove.id
    # azureADDeviceId is the AAD "deviceId" attribute, not the directory object id,
    # and Remove-AzureADDevice expects the ObjectId, so look the object up first
    $aadDevice = Get-AzureADDevice -Filter "deviceId eq '$($deviceToRemove.azureADDeviceId)'"
    if ($aadDevice) { Remove-AzureADDevice -ObjectId $aadDevice.ObjectId }
}

Automatic removal

The automatic removal is simple, just run:

.\Invoke-IntuneCleanup

And everything is done for you. In most cases I execute this on a schedule in Azure Automation or another scheduling engine.

IMPORTANT: This does not delete the AzureAD Device Object! If you need this, then please use the manual and controlled way as explained above.

I hope this script helps you like me. If you have feedback just leave a comment :).

Thomas Kurth

I’m a consultant, trainer and architect for modern workplace and enterprise mobility projects with Microsoft Technologies in the past eight years. I love to push and design the modern workplace based on Windows 10, EM&S and O365 for my customers which is the only answer for the current security threats, agile world and the fast-changing business requirements of my customers. Important for me is to simplify and automate the operational processes, because there are the highest costs.
Enterprise Administrator Expert, MCT, CMCE

1 Comment

Dowst.Dev | PowerShell Weekly – September 20, 2019 · September 20, 2019 at 13:54

[…] Cleanup duplicated devices in Intune Cleanup duplicated Windows10 devices in Intune! PowerShell ModernWorkplace WindowsAutopilot s://t.co/e98JdwhYED […]
