Cleaning Up Duplicated Hybrid Devices objects in Microsoft Intune…
I have seen on multiple occasions, many duplicated hybrid devices or hybrid devices sitting in a Registered:Pending state which make reports show incorrect data and it makes it vary hard for the administrators to find the correct device for a user. I found a script on GitHub that basically removes all devices which have another object with the same serialNumber and is not the one which connected last to Microsoft Intune. Why does this happens? This most likely happens when a device is reset and re-enroll back into Intune. An option to clean this up is to use the Intune Connector for Active Directory Extender which can clean up duplicated devices automatically when the user re-enrolls the Windows devices. But this works only for Hybrid Azure AD Joined Windows devices, for others device types, clean them up leveraging a scheduled task of some sort.
- Before executing the Cmdlet you should install the Intune PowerShell module by executing:
- Install-Module Microsoft.Graph.Intune
- Next connect to your Intune environment:
- Connect-MSGraph
- Download the script from Github.
- Then on the first run I recommend checking first which devices would be removed by executing it with “-WhatIf”:
- .\Invoke-IntuneCleanup -Whatif | Out-GridView
- Now we can verify the result in the Intune console.
- We see that the script was correct, there are two entries for the serial Number and it returned the older device based on the last Sync information.
- Next we can start the work and cleanup. There are two options, do it manually or let the Cmdlet just work.
Manually Control the Removal of Duplicates
- Execute the following PowerShell command:
.\Invoke-IntuneCleanup -Whatif | Out-GridView -OutputMode Multiple | foreach-Object { Remove-DeviceManagement_ManagedDevices -managedDnot connectedeviceId $_.id }
- Then you will get a grid view where you can select the devices to remove and click on ok.
IMPORTANT: This does not delete the AzureAD Device Object! This is because:
- In some conditions a device is generating a new object in Azure AD, but because Bitlocker was already enabled the Recovery Key is not written to the actual object.
- If you are using Autopilot you should also not cleanup AzureAD Objects because they are holding the AzureAD hashes. THANKS Karsten Kleinschmidt for this feedback.
- If you are not using Autopilot and would like to remove old AzureAD objects I recommend to check the existence of the Bitlocker recovery key on the new object and if necessary to trigger the backup of the recovery key by deploying a PowerShell script over Intune to your devices with a missing Bitlocker recovery key:
#Narrow scope to applicable recovery protector
$AllProtectors = (Get-BitlockerVolume -MountPoint $env:SystemDrive).KeyProtector
$RecoveryProtector = ($AllProtectors | where-object { $_.KeyProtectorType -eq "RecoveryPassword" })
#Push Recovery Passoword AAD
BackupToAAD-BitLockerKeyProtector $env:systemdrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
-
- If you did that or are you would like to delete the according AzureAD object, then you need to Connect to Azure AD (Connect-AzureAD) and then modify the above Lines to:
$devicesToRemove = .\Invoke-IntuneCleanup -Whatif | Out-GridView -OutputMode Multiple
foreach($deviceToRemove in $devicesToRemove) {
Remove-DeviceManagement_ManagedDevices -managedDnot connectedeviceId $deviceToRemove.id
Remove-AzureADDevice -ObjectId $deviceToRemove.azureADDeviceId
}
Automatic Removal
The automatic removal is just simple, just run:
.\Invoke-IntuneCleanup
And all is done for you. In most cases I execute this scheduled on Azure automation or another schedule engine.
IMPORTANT: This does not delete the Azure AD Device Object! If you need this, then please use the manual and controlled way a explained above.