How to deduplicate/stale Intune devices via PowerShell?

by | Dec 19, 2018 | Workplace


Have you ever wondered why you see more devices in the Intune console than you are expecting? The answer to this question is likely yes, I do! One of the reasons this happens is that as soon as a device is reinstalled and joins the Intune management system, it gets a new DeviceID. Because of this, you see two device objects for only one physical machine. From a management perspective this is not really a big deal, although any device report contains both objects. As a result, a single report can show the same machine as both 'compliant' and 'not compliant'.

Users are encouraged to re-install their workplaces if they experience any abnormal behavior; this is the modern workplace approach. Because of this, the IT department does not have the ability to remove old devices. Nevertheless, the IT department is usually responsible for the accuracy of reports such as device health, compliance and upgrade reports.

True, you can use the Intune device clean-up feature to remove old/stale devices that have not reported for a while. The current limitation of this feature is that it can only remove stale devices that have not reported for between 90 and 270 days. The majority of enterprise organizations require more accurate reports. Luckily, the Intune PowerShell CMDlets can help us to deduplicate the devices.

Intune for PowerShell (preview)

There are several possible solution directions; I have chosen to work with the PowerShell CMDlets (currently in public preview). Before you can run the script you need to prepare your computer. The steps below describe how you can connect to Intune.

Keep in mind:

  • A Global Admin (Azure) account is required;
  • The PowerShell script contains CMDlets available in the preview version; they may change when the capability becomes generally available (GA);
  • Running the script is at your own risk.

Extract the zip file and copy the net471 folder to a folder on your hard disk.

Tip: a Windows 10 security feature blocks scripts that come from zip files. You can unblock all files with the following command.

get-childitem C:\Temp\Intune-PowerShell\Release\net471 -Recurse | Unblock-File


Open PowerShell and execute the following command:

import-module C:\temp\Intune-PowerShell\Release\net471\Microsoft.Graph.Intune.psd1

You can now connect to the Microsoft Graph. Keep in mind that if this is the first time you are doing this, then you need to use the -AdminConsent parameter. This is only required the first time.

Connect-MsGraph -AdminConsent

Sign in with your Intune Admin credentials and click on ‘Accept’ when prompted to authorise MSGraph.

You are now successfully connected.

#The script  – Deduplicate Intune devices

# Requires an active Connect-MSGraph session.
$ALLmanagedDevices  = Get-DeviceManagement_ManagedDevices  | Get-MSGraphAllPages
# The parentheses matter: without them every configurationManagerClientMDM device matches, whatever its operating system.
$managedDevices     = $ALLmanagedDevices | Where-Object {$_.operatingsystem -eq "Windows" -and ($_.ManagementAgent -eq "MDM" -or $_.ManagementAgent -eq "configurationManagerClientMDM")}
# Skip records without a serial number; otherwise they would all count as duplicates of one another.
$managedDevices     = @($managedDevices | Where-Object {$_.SerialNumber})
$ALLDeviceSerial    = $managedDevices.SerialNumber
$UniqueSerial       = @($ALLDeviceSerial | select -Unique)
$DoubleSerial       = $managedDevices.Count - $UniqueSerial.Count
$CountRemovedDev    = 0

write-host Total devices                    : $managedDevices.Count
write-host Total unique devices             : $UniqueSerial.Count
write-host Count of Double serial numbers   : $DoubleSerial

# Serial numbers that occur more than once; -Unique ensures each serial is processed only once.
$DoubleDevice = (Compare-Object -ReferenceObject $UniqueSerial -DifferenceObject $ALLDeviceSerial).inputobject | select -Unique

foreach ($device in $DoubleDevice) {
    # Newest sync first: the first record is kept, all others are removed.
    $x = $managedDevices | Where-Object {$_.SerialNumber -eq $device} | Sort-Object lastSyncDateTime -Descending
    $KEEP = ($x[0])
    $DEL = $X | Where-Object {$_.managedDeviceId -ne $KEEP.managedDeviceId}
    write-host Checking device status serial $X.SerialNumber[0] -ForegroundColor Yellow
    write-host Keep $keep.deviceName LastSyncTime $keep.lastSyncDateTime PrimaryUser $keep.userPrincipalName  -ForegroundColor Green
    foreach ($split in $del) {
        $CountRemovedDev++
        write-host Remove $split.deviceName LastSyncTime $split.lastSyncDateTime userPrincipalName $split.userPrincipalName   -ForegroundColor Yellow
        write-host $split.deviceName is removed!!! -ForegroundColor Red
        #Enable this option below to remove retired windows 10 installation
        remove-DeviceManagement_ManagedDevices -managedDeviceId $split.managedDeviceId
    }
}
write-host Total removed devices   : $CountRemovedDev

# Refresh the inventory, select inactive EAS records with unknown compliance, and export the full list.
$ALLmanagedDevices  = Get-DeviceManagement_ManagedDevices  | Get-MSGraphAllPages
$XX = $ALLmanagedDevices | Where-Object {$_.easActivated -like "$false" -and $_.ManagementAgent -eq "eas" -and $_.compliancestate -eq "unknown"}
$ALLmanagedDevices  | export-csv -Path C:\temp\Intune-Inventory.csv -NoTypeInformation -Force

# Waits for Enter before the EAS records are removed.
pause 1

foreach ($UNdevice in $xx) {
    remove-DeviceManagement_ManagedDevices -managedDeviceId $UNdevice.managedDeviceId
    write-host $UNdevice.managedDeviceId
}
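
A dry-run variant of the duplicate selection above, added here as an example and not part of the original script: it builds a keep/remove plan from device records without calling Intune, so the plan can be reviewed before anything is deleted. The function name `Get-DuplicateDevicePlan`, the `-MinAgeDays` review threshold and the sample records are assumptions made for illustration.

```powershell
# Added example: builds a keep/remove plan offline; nothing is deleted here.
function Get-DuplicateDevicePlan {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        # Assumption: duplicates that synced within this many days are flagged for review, not removal.
        [int] $MinAgeDays = 0,
        [datetime] $Now = (Get-Date)
    )
    $Devices |
        # Records without a serial number cannot be matched safely, so they are left alone.
        Where-Object { -not [string]::IsNullOrWhiteSpace($_.SerialNumber) } |
        # Normalise case and whitespace so 'abc123 ' and 'ABC123' land in the same group.
        Group-Object { $_.SerialNumber.Trim().ToUpperInvariant() } |
        Where-Object Count -gt 1 |
        ForEach-Object {
            $serial = $_.Name
            $sorted = @($_.Group | Sort-Object { [datetime]$_.lastSyncDateTime } -Descending)
            $keep   = $sorted[0]   # newest sync wins, as in the script above
            foreach ($d in $sorted) {
                $age = ($Now - [datetime]$d.lastSyncDateTime).TotalDays
                [pscustomobject]@{
                    SerialNumber     = $serial
                    Action           = if ($d.managedDeviceId -eq $keep.managedDeviceId) { 'Keep' }
                                       elseif ($age -lt $MinAgeDays) { 'Review' }
                                       else { 'Remove' }
                    deviceName       = $d.deviceName
                    lastSyncDateTime = $d.lastSyncDateTime
                    managedDeviceId  = $d.managedDeviceId
                }
            }
        }
}

# Constructed sample records (not real devices); property names follow the script above.
$sample = @(
    [pscustomobject]@{ managedDeviceId='id-1'; deviceName='PC-01'; SerialNumber='ABC123';  lastSyncDateTime=[datetime]'2018-12-18' }
    [pscustomobject]@{ managedDeviceId='id-2'; deviceName='PC-01'; SerialNumber='abc123 '; lastSyncDateTime=[datetime]'2018-10-02' }
    [pscustomobject]@{ managedDeviceId='id-3'; deviceName='PC-01'; SerialNumber='ABC123';  lastSyncDateTime=[datetime]'2018-12-17' }
    [pscustomobject]@{ managedDeviceId='id-4'; deviceName='VM-A';  SerialNumber='';        lastSyncDateTime=[datetime]'2018-12-10' }
    [pscustomobject]@{ managedDeviceId='id-5'; deviceName='VM-B';  SerialNumber=$null;     lastSyncDateTime=[datetime]'2018-11-10' }
    [pscustomobject]@{ managedDeviceId='id-6'; deviceName='PC-02'; SerialNumber='XYZ789';  lastSyncDateTime=[datetime]'2018-12-01' }
)
$plan = Get-DuplicateDevicePlan -Devices $sample -MinAgeDays 7 -Now ([datetime]'2018-12-19')
$plan | Format-Table -AutoSize
# After review, the 'Remove' rows can be passed to the cmdlet the script uses:
# $plan | Where-Object Action -eq 'Remove' | ForEach-Object { Remove-DeviceManagement_ManagedDevices -managedDeviceId $_.managedDeviceId }
```

Against live data, pass the filtered `$managedDevices` collection from the script as `-Devices` and export the plan to CSV for sign-off before uncommenting the removal line.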
