Autopilot cleanup script

Introduction

Niklas Tinner
2 min read · Jan 12, 2024

Microsoft’s Autopilot service lets Windows devices be registered by their unique hardware hash and associated with your tenant. Every time a Windows device goes through its Out-Of-the-Box Experience (OOBE) it discovers a) whether its hardware hash has been assigned to a tenant, b) which tenant that is and c) which enrollment profile is assigned to it.

IT admins upload hardware hashes/Autopilot identities to the tenant or get them registered by their OEM/vendor. The identities are shown in Intune > Devices > Enroll Windows Devices > Devices:

Windows Autopilot devices overview

Explanation — why you should think about this

Some scenarios are likely to happen that lead to stale Autopilot identities, i.e. devices that should no longer be registered in your tenant:

  • 🙋‍♂️ Employee takes over the device for personal use.
  • 🕶️ Device was stolen.
  • 🔚 Device reaches end of lifecycle.
  • 🛠️ Device is broken and the mainboard (which the hardware hash is mostly tied to) gets replaced. Luckily, Microsoft displays that state in the Autopilot devices overview.
  • 💣 Device is broken or destroyed.

Unfortunately, the deletion of the stale identity in the Autopilot service is often a part that gets forgotten.

Script

My script can be used to report and delete Autopilot identities based on their contact status and last contact date. It queries the Autopilot service and filters devices that either have not contacted the service for a certain number of days ($staleAutopilot) or have never contacted the service at all ($neverContactedAutopilot).

💡 Every time an enrolled device goes online it should contact the Autopilot service and update its “lastContact” attribute.

Use the script to find out which devices may need to be removed from your environment. It can help you with reporting as well as with the cleanup action.

Find the script source below; I am open to improvements 😉

⚠️ The script can cause the deletion of Autopilot identities, so they get permanently removed from the tenant. Run it on your own responsibility and check the content first.

Script tips

  • Ensure that you can give consent to use Graph PowerShell (this is an Enterprise App in Entra) so the script has access to the tenant via PowerShell and Graph.
  • Adjust $minAge to look up identities older than a specific number of days.
  • To get a preview of the devices affected, have a look at the variables $allAutopilot, $staleAutopilot and $neverContactedAutopilot with “| Out-GridView”.
  • If you want to proceed with the deletion on your own responsibility, remove the comment character (#) on line 28 of the script.
  • You cannot delete a device in Entra that is registered for Autopilot. If you delete the Autopilot identity, the Entra device will also be deleted.
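To illustrate the report-then-delete flow described above, here is an added example (my own sketch, not the author's script) that builds the $allAutopilot, $staleAutopilot and $neverContactedAutopilot sets with the Microsoft Graph PowerShell SDK. The $minAge value of 180 days, the CSV file name and the assumption that a never-contacted identity reports $null or DateTime.MinValue in LastContactedDateTime are mine.

```powershell
# Added example, not the author's script: report stale or never-contacted
# Autopilot identities; deletion stays commented out until reviewed.
# Assumes the Microsoft.Graph.DeviceManagement.Enrollment module is installed.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All'

$minAge = 180   # assumed value: days without contact before an identity counts as stale
$cutoff = (Get-Date).AddDays(-$minAge)

# -All follows Graph paging so large tenants are not cut off after the first page.
$allAutopilot = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All

# Assumption: identities that never checked in report $null or
# DateTime.MinValue (0001-01-01) in LastContactedDateTime.
$neverContactedAutopilot = $allAutopilot | Where-Object {
    $null -eq $_.LastContactedDateTime -or
    $_.LastContactedDateTime -eq [datetime]::MinValue
}

# Stale: has contacted the service at some point, but not within $minAge days.
$staleAutopilot = $allAutopilot | Where-Object {
    $null -ne $_.LastContactedDateTime -and
    $_.LastContactedDateTime -ne [datetime]::MinValue -and
    $_.LastContactedDateTime -lt $cutoff
}

# Reporting step: review the candidates before touching anything.
# @() wrapping keeps the concatenation working when a set has 0 or 1 entries.
$report = @($staleAutopilot) + @($neverContactedAutopilot) |
    Select-Object Id, SerialNumber, Manufacturer, Model,
                  LastContactedDateTime, EnrollmentState, ManagedDeviceId
$report | Out-GridView -Title "Autopilot identities stale > $minAge days or never contacted"
$report | Export-Csv -Path ".\AutopilotCleanup-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Cleanup step: intentionally commented out. Remove the leading '#' to delete.
# Deleting the Autopilot identity also removes the linked Entra device object,
# so keep -Confirm so every removal is acknowledged individually.
# foreach ($device in $report) {
#     Remove-MgDeviceManagementWindowsAutopilotDeviceIdentity `
#         -WindowsAutopilotDeviceIdentityId $device.Id -Confirm
# }
```

The exported CSV doubles as an audit trail of which identities were considered for removal and why.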
