Remote actions for an end user with Intune
There are several remote actions that an end user can perform on their own devices and that involve Intune or Azure AD. This short post gives an overview of these capabilities. Mainly there are the following portals:
My Account — Devices
This portal lists all devices where the user signed in and the sign-in resulted in an Azure AD joined or registered state (and which therefore have an AAD device object). You can perform these remote actions on all of your devices:
- Disable the device (which will prevent the device from authenticating via Azure AD and revoke the Primary Refresh Token)
- View the BitLocker keys of the device in case an end user needs to unlock the drive with the recovery key (Hint: you can block users from viewing their BitLocker keys)
Company Portal Online — Devices
This is an online ‘lite’ version of the Company Portal (some features are not supported). If you are the primary user of the device (from Intune) you can:
- Rename a device
- Reset a device
- Check status to verify the compliance state
Looking into the remote reset
I found the option to remotely reset a device as a “normal” user interesting and tried that out. By clicking on “Reset”:
Shortly afterwards, if you open the Company Portal on the device you have chosen for the remote reset:
On the next sync schedule, or when performing a manual sync, the device will proceed to reset:
Note during this process:
- The Intune object will get deleted and recreated
- The Azure AD device object will be preserved
- After the reset, the user needs to authenticate in the OOBE to set up their device during an Enrollment Status Page (ESP). Sidenote: I have not tested it, but I assume with a Self-Deploying profile you might not need to authenticate.