Remote actions for an end user with Intune

There are several remote actions for an end user that affect his devices and involve Intune or Azure AD. This short post will give an overview about the capabilities. Mainly there are the following portals:

My Account — Devices

Here are all devices listed where the user signed-in, which resulted in an Azure AD joined or registered state (an therefore have an AAD device object) You can perform these remote actions on all of your devices:

• Disable the device (which will prevent the device authenticating via Azure AD and revoke the Primary Refresh Token) More info
• View Bitlocker Keys of the device in case an end user needs to unlock the drive with the recovery key (Hint: you can Block users from viewing their BitLocker keys)

My Account, Devices

Company Portal Online — Devices

This is an online ‘lite’ version of the Company Portal (some features are not supported). If you are the primary user of the device (from Intune) you can:

• Rename or
• Reset a device
• Check status to verify the compliance state

Company Portal Online, remote device action

Looking into the remote reset

I found the option to remotely reset a device as “normal” user interesting and tried that out. By clicking on “Reset”:

Reset prompt

Shortly afterwards if you want to open the Company Portal on that respective device you have chosen for a remote reset:

Company portal notification/error

On the next sync schedule or when performing a manual sync, the device will approach for a reset:

Device reset

Note during this:

• The Intune object will get deleted and recreated
• The Azure AD device object will preserve
• After the reset, the user needs to authenticate in the OOBE to setup his device during an Enrollment Status Page (ESP). Sidenote: I have not tested it, but I assume with a Self-Deploying profile you might not need to authenticate.