0

After recently having the Intune Wipe action fail to Wipe PCs though it removes the PC from Intune, I worry we could have more unmanaged yet fully functional PCs in the field. Is there a way to require an Autopiloted PC to be Intune managed, either by automatically re-enrolling it in Intune (preferred) or making it painfully obvious there is a problem? And, is there a way to find PCs that have escaped from being managed?

I asked this on Reddit and the answer was to use Conditional Access. However, everything I am finding in regards to Conditional Access means using the "Require a device to be marked as compliant" policy. This will be a problem, until we have worked through bringing more than 500 computers back into compliance. These were found after creating some very reasonable compliance policies, while we slowly move Configuration Manager built and hand-crafted PCs to being fully Intune managed.

The closest I have come to finding the unmanaged was the following Powershell query. Unfortunately, a successful Intune Wipe puts a PC into the same state as those I am seeking. So most of the PCs returned are likely PCs sitting on a shelf waiting to be redeployed. As Azure AD objects created by an Autopilot import start as not being enabled, one thought I have had was to un-enable all devices returned by this query. This would put the accounts of machines sitting on a shelf into a safer position AND would break machines that have escaped management.

Get-AzureADDevice -All $true -Filter "startswith(DeviceOSType,'Windows') and DeviceTrustType eq 'AzureAd'"  | Where-Object {-not $_.IsManaged}
Nathan Hartley
  • 1,660
  • 5
  • 26
  • 40
  • Please confirm your situation: users are logging to the machines using Azure AD accounts, but machines are disconnected from Intune management. Is this correct? – J-M Nov 02 '21 at 00:30
  • Yes. A reliable way to reproduce this situation is to power off a PC during an ordinary Intune Wipe action, but we first saw it when Dell shipped us new PCs with old style hard drive drivers, which didn't survive a Wipe. To help mitigate this, we are going to try switching to using the Protected Wipe feature/check box added last year. https://deviceadvice.io/2019/12/27/another-new-intune-wipe-option-continue-even-if-the-device-losses-power/ – Nathan Hartley Nov 02 '21 at 23:51

1 Answers1

1

I had similar issue with "orphan" unmanaged devices in Azure AD. This is actually a pretty serious problem and there is no indication it exists until something weird happens, like user can't get latest policy updates or apps. In my experience we had ~3% of total PC population (out of 4000) affected by this. Btw, Microsoft Premier support was not able to identify a root cause or bring PCs back to management and proposed we do OS reinstall. But maybe your issue is different.

Anyway, back to the solution. To detect orphan devices I used analytics.

Basically, we have to do this:

  1. Get the list of active managed devices from Intune
  2. Get the list of Windows sign-ins from Azure AD
  3. Eliminate managed Intune devices (1) from the list of devices in sign-in logs (2).

Voila! Everything what is left are devices which are being signed to, but not managed

Step 1: Get managed device list from Intune:

Step 2: Extract device names from sign-in logs:

  • Go to Azure AD | Sign-in logs. Set Date to 1 month. Filter by Application = Windows Sign In.
  • Click [Download] > Download JSON and save InteractiveSignIns*.json file to disk
  • Launch Excel. Click Data (tab) - Get Data > From File > From JSON. Load your data file
  • Next, click To Table in Transform (tab) > Convert menu, leave defaults and click [OK]
  • You will get a single column named Column1, select the column, go to Transform (tab) and click [Expand]. Click [OK]
  • Scroll until you find column named Column1.deviceDetail and expand it too the same way you just did to the other one
  • Click [Close & Load]

Right now you have the list of computer names in Column1.deviceDetail.displayName column. Though using device name is not 100% reliable, we are fishing for anomalies here. So we can't rely too much on IDs or isManaged flag. Using names is a safe bet. Keep in mind that sometimes device names can change, so in the end your list might have some false positives. But this makes sure you won't miss a single orphan device

Step 3: Merge data

  • Using same Excel file you used to extract sign-ins data - click Data (tab) - [From Text/CSV]. Load CSV file Devices*.csv you got from Intune before. Click [Load]
  • Next, with one of the tables selected, go to Query (tab) and click [Merge]
  • In the Merge dialog the first table selected should be InteractiveSignins.... Select column Column1.deviceDetail.displayName
  • Pick Devices... table in the second drop-down, select Device name column
  • For Join Kind select Left Anti
  • Click [Close & Load]

Congrats! The table Merge1 will have logins from possible orphan Azure AD devices

I used Excel and manual data loading to keep things simple.
In my case I invested more time to automate data loading, do transformations and visualizations using Power BI, because the number of orphan devices was slowly growing. So it turned up to be a recurring task to identify and fix them

J-M
  • 1,930
  • 1
  • 11
  • 17
  • 1
    Nice write up. Wow. That is a lot of fiddly work. I think I will see what I can do with Powershell. Still leaning toward just disabling all unmanaged AAD objects found in Autopilot. – Nathan Hartley Nov 04 '21 at 05:29