Remove an Autopilot device from Entra ID


In this blog post, I will show you how to remove an Autopilot device from Entra ID without removing the Autopilot registration. For a variety of reasons, an Autopilot device may not be cleanly removed from a user profile. If this has happened and the device is still registered in Autopilot, you cannot delete the device through the portal. This is especially a problem if you have set a low device registration limit of, say, 5: the stale registration counts against the limit and may prevent the user from registering new devices.


The regular way

To remove an Autopilot device from Entra ID, you must always remove it from Autopilot first. If you do not do this, you will see the message below “This device is a Windows Autopilot device. Devices deployed with Windows Autopilot cannot be deleted in the Azure AD portal.”

Why?

There is a reason for this: when a Windows Autopilot device is registered, an Entra ID (AAD) device object is created. This device object is tagged with the ZTDID. According to the documentation, the following problems can occur if you delete a Microsoft Entra device object that is related to an Autopilot device:

These three situations can occur if you repurpose the device in the future:

  • With Windows Autopilot user-driven deployments without using pre-provisioning, a new Microsoft Entra device will be created, but it won’t be tagged with the ZTDID.
  • With Windows Autopilot self-deploying mode deployments, they’ll fail because an associated Microsoft Entra device can’t be found. (This failure is a security mechanism to make sure that no “imposter” devices try to join Microsoft Entra ID with no credentials.) The failure will indicate a ZTDID mismatch.
  • With Windows Autopilot pre-provisioning deployments, they’ll fail because an associated Microsoft Entra device can’t be found. (Behind the scenes, pre-provisioning deployments use the same self-deploying mode process, so they enforce the same security mechanisms.)

Workaround

If, after the previously described disadvantages, you are still looking for a workaround to remove the device registration without removing the Autopilot registration, you can use the method below at your own risk. For this workaround, we use the Graph API. Through the Graph API you can do certain things that the regular portal interface does not allow. One of these is removing an Entra device registration that is associated with an Autopilot object.

Requirements

To do this, you must have:

– A user account with sufficient permissions to remove a device from Entra ID
– The Object ID of the user account under which the device is registered
– The Object ID of the device you want to delete.

Let’s get started

1. To find the Object ID of the user account you need to go to Users in Microsoft Entra and search for the user. Then copy the Object ID.

2. Then, under “Manage”, select “Devices” (1) to go to the devices overview. Select the device (2) whose registration you want to delete.

3. Copy the Object ID of the device.

4. To make the API call, I use the Microsoft Graph Explorer. Sign in with the account (1) you want to use to perform the action. Select “Delete” (2) as the method and enter the URL (3):

https://graph.microsoft.com/v1.0/users/<User_Object_ID (1)>/registeredDevices/<Device_object_id (2)>

(1) User Object ID: c101f82b-eaa3-488b-b07e-833d63efc57c
(2) Device Object ID: 6e54cfd9-9ffc-4773-b687-a86d79c85bc6

In this case the URL is:

https://graph.microsoft.com/v1.0/users/c101f82b-eaa3-488b-b07e-833d63efc57c/registeredDevices/6e54cfd9-9ffc-4773-b687-a86d79c85bc6

Press (4) to execute the API Delete call. If the call is executed successfully, a message appears: “No Content – 204” (5).

5. If you check the device overview again, the device is gone. As you can see, there are now only two devices instead of three.
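The same five steps as a script, as an added example that is not part of the original post: it resolves the user’s Object ID from the UPN, confirms the device is actually registered to that user, warns if the device object carries the ZTDID tag in physicalIds (so you know the Autopilot registration is being kept), and then issues the same DELETE call, with -WhatIf/-Confirm support so nothing is removed by accident. Assumptions: the Microsoft.Graph PowerShell SDK is installed, the Graph scopes requested below are sufficient in your tenant, and the UPN and device ID are placeholders you supply.

```powershell
# Added example (not the post's own code). Assumes the Microsoft.Graph module
# and that the scopes below are enough to remove a registeredDevices link.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # e.g. user@contoso.example (placeholder)
    [Parameter(Mandatory)] [string] $DeviceObjectId       # Entra device Object ID (placeholder)
)

# Scopes are an assumption; adjust to what your tenant actually grants.
Connect-MgGraph -Scopes 'User.Read.All', 'Directory.AccessAsUser.All' -NoWelcome

# Step 1: resolve the user's Object ID instead of copying it from the portal.
$user   = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
$userId = $user.Id

# Steps 2-3: list the user's registered devices and make sure the target is one of them.
$before = @(Get-MgUserRegisteredDevice -UserId $userId -All)
Write-Host "Registered devices before: $($before.Count)"
if (-not ($before | Where-Object { $_.Id -eq $DeviceObjectId })) {
    throw "Device $DeviceObjectId is not registered to $UserPrincipalName; nothing to do."
}

# Check the device object for the ZTDID tag (assumed to appear in physicalIds as "[ZTDId]:...").
$device = Get-MgDevice -DeviceId $DeviceObjectId -Property Id, DisplayName, PhysicalIds
$ztd    = $device.PhysicalIds | Where-Object { $_ -imatch '^\[ZTDId\]:' }
if ($ztd) {
    Write-Warning "$($device.DisplayName) is an Autopilot device ($ztd); only the user registration is removed, the Autopilot registration stays."
}

# Step 4: the DELETE call from the post, against /users/{userId}/registeredDevices/{deviceId}.
$uri = "https://graph.microsoft.com/v1.0/users/$userId/registeredDevices/$DeviceObjectId"
if ($PSCmdlet.ShouldProcess($uri, 'DELETE')) {
    $resp = Invoke-MgGraphRequest -Method DELETE -Uri $uri -OutputType HttpResponseMessage
    Write-Host "HTTP $([int]$resp.StatusCode) $($resp.StatusCode)"   # expect 204 NoContent

    # Step 5: re-read the overview; the count should have dropped by one.
    $after = @(Get-MgUserRegisteredDevice -UserId $userId -All)
    Write-Host "Registered devices after: $($after.Count)"
}
```

Run with -WhatIf first to see the exact URL that would be called without changing anything.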
