01-17-2019 07:53 AM - edited 01-17-2019 07:56 AM
We have begun down the Intune and AAD path and have encountered our first user transition situation. A new employee is replacing a former employee and inheriting the former employee's laptop. In the past, we would remove the device from Active Directory and re-image it with SCCM. However, this former employee's laptop is only managed with Intune and is only joined to Azure AD.
What is the procedure to wipe and redeploy an Intune managed AAD joined Windows 10 device? How do we ensure that the laptop is wiped clean and its ownership updated?
Following old habits, some would also like the laptop to be renamed to match its new owner. Is this possible or should this practice be given up?
Thanks in advance.
01-17-2019 09:27 AM
Hi @Nathan Hartley, we have a similar question.
More precisely 2 questions concerning company owned devices:
Preferably we'd like not to use a separate administrative account licensed for Intune/EMS for AAD joining and Intune device enrollment as each user account is already licensed individually for Intune/EMS/M365/...
01-18-2019 08:47 AM - edited 04-23-2019 08:17 AM
So, I tried the Intune "Fresh Start" action and because I did not want to keep anything, I did not check "Retain user data on this device". Once completed, the device came back to the logon screen and looked like nothing happened. Looking in Azure AD, the device could not be found, however it remained in Intune. As expected, it could no longer be managed.
Thinking that (just maybe) it would AutoPilot from the logon screen, I signed in. Without the device being in AAD, I did not expect the sign-on to work at all, but it did. I looked again in AAD, but the device was not recreated. Curious, I tried an Intune Sync within the Accounts settings, but this failed with an error I did not record.
As this was not the desired result and I was in a hurry, I brute forced the reassignment.
After a little more research, I discovered a new option which might work, Windows Autopilot Reset. This was not available for this particular device, though I do see it on another. Possibly, because the device was running Win 10 v1803. I will have to try this action on a test device.
03-05-2019 02:06 PM
@Erik Moreau, perhaps this is worth a small discussion through TechNine? This is up your alley, no?
04-23-2019 08:13 AM - edited 04-23-2019 08:41 AM
Had need to reassign a device to a new user and tried the "AutoPilot Reset (preview)". Unfortunately, it did not bring the device back to its AutoPilot ready state, nor remove the former owner from AAD and Intune.
Where I expected the device to come up at the OOBE and no longer have an owner, the experience looked like this:
Until a better solution is found, I plan to delete these devices from AAD, then delete from Intune, re-enroll the device, then run the local system reset. This process will also handle a related problem, when we need to change the Order ID / Group Tag.
05-03-2019 12:05 AM
@Nathan Hartley, would the Automatic Redeployment option under the device restrictions policy meet the requirement? Enabling the policy allows redeployment from the Windows 10 login screen with Ctrl + WinKey + R.
This allows reassigning the device without removing the device object or a full reimage.
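The device restrictions setting mentioned in this reply maps to the Policy CSP node CredentialProviders/DisableAutomaticReDeploymentCredentials (0 = Automatic Redeployment allowed). The following PowerShell is an added example, not code from any poster in this thread: it creates that setting as a custom Windows 10 configuration profile through Microsoft Graph and assigns it to a group, using the Microsoft.Graph.Authentication module. The profile name and the group ID are placeholders.

```powershell
# Added example: enable Automatic Redeployment (Ctrl + WinKey + R at the logon screen)
# via a custom OMA-URI profile in Intune, assigned to one Azure AD group.
# Assumes the Microsoft.Graph.Authentication module is installed.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$Graph = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"

function New-AutomaticRedeploymentProfile {
    param(
        [string]$DisplayName = "Allow Automatic Redeployment (placeholder name)"
    )
    # Value 0 allows the redeployment credential provider on the logon screen;
    # 1 (the Windows default) disables it.
    $body = @{
        "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
        displayName   = $DisplayName
        description   = "Lets an admin trigger Autopilot Reset locally; device object in AAD/Intune is kept."
        omaSettings   = @(
            @{
                "@odata.type" = "#microsoft.graph.omaSettingInteger"
                displayName   = "DisableAutomaticReDeploymentCredentials"
                omaUri        = "./Device/Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials"
                value         = 0
            }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri $Graph -Body $body
}

function Set-ProfileGroupAssignment {
    param(
        [Parameter(Mandatory)][string]$ProfileId,
        [Parameter(Mandatory)][string]$GroupId   # placeholder: object ID of the target device group
    )
    $body = @{
        assignments = @(
            @{
                target = @{
                    "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                    groupId       = $GroupId
                }
            }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri "$Graph/$ProfileId/assign" -Body $body
}

# Usage (placeholder group ID):
$profile = New-AutomaticRedeploymentProfile
Set-ProfileGroupAssignment -ProfileId $profile.id -GroupId "00000000-0000-0000-0000-000000000000"
```

Scope the assignment group narrowly: once the setting is applied, anyone with local administrator credentials for the device can start a reset from the logon screen, so the group should contain only devices where that is the intended hand-over process.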
05-03-2019 12:05 PM - edited 05-03-2019 12:06 PM
"Wipe" is better anyway to really clean the PC. Per https://docs.microsoft.com/en-us/intune/device-fresh-start "If you do not retain user data, the device will be restored to its out-of-box state. BYOD devices will be unenrolled from Azure AD and mobile device management. Azure AD joined devices will be enrolled into mobile device management again when an Azure Active Directory enabled user signs into the device." The important, and confusing, distinction is that Fresh Start without retaining user data gets it to the Out-of-the-box state, but doesn't run through the actual OOBE setup.
07-10-2019 09:00 AM - edited 07-10-2019 11:32 AM
I finally had an opportunity to perform the "Wipe, without Retain enrollment state and user account" function in Intune. In the end, I had to perform this action twice. Both times left the original Intune object, after changing its Azure AD Device ID to "00000000-0000-0000-0000-000000000000". On the first attempt, the laptop had a Device Name template from a different Autopilot Enrollment Profile applied, though it showed as having the correct profile assigned. The second time I tried to Wipe the laptop, the device name was fine. Maybe the answer is to "Wipe" the machine through Intune and, once re-enrolled, delete the original Intune object?
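The two remote actions compared in this thread ("Fresh Start" without retaining user data, and "Wipe" without retaining enrollment state) are both exposed through Microsoft Graph, and the leftover Intune record with the all-zeros Azure AD Device ID described in this post can be found the same way. The PowerShell below is an added example and not code from any poster: it wraps those calls with the Microsoft.Graph.Authentication module. The device name used at the bottom is a placeholder, and the orphan check only lists records; deleting is a separate, explicit step.

```powershell
# Added example: Intune remote actions and a check for orphaned Intune objects via Graph.
# Assumes Microsoft.Graph.Authentication is installed; device names below are placeholders.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.PrivilegedOperations.All",
                        "DeviceManagementManagedDevices.ReadWrite.All"

$Base = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"

function Get-IntuneDeviceByName {
    param([Parameter(Mandatory)][string]$DeviceName)
    $uri = "$Base?`$filter=deviceName eq '$DeviceName'"
    (Invoke-MgGraphRequest -Method GET -Uri $uri).value
}

function Invoke-IntuneFreshStart {
    # Same as the portal's "Fresh Start" with "Retain user data on this device" unchecked:
    # out-of-box state, but the device is not taken back through OOBE.
    param([Parameter(Mandatory)][string]$ManagedDeviceId)
    Invoke-MgGraphRequest -Method POST -Uri "$Base/$ManagedDeviceId/cleanWindowsDevice" `
        -Body @{ keepUserData = $false }
}

function Invoke-IntuneWipe {
    # Same as "Wipe" with "Retain enrollment state and user account" unchecked.
    param([Parameter(Mandatory)][string]$ManagedDeviceId)
    Invoke-MgGraphRequest -Method POST -Uri "$Base/$ManagedDeviceId/wipe" `
        -Body @{ keepEnrollmentData = $false; keepUserData = $false }
}

function Get-OrphanedIntuneObjects {
    # Walks every managed device (following @odata.nextLink) and returns records whose
    # azureADDeviceId was zeroed, which is what this post observed after a Wipe.
    $orphans = @()
    $uri = "$Base?`$select=id,deviceName,azureADDeviceId,lastSyncDateTime,userPrincipalName"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $orphans += $page.value | Where-Object {
            $_.azureADDeviceId -eq "00000000-0000-0000-0000-000000000000"
        }
        $uri = $page.'@odata.nextLink'
    }
    $orphans
}

function Remove-IntuneObject {
    # Deletes a stale Intune record; run only after the device has re-enrolled under a new record.
    param([Parameter(Mandatory)][string]$ManagedDeviceId)
    Invoke-MgGraphRequest -Method DELETE -Uri "$Base/$ManagedDeviceId"
}

# Usage with a placeholder device name:
$device = Get-IntuneDeviceByName -DeviceName "LAPTOP-PLACEHOLDER"
if ($device) { Invoke-IntuneWipe -ManagedDeviceId $device.id }

# Later, after re-enrollment, review leftovers before deleting any of them:
Get-OrphanedIntuneObjects | Format-Table deviceName, id, lastSyncDateTime, userPrincipalName
```

Before calling Remove-IntuneObject, compare the orphan's deviceName and lastSyncDateTime against the freshly enrolled record for the same hardware so that the active record, not the stale one, is the one kept.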
09-24-2019 05:23 AM
Jeez, I got a headache just reading all of this. So is wipe the "correct" way to re-assign an AAD joined+Intune enrolled laptop to another user? Or is it the best way at the moment?
09-24-2019 11:22 AM