Sep 18 2024 04:49 PM
We're currently in the middle of a quarterly equipment lease swap and have had a couple of people on our team getting the DeviceCapReached error when we go to enroll an Autopilot device. This is happening because we're enrolling the devices with our accounts, rather than having the user sign in, then taking the laptop back from them to put it in the right on prem OU, run updates and install all of the software they need. I understand this isn't how Microsoft designed Autopilot to work, but this is where we're at.
I've done research into potential resolutions, but I have a lot of questions. First, some important details:
The first option seems to be creating a script that clears out stale devices from our Azure tenant. When I've spoken with our Infrastructure team about device removal in the past, they said we're using Entra Connect to sync with on prem AD, so they were against the idea. I've found a way to convince them otherwise, but it's going to take time and scripting.
The next option is using a device enrollment manager account, but the Microsoft documentation mentions it enrolls the device in shared mode and that device limits won't work on devices enrolled this way. It also says "Do not delete accounts assigned as a Device enrollment manager if any devices were enrolled using the account. Doing so will lead to issues with these devices." but doesn't elaborate further. So, this option seems like a dead end.
Third option is to increase the device enrollment quota in Azure, but since this is a tenant wide setting, we don't necessarily want to give Rick in accounting the ability to enroll as many devices as he can carry.
I found a comment in this thread that suggested using Remove-AzureADDeviceRegisteredOwner (now Remove-MgDeviceRegisteredOwnerByRef with the Graph modules). But this just changes the primary user. Doing so didn't stop me from getting the error message.
So here are my questions -
If you've gone through this, how did you resolve the issue?
What exactly are the consequences of using a DEM account to enroll devices?
If I look at the devices attached to my user account, and filter by Autopilot devices, I have 42. Other offices have a single desktop person, and they have > 80 devices. What device property, in which directory, causes this error?
Do you have a stale device script you'd recommend? I'll write my own, for sure, but having something to go off of would be nice
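The stale-device cleanup idea from the first option, written out as an added example rather than anything posted in this thread. It assumes the Microsoft.Graph PowerShell modules are installed, that the signed-in account has been granted Device.ReadWrite.All, and a 90-day inactivity threshold (an assumption; adjust to your own retention rule). It only reports hybrid-joined objects (TrustType ServerAd), since those are mastered in on-prem AD and synced by Entra Connect, which is the concern the Infrastructure team raised; Entra-joined and registered devices are disabled, not deleted, so the change stays reversible until the report has been reviewed.

```powershell
# Added example, not from the original thread. Reports Entra ID devices that have not
# signed in for $StaleDays days and, with confirmation, disables the ones that are
# safe to touch from Entra. Run with -WhatIf first to see what it would do.
# Assumes: Microsoft.Graph modules installed, Device.ReadWrite.All granted.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$StaleDays = 90,                       # assumed threshold, tune to your policy
    [string]$ReportPath = ".\stale-devices.csv"
)

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "Device.ReadWrite.All" -NoWelcome

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)

# Pull every device object with just the properties the decision needs.
$devices = Get-MgDevice -All -Property Id, DeviceId, DisplayName, TrustType, OperatingSystem,
    AccountEnabled, ApproximateLastSignInDateTime, RegistrationDateTime

$stale = foreach ($d in $devices) {
    # A device that has never signed in only has RegistrationDateTime; use that as last activity.
    $lastSeen = if ($d.ApproximateLastSignInDateTime) { $d.ApproximateLastSignInDateTime } else { $d.RegistrationDateTime }
    if ($null -eq $lastSeen -or $lastSeen -gt $cutoff) { continue }

    [pscustomobject]@{
        DisplayName = $d.DisplayName
        ObjectId    = $d.Id
        DeviceId    = $d.DeviceId
        TrustType   = $d.TrustType        # AzureAd = Entra joined, ServerAd = hybrid joined, Workplace = registered
        OS          = $d.OperatingSystem
        Enabled     = $d.AccountEnabled
        LastSeenUtc = $lastSeen
        # Hybrid-joined objects are owned by on-prem AD: report them, clean them up there.
        Action      = if ($d.TrustType -eq 'ServerAd') { 'Skip: hybrid-joined, handle in on-prem AD' } else { 'Disable' }
    }
}

$stale | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} devices not seen since {1:u}; report written to {2}" -f @($stale).Count, $cutoff, $ReportPath)

# Disable rather than delete: disabling is reversible and still frees the device from
# active use. Delete only after a grace period once someone has reviewed the CSV.
foreach ($s in $stale | Where-Object { $_.Action -eq 'Disable' -and $_.Enabled }) {
    if ($PSCmdlet.ShouldProcess($s.DisplayName, "Disable stale device (last seen $($s.LastSeenUtc))")) {
        Update-MgDevice -DeviceId $s.ObjectId -AccountEnabled:$false
    }
}
```

Run it as `.\Find-StaleDevices.ps1 -StaleDays 90 -WhatIf` to get the CSV and a dry run of the disable step, then without -WhatIf once the report has been checked. Whether disabling stale objects actually lowers the per-user count behind DeviceCapReached is exactly the question this post asks, so treat the report as the first step in finding that out rather than as an answer to it.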
Sep 24 2024 12:20 AM
Sep 25 2024 09:13 AM
That is the second option I mentioned in my post -
The next option is using a device enrollment manager account, but the Microsoft documentation mentions it enrolls the device in shared mode and that device limits won't work on devices enrolled this way. It also says "Do not delete accounts assigned as a Device enrollment manager if any devices were enrolled using the account. Doing so will lead to issues with these devices." but doesn't elaborate further. So, this option seems like a dead end.
According to this Q&A post, deleting the DEM account would mean re-enrolling all of the devices this account was used on. But if we've got an idle DEM account that's been used up, and sitting in our tenant without use, what are the security implications?
Sep 25 2024 11:06 PM
I would proceed as follows. I would create a 'non-personalized user' in Entra, assign an appropriate license to it, and register it as a DEM. Once all devices are deployed, and I no longer need the DEM, I would remove the user from the setting but not delete it in Entra. This way, I won’t have any issues with the devices, and if I need a DEM again, I’ll have it ready.