What is the procedure to reassign an Intune managed AAD joined Windows 10 device?

Steel Contributor

We have begun down the Intune and AAD path and have encountered our first user transition situation. A new employee is replacing a former employee and inheriting the former employee's laptop. In the past, we would remove the device from Active Directory and re-image it with SCCM. However, this former employee's laptop is only managed with Intune and is only joined to Azure AD.

 

What is the procedure to wipe and redeploy an Intune managed AAD joined Windows 10 device? How do we ensure that the laptop is wiped clean and its ownership updated?

 

Following old habits, some would also like the laptop to be renamed to match its new owner. Is this possible or should this practice be given up?

 

Thanks in advance.

 

9 Replies

Hi @treestryder, we have a similar question.

 

More precisely 2 questions concerning company owned devices:

  1. If an employee leaves the company and is replaced by somebody else, we want to make sure that the device remains compliant (in Intune) even after reassigning this device to a new user (and as such a new O365/M365 Intune user account).
  2. If this device is a shared device, and the user account that was used for AAD joining and Intune enrollment is removed, how do we keep the device compliant and enrolled in Intune without the nequirement for a wipe and/or redeployment. 

Preferably we'd like not to use a separate administrative account licensed for Intune/EMS for AAD joining and Intune device enrollment as each user account is already licensed individually for Intune/EMS/M365/...

 

So, I tried the Intune "Fresh Start" action and because I did not want to keep anything, I did not check "Retain user data on this device". Once completed, the device came back to the logon screen and looked like nothing happened. Looking in Azure AD, the device could not be found, however it remained in Intune. As expected, it could no longer be managed.

 

Thinking that (just maybe) it would AutoPilot from the logon screen, I signed in. Without the device being in AAD, I did not expect the singon to work at all, but it did. I looked again in AAD, but the device was not recreated. Curious, I tried an Intune Sync within the Accounts settings, but this failed with an error I did not record.

 

As this was not the desired result and I was in a hurry, I brute forced the reassignment.

  • The device was already deleted from AAD.
  • Deleted the device from Intune.
  • Performed the "Reset this PC" action, found in Settings > Update & Recovery > Recovery
  • Collected the device ID information
  • Uploaded the device info to enroll it for AutoPilot

 

After a little more research, I discovered a new option which might work, Windows Autopilot Reset. This was not available for this particular device, though I do see it on another. Possibly, because the device was running Win 10 v1803. I will have to try this action on a test device.

 

@Erik_Moreau, perhaps this is worth a small discussion through TechNine? This is up your alley, no?

Had need to reassign a device to a new user and tried the "AutoPilot Reset (preview)". Unfortunately, it did not bring the device back to its AutoPilot ready state, nor remove the former owner from AAD and Intune.

 

Where I expected the device come up at the OOBE and no longer have an owner, the experience looked like this:

  1. I searched for the device in Intune and clicked "AutoPilot Reset (preview)". The device displayed a popup that stated that the user should restart the machine to begin the reset process that an administrator had initiated.
  2. Thinking an administrator should be able to control the whole process, in Intune I tried to force the reboot by clicking "Restart". When the reboot did not begin after nearly 10 minutes, I clicked "Sync". When still nothing happened for another 10 minutes, I manually rebooted the PC and the reset process began.
  3. When the Reset completed, the machine came back to the normal Windows 10 logon screen, without the former user profiles, but still registered to the former owner.

Until a better solution is found, I plan to delete these devices from AAD, then delete from Intune, re-enroll the device, then run the local system reset. This process will also handle a related problem, when we need to change the Order ID / Group Tag.

@treestryder  would Automatic Redeployment options under device restrictions policy meet the requirement. enabling the policy allows redeployement from Windows 10 login screen wtih Ctrl + WinKey + R

this allows reassigning the device without removing the device object or full reimage

 
 
 
 

https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Use-the-Remote-Wipe-actio...

 

"Wipe" is better anyway to really clean the PC. Per https://docs.microsoft.com/en-us/intune/device-fresh-start "If you do not retain user data, the device will be restored to its out-of-box state. BYOD devices will be unenrolled from Azure AD and mobile device management. Azure AD joined devices will be enrolled into mobile device management again when an Azure Active Directory enabled user signs into the device." The important, and confusing, distinction is that Fresh Start without retaining user data gets it to the Out-of-the-box state, but doesn't run through the actual OOBE setup.

I finally had an opportunity to perform the "Wipe, without Retain enrollment state and user account" function in Intune. In the end, I had to perform this action twice. Both times, left a the original Intune object, after changing its Azure AD Device ID to "00000000-0000-0000-0000-000000000000". The first attempt, the laptop had a Device Name template from a different Autopilot Enrollment Profile applied, though it showed as having the correct profile assigned. The second time I tried to Wipe the laptop, the device name was fine. Maybe the answer is to "Wipe" the machine through Intune and, once re-enrolled, delete the original Intune object?

Jeez, I got a headache just reading all of this. So is wipe the "correct" way to re-assign an AAD joined+Intune enrolled laptop to another user? Or is it the best way at the moment?

 

Hi Simon,

As per https://blogs.technet.microsoft.com/in-teaching-others-we-teach-ourselves/2017/10/19/windows-autopil...

Windows Automatic Redeployment

IT departments can use Windows Automatic Redeployment to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and keep management enrollment (Azure Active Directory and Mobile Device Management) so the devices are ready to use. With Windows Automatic Redeployment, devices are returned to a fully configured or known IT-approved state

Therefore unless you require a wipe redeployment is normally a quicker option for removing old user data and re-enrolling the device to a new owner