Endpoint Manager: Device Estate Cleanup

D Walsham • 6 October 2021

Upkeep of your devices within your Endpoint Manager estate

Introduction

When it comes to devices which you have enrolled into your Endpoint Manager, there can be a build up of either rogue or orphaned devices which can end up cluttering your statistics when it comes to looking into and extracting information to find out exactly what you have that is active.


This post will investigate and highlight some areas which can be useful to understand where we can help clean up these types of devices.


Though some of this information may seem obvious there is still relevance to understand what you actually have as manual tasks to clean-up these types of devices can really add onto the administrative effort which you already have. So hopefully we can identify these things and keep things tidy :)

All Devices Views & Reports

This is perhaps more of the manual side of looking at which devices are current by the last times that they have actually checked in.

Whilst helpful it may not always explain the overall reasons as to why devices haven't checked in. We have to take into account many scenarios such as devices could be perhaps turned off, not working, or even in some cases policy issues too.


The same results are provided when we look at reports. Here is a report based on Device Compliance below in Figure 1.2 detailing the compliance levels across all devices. Both options being the views and reports provide a more general information breakdown which would allow the administrator to see which are still active and not.


If connecting to the Intune DataWarehouse via PowerBI you will also get the same results.

Device Clean-up Rules

Quite similar options are seen in SCCM too where you have site maintenance tasks which can look through stale records. In this case we have a very similar option here with the device clean-up rules where we can automatically clean-up devices which are based on a number of days from the current check-in date as seen in Figure 1.3


You have a minimum of 30 days and maximum of 270 days to decide from. In my experience 30 days is normally considered orphaned, however there can be circumstances which can cause this. Lets say for example a load of devices experience issues with checking in due to issues with policies, authentication issues etc... now it may seem a stretch that someone could overlook and issue like this for 30 days..but it can happen :)


So caution should be taken when deciding this configuration. Very much so when it comes to SCCM too.

Intune Device Records/Azure Device Records Cleanup

This particular one here can be a quite overlooked bit. Especially for those who frequently provision devices when utilising Autopilot.


When removing or rebuilding devices, though you may have deleted it from places such as the Autopilot table and even the devices table, it doesn't necessarily get rid of the Azure AD device. Assuming that you are using Azure AD Domain joins in conjunction with your auto enrolment whether using Autopilot or not.


You might find that if you add a device back into Endpoint Manager in Autopilot, the device will automatically assign itself back to its original azure device record. Now if you are planning to use similar existing details this might be fine, but if not then this can lead to a mismatch on information and auditing when wanting to find out information on either record especially if different names are being used or naming convention policies are being applied in your Autopilot profile or simply added manually into the Autopilot device record.


You may even find resistance when trying to remove a device from Autopilot if the device already has an associated azure device record.


As you see in Figure 1.4 you have the Autopilot device record. If you click the Associated Azure AD device name, this will then take you to the azure device record as seen in Figure 1.5.

Once the record from Autopilot has been deleted the azure AD device would be eligible to be removed, but something to bare in mind when going through the process of reprovisioning.

Conclusion

Overall there are a few things to consider when wanting to get things tidy but also to show areas in which the clutter can indeed start to build up.

Microsoft Endpoint Manager: In-Place Upgrade or Side by Side Part 4 - SQL Server Requirement Analysis

by D Walsham 13 December 2021
Looking through the current SQL Server topology and how it affects our decision

Microsoft Endpoint Manager: In-Place Upgrade or Side by Side Part 3 - Current Branch Upgrade Approaches

by D Walsham 19 November 2021
Impact of Current Branch Upgrades

Microsoft Endpoint Manager: In-Place Upgrade or Side by Side - Part 2 - Operating System Considerations

by D Walsham 29 October 2021
Introduction

Microsoft Endpoint Manager: In-Place Upgrade or Side by Side

by D Walsham 7 October 2021
Introduction

Modern Workplace Management: Creating Applications Common Practices - LOB vs Win32 Package

by D Walsham 3 September 2021
Introduction

Modern Workplace Management: Build Endpoints Without SCCM Part 6

by D Walsham 12 August 2021
All the parts of the series we went into great detail about how we analyse an end to end solution and how we would design a solution in which would allow us to build endpoints without SCCM being a dependency. Whilst we did this, there is another scenario which we have not touched on yet, which is the hybrid scenarios. In a perfect world ideally you would have your Azure Active Directory within the cloud, every machine meets the recommended requirements for Windows 10, everything is imported into Intune/Autopilot and everyone is happy. But we know this isn't realistic in all cases. Many organisations cannot just simply up and go from on-premise into the cloud therefore the checkpoint here is of course getting into hybrid solutions such as; Co-Management Between Intune and SCCM Hybrid AD with Azure AD and On-Premise AD syncing together These things can play a very interesting part in how you would tackle this if you envisage the next step in the blueprint is to be in a position in which you can build and manage endpoints soley within Intune. With this final part of the series we will go in-depth in how the common hybrid setups look like and how we go about moving into the next step of being able to manage and build devices without SCCM.

Modern Workplace Management: Build Endpoints without SCCM Part 5

by D Walsham 29 July 2021
In continuation from the previous part where we had discussed how we create the "on site" piece of the solution, this was the part which would allow us to get our endpoints into a state in which they would essentially be ready to go through the Autopilot process. Which leaves our next piece of the puzzle, to begin the configuration of the actual backend side that resides within our Endpoint Management console. And you will see how everything ties up together to satisfy the full end to end process of getting an unknown (or known) device to proceed thorough the whole workflow to be finally managed by Intune without the aid of SCCM taking part in any of the prerequisites or preparation at hand.

Modern Workplace Management: Build Endpoints without SCCM Part 4

by D Walsham 15 July 2021
In this part we are now going to look into the technical step by step points on how we put everything together. In the previous part we spoke about the structure of how we would asses whether a machine was actually ready to be built with Autopilot or not with a build checklist process which would step through all areas which would cover an endpoints eligibility. Now with everything planned out we finally want to step into making things reality by putting everything together.

Endpoint Manager: Find machines not in Autopilot

by D Walsham 2 July 2021
When it comes to managing your endpoints in endpoint manager, one of the things you may be looking to do is to get all of your Intune registered machines to also be enrolled as Autopilot devices. Now we can of course just have the deployment profile deployed to all machines and then hit the "Convert targeted machines to autopilot" but this might not necessarily be feasible for every client. We may want to perform some due diligence first so we can at least understand what devices in Intune are not in Autopilot.

Modern Workplace Management - Build Endpoints without SCCM Part 3

by D Walsham 24 June 2021
So just to recap on the previous part of this series we covered a base scenario of where we would utilise other products as a dependency to provision or even pre-provision endpoints before getting them to a state where they can be auto-enrolled and then into Autopilot - in this case this would be around SCCM. We also detailed in a diagram form of where we ideally want to be, and that's to not have any dependency when it comes to the provisioning of the endpoints where its also soley performed within Intune. This part we will be going into the nitty gritty of how this works.
Show More