Cleanup Windows Autopilot registrations

Windows Autopilot is a great way of provisioning new devices. Like a new phone you just unpack the device and enroll it to the management system. Windows Autopilot will take care of all necessary configurations defined by your company. It saves time, money and users will have a great onboarding experience. In my opinion this is clearly the way forward for device provisioning. To make all this happening Windows Autopilot has a central register where all devices are getting registered by several attributes like Model, Manufacturer, Serial Number and unique Hardware Hash. This is how Windows Autopilot recognizes a device as soon as it starts and connects to the cloud service. Once identified it can be mapped to a customer tenant with specific settings for the provisioning.

That’s a great approach and so far easily accomplished by registering the devices with Windows Autopilot by your own via these PowerShell scripts:

A script to read the hardware hash and export to a .csv file:

A script to upload the hardware hashes as .csv file to Intune (function Import-AutoPilotCSV):

or the better way the OEM, reseller, distributor, or partner does the registration for you. This way you don’t have to deal with all the hashes and so on. You as a customer just receive the device and it is already registered to your tenant and it is ready for enrollment/provisioning.

That’s great and easy to utilize. The downside is the devices are registered to your tenant and if the device goes end-of-life you have to de-register the devices you are not using anymore. Imagine a leasing contract over 3 years for the devices and you have to return them after the 3 years. These devices normally have a second life and are used somewhere else for some more time. Or you just sell the devices you don’t need anymore. A lot of reasons can apply why you return, sell, re-purpose devices. In all cases you don’t want them registered to your tenant anymore. So, how do we de-register them from our tenant?

How to cleanup Windows Autopilot registrations?

Basically you have the Microsoft Endpoint Manager admin center UI (Intune) options to select the devices you don’t need and delete them:

Microsoft Endpoint Manager Windows Autopilot deletion UI

If you look at the highlighted sentence it tells us that only devices which are not enrolled can be deleted. This make totally sense, as these devices should be in production usage currently. The normal end of life scenario would be to factory reset the device and then delete the Windows Autopilot registration. This may not be possible as the device got broken and can’t be reset, then we need to delete the Intune device object by ourselves and then delete the Windows Autopilot device registration. Pretty simple but with larger amount of devices not the easiest approach. Finding all the device Serial Numbers in the admin center and selecting them for deletion. Luckily with the help of two PowerShell modules we can automate this in the same way like we can import devices defined by a .csv file. I have written a PowerShell function to cleanup the Windows Autopilot registrations based on the same .csv file you can use for importing. This way you can export your devices from any asset management system you have, construct the .csv file and delete them from Windows Autopilot.

The function uses the Intune PowerShell SDK and the PowerShell Module WindowsAutoPilotIntune:

It is easy to use by executing the function with the parameter -CsvFile and the path to the file with the device information to delete:

Start-AutopilotCleanupCSV -CsvFile C:\Devices.csv

Device Serial Number             Deletion Request Status
--------------------                          -----------------------
7243-2648-3107-2818-2556-6923-30                     200

It will read the .csv file line by line, get the serial number and delete the Windows Autopilot registration based on the serial number.

A more complete automation is the following Windows Autopilot cleanup script (optionally with the parameter to cleanup the Intune device objects as well). It runs the Autopilot cleanup function, then starts the Autopilot Sync to your tenant, and does a re-check if all the device serial numbers are deleted from your tenant.

Connect-MSGraph | Out-Null

$CsvFile = "C:\temp\autopilot-devices.csv"
Start-AutopilotCleanupCSV -CsvFile $CsvFile -IntuneCleanup

Write-Output "`nInvoking Autopilot sync..."
Start-Sleep -Seconds 15

Write-Output "`nWaiting 60 seconds to re-check if devices are deleted..."
Start-Sleep -Seconds 60

# Check if all Autopilot devices are successfully deleted
$serialNumbers = Import-Csv $CsvFile | Select-Object -Unique 'Device Serial Number' | Select-Object -ExpandProperty 'Device Serial Number'

Write-Output "`nThese devices couldn't be deleted:"
foreach ($serialNumber in $serialNumbers){
    $device = Get-AutoPilotDevice -serial $serialNumber

The output would be something similar to this:

Device Serial Number             Deletion Request Status
--------------------                          -----------------------
7243-2648-3107-2818-2556-6923-30                     200
7851-2064-8105-4061-0737-2977-27                     400

Invoking Autopilot sync...

Waiting 60 seconds to re-check if devices are deleted...

These devices couldn't be deleted:

All devices which could not be deleted, due to whatever reason are listed so you can have a look manually and resolve these errors.

The complete script can be found here:

As always, as soon as cleanup (deletion operations) are automated we need to take special care and you should test thoroughly in your lab environment first. This is not an official MS module, it is shared to the community as is. Feel free to leave comments or open issues on my GitHub for questions, enhancements. I’m using it in my environments successfully. Evaluate, test, and test again 🙂 before deleting devices in your tenant.

I hope it helps with deleting Windows Autopilot registrations or gives you a starting point for your own automation script.