Ghosts in Entra ID group. Can't delete what isn't there.

Jon Resele 40 Reputation points
2024-09-12T04:43:31.04+00:00

Entra ID cannot delete devices that are Autopilot devices, and you can only delete those devices from Intune or online at https://admin.microsoft.com/Adminportal/Home?#/PrepareWindows or thereabouts.

My problem is that I have 11 devices in my Intune-Autopilot Entra group (dynamic assign using the instructions at https://learn.microsoft.com/en-us/autopilot/enrollment-autopilot) that are not available to remove via Intune or the admin.microsoft.com site.

Is there a way to delete these "ghosts" from Entra?

One of the devices is a PC that was in a room that was converted and we removed the PC from Active Directory (moved from Domain to Workgroup) but still showed up as an Autopilot device in Entra.

5 specific devices are PCs that I gathered the HWID of through the PWSH and .csv upload to Intune, but after having been deleted from the Autopilot devices in Intune, are still in Entra as "ghosts"; and to clean things up, I'd like to get rid of them.

We've encountered an "issue" where, when uploading an HWID to Autopilot, it will automatically join Entra; making it impossible to then Hybrid-join, due to being already Entra-joined. So we're trying to clean up our existing Autopilot PCs to clear out everything. (We had an Intune domain-join policy/config that was working, but that was before Autopilot uploads were automatically joining Entra)

Other than the one I've already dropped from AD, I don't know if dsregcmd /leave /debug will work if in Entra the deviceID is technically a different device than the current machine (we've seen Entra-joined, Entra-registered, and MDM-only for the same PC with different deviceIDs in Entra; same PC, same hardware, different devices in Entra)


4 answers

  1. Crystal-MSFT 49,346 Reputation points Microsoft Vendor
    2024-09-12T05:20:22.0866667+00:00

    @Jon Resele, Thanks for posting in Q&A. In general, the steps to remove Autopilot devices are as below:

    1. Remove the devices from Intune.
    2. Remove the devices from Autopilot devices.
    3. Remove the device from Microsoft Entra ID.

    https://www.prajwaldesai.com/delete-windows-autopilot-device-intune-entra/#:~:text=Delete%20Windows%20Autopilot%20Device%20From%20Intune%201%20Sign,deletion%20can%20take%20a%20few%20minutes%20to%20complete.

    Note: Non-Microsoft link, just for the reference.

    But from your description, it seems the device still cannot be deleted after we remove the Autopilot device. Please ensure the devices under Devices in the Intune portal are also removed. Wait for some time for the sync to see if the result will be different.

    However, if it is still not working, please open a case to help remove the device records.

    https://learn.microsoft.com/en-us/entra/fundamentals/how-to-get-support




  2. Jon Resele 40 Reputation points
    2024-10-11T02:58:40.68+00:00

    Resolved this issue doing the following:

    1. Move the PC from the Domain to a Workgroup
    2. Delete the PC in ADDS
    3. Let our AD>AAD sync happen and that removed the PC from Entra

    The issue was that I didn't have the PC available in Intune to remove as an Autopilot device, and you can't delete an Autopilot device in Entra (it directs you to Intune). Likewise, I was unable to use dsregcmd /leave on the actual machine, because it knew it was an Autopilot PC.

    Deleting the PC in Active Directory Users & Computers and waiting for a while got it out of Entra.

    Afterwards I went back to the PCs and added them back to the domain and they came back into Entra as Hybrid-joined and not Autopilot PCs.


  3. Jon Resele 40 Reputation points
    2024-10-11T03:04:25.04+00:00

    It looks like my last post didn't post?

    I resolved this by doing the following:

    • Move the PC from the Domain to a Workgroup
    • Delete the PC from ADDS (Active Directory Users & Computers)
    • Let the AD>AAD sync happen and that removed the PC from Entra
    • Put the PC back on the domain
    • Sync populated the device again but now not an Autopilot PC (about 15 minutes)

    Issue is that the PCs weren't in the Devices portion of Enrollment to remove from Intune Autopilot, and you can't delete Autopilot from Entra because it directs you to Intune. I couldn't use dsregcmd /leave either because the PC knew it was an Autopilot PC.

    But deleting from AD and letting the sync happen (that's how we Hybrid-join) got rid of the troublesome PCs in Entra.


  4. Crystal-MSFT 49,346 Reputation points Microsoft Vendor
    2024-10-11T05:37:11.6166667+00:00

    @Jon Resele, Thanks for your update. I am glad the issue is resolved and thanks for sharing the solution. Here, please let me write a summary of the issue to help others who have the same issue:

    Issue:

    Ghosts in Entra ID group. Can't delete what isn't there.

    Resolution:

    User's image

    Thanks for your time and have a nice day!


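A read-only way to list the "ghosts" discussed in this thread, as an added PowerShell example that is not part of any post above. The function name and the sample rows are constructed; it assumes an Autopilot-stamped Entra device carries a physical id of the form `[ZTDId]:<guid>` whose GUID equals the id of its Autopilot registration in Intune.

```powershell
# Added example: report Entra device objects that are still stamped as Autopilot
# but have no matching Autopilot registration in Intune. Read-only; deletes nothing.
function Find-GhostAutopilotDevice {
    param(
        [Parameter(Mandatory)] [object[]] $EntraDevice,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $AutopilotIdentity
    )
    # Ids of the Autopilot registrations that still exist in Intune.
    $known = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($a in $AutopilotIdentity) { [void]$known.Add([string]$a.Id) }

    # Group Entra objects by display name to surface one PC with several device ids.
    $byName = $EntraDevice | Group-Object -Property DisplayName -AsHashTable -AsString

    foreach ($d in $EntraDevice) {
        # Assumption: Autopilot-stamped objects carry a physical id "[ZTDId]:<guid>".
        $ztd = @($d.PhysicalIds) | Where-Object {
            $_ -and $_.StartsWith('[ZTDId]:', [System.StringComparison]::OrdinalIgnoreCase)
        } | Select-Object -First 1
        if (-not $ztd) { continue }                 # not an Autopilot object
        $ztdId = ($ztd -split ':', 2)[1]
        if ($known.Contains($ztdId)) { continue }   # still registered: not a ghost
        [pscustomobject]@{
            DisplayName        = $d.DisplayName
            DeviceId           = $d.DeviceId
            TrustType          = $d.TrustType
            ZtdId              = $ztdId
            SameNameTrustTypes = (@($byName[$d.DisplayName]).TrustType | Sort-Object) -join ','
        }
    }
}

# Constructed sample data (not from the thread). In a tenant the inputs would come from
# Get-MgDevice -All and Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All.
$entra = @(
    [pscustomobject]@{ DisplayName = 'LAB-PC-01'; DeviceId = 'd1'; TrustType = 'AzureAd'
                       PhysicalIds = @('[ZTDId]:aaaaaaaa-0000-0000-0000-000000000001') }
    [pscustomobject]@{ DisplayName = 'LAB-PC-01'; DeviceId = 'd2'; TrustType = 'ServerAd'
                       PhysicalIds = @() }
    [pscustomobject]@{ DisplayName = 'LAB-PC-02'; DeviceId = 'd3'; TrustType = 'AzureAd'
                       PhysicalIds = @('[ZTDId]:aaaaaaaa-0000-0000-0000-000000000002') }
)
$autopilot = @([pscustomobject]@{ Id = 'aaaaaaaa-0000-0000-0000-000000000002' })

Find-GhostAutopilotDevice -EntraDevice $entra -AutopilotIdentity $autopilot | Format-Table -AutoSize
```

With the sample rows, only the `LAB-PC-01` object with device id `d1` is reported, and its `SameNameTrustTypes` column shows that the same PC also has a hybrid-joined (`ServerAd`) object under a different device id.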
