Automating Intune Device Cleanup: PowerShell Script for Managing Inactive Devices

By /
My Intune dashboard before implementing the automated cleanup solution

Ever found yourself drowning in a sea of inactive devices in Microsoft Intune? I did too. Here’s how I built a PowerShell script with GitHub Copilot to automatically clean up my environment, with a solution that works for any OS – though I initially focused on Linux devices.

My Intune Nightmare: Inactive Linux Devices

A policy requiring all Azure VMs to be onboarded to Microsoft Defender for Endpoint, automatically enrolled them in Intune. The development team needed to test this implementation on Linux, so they spun up numerous Ubuntu, CentOS, and Debian machines in Azure.

Fast forward six months, and my Intune environment was cluttered with over Linux devices that hadn’t checked in for weeks or months. Many were one-off test machines that developers had created, used briefly for testing Defender policies, and then forgotten about.

The manual cleanup process was tedious: identify inactive devices, verify they weren’t needed, and remove them one by one.

The Real Cost of Inactive Devices

Beyond the obvious time sink, these inactive devices were causing several problems:

  • Reporting Headaches: Compliance reports were skewed by these ghost devices
  • Security Concerns: Some devices showed failed security policies, creating false alarms

My Solution: PowerShell + Azure Automation

I needed an automated solution that could:

  1. Identify inactive devices of any OS type (with my immediate focus on Linux)
  2. Generate reports so I could verify what would be removed
  3. Safely remove devices after approval
  4. Run on a schedule without human intervention
  5. Be flexible enough to handle any OS in our environment

I turned to PowerShell and Azure Automation to build a solution. With some help from GitHub Copilot (which was amazing for generating the Graph API calls), I created a script that did exactly what I needed.

Key Features I Built In

  • Safety First: A “WhatIf” mode that shows what would be removed without taking action
  • Flexible Targeting: Works with any OS – Linux, Windows, macOS, or all devices at once
  • Configurable Thresholds: You define what “inactive” means
  • Detailed Reporting: Clear output of what’s being removed
  • Secure Credential Handling: No hardcoded secrets
  • Error Handling: Robust enough for production use

OS Flexibility

While my immediate challenge was with Linux devices from Defender for Endpoint, this script works equally well for Windows and macOS devices. Simply change the OS parameter to target different device types or use “All” to process every device in your environment.

The Script (Built with GitHub Copilot)

Here’s the PowerShell script I developed with GitHub Copilot’s assistance. It’s designed to run as an Azure Automation runbook and handles the entire process from authentication to device removal.

GitHub Link

Let’s walk through how I implemented it in my environment.

How to Implement This in Your Environment

Setting this up in your own environment is straightforward. Here’s how I did it:

Step 1: Create an App Registration

First, I created an app registration in Azure AD to authenticate with the Microsoft Graph API:

  1. I went to Azure Active Directory → App registrations → New registration
  2. Named it “Intune Device Cleanup”
  3. Selected “Accounts in this organizational directory only”
  4. Clicked “Register”
  5. Made note of the Application (client) ID and Directory (tenant) ID
  6. Created a client secret (which I stored securely)

Step 2: Grant API Permissions

Next, I granted the necessary permissions to manage devices:

  1. In my app registration, I went to “API permissions”
  2. Clicked “Add a permission”
  3. Selected “Microsoft Graph” → “Application permissions”
  4. Added these specific permissions:
    • DeviceManagementManagedDevices.ReadWrite.All
  5. Clicked “Grant admin consent”

Step 3: Set Up Azure Automation

I chose Azure Automation to host and run my script:

  1. Created an Azure Automation account
  2. Added these encrypted variables:
    • ClientSecret: My app registration’s client secret
    • ConfirmDeviceRemoval: Initially set to “No” for safety
  3. Created a new PowerShell runbook with my script
  4. Published the runbook

Step 4: Test Run in WhatIf Mode

Before letting it loose on my environment, I ran it in WhatIf mode:

  1. Started the runbook with these parameters:
    • tenantId: My Azure AD tenant ID
    • clientId: My application ID
    • OS: “Linux” (my primary target, but the script supports any OS)
    • InactiveDays: 45 (I started conservative)
    • RunMode: “WhatIf”
    • Force: false
  2. Reviewed the output to verify it was identifying the correct devices

Step 5: Schedule Regular Cleanup

Once I was confident in the script, I set up a weekly schedule:

  1. Created a weekly schedule in Azure Automation
  2. Initially kept it in “WhatIf” mode and had it email me the results
  3. After a month of successful WhatIf runs, I created a second scheduled run with:
    • RunMode: “Remove”
    • Force: true

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top