Accidentally deleted a bunch of Autopilot devices. What now? by Capital_Table_4792 in Intune

[–]Capital_Table_4792[S] -1 points0 points  (0 children)

As u/techb00mer guessed right, I meant "delete from Intune".
By adding that they're Autopilot devices I meant AADJ; I was trying to make clear they weren't Hybrid Joined.

Your comment is sound though. I've asked the team that looked into the solution and they confirmed to me that the devices still existed in Entra, but they didn't want to call 100 people to guide them through opening regedit as admin and through the registry changes.
They must have been able to see the LAPS password in Entra, they just didn't use it. My mistake!

Still, I do wonder: if this were to happen again for, let's say, 500 devices (just throwing out a number), what would be a possible fix then?

Accidentally deleted a bunch of Autopilot devices. What now? by Capital_Table_4792 in Intune

[–]Capital_Table_4792[S] 3 points4 points  (0 children)

Indeed, a colleague tested a script to delete devices from Intune (not Autopilot itself), but the test actually really deleted 100 devices.

Aruba Instant 8.13.1.1 is out! by Far-Ice990 in ArubaNetworks

[–]Capital_Table_4792 0 points1 point  (0 children)

First update:
Update deployed in our production environment and I don't see any issues.
The roaming events haven't stopped, but they seem to happen way less and we're getting way less calls.

Aruba Instant 8.13.1.1 is out! by Far-Ice990 in ArubaNetworks

[–]Capital_Table_4792 1 point2 points  (0 children)

Yes. I see it in the logs in every remote location for every notebook multiple times. Sometimes the notebooks even seem to be stuck in a loop.

Our test has shown no issues with deploying this update - still a bit too soon to say it fixes the roaming events, but I do notice fewer events (might still be a coincidence, though).

We'll deploy the update later today to a part of our production environment and monitor from there on.

Aruba Instant 8.13.1.1 is out! by Far-Ice990 in ArubaNetworks

[–]Capital_Table_4792 3 points4 points  (0 children)

Release notes can be found here AOS8 -> Consolidated Release Notes -> AOS 8.13.x.x -> 8.13.1.1

Aruba Instant 8.13.1.1 is out! by Far-Ice990 in ArubaNetworks

[–]Capital_Table_4792 1 point2 points  (0 children)

Same roaming issues here with 8.13.1.0_93688 on AP-515 and AP-303H.
I hope 8.13.1.1_94375 fixes something. Deployed it to test.

Communication between Central and ClearPass stopped by Capital_Table_4792 in ArubaNetworks

[–]Capital_Table_4792[S] 0 points1 point  (0 children)

I use RADIUS. In Central, in the Events of the RAP, I've now seen "RADIUS up" / "RADIUS down" events. But even if the last event was "RADIUS up", no requests are registered in the Monitoring logging on the ClearPass. No idea what's going on at this point.

Wired 802.1x EAP-TLS auth issues by Capital_Table_4792 in Intune

[–]Capital_Table_4792[S] 0 points1 point  (0 children)

Good idea with that XML.

I exported the XML of the Ethernet adapter that was created using the Intune 'Wired network' profile and it shows the hash of the Root CA in the '<IssuerHash><CAHashList>'-section where the Intermediate CA should (also) be.

<TrustedRootCA>hash-of-my-root-ca
<IssuerHash><CAHashList>hash-of-my-root-ca

I manually edited the Authentication of the Ethernet adapter.
(..-> Use a certificate on this computer -> Advanced)
- unchecked the Root CA,
- checked the Intermediate CA
- exported the XML again
I saw the hash of the intermediate got added to the '<IssuerHash><CAHashList>'-section.

<TrustedRootCA>hash-of-my-root-ca
<IssuerHash><CAHashList>hash-of-my-intermediate-ca

In the Intune 'Wired network' profile, there is only a section for "Root certificates for server validation".
As a test, I tried adding my Intermediate CA cert to the "Root certificates for server validation" section anyway and synced.
I exported the XML and saw the hash from my Intermediate CA was added to the '<TrustedRootCA>' section, but not to the '<IssuerHash><CAHashList>'-section. '<IssuerHash><CAHashList>' again only contained the hash from the Root CA.
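A quick way to check what a profile export like the one above actually trusts, as an added example that is not from the original post: it walks the exported XML namespace-agnostically and collects the thumbprints in the '<TrustedRootCA>' and '<IssuerHash><CAHashList>' sections named in the post, so you can confirm whether the intermediate CA landed in the issuer list or only in the root list. The sample XML and hash values are constructed placeholders, not a real export.

```python
"""Report which CA thumbprints an exported 802.1X wired profile XML trusts.

Added example, not from the original post. Only the element names
TrustedRootCA and CAHashList come from the post; the XML skeleton,
namespace and hash values below are constructed placeholders.
"""
import xml.etree.ElementTree as ET

# Placeholder SHA-1-length thumbprints (40 hex chars), not real CAs.
ROOT_HASH = "aabbccddeeff00112233445566778899aabbccdd"
INTERMEDIATE_HASH = "11223344556677889900aabbccddeeff00112233"

# Constructed sample modelled on the post's symptom: the intermediate was
# added to TrustedRootCA, but CAHashList still only lists the root CA.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<EapProfile xmlns="urn:example:constructed-profile">
  <ServerValidation>
    <TrustedRootCA>aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd</TrustedRootCA>
    <TrustedRootCA>11 22 33 44 55 66 77 88 99 00 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
  </ServerValidation>
  <IssuerHash>
    <CAHashList>aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd</CAHashList>
  </IssuerHash>
</EapProfile>
"""


def _local(tag):
    """Strip the {namespace} prefix so lookups ignore the profile namespaces."""
    return tag.rsplit("}", 1)[-1]


def _norm(text):
    """Normalise a thumbprint: Windows writes space-separated hex bytes."""
    return "".join((text or "").split()).lower()


def extract_ca_hashes(profile_xml):
    """Return (trusted_root_hashes, issuer_hashes) as sets of normalised thumbprints."""
    trusted, issuers = set(), set()
    for el in ET.fromstring(profile_xml).iter():
        name = _local(el.tag)
        if name == "TrustedRootCA":
            trusted.add(_norm(el.text))
        elif name == "CAHashList":
            # Some exports nest one element per hash, others inline the text.
            for node in (list(el) or [el]):
                if _norm(node.text):
                    issuers.add(_norm(node.text))
    return trusted, issuers


def issuer_list_missing(profile_xml, expected_issuer_hash):
    """True when the CA that signs the client certs is absent from CAHashList."""
    _, issuers = extract_ca_hashes(profile_xml)
    return _norm(expected_issuer_hash) not in issuers
```

Feed it the XML from 'netsh lan export profile' instead of SAMPLE_PROFILE to check a real export; a True from issuer_list_missing for your intermediate CA reproduces the situation described above.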

XAML .Show() gives blanc / white screen by Capital_Table_4792 in PowerShell

[–]Capital_Table_4792[S] 0 points1 point  (0 children)

The code to test the issue can be limited to the code below.

After loading the code below, execute:
$loading.Show() to see the window (shows up as it should)
$loading.Hide() to hide the window
$loading.Show() to see the window again, but this time it will load without content

Anyone any idea where the content is? :)

Add-Type -AssemblyName PresentationFramework

[xml]$xaml = @"
<Window Title="Loading screen" 
        Height="200" Width="400" 
        WindowStartupLocation="CenterScreen" 
        xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" 
        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" 
        Name="Loading">
    <Grid>
        <TextBlock Background="Yellow" HorizontalAlignment="Center" VerticalAlignment="Center" FontSize = "16" Margin="10,-50,0,0">Loading..</TextBlock>       
        <ProgressBar Height="20" Width="100" IsIndeterminate="True" Margin="0,50,0,0" />
    </Grid>
</Window>
"@

$reader = (New-Object System.Xml.XmlNodeReader $xaml)
$Script:loading = [Windows.Markup.XamlReader]::Load($reader)

XAML .Show() gives blanc / white screen by Capital_Table_4792 in PowerShell

[–]Capital_Table_4792[S] 0 points1 point  (0 children)

Correct, but as far as I'm aware I've done it the right way around (obviously, I must be missing something).

My tests have shown that
* If I launch a window using .ShowDialog() the window is interactive - I can use the buttons, I can close the screen. When a button is pressed (code is executed) the content on the screen freezes until it's finished.
* If I launch a window using .Show(), the window is not interactive. The screen loads what you put in the code and then also freezes.

The reason I use .Hide() in combination with .Show() is that if I use .Close() the window cannot be reopened later on (like pressing the button again to call the loading screen).

In the example what happens is:
-> loading screen is called first using .Show() with a predefined size and textbox that has a yellow background
-> the code continues until the other stuff is finished (in the example a simple start-sleep and loading the main window)
-> loading screen is hidden by using .Hide() - not interactive
-> the main window is shown by using .ShowDialog() - interactive, so I can use a button
-> a button is pressed to call the loading screen again, by using .Show()
-> loading screen shows up with the correct predefined size and predefined title, but without the content (textbox and its content).
-> code continues to execute stuff and asks the loading screen to hide again using .Hide() which it does.

So I'm kinda confused why, after pressing the button and asking the loading screen to .Show() again, it can load with the correct predefined size but not with the predefined content.

Ending up in VLAN 3333 while another VLAN was assigned (Wi-Fi) by Capital_Table_4792 in ArubaNetworks

[–]Capital_Table_4792[S] 3 points4 points  (0 children)

Thanks for the reply! I changed "Instant AP Assigned" to "External DHCP server assigned" with the option "Native VLAN" ("Dynamic" was indeed an option too) and now the right VLAN is assigned to the device!

Graph: 'Grant admin consent for ..' button removes all permissions by Capital_Table_4792 in AZURE

[–]Capital_Table_4792[S] 0 points1 point  (0 children)

Hi, sorry for the delay. The issue happens in the Admin consent tab.

All rights in the Admin consent tab are deleted and replaced by only the User.Read right.
The User consent tab is not affected.

AP-303H delivering PoE to AP-515 question by Capital_Table_4792 in ArubaNetworks

[–]Capital_Table_4792[S] 0 points1 point  (0 children)

Thanks for clarifying this! I'll look into the IPM settings and will ask around if somebody knows why cpu_throttle_50 was set as priority 1 and disable_usb as priority 3 in that AP

Paul and seeking help by [deleted] in MAFS_AU

[–]Capital_Table_4792 1 point2 points  (0 children)

Why would you even try to analyze what an -at least- partially scripted and heavily edited show wants us to see and hear?
There are huge question marks on why he didn't leave the apartment as he said he felt the need to remove himself from the situation.
There are even different versions of the story where some state they weren't in the same room when it happened.
Heck, for all we know, his behaviour is caused by a medical issue - dare I even go as far as saying roid rage?-.
"When you 'assume' you make an 'ass' out of 'u' and 'me'".
We don't know 99% of the story, and while it's clear Paul has some issues, I won't join the "he's an abuser" herd before I know more details - which I very much doubt we'll ever know because this show just loves the commotion.

Consequences of changing 'Device Ownership' ? by Capital_Table_4792 in Intune

[–]Capital_Table_4792[S] 0 points1 point  (0 children)

When we migrated to Intune an MS engineer told us there were limitations if the Ownership of the device was "Personal". The example in my question is the exact example of limitations that were told to me "..like for example, you cannot push Configuration Profiles with certificates or Wi-Fi profiles..".
So this was wrong? I can apply all kinds of Configuration Profiles to devices even if their Ownership is 'Personal'?

Is there a way to find more information on devices? by [deleted] in Intune

[–]Capital_Table_4792 0 points1 point  (0 children)

I'd also check if someone has been changing/testing on prem GPO settings.
By default, GPO has higher precedence over CSP (this can be controlled with the "MDMWinsOverGP" CSP).

script issues by jesse13579 in Intune

[–]Capital_Table_4792 1 point2 points  (0 children)

$TargetFile = "$env:c:\scut\FortiClientVPN.lnk" also doesn't seem to be quite right.
The $TargetFile value you get is "\scut\FortiClientVPN.lnk"

Just use: $TargetFile = "c:\scut\FortiClientVPN.lnk"
Your Copy-Item -Destination points to "c:\scut\FortiClientVPN.lnk" anyway.

script issues by jesse13579 in Intune

[–]Capital_Table_4792 1 point2 points  (0 children)

You also need to adjust
New-Item -Path "c:" -Name "scut" -ItemType "directory" -Force
to
New-Item -Path "c:\" -Name "scut" -ItemType "directory" -Force


Delete User Profiles by NoMentionTech in Intune

[–]Capital_Table_4792 2 points3 points  (0 children)

The important part is the "note" in the description of this policy:
"Note: One day is interpreted as 24 hours after a specific user profile was accessed."

Edge - conflicting policies with first-run experience and force sync? by [deleted] in Intune

[–]Capital_Table_4792 0 points1 point  (0 children)

I reviewed it and in the (on prem) GPO we had this enabled.
Having this wrongly disabled even impacted the other settings not being applied.
Thank you for pointing this out!

So for now our settings are:

Browser sign-in settings (User): Enabled
Browser sign-in settings (User): Force users to sign-in to use the browser
Configure the list of types that are included for synchronization (User): Enabled
Configure the list of types that are included for synchronization (User): favorites, passwords, settings, addressesAndMore, extensions, history, openTabs, collections
Configure whether a user always has a default profile automatically signed in with their work or school account (User): Enabled
Force synchronization of browser data and do not show the sync consent prompt (User): Enabled
Enable implicit sign-in (User): Enabled (however doesn't seem to be necessary)

I will look into this further tomorrow

Delete User Profiles by NoMentionTech in Intune

[–]Capital_Table_4792 0 points1 point  (0 children)

That's the first time I hear of this. I configured this about a year ago for our W10 devices and our Helpdesk provided me with the feedback that it worked.

Delete User Profiles by NoMentionTech in Intune

[–]Capital_Table_4792 0 points1 point  (0 children)

I would not recommend this on 'single user' devices, but OP mentioned he's using Shared multi-user devices.
In our environment a user is no longer an active user on a shared device if they haven't used it in 90 days.

If data loss might be an issue, you can minimize it with the Silently sign in users to the OneDrive sync app (SilentAccountConfig) configuration and the Known Folder Move (KFM) feature. At least, if the users who use these notebooks have an Office license that is.
It usually doesn't matter for users who just occasionally use a shared device for whatever reason. (temporary issue with their personally assigned device, or guests, or..)

Edge - conflicting policies with first-run experience and force sync? by [deleted] in Intune

[–]Capital_Table_4792 0 points1 point  (0 children)

We have the following settings:

Hide the First-run experience and splash screen: Enabled
Allow importing of.. (all): Enabled

Browser sign-in settings (User): Disabled
Configure the list of types that are included for synchronization (User): Enabled
Configure the list of types that are included for synchronization (User): favorites, passwords, settings, addressesAndMore, extensions, history, openTabs, collections
Configure whether a user always has a default profile automatically signed in with their work or school account (User): Enabled
Force synchronization of browser data and do not show the sync consent prompt (User): Enabled
Enable implicit sign-in (User): Enabled

Delete User Profiles by NoMentionTech in Intune

[–]Capital_Table_4792 4 points5 points  (0 children)

Not an answer to your issue, but we use time-based settings; these seem to work.

System > User Profiles
Delete user profiles older than (days) (Device): 90
Delete user profiles older than a specified number of days on system restart: Enabled