AutopilotNuke

2.7

Runs from the OOBE screen, connects to Azure AD, Intune and optionally to AD DS, finds all objects matching the serial number of the machine it is running on, deletes them from everywhere, then adds the device to Autopilot again.
It asks for confirmation before deleting each object.
Usage:
- The script can also run from an installed Windows 10, but be careful when removing natively Azure AD joined Intune devices: you can lock yourself out if you do not know the local administrator's password
- Intended usage - from OOBE (Out of Box Experience)
- While in OOBE, press Shift+F10
- powershell.exe
- Install-Script AutopilotNuke
- Accept all prompts
- & 'C:\Program Files\WindowsPowerShell\Scripts\AutopilotNuke.ps1'
- The script will:
       Download and install all required modules (accept all prompts)
       Show you the serial number of the machine
       Prompt you to connect to Azure AD and Intune Graph
       Ask whether you want to connect to local AD (AD DS, NT domain) so it can delete old records from there; enter the FQDN (domain.com, contoso.local) of your AD domain
       If you entered a local AD domain, ask you for a username and password; use the <NetbiosName>\User format for the username
       Search Autopilot for the serial number
       Show you all objects in Intune and AAD related to that serial number
       Ask if you want to delete it from Intune, then delete it
       Ask if you want to delete it from Autopilot, then delete it
       Loop through all AAD and AD (if selected) objects and ask whether to delete each one
       Ask if you want to add it to Autopilot, then add it
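Before running a tool that deletes objects, it is worth seeing exactly what is tied to the serial number. The following read-only preflight is an added example, not part of AutopilotNuke: it uses the standard Get-AutopilotDevice, Get-MgDeviceManagementManagedDevice, Get-MgDevice and Get-ADComputer cmdlets with read-only Graph scopes, and the $SerialNumber and $AdDomain parameter names are this example's own.

```powershell
# Added example (not the AutopilotNuke script): list every object tied to this machine's
# serial number so the deletions AutopilotNuke will propose can be reviewed first.
# Assumes the Microsoft.Graph, WindowsAutopilotIntune and (optionally) ActiveDirectory
# modules are installed. Parameter names below are this example's own choice.
param(
    [string]$SerialNumber = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber,
    [string]$AdDomain     # optional on-prem AD FQDN, e.g. contoso.local
)

# Read-only scopes: enough to enumerate, not enough to delete anything.
Connect-MgGraph -Scopes 'Device.Read.All',
                        'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementServiceConfig.Read.All' | Out-Null
Write-Host "Serial number: $SerialNumber"

$report = [System.Collections.Generic.List[object]]::new()

# 1. Autopilot registrations for this serial (WindowsAutopilotIntune module)
foreach ($ap in Get-AutopilotDevice -serial $SerialNumber) {
    $report.Add([pscustomobject]@{ Source='Autopilot'; Id=$ap.id; Name=$ap.serialNumber; Extra=$ap.groupTag })
}

# 2. Intune managed devices, and the Azure AD device object each one points at
$intune = Get-MgDeviceManagementManagedDevice -Filter "serialNumber eq '$SerialNumber'"
foreach ($md in $intune) {
    $report.Add([pscustomobject]@{ Source='Intune'; Id=$md.Id; Name=$md.DeviceName; Extra=$md.UserPrincipalName })
    foreach ($aad in Get-MgDevice -Filter "deviceId eq '$($md.AzureAdDeviceId)'") {
        $report.Add([pscustomobject]@{ Source='AzureAD'; Id=$aad.Id; Name=$aad.DisplayName; Extra=$aad.TrustType })
    }
}

# 3. Optional: on-prem AD computer accounts with the same name (hybrid join leaves these behind)
if ($AdDomain) {
    $cred  = Get-Credential -Message "Enter NETBIOS\User for $AdDomain"
    $names = $report | Where-Object Source -in 'Intune','AzureAD' | Select-Object -ExpandProperty Name -Unique
    foreach ($name in $names) {
        Get-ADComputer -Filter "Name -eq '$name'" -Server $AdDomain -Credential $cred -ErrorAction SilentlyContinue |
            ForEach-Object { $report.Add([pscustomobject]@{ Source='ADDS'; Id=$_.ObjectGUID; Name=$_.Name; Extra=$_.DistinguishedName }) }
    }
}

# Nothing is deleted here; review the table, then decide whether to run AutopilotNuke.
$report | Format-Table -AutoSize
```

Run it from the same elevated PowerShell session you would use for AutopilotNuke; an empty table for a given source means that source holds no stale record for this machine.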

Minimum security rights needed:
• To authorize Intune Graph, you will need a Global Administrator, but only once. Ask your GA to run:
   Install-PackageProvider -Name NuGet
   Install-Module AzureAD
   Install-Module WindowsAutopilotIntune
   Install-Module Microsoft.Graph.Intune
   Connect-AzureAD
   Connect-MSGraph
   and accept the consent prompt
• Custom role with the following permissions required in Intune:
   Managed devices
       Read
       Delete
       Update
       Enrollment programs
       Create device
       Delete device
       Read device
       Sync device
   Assigned to All Devices (not tested with RBAC scoping, but it should work in theory)
• Cloud Device Administrator role required in Azure AD
• AD DS rights similar to Intune Connector rights: https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid#:~:text=The%20Intune%20Connector%20for%20your,the%20rights%20to%20create%20computers.



Installation Options

Install this package using PowerShellGet:

Install-Script -Name AutopilotNuke -RequiredVersion 2.7

Copyright

Alexey Semibratov

Package Details

Author(s)

  • Alexey Semibratov

Dependencies

This script has no dependencies.

Release Notes

Version 2.7: Changed Autopilot delete method
Version 2.6: Fixed mg-device command
Version 2.5: Typo
Version 2.4: Switched to MgGraph SDK and added support for app reg
Version 2.1: Bugfix
Version 2.0: Bugfix
Version 1.9: Bugfix
Version 1.8: Streamlined all logic with found Intune/AAD devices, changed output of found objects to a table
Version 1.7: Fixed a situation where there can be multiple Intune devices
Version 1.6: Added assigned user and tag - we will capture the old values, and will allow to change those if needed
Version 1.5: Some changes in language around the on-prem domain. Added a wait for sync if it was less than 10 minutes ago. Fixed a bug when there are no Autopilot devices but we still want to delete Intune/AAD/AD devices.
Version 1.2: Added more documentation and the set of required rights. Now if the device is not found in Autopilot but exists in Intune (by serial number), it is still cleaned from AD DS and AAD
Version 1.1: Invoke-AutopilotSync, when called too soon, errors out
Version 1.0: Original public version.

Version History

Version Downloads Last updated
3.9 11,101 11/17/2023
3.8 120 11/15/2023
3.7 35 11/15/2023
3.6 297 11/3/2023
3.4 381 10/20/2023
3.3 672 9/24/2023
3.2 3,089 7/6/2023
3.1 24 7/6/2023
3.0 15 7/6/2023
2.9 1,048 6/22/2023
2.8 58 6/20/2023
2.7 (current version) 51 6/16/2023
2.6 13 6/16/2023
2.5 11 6/16/2023
2.4 14 6/16/2023
2.3 14,861 3/7/2021