This is a continuation of the blog post I published last week. In that post I had my first look at Intune Agents and looked more closely at the Change Review Agent. This time I'll be looking at the Device Offboarding Agent. This agent identifies stale devices across Intune and Entra ID, provides actionable insights, and offboards stale devices for you.
Some things to know:
- To run an Agent, you will need sufficient Security Compute Units (SCUs) in the tenant, as per the previous blog post.
- The agent supports Windows, iOS/iPadOS, macOS, Android, and Linux devices.
- The agent supports both corporate-owned and BYOD scenarios.
- At this time, the agent doesn't support:
  - Hybrid Entra-joined Windows devices
  - Windows Autopilot devices
  - Shared devices
  - Microsoft Teams Phones
- Once the Agent has been configured, it can be run by a Read Only Operator (Intune) and Security Reader (Entra).
- The agent identifies devices that were retired, wiped, or deleted from Intune within the last 30 days.
- The agent limits results to the first 10,000 devices.
Ok, so let's get started. Navigate to Agents in the Intune Admin Center.
Click View details for the Device Offboarding Agent.
Click to Run the Agent.
You are told that re-running the agent clears previous suggestions and recommendations. Click Run to start the job.
The Agent finishes and I have a result. This is my test lab where I have created a stale device for demonstration purposes. I can see Suggested next steps and one device affected. Click on Remove Windows Corporate devices.
We are presented with a Summary and associated factors. The Summary tells us that "there is one corporate Windows device that is no longer in Intune but is in other portals. This device should be removed". It would be better if I had more devices in the report but that is still pretty cool.
We also get a recommended action plan of six actions.
Action 1: Download affected device list.
Click Download CSV.
The CSV file contains the Entra device ID(s) of the stale devices.
Action 2: Back up BitLocker recovery keys
We are presented with the recommended steps to back up BitLocker recovery keys (outside the scope of the agent).
Action 3: Back up Local Admin Password Solution
We are presented with the recommended steps to export LAPS passwords (outside the scope of the agent).
Action 4: Remove devices from the Defender portal
We are presented with the recommended steps to remove devices from the Defender portal (outside the scope of the agent).
Action 5: Remove devices from Autopilot
We are presented with the recommended steps to remove devices from Autopilot (outside the scope of the agent).
Action 6: Disable devices in Microsoft Entra
The last action allows us to disable the stale devices in Microsoft Entra. Click on Disable devices.
We have to confirm that we want to Disable the devices. This action removes all the stale devices from Entra ID.
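Actions 1 and 2 can be tied together in a script, so that no device is disabled before its recovery keys have been checked. The following is an added example, not part of the original walkthrough or of the agent itself. It assumes the Microsoft.Graph.Identity.SignIns PowerShell module is installed, that the signed-in account is allowed to read BitLocker keys, and that the CSV column holding the Entra device ID is named `DeviceId` (an assumption, check the header in your own download).

```powershell
# Added example: back up BitLocker recovery keys for the devices listed in the
# agent's CSV (Action 1) before they are disabled in Entra (Action 6).
param(
    [Parameter(Mandatory)] [string] $CsvPath,        # CSV downloaded in Action 1
    [string] $IdColumn = 'DeviceId',                 # ASSUMPTION: header name, verify in your file
    [string] $OutPath  = '.\bitlocker-key-backup.csv' # hypothetical output path
)

Connect-MgGraph -Scopes 'BitLockerKey.Read.All'

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $deviceId = $row.$IdColumn
    $parsed   = [guid]::Empty
    if (-not [guid]::TryParse($deviceId, [ref]$parsed)) {
        Write-Warning "Skipping row without a valid device ID: '$deviceId'"
        continue
    }

    # The list call returns key metadata only (id, volume type, created date).
    $keys = @(Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$deviceId'" -All)

    if ($keys.Count -eq 0) {
        # Nothing escrowed: flag it so the device can be reviewed before disabling.
        [pscustomobject]@{
            DeviceId = $deviceId; KeyId = $null; VolumeType = $null
            Created  = $null;     RecoveryKey = $null; Status = 'NoKeyEscrowed'
        }
        continue
    }

    foreach ($k in $keys) {
        # The key itself must be requested per key id; each read is written to the Entra audit log.
        $full = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $k.Id -Property 'key'
        [pscustomobject]@{
            DeviceId = $deviceId; KeyId = $k.Id; VolumeType = $k.VolumeType
            Created  = $k.CreatedDateTime; RecoveryKey = $full.Key; Status = 'BackedUp'
        }
    }
}

# The output file contains recovery keys in clear text: write it to a protected location.
$results | Export-Csv -Path $OutPath -NoTypeInformation

# Summary: how many keys were backed up and how many devices had none.
$results | Group-Object Status | Select-Object Name, Count
```

Review any device reported as `NoKeyEscrowed` before you continue to Action 6.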
I hope you find this useful. Until next time......