How to Delete Windows Autopilot Devices from Intune, Entra ID, and M365

Learn to properly remove stale Windows Autopilot devices from Microsoft Intune, Entra ID, and Microsoft 365 portals using manual and PowerShell methods.

Evan Mael
March 27, 2026 15 min
Difficulty: medium | Topic: Intune | 8 steps | 15 min

Why Remove Windows Autopilot Devices from Microsoft Platforms?

Managing device lifecycles in modern organizations requires proper cleanup of decommissioned, replaced, or stale Windows devices across Microsoft's ecosystem. When a device is retired, sold, or replaced, its digital identities persist in Microsoft Intune, Entra ID (formerly Azure AD), and the Microsoft 365 portals, which creates both security exposure and management overhead.

Stale device records cause several problems: they can count against device-based licensing, clutter device inventories, may still satisfy device-based Conditional Access conditions for hardware you no longer control, and can interfere with new enrollments if the hardware is reused. An orphaned Autopilot registration in particular blocks deletion of the matching Entra ID object and can prevent a device with the same hardware identifiers from being reprovisioned cleanly.

What Makes Device Deletion Complex Across Microsoft Platforms?

The challenge lies in understanding the interconnected nature of Microsoft's device management platforms. A single Windows device typically exists in multiple locations: as an Autopilot device identity for zero-touch deployment, as a managed device in Intune for policy enforcement, and as a device object in Entra ID for authentication and access control. Each platform serves different purposes and has specific deletion requirements.

The deletion sequence matters critically. Autopilot registrations block Entra ID deletions, so you must remove devices from Intune Autopilot first. Hybrid-joined devices add another layer of complexity, as they sync from on-premises Active Directory and will reappear unless deleted from the source. Understanding these dependencies and the proper deletion sequence prevents incomplete removals and recurring device records.

Implementation Guide

Full Procedure

01

Delete Device from Intune Autopilot Registry

Start by removing the device from the Autopilot registry in Intune. This step is crucial because an Autopilot registration blocks deletion of the device object from Entra ID.

Navigate to the Microsoft Intune admin center at https://intune.microsoft.com (the older https://endpoint.microsoft.com address redirects there). Go to Devices > Enroll devices > Windows Autopilot devices.

Use the search bar to find your device by serial number, or by device name if one has been assigned.

# Alternative: Find device via PowerShell Graph query
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All"
# -All pages through the whole Autopilot registry; a bare call returns only the first page of results
Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All |
    Where-Object { $_.SerialNumber -eq "YOUR_SERIAL_NUMBER" } |
    Select-Object Id, SerialNumber, Manufacturer, Model, GroupTag, AzureActiveDirectoryDeviceId

Select the device from the list and click Delete. Confirm the deletion when prompted.

Warning: Deleting an Autopilot device prevents it from being automatically provisioned in the future. Only delete devices that are being decommissioned or replaced.

Verification: Search for the device again in the Autopilot devices list. It should no longer appear. The deletion may take a few minutes to propagate.
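If the hardware might be reprovisioned later, capture its Autopilot hardware hash before the registration is deleted, because deleting the registration is what removes that hash from the tenant. The following is an added example and not code from the original article: it does what the community Get-WindowsAutopilotInfo script does (read the hash from the MDM bridge WMI provider and write the CSV layout that the Autopilot import accepts). Run it in an elevated PowerShell session on the device itself; the output path is an assumption.

```powershell
# Added example: capture this machine's Autopilot hardware hash before its registration is deleted.
# Must run elevated on the device itself. The output path is an assumption for this example.
$OutputCsv = 'C:\temp\autopilot-hash.csv'

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AutopilotHardwareHashRecord {
    if (-not (Test-IsElevated)) { throw 'The MDM bridge provider is only readable from an elevated session.' }

    # Serial number from SMBIOS, the same value the Autopilot service keys registrations on
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

    # The hardware hash is exposed by the MDM bridge WMI provider
    # (namespace root\cimv2\mdm\dmmap, class MDM_DevDetail_Ext01, property DeviceHardwareData)
    $devDetail = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail.DeviceHardwareData) { throw 'DeviceHardwareData is empty; cannot build an import record.' }

    # Column names are the ones the Intune Autopilot CSV import expects; Windows Product ID and Group Tag are optional
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''
        'Hardware Hash'        = $devDetail.DeviceHardwareData
        'Group Tag'            = ''     # fill in if your deployment profiles are assigned by group tag
    }
}

function Export-AutopilotImportCsv {
    param([Parameter(Mandatory)] $Record, [Parameter(Mandatory)] [string] $Path)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # The import is picky about quoting, so strip the quotes ConvertTo-Csv adds (the hash is base64, so it has none)
    $Record | ConvertTo-Csv -NoTypeInformation | ForEach-Object { $_ -replace '"', '' } | Set-Content -Path $Path -Encoding ASCII
}

$record = Get-AutopilotHardwareHashRecord
Export-AutopilotImportCsv -Record $record -Path $OutputCsv
Write-Host "Serial $($record.'Device Serial Number'): hash of $($record.'Hardware Hash'.Length) characters written to $OutputCsv"
```

Keep the CSV with the decommissioning record. To re-register the device later, import the file from the same Windows Autopilot devices blade used above (Import), after which the serial appears in the list again and the Autopilot profile applies on the next OOBE.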

02

Remove Device from Intune Managed Devices

Next, remove the device from Intune's managed devices list if it appears there. This step retires the device and removes it from the Company Portal.

In the Intune admin center, navigate to Devices > All devices. Search for your device by name, user, or device ID.

Select the device and click Delete. This action will:

  • Issue a retire command to the device
  • Remove the device from the Company Portal
  • Unenroll the device from Intune management
  • Remove company data (depending on your policies)
# PowerShell alternative for bulk operations
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All"
# -All pages through every managed device; a bare call returns only the first page
$devices = Get-MgDeviceManagementManagedDevice -All | Where-Object { $_.DeviceName -like "*PATTERN*" }
# Review what matched before anything is removed; a loose wildcard can match far more than intended
$devices | Select-Object DeviceName, UserPrincipalName, LastSyncDateTime, Id | Format-Table -AutoSize
Write-Host "Matched $(@($devices).Count) device(s)"
foreach ($device in $devices) {
    Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id
    Write-Host "Deleted device: $($device.DeviceName)"
}
Pro tip: If you need to reprovision the device later, use Wipe instead of Delete. In the Wipe dialog leave "Wipe device, but keep enrollment state and associated user account" unchecked; the device resets to OOBE, and because the Autopilot registration lives outside the Intune device record it is untouched, so the device picks up its Autopilot profile again on the next boot.

Verification: The device should disappear from the All devices list within 5-10 minutes. Check the device's status before deletion - it may show as "Pending" during the retirement process.

03

Delete Device from Microsoft Entra ID

Now that the Autopilot registration is removed, you can delete the device from Entra ID (formerly Azure AD). This step removes the device identity and revokes access to organizational resources.

Open the Microsoft Entra admin center at https://entra.microsoft.com. Navigate to Devices > All devices.

Search for your device by name, device ID, or other attributes. You can use filters to narrow down the results if you have many devices.

Select the device and optionally click Disable first to immediately block access while keeping the device record. Then click Delete and confirm the action.

# PowerShell method for Entra ID device deletion
Connect-MgGraph -Scopes "Device.ReadWrite.All"

# Find device by name (display names are not unique; several objects may come back)
$device = Get-MgDevice -Filter "displayName eq 'DEVICE_NAME'"

# Or find by device ID (the deviceId attribute, which is unique per device, not the object id)
$device = Get-MgDevice -Filter "deviceId eq 'DEVICE_ID'"

# Refuse to continue unless exactly one object matched
if (@($device).Count -ne 1) { throw "Expected exactly one match, found $(@($device).Count); refine the filter." }

# Delete the device. Note: the -DeviceId parameter takes the object id ($device.Id), not the deviceId attribute
Remove-MgDevice -DeviceId $device.Id
Write-Host "Deleted device: $($device.DisplayName) from Entra ID"
Warning: If the delete option is greyed out, the device likely still has an active Autopilot registration. Return to step 1 and ensure the Autopilot device was properly deleted.

Verification: Search for the device again in Entra ID. It should no longer appear in the devices list. You can also verify using PowerShell: Get-MgDevice -Filter "displayName eq 'DEVICE_NAME'" should return no results.

04

Handle Hybrid-Joined Devices

For hybrid Azure AD-joined devices, additional steps are required, or the device reappears in Entra ID at the next Active Directory synchronization. For these devices the on-premises deletion should happen before the Entra ID deletion in step 3: if the Entra object goes first while the AD computer account still exists, the next sync cycle simply recreates it.

First, confirm the join type in the device details in Entra ID: look for "Hybrid Azure AD joined" (shown as "Microsoft Entra hybrid joined" in newer portal builds). From PowerShell, Get-MgDevice reports this as TrustType equal to ServerAd; AzureAd means cloud-only joined and Workplace means registered.

Connect to your on-premises domain controller and open Active Directory Users and Computers. Navigate to the Computers container or the specific OU where the device is located. Right-click the computer object and select Delete. This prevents Azure AD Connect from re-synchronizing the device. If BitLocker recovery passwords are backed up to AD DS, they are stored as child objects of the computer account and are deleted with it, so export them first.

# PowerShell to find and delete from on-premises AD (run with delete rights on the OU)
Import-Module ActiveDirectory

# Find the computer object
$computer = Get-ADComputer -Filter "Name -eq 'DEVICE_NAME'"
if (-not $computer) { throw "No computer object named DEVICE_NAME was found" }

# Delete the computer object. Remove-ADComputer only removes leaf objects: if the account has children
# (BitLocker msFVE-RecoveryInformation, TPM or Hyper-V objects) it fails with "can perform the requested
# operation only on a leaf object", and Remove-ADObject -Recursive is needed instead.
try {
    Remove-ADComputer -Identity $computer.DistinguishedName -Confirm:$false -ErrorAction Stop
} catch {
    Write-Host "Leaf delete failed ($($_.Exception.Message)); removing the object together with its children"
    Remove-ADObject -Identity $computer.DistinguishedName -Recursive -Confirm:$false
}
Write-Host "Deleted $($computer.Name) from on-premises AD"

Wait for the next Azure AD Connect sync cycle (typically 30 minutes) or force a sync:

# Force Azure AD Connect sync (run on sync server)
Start-ADSyncSyncCycle -PolicyType Delta
Pro tip: You can check the Azure AD Connect sync status in the Entra admin center under Azure AD Connect > Connect Health to confirm the deletion has synchronized.

Verification: After the sync completes, verify the device doesn't reappear in Entra ID. Check both the Entra admin center and run Get-MgDevice -Filter "displayName eq 'DEVICE_NAME'" to confirm permanent deletion.

05

Use Graph Explorer for Orphaned Autopilot Records

Sometimes an Autopilot record exists in the backend but does not appear in the Intune console, and the Entra ID deletion keeps being rejected. Use Microsoft Graph Explorer to find and remove these orphaned records.

Open Graph Explorer at https://developer.microsoft.com/graph/graph-explorer and sign in with your admin account. Under Modify permissions, consent to Device.Read.All and DeviceManagementServiceConfig.ReadWrite.All; without them the device and Autopilot queries below return 403 Forbidden.

First, find the device in Entra ID to get its Azure AD device ID (the deviceId attribute, not the object id). Run this query in Graph Explorer:

GET https://graph.microsoft.com/v1.0/devices?$filter=displayName eq 'DEVICE_NAME'

Copy the deviceId from the response. Then search for the corresponding Autopilot record:

GET https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities?$filter=azureActiveDirectoryDeviceId eq 'DEVICE_ID'

If an Autopilot record is found, note its id and serialNumber. If the service rejects the $filter on azureActiveDirectoryDeviceId, drop the filter, page through the full list and match the field in the response instead. Delete the record using:

DELETE https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/AUTOPILOT_ID

Alternatively, use PowerShell for the same operations:

# Find Autopilot device by Azure AD device ID
try {
    $autopilotDevice = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -Filter "azureActiveDirectoryDeviceId eq 'DEVICE_ID'" -ErrorAction Stop
} catch {
    # Fallback if the server-side filter is not accepted: page through everything and match client-side
    $autopilotDevice = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All | Where-Object { $_.AzureActiveDirectoryDeviceId -eq 'DEVICE_ID' }
}

# Delete the Autopilot record (guarded so a missing match never calls Remove with an empty id)
if ($autopilotDevice) { Remove-MgDeviceManagementWindowsAutopilotDeviceIdentity -WindowsAutopilotDeviceIdentityId $autopilotDevice.Id }
Pro tip: Graph Explorer is excellent for troubleshooting. You can explore device relationships and see all associated records across Microsoft 365 services.

Verification: Re-run the Graph query to confirm the Autopilot record is deleted. The query should return an empty result set.

06

Bulk Delete Multiple Devices with PowerShell

For organizations with many stale devices, use PowerShell scripts to automate the deletion process across all three platforms.

First, install the required PowerShell modules. Note that the Windows Autopilot cmdlets live in the Enrollment sub-module, not in Microsoft.Graph.DeviceManagement itself:

# Install Microsoft Graph modules
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser
Install-Module Microsoft.Graph.DeviceManagement -Scope CurrentUser               # Get-/Remove-MgDeviceManagementManagedDevice
Install-Module Microsoft.Graph.DeviceManagement.Enrollment -Scope CurrentUser    # Windows Autopilot device identity cmdlets
Install-Module Microsoft.Graph.Identity.DirectoryManagement -Scope CurrentUser   # Get-/Remove-MgDevice
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser               # BitLocker recovery key cmdlets used in step 7

Create a text file with device names (one per line) and save it as devices.txt. Then run this comprehensive script:

# Connect with required permissions
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All", "Device.ReadWrite.All"

# Start with a dry run: nothing is deleted until this is set to $false
$DryRun = $true
$verb = if ($DryRun) { "Would delete" } else { "Deleted" }

# Read device list (skip blank lines)
$deviceNames = Get-Content "C:\temp\devices.txt" | Where-Object { $_.Trim() }

# Load the Autopilot identities once; -All pages through the whole registry instead of the first page only
$autopilotAll = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All

foreach ($deviceName in $deviceNames) {
    Write-Host "Processing device: $deviceName" -ForegroundColor Yellow
    # Names are embedded in OData filter strings below; double any apostrophe so it cannot break the query
    $safeName = $deviceName -replace "'", "''"

    # Step 1: Find and delete Autopilot record
    foreach ($ap in ($autopilotAll | Where-Object { $_.DisplayName -eq $deviceName })) {
        if (-not $DryRun) { Remove-MgDeviceManagementWindowsAutopilotDeviceIdentity -WindowsAutopilotDeviceIdentityId $ap.Id }
        Write-Host "  $verb Autopilot record (serial $($ap.SerialNumber))" -ForegroundColor Green
    }

    # Step 2: Find and delete from Intune managed devices (server-side filter, paged)
    foreach ($md in (Get-MgDeviceManagementManagedDevice -All -Filter "deviceName eq '$safeName'")) {
        if (-not $DryRun) { Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $md.Id }
        Write-Host "  $verb Intune managed device $($md.Id)" -ForegroundColor Green
    }

    # Step 3: Find and delete from Entra ID. Display names are not unique, so handle every match.
    # The delete is refused while an Autopilot removal is still propagating; report it and move on.
    foreach ($ed in (Get-MgDevice -Filter "displayName eq '$safeName'")) {
        try {
            if (-not $DryRun) { Remove-MgDevice -DeviceId $ed.Id -ErrorAction Stop }
            Write-Host "  $verb Entra ID object $($ed.Id)" -ForegroundColor Green
        } catch {
            Write-Host "  Entra ID delete failed for $($ed.Id): $($_.Exception.Message)" -ForegroundColor Red
        }
    }

    Start-Sleep -Seconds 2  # Rate limiting
}
Warning: Test this script on a small subset of devices first. Bulk deletions cannot be easily undone, and you may lose important device configurations or BitLocker recovery keys.

Verification: After running the script, spot-check a few devices to ensure they're removed from all three locations. You can also run a summary report (with -All, so the whole registry is searched): Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All | Where-Object {$_.DisplayName -in $deviceNames}

07

Clean Up BitLocker Recovery Keys and Dependencies

Before completing the device deletion process, handle BitLocker recovery keys and other dependencies that might be orphaned.

BitLocker recovery keys are stored in Entra ID and should be backed up before device deletion. Navigate to the device in Entra ID and check for BitLocker keys in the device details.

# Export BitLocker keys before deletion
Connect-MgGraph -Scopes "BitLockerKey.Read.All", "Device.Read.All"

$device = Get-MgDevice -Filter "displayName eq 'DEVICE_NAME'"
# Keys are filtered by the deviceId attribute, not by the object id
$bitlockerKeys = Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$($device.DeviceId)'" -All

foreach ($key in $bitlockerKeys) {
    # The recovery password is only returned when the 'key' property is selected explicitly;
    # each such read is recorded in the Entra ID audit log
    $keyDetails = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $key.Id -Property "id,key,createdDateTime,volumeType"
    Write-Host "Device: $($device.DisplayName)"
    Write-Host "Key ID: $($key.Id)"
    Write-Host "Volume: $($keyDetails.VolumeType)"
    Write-Host "Recovery Key: $($keyDetails.Key)"
    Write-Host "Created: $($key.CreatedDateTime)"
    Write-Host "---"
}

Check for other dependencies that might need cleanup. Intune assigns policies to groups rather than to individual devices, so the device's assignments disappear with its group memberships when the object is deleted; what is worth recording is which groups it belonged to, and whether any of them (a static group created for that device, a dynamic group keyed to its Autopilot group tag) is left empty and should itself be retired:

  • Compliance policies: note the assignment groups the device was a member of
  • Configuration profiles: the same for device-targeted configurations
  • App assignments: the same for device-based app deployments
  • Conditional Access: review policies whose device filters or included groups referenced this device
# Check which compliance policies reach this device through its group memberships (requires additional Graph scopes)
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All", "Device.Read.All", "GroupMember.Read.All"

$device = Get-MgDevice -Filter "displayName eq 'DEVICE_NAME'"
$deviceGroupIds = (Get-MgDeviceMemberOf -DeviceId $device.Id -All).Id

foreach ($policy in Get-MgDeviceManagementDeviceCompliancePolicy -All) {
    $assignments = Get-MgDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $policy.Id
    foreach ($assignment in $assignments) {
        # Group targets carry the group id in AdditionalProperties; "all devices"/"all users" targets have none
        $groupId = $assignment.Target.AdditionalProperties['groupId']
        if ($groupId -and $deviceGroupIds -contains $groupId) {
            Write-Host "Policy '$($policy.DisplayName)' reaches the device via group $groupId"
        }
    }
}
Pro tip: Create a device deletion checklist that includes backing up BitLocker keys, documenting assigned policies, and notifying relevant teams before bulk deletions.

Verification: Confirm BitLocker keys are backed up and no critical policies are broken after device deletion. Check the Intune reports for any assignment errors that might indicate orphaned references.

08

Verify Complete Removal Across All Platforms

Perform a final verification to ensure the device is completely removed from all Microsoft platforms and won't cause future conflicts.

Run these verification commands to confirm complete removal:

# Comprehensive verification script
Connect-MgGraph -Scopes "Device.Read.All", "DeviceManagementManagedDevices.Read.All", "DeviceManagementServiceConfig.Read.All"

$deviceName = "YOUR_DEVICE_NAME"

# Check Entra ID
$entraCheck = Get-MgDevice -Filter "displayName eq '$deviceName'"
if ($entraCheck) {
    Write-Host "WARNING: Device still exists in Entra ID" -ForegroundColor Red
} else {
    Write-Host "✓ Device removed from Entra ID" -ForegroundColor Green
}

# Check Intune managed devices (server-side filter; -All so the search is not limited to the first page)
$intuneCheck = Get-MgDeviceManagementManagedDevice -All -Filter "deviceName eq '$deviceName'"
if ($intuneCheck) {
    Write-Host "WARNING: Device still exists in Intune" -ForegroundColor Red
} else {
    Write-Host "✓ Device removed from Intune" -ForegroundColor Green
}

# Check Autopilot (-All so the whole registry is searched, not just the first page)
$autopilotCheck = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All | Where-Object { $_.DisplayName -eq $deviceName }
if ($autopilotCheck) {
    Write-Host "WARNING: Device still exists in Autopilot" -ForegroundColor Red
} else {
    Write-Host "✓ Device removed from Autopilot" -ForegroundColor Green
}

Write-Host "Verification complete for device: $deviceName"

Additionally, check these locations manually:

  • Microsoft 365 admin center: go to Devices > Active devices to ensure the device doesn't appear
  • Microsoft Defender portal (successor to the Security & Compliance center): check device compliance reports; note that Defender for Endpoint keeps its own device inventory, which this procedure does not touch
  • Endpoint Analytics: verify the device is removed from startup performance and other reports

For hybrid environments, also verify on-premises:

# Check on-premises AD (run on domain controller)
Import-Module ActiveDirectory
$adCheck = Get-ADComputer -Filter "Name -eq '$deviceName'" -ErrorAction SilentlyContinue
if ($adCheck) {
    Write-Host "WARNING: Device still exists in on-premises AD" -ForegroundColor Red
} else {
    Write-Host "✓ Device removed from on-premises AD" -ForegroundColor Green
}
Warning: If any verification checks fail, the device may reappear or cause conflicts during future enrollments. Repeat the appropriate deletion steps for any platforms where the device still exists.

Verification: All checks should return green confirmations. Document the successful deletion with timestamps for audit purposes. The device should not reappear in any Microsoft platform within 24 hours.

Frequently Asked Questions

Why can't I delete a device from Entra ID even though I have admin permissions?
The most common reason is that the device still has an active Autopilot registration in Microsoft Intune. Autopilot registrations block Entra ID deletions as a protective measure. You must first delete the device from Intune's Windows Autopilot devices section, then wait a few minutes for the change to propagate before attempting to delete from Entra ID. This sequence is mandatory and cannot be bypassed.
What happens to BitLocker recovery keys when I delete a device from these platforms?
BitLocker recovery keys stored in Entra ID are permanently deleted when you remove the device object. This is irreversible and can cause data loss if the device's drive becomes inaccessible. Always export and securely store BitLocker recovery keys before deleting devices. Use PowerShell with the Microsoft Graph API to retrieve them: list with Get-MgInformationProtectionBitlockerRecoveryKey filtered by the device's deviceId, then read each key with the key property selected explicitly, since the recovery password is not returned by default.
Will deleting an Autopilot device prevent me from re-enrolling the same hardware later?
Yes, deleting an Autopilot device removes its hardware hash and serial number registration, preventing automatic zero-touch deployment. If you need to reprovision the same hardware, you'll need to re-capture the hardware hash and re-register it in Autopilot. For temporary removal, consider using the Wipe option instead, which resets the device to OOBE while preserving the Autopilot registration.
How do I handle hybrid Azure AD-joined devices that keep reappearing after deletion?
Hybrid-joined devices sync from on-premises Active Directory via Azure AD Connect. Deleting them only from cloud platforms is temporary: they'll reappear during the next sync cycle. You must delete the computer object from on-premises Active Directory first, then wait for Azure AD Connect to sync the deletion (typically 30 minutes), or force a sync using Start-ADSyncSyncCycle. Only then delete from Entra ID and Intune.
Can I use PowerShell to bulk delete hundreds of stale Autopilot devices efficiently?
Yes, PowerShell with the Microsoft Graph modules is the most efficient method for bulk operations. Install Microsoft.Graph.DeviceManagement (managed devices), Microsoft.Graph.DeviceManagement.Enrollment (the Windows Autopilot cmdlets) and Microsoft.Graph.Identity.DirectoryManagement (Entra ID device objects), connect with appropriate scopes (DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, Device.ReadWrite.All), then loop through device lists, always passing -All so the search is not limited to the first page of results. Test on a small subset first, run in dry-run mode before deleting anything, implement rate limiting with Start-Sleep, and keep detailed logs. Use device filters based on last activity dates (approximateLastSignInDateTime in Entra ID, lastSyncDateTime in Intune) to identify truly stale devices.
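Several parts of this page (the stale-record discussion at the top, the join-type check in step 4 and the last-activity filter suggested in the answer above) come down to knowing, per device, where it exists and what blocks its deletion. The following is an added example rather than code from the original article: a read-only pre-deletion report that joins Entra ID, Intune and Autopilot on the deviceId attribute and flags hybrid-joined devices, active Autopilot registrations and stored BitLocker keys. The 90-day idle threshold and the output path are assumptions; property names follow the Graph schema as exposed by the v1.0 SDK cmdlets.

```powershell
# Added example: read-only inventory of stale Windows devices across Entra ID, Intune and Autopilot,
# with the facts needed before deleting: join type, last activity, Autopilot registration, BitLocker key count.
# Threshold and output path are assumptions for this example. Nothing is deleted.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementServiceConfig.Read.All', 'BitLockerKey.ReadBasic.All'

$StaleDays  = 90                                  # assumption: no Entra sign-in for 90 days = candidate
$ReportPath = 'C:\temp\stale-device-report.csv'   # assumption
$cutoff     = (Get-Date).AddDays(-$StaleDays)

# Pull each platform once and index by the Entra deviceId attribute (not the object id), which is the
# value Intune (azureADDeviceId) and Autopilot (azureActiveDirectoryDeviceId) both carry.
$autopilotByAadId = @{}
foreach ($ap in Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All) {
    if ($ap.AzureActiveDirectoryDeviceId) { $autopilotByAadId[$ap.AzureActiveDirectoryDeviceId] = $ap }
}
$intuneByAadId = @{}
foreach ($md in Get-MgDeviceManagementManagedDevice -All) {
    if ($md.AzureAdDeviceId) { $intuneByAadId[$md.AzureAdDeviceId] = $md }
}
# ReadBasic lists key metadata (id, deviceId, createdDateTime) without exposing the recovery passwords
$keysByAadId = @{}
foreach ($k in Get-MgInformationProtectionBitlockerRecoveryKey -All) {
    if ($k.DeviceId) { $keysByAadId[$k.DeviceId] = 1 + [int]$keysByAadId[$k.DeviceId] }
}

$report = foreach ($d in (Get-MgDevice -All | Where-Object { $_.OperatingSystem -eq 'Windows' })) {
    # Recently active devices are not candidates; devices that never signed in (null) are kept for review
    if ($d.ApproximateLastSignInDateTime -and $d.ApproximateLastSignInDateTime -gt $cutoff) { continue }

    $ap   = if ($d.DeviceId) { $autopilotByAadId[$d.DeviceId] }
    $mdm  = if ($d.DeviceId) { $intuneByAadId[$d.DeviceId] }
    $keys = if ($d.DeviceId) { [int]$keysByAadId[$d.DeviceId] } else { 0 }

    [pscustomobject]@{
        DisplayName           = $d.DisplayName
        EntraObjectId         = $d.Id
        EntraDeviceId         = $d.DeviceId
        TrustType             = $d.TrustType                   # ServerAd = hybrid joined, AzureAd = joined, Workplace = registered
        DeleteOnPremFirst     = ($d.TrustType -eq 'ServerAd')  # hybrid: remove the AD computer object before the Entra object
        LastEntraSignIn       = $d.ApproximateLastSignInDateTime
        IntuneLastSync        = $mdm.LastSyncDateTime
        AutopilotSerial       = $ap.SerialNumber
        AutopilotBlocksDelete = [bool]$ap                      # the Entra delete fails until this registration is gone
        BitLockerKeys         = $keys                          # export these before deleting; they go with the object
    }
}

if ($report) {
    $report | Sort-Object LastEntraSignIn | Export-Csv -Path $ReportPath -NoTypeInformation
    $report | Format-Table DisplayName, TrustType, LastEntraSignIn, IntuneLastSync, AutopilotBlocksDelete, BitLockerKeys -AutoSize
    Write-Host "$(@($report).Count) candidate(s) written to $ReportPath"
} else {
    Write-Host "No Windows devices idle for more than $StaleDays days"
}
```

Run it before the bulk deletion in step 6 and feed only the approved DisplayName values into devices.txt. Rows with DeleteOnPremFirst set need the on-premises deletion of step 4 before the Entra ID deletion of step 3, rows with AutopilotBlocksDelete set need step 1 first, and any row with BitLockerKeys greater than zero needs the export in step 7 before the device object is removed.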
Written by Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
