Fixing Existing Office 365 Mobile MDM enrollments

If you ever see an Intune environment where Windows PCs show up with Unknown ownership, and no apps or configuration policies apply to those devices, the devices are probably enrolled under the wrong MDM authority (Office 365 Mobile instead of Intune). Here’s what you will see in Intune.

And in Entra, we can see devices with Office 365 Mobile as their MDM, which confirms these are not Intune enrolled devices:

You can confirm your MDM authority under Tenant Administration > Tenant Status. Also, as a side note, always check the MDM authority for tenants that you inherit. New M365 tenants will default to Intune as the MDM authority, but tenants that were provisioned years ago may still have their MDM authority set to Office 365 mobile. Typically, you will see a banner across the top of the Intune dashboard notifying you that the MDM authority is not set to Intune. However, in the case of this tenant, the banner was not showing.

To change the MDM authority, the simplest way is this link: https://intune.microsoft.com/#view/Microsoft_Intune_Enrollment/ChooseMDMAuthorityBlade. Also, it seems that once you change your MDM authority to Intune, you can’t change it back to “None” because the change option is greyed out (you wouldn’t want to change it back, but you couldn’t even try for testing purposes).

And if we try changing it through graph explorer, we see this error:

Unfortunately, we cannot transition these devices from Office 365 Mobile to Intune. They need to be deleted from Intune and then re-enrolled. In this situation, these are all existing hybrid-joined devices, so we will be reliant on the GPO for enrollment. The issue we’re faced with, though, is that some devices have properly enrolled since changing the MDM authority to Intune. Now there is a mix of both Intune and Office 365 mobile enrolled devices. We want to leave the Intune devices alone and only remove the Office 365 mobile devices.

There are also hundreds of devices in this tenant, so we need something that can filter and remove them in bulk. In Entra, we can filter for hybrid-joined devices that have Office 365 Mobile as their MDM and bulk delete from the dashboard. In Intune, we can use the bulk device actions to filter and delete them, or we can use this little script, which finds all managed devices running Windows with “Unknown” ownership (these are exactly the O365 Mobile devices) and removes them from Intune. You’ll get output listing the devices that were removed, as well as a log saved to the working directory of your PowerShell session.

Start-Transcript -Path ".\RemoveOffice365MobileDevices.log"
# Connect-MgGraph -Scopes takes an array of scope names, not one comma-separated string
$scopes = @("DeviceManagementManagedDevices.Read.All", "DeviceManagementManagedDevices.ReadWrite.All", "Directory.ReadWrite.All")
Connect-MgGraph -Scopes $scopes
$uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices"
# Follow @odata.nextLink so a tenant with more devices than one page holds is fully enumerated
$allDevices = @()
$nextUri = $uri
do {
    $response = Invoke-MgGraphRequest -Method GET -Uri $nextUri
    $allDevices += $response.value
    $nextUri = $response.'@odata.nextLink'
} while ($nextUri)
# Get Windows devices with Ownership of Unknown (these are managed by Office 365 Mobile)
$UnknownWindowsDevices = $allDevices | Where-Object { $_.operatingSystem -eq "Windows" -and $_.managedDeviceOwnerType -eq "Unknown" }
Write-Host "Found $($UnknownWindowsDevices.Count) Windows devices with Unknown Ownership"
Write-Host "Removing devices with unknown ownership from Intune"
ForEach ($UnknownWindowsDevice in $UnknownWindowsDevices) {
    Try {
        Invoke-MgGraphRequest -Method DELETE -Uri "$uri/$($UnknownWindowsDevice.id)"
        Write-Host "Successfully deleted $($UnknownWindowsDevice.deviceName)"
    }
    Catch {
        Write-Host "Error deleting $($UnknownWindowsDevice.deviceName)"
        Write-Host $_
    }
}
Disconnect-MgGraph
Stop-Transcript
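Before running the removal above, it is worth a read-only pass that confirms the tenant's MDM authority really is Intune now and exports the deletion candidates for review. This is an added pre-flight script, not code from the original post; it assumes the Microsoft Graph PowerShell SDK is installed and uses an example CSV path.

```powershell
# Added pre-flight check (not from the original post): verify the MDM authority and
# preview the Windows devices with Unknown ownership. Nothing is deleted here.
Connect-MgGraph -Scopes @("Organization.Read.All", "DeviceManagementManagedDevices.Read.All")

# The organization object exposes the tenant MDM authority as mobileDeviceManagementAuthority
# (possible values: unknown, intune, sccm, office365)
$org = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/v1.0/organization?`$select=id,mobileDeviceManagementAuthority"
$authority = $org.value[0].mobileDeviceManagementAuthority
Write-Host "Tenant MDM authority: $authority"
if ($authority -ne "intune") {
    throw "MDM authority is '$authority'. Switch it to Intune first, or removed devices cannot re-enroll."
}

# Page through every managed device; a single GET only returns the first page
$devices = @()
$nextUri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$select=id,deviceName,operatingSystem,managedDeviceOwnerType,managementAgent,azureADDeviceId,lastSyncDateTime"
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $nextUri -OutputType PSObject
    $devices += $page.value
    $nextUri = $page.'@odata.nextLink'
} while ($nextUri)

# Ownership per OS, so the properly enrolled Intune devices are visibly left alone
$devices | Group-Object operatingSystem, managedDeviceOwnerType |
    Select-Object Count, Name | Format-Table -AutoSize

# Export the candidates the removal script would delete (example output path)
$candidates = $devices | Where-Object { $_.operatingSystem -eq "Windows" -and $_.managedDeviceOwnerType -eq "Unknown" }
$candidates | Select-Object deviceName, id, azureADDeviceId, managementAgent, lastSyncDateTime |
    Export-Csv -Path ".\O365MobileDeviceCandidates.csv" -NoTypeInformation
Write-Host "$(@($candidates).Count) candidate devices written to O365MobileDeviceCandidates.csv"
Disconnect-MgGraph
```

Review the CSV against the Entra filter (hybrid-joined, MDM = Office 365 Mobile) before running the deletion; any device in the list that is actually Intune-managed should make you stop and check the filter.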

Now that the devices are removed from Intune/Entra, they probably won’t just happily re-hybrid-join and enroll in Intune, since artifacts from the previous device state and enrollment remain on the device. You’ll need a way to push scripts out to your affected devices, so hopefully you have an RMM or other tool. This script purges the device registration on the device, runs the scheduled task that restarts the hybrid-join process, clears out any previous enrollment scheduled tasks and registry information, and then does a gpupdate to trigger Intune enrollment. If your devices happen to be Entra-joined, follow the instructions at the bottom of the script to comment out the correct lines and uncomment the bottom of the script to restart the enrollment from the device.

dsregcmd /leave
Start-Sleep 3

schtasks.exe /run /tn "Microsoft\Windows\Workplace Join\Automatic-Device-Join"

#Grab enrollment IDs
$taskpath = "C:\windows\system32\tasks\Microsoft\Windows\EnterpriseMgmt"
$EnrollmentGUIDs = Get-ChildItem $taskpath | Where-Object { $_.Name -match '^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$' } | Select-Object -ExpandProperty Name

#Loop through each enrollment ID, identify scheduled tasks, and remove.
ForEach ($EnrollmentGUID in $EnrollmentGUIDs) {
    Try {
        #Pipe the task objects so only tasks inside this enrollment folder are removed
        #(task names such as the push/schedule tasks repeat across enrollment folders)
        Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\$EnrollmentGUID\*" -ErrorAction SilentlyContinue |
            Unregister-ScheduledTask -Confirm:$false
        Remove-Item -Path "$taskpath\$EnrollmentGUID" -Force -Recurse -ErrorAction Continue

        #Delete the folder in task scheduler
        $scheduleObject = New-Object -ComObject Schedule.Service
        $scheduleObject.Connect()
        $folder = $scheduleObject.GetFolder("\Microsoft\Windows\EnterpriseMgmt")
        $folder.DeleteFolder($EnrollmentGUID, 0)

        #Remove the enrollment registration for this enrollment ID
        if (Test-Path "HKLM:\SOFTWARE\Microsoft\Enrollments\$EnrollmentGUID") {
            Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Enrollments\$EnrollmentGUID" -Force -Recurse -ErrorAction Continue
        }
    }
    Catch {
        Write-Host $_
    }
}

Start-Sleep 3
gpupdate /force

#If Entra-Joined: Comment out lines 3, 4, 6, and 36. Uncomment what is below this line.

If you have hybrid devices, like I did, push the script out and then give the devices a few hours (or days, if they don’t see a DC on a regular basis). Remember that you’re reliant on the Entra Connect sync cycle to complete the hybrid join, which is a prerequisite for the automatic Intune enrollment.
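To tell whether a given device has finished the hybrid join and the Intune enrollment, rather than waiting blindly, run a state check on the device. This is an added script, not code from the original post; it assumes dsregcmd /status prints "Key : Value" lines and that an Intune enrollment key under HKLM:\SOFTWARE\Microsoft\Enrollments carries ProviderID "MS DM Server".

```powershell
# Added device-side check (not from the original post): report hybrid join and
# Intune enrollment state after the cleanup script has run.
$status = @{}
dsregcmd /status | ForEach-Object {
    # Assumes the "Key : Value" layout of dsregcmd output
    if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $status[$Matches[1]] = $Matches[2] }
}
$domainJoined  = $status['DomainJoined']  -eq 'YES'
$azureAdJoined = $status['AzureAdJoined'] -eq 'YES'
$mdmUrl        = $status['MdmUrl']

# Intune enrollment registration: an Enrollments\{GUID} key with ProviderID "MS DM Server" (assumed)
$enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$' } |
    ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [PSCustomObject]@{ Id = $_.PSChildName; ProviderID = $p.ProviderID; UPN = $p.UPN }
    }
$intuneEnrollment = $enrollments | Where-Object { $_.ProviderID -eq 'MS DM Server' }

# The enrollment client's scheduled tasks only exist once enrollment has completed
$mdmTasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue

[PSCustomObject]@{
    DomainJoined    = $domainJoined
    AzureAdJoined   = $azureAdJoined
    MdmUrl          = $mdmUrl
    IntuneEnrolled  = [bool]$intuneEnrollment
    EnrollmentId    = ($intuneEnrollment.Id -join ',')
    EnrollmentTasks = @($mdmTasks).Count
}
# Reading the result for a hybrid device:
#  DomainJoined true, AzureAdJoined false            -> hybrid join (Entra Connect sync) not done yet
#  AzureAdJoined true, IntuneEnrolled false          -> waiting on the GPO-triggered enrollment
#  AzureAdJoined true, IntuneEnrolled true, MdmUrl set -> device is back under Intune
```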
