“Hey, my new laptop says it’s compliant in Company Portal, but Teams keeps telling me I’m on an untrusted device… can you just ‘fix Intune’?”
That message kicked off what turned into a surprisingly annoying pattern for us: Autopilot (hybrid join) would finish, the user could sign in, apps would deploy, and then Conditional Access would randomly block access because Entra had two device objects for the same physical machine. One would show as Entra registered / not managed, the other as hybrid joined / managed, and depending on timing, the wrong one would get evaluated by CA or show up in reports. Help desk would “clean up devices” manually, sometimes deleting the wrong record, and then we’d get a second ticket because the device wouldn’t re-enroll cleanly.
The worst part wasn’t even the duplicates (apparently that’s a known reality in some hybrid Autopilot flows) — it was the inconsistency and the human factor. Different techs had different cleanup habits, and we had zero auditability around who deleted what and why. We also tried letting an AI assistant suggest steps in chat, but we drew a hard line on letting AI directly execute deletes in Entra/Intune. Too easy to nuke the wrong object when the names/IDs look almost identical.
What finally made this sane was putting Autom Mate in the middle as the execution layer. We kept the “chatty” part in Teams (users and L1 live there), but every risky action became deterministic and policy-gated.
The flow we landed on looks like this in practice:
A service desk agent types a Teams command like “cleanup device duplicates” and pastes the serial number (or the Autopilot device ID). Autom Mate takes that input and runs a controlled sequence: it pulls the matching device records, checks which one is actually Intune-managed, checks last check-in timestamps, and then applies our rules (e.g., don’t touch anything that checked in within the last X hours; don’t delete if there’s an active incident/change; don’t delete if the requester isn’t in the right support group). Only if it passes those gates does it generate an approval request for a lead.
Behind the scenes it’s just Autom Mate doing what it’s good at: orchestrating the calls and keeping the logic consistent. We used a mix of Autom Mate’s library actions where we could, and for the bits that were tenant-specific we used a REST/HTTP action to hit our internal webhook that wraps Graph calls (we didn’t want raw Graph tokens floating around in random scripts). Every step writes back to the ticket with what it found, what it plans to delete, and the correlation IDs.
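As an added illustration (not Autom Mate's own code or the poster's actual flow), here is the gating logic from the two paragraphs above written out in Python over constructed device records; the support group name, the 24-hour threshold and the record field names are assumptions:

```python
from datetime import datetime, timedelta, timezone
SUPPORT_GROUP = "SD-DeviceAdmins"  # assumed name of the authorized support group
STALE_HOURS = 24                   # the post's "X hours"; the value is an assumption

def plan_cleanup(records, requester_groups, active_change, now, stale_hours=STALE_HOURS):
    """Evaluate the gates; returns the plan that would go into the approval request."""
    trail, blocked = [], []
    if SUPPORT_GROUP not in requester_groups:
        blocked.append("requester_not_in_support_group")
    if active_change:
        blocked.append("active_incident_or_change")
    if len({r["serial"] for r in records}) != 1:
        blocked.append("records_span_multiple_serials")
    # The record to keep is the one that is both hybrid joined and Intune-managed.
    keep = [r for r in records if r["is_managed"] and r["trust_type"] == "ServerAd"]
    if len(keep) != 1:
        blocked.append("no_single_managed_hybrid_record")
        return {"keep": [], "delete": [], "blocked_by": blocked, "trail": trail}
    keep_id, candidates = keep[0]["id"], []
    for r in records:
        if r["id"] == keep_id:
            continue
        age = now - r["last_checkin"]
        if age < timedelta(hours=stale_hours):
            trail.append(f"skip {r['id']}: checked in {age} ago, under {stale_hours}h")
        elif r["is_managed"]:
            trail.append(f"skip {r['id']}: also managed, needs human review")
        else:
            trail.append(f"propose delete {r['id']}: {r['trust_type']}, unmanaged, "
                         f"last check-in {r['last_checkin'].isoformat()}")
            candidates.append(r["id"])
    # Any failed gate wins: a blocked run proposes no deletes at all.
    return {"keep": [keep_id], "delete": [] if blocked else candidates,
            "blocked_by": blocked, "trail": trail}

# Constructed sample: one physical machine, two Entra objects. trust_type uses the
# Graph device trustType values (ServerAd = hybrid joined, Workplace = registered);
# the other field names are this example's own, not Graph's schema.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"id": "dev-aaa", "serial": "SN12345", "trust_type": "ServerAd",
     "is_managed": True, "last_checkin": NOW - timedelta(hours=1)},
    {"id": "dev-bbb", "serial": "SN12345", "trust_type": "Workplace",
     "is_managed": False, "last_checkin": NOW - timedelta(days=3)},
]

if __name__ == "__main__":
    for line in plan_cleanup(SAMPLE_RECORDS, [SUPPORT_GROUP], False, NOW)["trail"]:
        print(line)
```

The returned trail is the part that gets written back to the ticket; the actual delete call would only run against `result["delete"]` after the lead approves.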
The immediate change was boring in the best way: fewer “mystery” CA blocks, fewer rework tickets, and no more tribal-knowledge cleanup. The bigger win was governance — we can now prove that deletes only happen after the right checks + approval, and we can replay the exact decision trail when someone asks “why did you delete my device?”
Curious how others are handling the hybrid Autopilot duplicate-object mess: are you cleaning up proactively on a schedule, or only when CA/user impact shows up? We’re debating adding a nightly Autom Mate sweep, but I’m wary of automating deletes without a human in the loop unless we get the confidence level really high.