It’s a common scene: you arrive at a fresh Intune tenant and discover that one diligent technician has signed in to every device “just to test things”. At first the habit seems harmless, but it quietly assigns that same person as the primary user across the whole fleet.
As you can imagine, when one person enrolls every device, that person is set as the primary user on ALL of them. A friend of mine, Peter, reminded me this week of a script I had for fixing exactly this. What I’d like to do is walk through how I clean this up at scale while, at the same time, nudging the technician toward a more hands-off approach (pre-provisioning).
First things first: in my tenant, the account named A User holds the DEM role and enrolls all of my devices. I get that this is not the correct way, but for demonstration purposes just bear with me. What we see is that A User has enrolled the device and is also listed as the primary user.

Peeking Under the Hood with Graph Explorer
Next, let’s play detective. Fire up Graph Explorer and run /deviceManagement/managedDevices/<Device ID>. If you’re unsure where to get started with the Graph, check out Steve’s video series here.
Straight away you’ll spot the UserPrincipalName field showing our over-eager tech.

Scroll a little further and surprise, the Users Logged On section tells a completely different story. Cue dramatic music.

Meet the Clean‑Up Crew: Set_Primary_User.ps1
Once the mystery is solved, it’s time to tidy up. My script lives here: Intune-Scripts/Set_Primary_User.ps1 at main · dgulle/Intune-Scripts. When you run it, it will:
- Install the required modules.
- Prompt you to sign in.
- Pull each device, its current primary user, and the last person who really logged on.
The core command behind the curtain is Get-MgBetaDeviceManagementManagedDevice. While these calls can be made directly against Graph, I’m choosing to use a module to hopefully limit confusion. Running the command below returns the device name, the UPN of the current primary user, and the Users Logged On list; the -Filter is the most important piece of this command (note the single quotes around the device name inside the filter string).
Get-MgBetaDeviceManagementManagedDevice -Filter "deviceName eq '<Device Name>'" | Select-Object DeviceName, UserPrincipalName, UsersLoggedOn
Four Ways to Pick Your Targets
After that, choose how wide you want your net:
- One-at-a-time: -Device "<Exact Name>"
- Contains this text: -DeviceContains "zt"
- Everything Windows: -All. This gets all Windows devices (yes, I left it at Windows on purpose; tweak line 76 if you want something different).
- Sampling only: pair any option with -Top 5, -Top 10, or your own number.
Each choice shows a preview list and politely asks, “Proceed? (Y/N)”.
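To make the lookup-then-confirm flow concrete, here is an added example of my own; it is not the Set_Primary_User.ps1 from the dgulle/Intune-Scripts repo. It mirrors the -Device / -DeviceContains / -All / -Top options above and the UsersLoggedOn lookup from the Get-MgBetaDeviceManagementManagedDevice command, then assigns the most recent logged-on user as primary. It assumes the Microsoft.Graph.Authentication, Microsoft.Graph.Beta.DeviceManagement and Microsoft.Graph.Users modules are installed, that the signed-in account can consent to DeviceManagementManagedDevices.ReadWrite.All and User.Read.All, and that the primary user is set through the Graph call POST /beta/deviceManagement/managedDevices/{id}/users/$ref. The function name and its parameters are my own choices.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Beta.DeviceManagement, Microsoft.Graph.Users

function Sync-IntunePrimaryUser {
    <#
      Added example, not the post's Set_Primary_User.ps1.
      Assumes the modules above are installed, the account can grant the two
      scopes below, and the primary user is assigned with
      POST /beta/deviceManagement/managedDevices/{id}/users/$ref.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(ParameterSetName = 'Exact', Mandatory)]    [string]$Device,
        [Parameter(ParameterSetName = 'Contains', Mandatory)] [string]$DeviceContains,
        [Parameter(ParameterSetName = 'All', Mandatory)]      [switch]$All,
        [int]$Top
    )

    Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All', 'User.Read.All' -NoWelcome

    # Server-side filter: an exact name, or every Windows device. The -DeviceContains
    # case is narrowed client-side below, so it does not rely on OData string functions.
    if ($PSCmdlet.ParameterSetName -eq 'Exact') {
        $safeName = $Device -replace "'", "''"        # escape quotes for the OData literal
        $filter   = "deviceName eq '$safeName'"
    } else {
        $filter   = "operatingSystem eq 'Windows'"
    }
    $devices = Get-MgBetaDeviceManagementManagedDevice -Filter $filter -All
    if ($DeviceContains) { $devices = $devices | Where-Object DeviceName -like "*$DeviceContains*" }
    if ($Top)            { $devices = $devices | Select-Object -First $Top }

    # Work out who really uses each device: the most recent entry in UsersLoggedOn.
    $plan = foreach ($d in $devices) {
        $last = $d.UsersLoggedOn | Sort-Object LastLogOnDateTime -Descending | Select-Object -First 1
        if (-not $last) { continue }                   # no interactive sign-in recorded yet
        $user = Get-MgUser -UserId $last.UserId -Property Id, UserPrincipalName -ErrorAction SilentlyContinue
        if (-not $user) { continue }                   # account deleted or otherwise unresolvable
        if ($user.UserPrincipalName -eq $d.UserPrincipalName) { continue }   # already correct
        [pscustomobject]@{
            DeviceId   = $d.Id
            DeviceName = $d.DeviceName
            Current    = $d.UserPrincipalName
            Proposed   = $user.UserPrincipalName
            UserId     = $user.Id
        }
    }

    if (-not $plan) { Write-Host 'No primary users need changing.'; return }

    # Preview first, then ask, the same way the script's "Proceed? (Y/N)" step does.
    $plan | Format-Table DeviceName, Current, Proposed -AutoSize | Out-Host
    if ((Read-Host 'Proceed? (Y/N)') -notmatch '^[Yy]$') { return }

    foreach ($p in $plan) {
        if ($PSCmdlet.ShouldProcess($p.DeviceName, "Set primary user to $($p.Proposed)")) {
            $uri  = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($p.DeviceId)/users/`$ref"
            $body = @{ '@odata.id' = "https://graph.microsoft.com/beta/users/$($p.UserId)" }
            Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ContentType 'application/json'
        }
    }
}

# Usage, mirroring the post's options:
#   Sync-IntunePrimaryUser -Device 'ZTT-61908320437'
#   Sync-IntunePrimaryUser -DeviceContains 'zt' -Top 5 -WhatIf
#   Sync-IntunePrimaryUser -All
```

Because the function supports -WhatIf, you can dry-run any scope before answering the prompt, and devices with no recorded sign-in or with a deleted last user are skipped rather than left with a half-applied change.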
Watching the Magic Happen
Finally, let’s run a quick example with -Device "ZTT-61908320437".

A few seconds later, Intune refreshes and the real user appears as primary while the prep tech quietly steps aside.

Quick Takeaway
In short, a tiny habit can snowball into messy ownership data, but a quick script and a few minutes of detective work will set things right with no heavy lifting required. Happy cleaning!