Device mismatch occurs when the current endpoint user differs from the expected or assigned owner. Like patch noncompliance, this can gradually impact your security posture, so regular audits are essential. And with the right tools, you can automate the hardest parts while receiving real-time alerts on mismatched logins.
This article explains how to track device mismatch cases using built-in tools and how modern RMM solutions can enhance your reports.
Device mismatch report generation, simplified
Follow these steps to collect device mismatch data while keeping goals and technical constraints in mind.
📌 Prerequisites:
- Administrator privileges
- Windows 10/11 or Server 2016+
- PowerShell 5.1 or newer
- Graph API permissions
- Admin access on devices
- Access to authoritative user-device mappings (e.g., Intune, AD, asset register, CMDB)
- Optional: Registry write access for local tagging
- Optional: NinjaOne or equivalent RMM for script automation and reporting
📌 Recommended deployment strategies:
| Click to Skip to a Step | 💻 Best for Individual Users | 💻💻💻 Best for Enterprises |
|---|---|---|
| Step 1: Identify the current device user via PowerShell | ✓ | |
| Step 2: Pull the expected device owner from external source | ✓ | |
| Step 3: Compare actual vs expected owner and report mismatch | ✓ | ✓ |
| Step 4: Log results to Registry for ongoing monitoring | ✓ | |
| Step 5: Schedule and automate script execution | ✓ | ✓ |
Step 1: Identify the current device user via PowerShell
Use powerful cmdlets to quickly identify relevant device users.
📌 Use Cases: Check device registry logs for recent user interaction.
- Press Win + R, type PowerShell, and press Ctrl + Shift + Enter.
- To see who last accessed the device, run the following:
$lastUserSID = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI").LastLoggedOnUserSID
$lastUsername = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI").LastLoggedOnUser
- To check the last profile that used the device, run the following:
$profiles = Get-CimInstance -ClassName Win32_UserProfile | Where-Object { -not $_.Special }
$lastUsed = $profiles | Sort-Object LastUseTime -Descending | Select-Object -First 1
$lastUsed.LocalPath
Step 2: Pull the expected device owner from external source
📌 Use Cases: Retrieve an accurate list of end-user device assignments.
📌 Prerequisites: Graph API
- Press Win + R, type PowerShell, and press Ctrl + Shift + Enter.
- To pull the expected device owner list from Intune via Graph API, run the following:
Connect-MgGraph -Scopes "Device.Read.All", "DeviceManagementManagedDevices.Read.All", "User.Read.All"
$device = Get-MgDeviceManagementManagedDevice | Where-Object { $_.DeviceName -eq $env:COMPUTERNAME }
$expectedOwner = $device.UserPrincipalName
- To generate the list from local registry data, run the following:
Get-ItemProperty -Path "<KeyPath>" -Name "ExpectedOwner"
Replace <KeyPath> with the path of the key used to store ownership data (e.g., HKLM:\SOFTWARE\Org\Ownership).
Step 3: Compare actual vs expected owner and report device mismatch
Here’s how to automate owner mismatch checks using PowerShell scripts.
📌 Use Cases: Detect device mismatch using ownership records.
- Press Win + R, type PowerShell, and press Ctrl + Shift + Enter.
- To create a report object, run this script (the Mismatch flag is simply the result of the comparison, so one object covers both outcomes):
$report = [PSCustomObject]@{
    ComputerName = $env:COMPUTERNAME
    ActualUser   = $lastUsername
    ExpectedUser = $expectedOwner
    Timestamp    = (Get-Date).ToString("u")
    Mismatch     = ($lastUsername -ne $expectedOwner)
}
- To export your device mismatch findings as a .csv file, run the following:
$report | Export-Csv "C:\Reports\DeviceOwnerMismatch.csv" -NoTypeInformation
Step 4: Log results to the registry for ongoing monitoring
⚠️ Warning: Editing the registry can cause system issues. Create a backup before proceeding.
📌 Use Cases: Storing a copy of device mismatch audit results in the registry for redundancy
- Press Win + R, type PowerShell, and press Ctrl + Shift + Enter.
- To log ownership status results to your registry, run the following:
New-Item -Path "<StoragePath>" -Force
Set-ItemProperty -Path "<StoragePath>" -Name "OwnerMismatch" -Value $report.Mismatch
Set-ItemProperty -Path "<StoragePath>" -Name "ActualUser" -Value $report.ActualUser
Set-ItemProperty -Path "<StoragePath>" -Name "ExpectedUser" -Value $report.ExpectedUser
Replace <StoragePath> with the registry path of the storage key you use for ownership data (e.g., HKLM:\SOFTWARE\Org\DeviceAudit).
- Press Win + R, type cmd, and press Ctrl + Shift + Enter.
- To confirm registry entry changes, run:
reg query <StoragePath>
Step 5: Schedule and automate script execution to detect owner mismatch
📌 Use Cases: Leverage external platforms for seamless report generation.
- Press Win + R, type PowerShell, and press Ctrl + Shift + Enter.
- To automate regular ownership checks, run the following:
schtasks /create /tn "DeviceOwnerAudit" /tr "powershell.exe -File C:\Scripts\CheckOwnerMismatch.ps1" /sc weekly /st 03:00 /ru SYSTEM
- Alternatively, run the scripts through RMM (e.g., NinjaOne) for enterprise-wide deployments.
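The five steps above combined into one scheduled script, as an added example; this is not NinjaOne's script and not code from the article. It assumes the registry paths HKLM:\SOFTWARE\Org\Ownership (value ExpectedOwner) and HKLM:\SOFTWARE\Org\DeviceAudit used in the examples above and the report folder C:\Reports; the ConvertTo-CanonicalUser helper, the Status field and the exit code are this example's own additions. One scheduling caveat: a task running as SYSTEM cannot complete the interactive Connect-MgGraph sign-in, so the script reads the local ownership key by default and reserves -UseGraph for an interactive or app-only session.

```powershell
<#
  CheckOwnerMismatch.ps1 (added example). Assumptions not taken from the article:
  the two HKLM:\SOFTWARE\Org\* keys below and the C:\Reports folder.
#>
[CmdletBinding()]
param(
    [string]$OwnershipKey = 'HKLM:\SOFTWARE\Org\Ownership',   # assumed; holds value ExpectedOwner
    [string]$AuditKey     = 'HKLM:\SOFTWARE\Org\DeviceAudit', # assumed; receives the result
    [string]$ReportPath   = 'C:\Reports\DeviceOwnerMismatch.csv',
    [switch]$UseGraph                                         # pull the expected owner from Intune
)

# LogonUI reports "CONTOSO\jdoe" or "AzureAD\jdoe", Intune reports "jdoe@contoso.com".
# Reduce both to "jdoe" before comparing, otherwise every device looks mismatched.
# Caveat: a UPN prefix is not guaranteed to equal the sAMAccountName in every tenant.
function ConvertTo-CanonicalUser {
    param([string]$Name)
    if ([string]::IsNullOrWhiteSpace($Name)) { return $null }
    $n = $Name.Trim()
    if ($n -match '\\') { $n = $n.Split('\')[-1] }
    if ($n -match '@')  { $n = $n.Split('@')[0] }
    return $n.ToLowerInvariant()
}

function Get-ActualUser {
    # Step 1: the account last signed in at the logon screen
    $logonUi = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI' -ErrorAction SilentlyContinue
    if ($logonUi -and $logonUi.LastLoggedOnUser) { return $logonUi.LastLoggedOnUser }
    # Fallback: the most recently used non-special profile
    $prof = Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special -and $_.LastUseTime } |
            Sort-Object LastUseTime -Descending | Select-Object -First 1
    if ($prof) { return Split-Path $prof.LocalPath -Leaf }
    return $null
}

function Get-ExpectedOwner {
    # Step 2: the authoritative assignment, from Intune (Graph) or the local ownership key
    if ($UseGraph) {
        Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' | Out-Null
        $device = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$env:COMPUTERNAME'" -ErrorAction SilentlyContinue
        if ($device) { return @($device)[0].UserPrincipalName }
        return $null
    }
    return (Get-ItemProperty -Path $OwnershipKey -Name ExpectedOwner -ErrorAction SilentlyContinue).ExpectedOwner
}

# Step 3: compare with null checks; a missing expected owner is a data gap, not a mismatch
$actual   = Get-ActualUser
$expected = Get-ExpectedOwner
$status = if (-not $expected) { 'NoExpectedOwner' }
          elseif (-not $actual) { 'NoActualUser' }
          elseif ((ConvertTo-CanonicalUser $actual) -eq (ConvertTo-CanonicalUser $expected)) { 'Match' }
          else { 'Mismatch' }

$report = [PSCustomObject]@{
    ComputerName = $env:COMPUTERNAME
    ActualUser   = $actual
    ExpectedUser = $expected
    Status       = $status
    Mismatch     = ($status -eq 'Mismatch')
    Timestamp    = (Get-Date).ToString('u')
}

# -Append turns the CSV into a history instead of a single overwritten snapshot
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$report | Export-Csv -Path $ReportPath -NoTypeInformation -Append

# Step 4: keep the latest result in the registry where the RMM can read it
New-Item -Path $AuditKey -Force | Out-Null
foreach ($p in 'ActualUser', 'ExpectedUser', 'Status', 'Timestamp') {
    Set-ItemProperty -Path $AuditKey -Name $p -Value ([string]$report.$p)
}
Set-ItemProperty -Path $AuditKey -Name OwnerMismatch -Value ([int]$report.Mismatch) -Type DWord

# Step 5: a non-zero exit code lets Task Scheduler or the RMM raise the alert
$report | Format-List
exit $(if ($report.Mismatch) { 1 } else { 0 })
```

Point the schtasks command from Step 5 at this file; the task's exit code (1 on mismatch, 0 otherwise) is what an RMM condition or a Task Scheduler event trigger can key on. The separate Status values keep "we have no ownership record for this device" visible in the report instead of hiding it inside a false mismatch.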
⚠️ Things to look out for
| Risks | Potential Consequences | Mitigations |
|---|---|---|
| Graph API returns outdated ownership data | Correct device ownership flagged as a mismatch | Validate against multiple external resources (e.g., HR records, local registry data). |
| Script fails silently | Missing alerts; overlooked device mismatch | Enforce version control on PowerShell scripts. |
| Incorrect user identified due to outdated profile cache | False positive | Use the Security event log with Get-WinEvent to check login history. |
| Logic error when comparing actual vs expected owner | Questionable audits, additional backtracking | Verify both variables before comparing; add null checks. |
Important considerations for user agent-to-device mapping
Keep these key points in mind while collecting data for device ownership reports.
Shared workstations
Multi-use workstations should also be factored into your device mismatch reports. To exempt shared environments like shop kiosks during ownership audits, add their account’s Security Identifier (SID) to the following registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions
Cloud-only devices
For cloud-centric endpoints, the Microsoft Graph API is the main resource for device ownership. Pull registered device owners by running the following:
GET /devices/{id}/registeredOwners
Provisioning integration
User assignment is a key step to device provisioning. During this stage, either the Intune portal or the Autopilot CSV files are used, so keep this in mind if you need more troubleshooting leads.
Role drift
Job changes, hardware upgrades, and unauthorized usage are the most common causes for device mismatch. Keep your endpoints in check with management platforms that offer scalable solutions.
Troubleshooting owner mismatch reports
Here’s how to resolve device mismatch issues MSPs run into the most.
Missing expected owner
If the device’s expected owner isn’t listed, look for the endpoint’s Intune data and verify that your custom registry key for ownership tracking (e.g., HKLM:\SOFTWARE\Org\DeviceOwners) is populated.
Registry keys inaccessible
Administrator privileges are required to access or modify certain registry paths. Sign in with admin credentials, or run Start-Process powershell -Verb RunAs to elevate your permissions.
Multiple users show activity
Multiple users are often displayed when running Win32_UserProfile. To access the most relevant login event, run the following to arrange them by timestamp:
Get-CimInstance Win32_UserProfile | Sort-Object LastUseTime -Descending | Select-Object -First 1
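When Win32_UserProfile lists several recent accounts, the Security log (event 4624) is the source that records who actually signed in and how, which is the check the risk table above recommends. The following function is an added example, not code from the article: it keeps only interactive logon types (2 console, 10 RDP, 11 cached credentials), drops machine and window-manager accounts, and returns each account's latest sign-in. Reading the Security log requires an elevated session.

```powershell
# Added example. Logon types 3/4/5 (network, batch, service) are not user sign-ins and would
# otherwise make service accounts and SMB clients look like recent "users" of the device.
function Get-RecentInteractiveLogons {
    param([int]$Days = 7, [int]$Top = 5)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        # Property order for event 4624: [5]=TargetUserName [6]=TargetDomainName [8]=LogonType
        $p = $_.Properties
        [PSCustomObject]@{
            Time      = $_.TimeCreated
            User      = "$($p[6].Value)\$($p[5].Value)"
            LogonType = [int]$p[8].Value
        }
    } |
    Where-Object {
        $_.LogonType -in 2, 10, 11 -and
        $_.User -notmatch '\$$' -and                                # computer accounts
        $_.User -notmatch '^(Window Manager|Font Driver Host)\\'    # DWM-*/UMFD-* session accounts
    } |
    Sort-Object Time -Descending |
    Group-Object User | ForEach-Object { $_.Group[0] } |   # latest sign-in per account
    Sort-Object Time -Descending | Select-Object -First $Top
}

# The first row is the account that most recently signed in interactively
Get-RecentInteractiveLogons -Days 14 -Top 5 | Format-Table -AutoSize
```

Compare the top row with the LogonUI value from Step 1: if they disagree, the profile cache is stale and the event log should win.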
Graph API timeout
If you receive throttling or timeout errors while retrieving data from the Graph API (e.g., 429 Too Many Requests), wait for the number of seconds given in the Retry-After header before retrying, and page large result sets with $top, $skip, and @odata.nextLink instead of requesting everything at once.
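A paging loop with Retry-After back-off, as an added example (not code from the article or from Microsoft's SDK). It assumes $AccessToken already holds a bearer token for your app registration; the article's own Connect-MgGraph session is not used here because the point is to show the raw headers and continuation link that the SDK normally hides.

```powershell
# Added example. Reads Retry-After from either the Windows PowerShell 5.1 (HttpWebResponse)
# or the PowerShell 7 (HttpResponseMessage) error response; falls back to a fixed delay.
function Get-RetryAfterSeconds {
    param($Response, [int]$Default = 5)
    try {
        $v = $Response.Headers['Retry-After']            # 5.1: WebHeaderCollection
        if ($v) { return [int]$v }
        $d = $Response.Headers.RetryAfter.Delta           # 7.x: typed header
        if ($d) { return [int][math]::Ceiling($d.TotalSeconds) }
    } catch { }
    return $Default
}

function Get-GraphCollection {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][string]$AccessToken,      # assumed: obtained from your app registration
        [int]$MaxRetries = 5
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $items   = New-Object System.Collections.Generic.List[object]
    $next    = $Uri
    while ($next) {
        $attempt = 0
        while ($true) {
            try {
                $page = Invoke-RestMethod -Method Get -Uri $next -Headers $headers
                break
            } catch {
                $resp = $_.Exception.Response
                $code = if ($resp) { [int]$resp.StatusCode } else { 0 }
                if (($code -eq 429 -or $code -eq 503) -and $attempt -lt $MaxRetries) {
                    $wait = Get-RetryAfterSeconds $resp
                    Write-Warning "Throttled ($code); waiting $wait s (attempt $($attempt + 1) of $MaxRetries)"
                    Start-Sleep -Seconds $wait
                    $attempt++
                    continue
                }
                throw   # anything else, or retries exhausted, surfaces to the caller
            }
        }
        foreach ($i in $page.value) { $items.Add($i) }
        $next = $page.'@odata.nextLink'   # absent on the last page, which ends the loop
    }
    return $items
}

# $top bounds each page; the server builds the continuation URI, so $skip never has to be computed by hand
$devices = Get-GraphCollection -Uri 'https://graph.microsoft.com/v1.0/devices?$top=100&$select=id,displayName' -AccessToken $AccessToken
$devices | Select-Object displayName, id
```

The same loop works for the registeredOwners endpoint shown above once a device id is known; only the starting URI changes.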
NinjaOne services streamline mismatch detection
NinjaOne enhances mismatch detection by:
- Providing around-the-clock detection and real-time alerts.
- Deploying device mismatch checks across your enterprise.
- Checking registry values for mismatched flags.
- Grouping non-compliant devices for technician review.
- Automating remediation workflows (e.g., owner reassignment, ticket generation).
- Generating reports across all tenants to highlight and resolve device drift.
Automate data collection for your device-user mismatch report
Utilizing advanced tools enables you to collect, analyze, and store device mismatch data across your system. Additionally, leverage RMM platforms and their automation capabilities to eliminate human error and apply scalable solutions like custom functions and visualized reports.