Device Management in Microsoft

Using Intune device cleanup rules (Updated version)

MikeGriz, Microsoft
Mar 07, 2023

As the Intune Service Administrator at Microsoft, we regularly have to clean up a large number of inactive and stale device records to keep our environment tidy. Such records accumulate from test devices enrolled in the environment, workforce changes, users purchasing new devices, and so on, and they can easily skew device compliance reporting. The Intune feature "Device clean-up rules" lets you configure an automatic cleanup rule for devices that are inactive or orphaned and have not checked in recently. The rule allows administrators to choose a threshold between 30 and 270 days, after which inactive device records are removed from Intune automatically. We had a popular blog post on this from years ago that has grown outdated, so this is an updated version.

To configure the rule in your environment, navigate to the Devices blade in the Microsoft Endpoint Manager admin center and click Device clean-up rules. The administrator can enable the cleanup rule to delete devices that have not checked in for {X} days (30-270). At Microsoft, we have configured it as 90 days to keep the device count as realistic as possible for such a large environment.

What happens behind the scenes for Device Clean-up rules?

After the Intune Service Administrator enables the rule, the Intune service runs a background job every few hours to remove all applicable devices from the Intune portal; they will no longer show up in any Intune blade or device list. The removal applies only to the Intune portal: the devices are not removed from Azure AD. The Azure AD tenant administrator has to perform the device cleanup task in the Azure AD portal to remove the stale record permanently.
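The two steps above (reading the Intune threshold configured in the admin center, and then dealing with the Azure AD device objects that the Intune rule leaves behind) can be checked together from PowerShell. The script below is an added example and is not part of the original post or of any Microsoft tooling. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account has read access to device management configuration and directory devices, and that the beta `deviceManagement` resource exposes `managedDeviceCleanupSettings.deviceInactivityBeforeRetirementInDays` (verify the property name against the Graph beta reference for your tenant; if it cannot be read, the script falls back to a value you supply). It only reports; it deletes nothing.

```powershell
# Added example (not from the original post): compare the Intune cleanup threshold
# with stale Azure AD device records, which the Intune cleanup rule does NOT remove.
# Assumes the Microsoft.Graph PowerShell SDK and that the beta deviceManagement
# resource exposes managedDeviceCleanupSettings (assumption; verify in your tenant).

#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement

param(
    [int]$FallbackInactiveDays = 90   # used only if the Intune setting cannot be read
)

# Read-only scopes are sufficient for a report.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All", "Device.Read.All"

# 1. Read the configured Intune cleanup threshold (30-270 days; null when the rule is disabled).
$inactiveDays = $FallbackInactiveDays
try {
    $dm = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement?$select=managedDeviceCleanupSettings'
    $configured = $dm.managedDeviceCleanupSettings.deviceInactivityBeforeRetirementInDays
    if ($configured) { $inactiveDays = [int]$configured }
} catch {
    Write-Warning "Could not read cleanup settings ($_); using $FallbackInactiveDays days."
}
Write-Host "Intune cleanup threshold: $inactiveDays days"

# 2. Find Azure AD device objects whose last sign-in is older than that window.
#    Intune's soft delete leaves these directory objects behind; this is the list
#    the Azure AD administrator reviews before cleaning up. Devices with no recorded
#    sign-in at all are skipped rather than guessed at.
$nowUtc = (Get-Date).ToUniversalTime()
$cutoff = $nowUtc.AddDays(-$inactiveDays)
$stale = Get-MgDevice -All -Property Id, DisplayName, DeviceId, OperatingSystem, ApproximateLastSignInDateTime, AccountEnabled |
    Where-Object { $_.ApproximateLastSignInDateTime -and $_.ApproximateLastSignInDateTime -lt $cutoff } |
    Sort-Object ApproximateLastSignInDateTime |
    Select-Object DisplayName, DeviceId, OperatingSystem, AccountEnabled,
        @{ n = 'LastSignIn';   e = { $_.ApproximateLastSignInDateTime } },
        @{ n = 'DaysInactive'; e = { [int]($nowUtc - $_.ApproximateLastSignInDateTime).TotalDays } }

# 3. Report only. Removing a directory object is a separate, deliberate step
#    (Remove-MgDevice -DeviceId <object Id>) that the Azure AD administrator performs.
$stale | Format-Table -AutoSize
Write-Host ("{0} Azure AD device(s) inactive for more than {1} days." -f @($stale).Count, $inactiveDays)
```

Run it as `.\Report-StaleDevices.ps1` (any file name works) or with `-FallbackInactiveDays 60` to override the fallback. The report lines up with the post's point: a device that Intune has already soft-deleted still appears in Azure AD until someone removes it there, so the `DaysInactive` column is what tells the directory administrator which records the Intune rule has already stopped tracking.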

What device types are affected by this device clean-up?

Device cleanup rules apply to Android, iOS, Windows, macOS and Linux. Devices that were unable to complete the enrollment process (user abandonment, etc.) are cleaned up as well.

Does this device clean-up rule perform device wipe or retire?

No. This automatic rule only removes orphaned devices from the Intune portal, that is, devices that have not checked in with the service for the last X days chosen by the administrator. No wipe or retire action is sent to the device.

Is it possible for devices removed by the device clean-up rule to come back in some scenarios?

Yes. Some devices can come back in the Intune portal, because the service has a criterion to auto-recover cleaned-up devices if they subsequently check in to the Intune service successfully. The purpose of this behavior is to recover devices owned by employees who took a long leave (e.g., extended vacation, sabbatical, maternity leave) and whose devices were not communicating with the service during their absence. The threshold for such devices to show up again in the Intune portal is 180 days, provided the Intune device certificate has not expired. Note that the Intune service only soft-deletes inactive device records; the records are preserved at the backend for a certain period to enable this auto-recovery.

General reference link: https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe#automatically-delete-devices-with-cleanup-rules

Posted on behalf of the author, Satish Petwe

Updated Mar 07, 2023
Version 1.0

43 Comments

  • Marc_Laf, Iron Contributor

    How can we know if the Intune certificate is still valid? Is there a "dumpster" of sorts for these devices?

  • SatishP, Former Employee

    That is correct provided the Intune certificate on your device is still valid.

  • "The threshold for devices to show up in the Intune portal is 180 days provided the Intune device certificate is not expired."


    Is that 180 days after the device has been removed by the clean-up rule? For example, if I have a clean-up rule set at 90 days and a device gets removed from the portal, then the device can re-enable at any time up to a further 180 days after removal (effectively up to 270 days since its last check-in)?