Using Intune device cleanup rules 
Published Mar 19 2019 06:06 PM
Microsoft

NOTE:  An updated version of this blog post is now available at Using Intune device cleanup rules (Updated version) - Microsoft Community Hub

 

First published on TECHNET on Nov 20, 2018

As Intune Service Administrators at Microsoft, we accumulate a lot of inactive and stale Intune device records because of the number of test devices that get enrolled. We want to keep our Intune environment and reports current by cleaning up these stale devices. Intune device cleanup lets us configure an automatic cleanup rule that removes devices that are inactive, orphaned, or obsolete and have not checked in recently. The rule lets us choose a window between 90 and 270 days after which inactive/obsolete device records are automatically removed from Intune.

To get started, go to the Devices blade in the Intune portal and navigate to "Device cleanup rules". Here you can enable the cleanup rule to delete devices that haven't checked in for {X} days; the minimum is 90 days and the maximum is 270 days. At Microsoft, we have configured it as 90 days because we want to keep the device count as realistic as possible given the number of test devices that get enrolled. Once this rule is enabled, Intune automatically removes devices that haven't checked in for the number of days you set.

What happens behind the scenes for device cleanup rules?

After the Intune Service Admins enable the rule, the Intune service runs a background job every few hours that removes all applicable devices from the Intune portal; they no longer show up in any Intune blade or device list. This removal applies only to the Intune portal: the devices are not removed from Azure AD. An Azure AD tenant admin has to perform the device cleanup task in the Azure AD portal to remove the stale record permanently.

What device types are affected by this device cleanup?

Device cleanup rules aren't available for Android Enterprise scenarios like Fully Managed, Dedicated, and Corporate-Owned with Work Profile. All other enrolled devices, including MDM and MDM/SCCM (co-management) devices, will be removed. This includes registered devices and also devices pending approval.

Does this device cleanup rule perform a device wipe or retire?

No, this automatic rule only removes orphaned devices from the Intune portal. These are devices that have not checked in with the service for the last x days chosen by the admin before they are removed from the Intune portal.

Is it possible for devices removed by the device cleanup rule to come back in some scenarios?

Yes, it is possible for some devices to come back in the Intune portal, because the service has criteria to auto-recover cleaned-up devices if they check in to the Intune service again. The purpose of this behavior is to recover devices owned by somebody who took a long leave (e.g. extended vacation, sabbatical, maternity leave). The grace period for the device to show up in the Intune portal again lasts until the device certificate expires, which is 180 days. If you do not want devices to be able to check back in, consider filtering for stale devices and doing a bulk delete from the All devices view instead.
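The three points made above (the rule is configured as a number of days without a check-in, it deletes only the Intune record and leaves the Azure AD device object behind, and a manual bulk delete is the alternative when you do not want stale devices to come back) can all be reproduced from PowerShell with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from this post or from Microsoft: it lists managed devices whose last check-in is older than the configured window (90 days by default, the value used above), looks up whether each still has an Azure AD device object, and only when the -RemoveFromIntune or -RemoveFromAzureAD switches are given deletes those records. The parameter names, the 90-day default, the script file name in the usage note and the scope list are assumptions chosen for this example.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement, Microsoft.Graph.Identity.DirectoryManagement
<#
  Added example (not Microsoft's code): review, and optionally remove, the devices that the
  Intune device cleanup rule would treat as stale. Assumed/hypothetical: the parameter names,
  the 90-day default and the scope list below.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays = 90,      # same window as the cleanup rule; 90 days is the value used in the post
    [switch]$RemoveFromIntune,    # bulk delete the Intune records (the "All devices" alternative above)
    [switch]$RemoveFromAzureAD    # also delete the Azure AD device object, which the rule never touches
)

# Read-only scopes are enough for the report; write scopes are requested only when a -Remove* switch is set.
$scopes = @('DeviceManagementManagedDevices.Read.All', 'Device.Read.All')
if ($RemoveFromIntune)  { $scopes += 'DeviceManagementManagedDevices.ReadWrite.All' }
if ($RemoveFromAzureAD) { $scopes += 'Device.ReadWrite.All' }
Connect-MgGraph -Scopes $scopes | Out-Null

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# 1. Intune side: every managed device whose last check-in (lastSyncDateTime) is older than the cutoff.
#    -All follows the paging links; the date comparison is done client-side to keep the query simple.
$stale = Get-MgDeviceManagementManagedDevice -All `
            -Property id,deviceName,lastSyncDateTime,azureADDeviceId,managedDeviceOwnerType |
         Where-Object { $_.LastSyncDateTime -and $_.LastSyncDateTime -lt $cutoff }

# 2. Azure AD side: index directory device objects by deviceId (the GUID Intune stores as azureADDeviceId).
#    The cleanup rule removes only the Intune record, so these objects survive it and need their own cleanup.
$aadByDeviceId = @{}
Get-MgDevice -All -Property id,deviceId,displayName,approximateLastSignInDateTime |
    ForEach-Object { $aadByDeviceId[$_.DeviceId] = $_ }

$report = foreach ($d in $stale) {
    $aad = $aadByDeviceId[$d.AzureADDeviceId]      # $null when no directory object is left
    [pscustomobject]@{
        DeviceName      = $d.DeviceName
        IntuneId        = $d.Id
        LastSync        = $d.LastSyncDateTime
        Ownership       = $d.ManagedDeviceOwnerType  # ownership as recorded in Intune (corporate/personal)
        AzureADObjectId = $aad.Id
        AadLastSignIn   = $aad.ApproximateLastSignInDateTime
    }
}
$report | Sort-Object LastSync | Format-Table -AutoSize

# 3. Optional removals. SupportsShouldProcess means -WhatIf on the script turns both into a dry run.
foreach ($r in $report) {
    if ($RemoveFromIntune -and $PSCmdlet.ShouldProcess($r.DeviceName, 'Remove Intune managed device record')) {
        Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $r.IntuneId
    }
    if ($RemoveFromAzureAD -and $r.AzureADObjectId -and
        $PSCmdlet.ShouldProcess($r.DeviceName, 'Remove Azure AD device object')) {
        Remove-MgDevice -DeviceId $r.AzureADObjectId
    }
}
```

Saved as, say, Review-StaleDevices.ps1 (hypothetical name), `.\Review-StaleDevices.ps1 -InactiveDays 90` only prints the report, and `.\Review-StaleDevices.ps1 -RemoveFromIntune -RemoveFromAzureAD -WhatIf` shows what would be deleted without deleting anything. The report's AzureADObjectId column is what distinguishes this from the built-in rule: a device that is stale in Intune but still present in the directory is exactly the record the Azure AD admin still has to clean up by hand, as the "behind the scenes" section describes.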

 

9-11-2020 Update made to clarify device types affected by device cleanup

3-3-2022 Update: This article is older and may be causing some confusion. Please also reference the official documentation at Retire or wipe devices using Microsoft Intune | Microsoft Docs for more up-to-date details.

11-15-2022 Update: Removed EAS from types of devices cleaned-up as the Intune functionality has changed.

3-7-23 Linking to new version of post

15 Comments
Steel Contributor

Where do I start, to attempt an auto-recovery, of a device that dropped due to the cleanup?

Copper Contributor

If a device has been removed by clean-up rule and needs to get added back, does opening Company Portal and syncing device add back in?

Brass Contributor

Thanks for this article. Some questions:

- are we able to enumerate/access these "tombstoned" devices somehow, MS Graph?

- the certificate lifetime is imho 365d. You are talking about 180d. Has something changed?

- if a device is registered with Autopilot and the Intune record gets deleted by this task, we cannot delete the Autopilot registration. It says there is an Intune device. But this device is not visible in the portal but already exists in the background. How to handle this situation?

Copper Contributor

Thanks for the info
@Wolfgang42 Did you find out if you were able to enumerate/access the tombstoned devices? I'm just needing that info myself at the moment.

Brass Contributor

@JaseKay Unfortunately no :(

Copper Contributor

@JaseKay @Wolfgang42 

If I understand what you are looking for correctly, this might be helpful.  You might want to check the scopes are correct as I've pulled this from a script.

#Requires -Modules Microsoft.Graph.Authentication,Microsoft.Graph.DeviceManagement

Connect-MgGraph -Scopes "Device.Read.All","DeviceManagementManagedDevices.Read.All"

$tombstoned = Get-MgDeviceManagementManagedDevice -All -Select azureADDeviceId,id,deviceName -Filter "azureAdDeviceId eq '00000000-0000-0000-0000-000000000000'"

More info on using the Graph PowerShell SDK here and here.

Brass Contributor

@danielfawcett 

Hi, we are looking to access device information for deleted devices which were deleted by the Intune cleanup task. They cannot be accessed with "normal" Graph or PowerShell commands. Devices with device ID '0000...' may exist in the tenant, but they are visible and can also be seen in the console.

 

Thanks

Wolfgang

Copper Contributor

@Wolfgang42 

I think I realised I'd misunderstood later that night after I posted!  Thanks, though.

Copper Contributor

I have a question about checking in the device again.

 

If the device has been removed in Intune and you add it again with the Company Portal, the device will come back as personal instead of corporate. How can I make the device return as corporate?

Iron Contributor

There have been very few, if any, answers to the questions in here.

What is the experience when enabling this feature? Has anyone had good results with this feature? :)

Copper Contributor

minimum number of days has been changed to 30 days.

Copper Contributor

@dpsyl did you test this behavior?

Copper Contributor

We have this set to "No" in our tenant, but we are still getting devices removed when we do not want them to be. Are there some other rules Microsoft applies without this control being set? We are losing devices from Intune which are still in Azure and Autopilot, but this means we cannot manage them.

Copper Contributor

Hello,
In order to refine the statistics for devices that show up as non-compliant, I decided to set up an automatic cleanup policy, but I would like to know whether it is possible to make exceptions for certain machines?

 

Copper Contributor

Hello,

 

Delete devices that haven't checked in for this many days: the rule allows us to choose between 30 and 270 days to automatically remove inactive/obsolete device records from Intune.

Last update: Mar 07 2023 08:51 AM