Administrative Intune Offboarding

Comprehensive guide on removing a corporate device from MDM enforcement.

Intune Device Actions

Retire/Delete Device Action

The Retire action removes managed app data, settings, and Intune-managed email profiles from the device. The device remains listed in Intune until it next checks in and receives the command.

If you need the device removed from the console immediately, use the Delete action instead. Delete also issues the Retire command, but it drops the device from the All Devices list right away (the device itself still has to check in before the retire takes effect on it).

Both Retire and Delete leave the user's personal data on the device.

If the device was enrolled through Autopilot, its entry must be removed from the Autopilot Devices section before a Retire or Delete action is initiated.

Wipe Device Action

The Wipe action restores a device to its factory default state (OOBE, the out-of-box experience).

The Wipe action has an option "Keep the enrollment state and associated user account". If this option is not set, all data, apps, and settings are removed along with the enrollment.

The Wipe action also has an option "Wipe the device and continue to wipe even if device loses power". This prevents a wipe from being circumvented by simply power cycling the device: the reset is re-issued until it succeeds.

A Wipe is the right choice for resetting a device before it is handed to a new user, or when the device has been lost or stolen.

Fresh Start Device Action

The Fresh Start action removes apps that were installed on a PC running Windows 10/11 on top of the base operating system.

Fresh Start is mainly used to remove the pre-installed (OEM) apps that typically ship with a new PC.

The Fresh Start action has an option "Retain user data on this device". If this option is not set, the device is restored to the default OOBE-completed state (retaining the built-in administrator account), with the following side effects:

  1. BYOD devices are unenrolled from Azure AD and Intune.
  2. Azure AD joined devices are re-enrolled into Intune when an Azure Active Directory enabled user next signs in to the device.

Autopilot Reset Device Action

The Autopilot Reset action removes all files, apps, and settings on a device (including the user profile) but retains the connection to Azure AD and Intune. In other words, it wipes the device while keeping the enrollment state, not the data associated with the user.

Autopilot Reset also preserves the region, language, and keyboard settings, any machine provisioning packages that were applied, and Wi-Fi connections. Because this data is retained, the device does not go through OOBE or Autopilot again after an Autopilot Reset.

The user is presented directly with the Windows sign-in screen and can sign in immediately.

Autopilot Reset is the best option for re-using a working device within your organization. The last user is removed from the device and (depending on your Intune deployment configuration) it can be handed to the next person with no extra work needed.

Offboarding a Machine from the Intune Portal

  1. Navigate to Windows Autopilot Devices in the Intune portal and verify that the device you want to offboard from MDM is not listed. If it is listed, the entry must be removed before carrying out the desired offboarding device action: select the device, then select Delete.
  2. After Delete is selected, a consent prompt explains that this action only removes the Autopilot entry and does not fully unenroll the device from Intune management. Select Yes to continue with the removal.
  3. With the Autopilot entry removed, move on to the device record itself. Navigate to Windows Devices in the Intune portal, which lists all currently Intune-joined Windows devices. Locate and select the device tied to the removed Autopilot entry; this is the device shown in the Associated Intune Device field of the Autopilot device profile.
  4. Once the device is selected, its profile loads. Select either Retire or Delete to remove all Intune-pushed configuration from the device. Refer to the list of device actions at the start of this guide if a different action (Wipe, Fresh Start, or Autopilot Reset) is more appropriate.
  5. After Retire or Delete is selected, a consent prompt explains that these actions remove the company data associated with the machine and that the device will no longer be accessible from the Intune portal. Select Yes to finalize the Intune device offboarding process.
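The same five portal steps can be scripted against Microsoft Graph, which is useful when offboarding in bulk or when you want a dry run before anything irreversible happens. The script below is an added example written for this guide; it is not part of the original page and not a Sittadel tool. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account can consent to the listed permissions, and that the device is identified by the serial number printed on its label (the serial value used in the usage comment is a placeholder). The Graph endpoints used (windowsAutopilotDeviceIdentities, managedDevices, and the retire and wipe actions) are the documented v1.0 routes; the mapping of the portal's "Keep the enrollment state and associated user account" checkbox to the keepEnrollmentData and keepUserData wipe parameters is this example's assumption.

```powershell
<#
  Offboard-IntuneDevice.ps1  (added example, not from the original guide)
  Mirrors the portal procedure above:
    1-2. remove the Autopilot registration for the serial number
    3.   resolve the associated Intune managed device record
    4-5. issue Retire (default), Delete, or Wipe against that record
  Run with -WhatIf first: every destructive call is gated by ShouldProcess.
  Usage:  .\Offboard-IntuneDevice.ps1 -SerialNumber 'PLACEHOLDER-SERIAL' -Action Retire -WhatIf
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $SerialNumber,
    [ValidateSet('Retire', 'Delete', 'Wipe')] [string] $Action = 'Retire',
    # Wipe only: assumed to correspond to the portal option
    # "Keep the enrollment state and associated user account".
    [switch] $KeepEnrollmentState
)

Connect-MgGraph -NoWelcome -Scopes @(
    'DeviceManagementServiceConfig.ReadWrite.All',             # Autopilot device identities
    'DeviceManagementManagedDevices.ReadWrite.All',            # read/delete managedDevices
    'DeviceManagementManagedDevices.PrivilegedOperations.All'  # retire / wipe actions
)

$base      = 'https://graph.microsoft.com/v1.0/deviceManagement'
$emptyGuid = '00000000-0000-0000-0000-000000000000'
# Double any single quote so a pasted serial cannot break out of the OData string literal.
$safeSerial = $SerialNumber.Replace("'", "''")

# --- Steps 1-2: the Autopilot record has to go before the device record ---
$apFilter = [uri]::EscapeDataString("contains(serialNumber,'$safeSerial')")
$ap = @((Invoke-MgGraphRequest -Method GET -Uri "$base/windowsAutopilotDeviceIdentities?`$filter=$apFilter").value)
if ($ap.Count -gt 1) { throw "Serial '$SerialNumber' matched $($ap.Count) Autopilot records; refusing to guess." }

$managedDeviceId = $null
if ($ap.Count -eq 1) {
    # 'Associated Intune device' in the portal; an all-zero GUID means no linked record (assumption).
    $managedDeviceId = $ap[0].managedDeviceId
    if ($PSCmdlet.ShouldProcess("Autopilot record $($ap[0].id) (serial $SerialNumber)", 'Delete')) {
        Invoke-MgGraphRequest -Method DELETE -Uri "$base/windowsAutopilotDeviceIdentities/$($ap[0].id)"
    }
} else {
    Write-Verbose "No Autopilot registration for serial '$SerialNumber'; continuing to the Intune record."
}

# --- Step 3: resolve the Intune managed device record ---
if (-not $managedDeviceId -or $managedDeviceId -eq $emptyGuid) {
    # Fallback when there was no Autopilot record or it carried no device link.
    $mdFilter = [uri]::EscapeDataString("serialNumber eq '$safeSerial'")
    $md = @((Invoke-MgGraphRequest -Method GET -Uri "$base/managedDevices?`$filter=$mdFilter").value)
    if ($md.Count -ne 1) { throw "Expected exactly one Intune device with serial '$SerialNumber', found $($md.Count)." }
    $managedDeviceId = $md[0].id
}

# --- Steps 4-5: the device action itself ---
$target = "Intune managed device $managedDeviceId (serial $SerialNumber)"
switch ($Action) {
    'Retire' {
        # Device keeps its record until it checks in and acts on the command.
        if ($PSCmdlet.ShouldProcess($target, 'Retire')) {
            Invoke-MgGraphRequest -Method POST -Uri "$base/managedDevices/$managedDeviceId/retire"
        }
    }
    'Delete' {
        # Also issues Retire, but the record disappears from All Devices immediately.
        if ($PSCmdlet.ShouldProcess($target, 'Delete')) {
            Invoke-MgGraphRequest -Method DELETE -Uri "$base/managedDevices/$managedDeviceId"
        }
    }
    'Wipe' {
        $body = @{
            keepEnrollmentData  = [bool]$KeepEnrollmentState
            keepUserData        = [bool]$KeepEnrollmentState
            persistEsimDataPlan = $false
        }
        if ($PSCmdlet.ShouldProcess($target, "Wipe (keepEnrollmentData=$($body.keepEnrollmentData))")) {
            Invoke-MgGraphRequest -Method POST -Uri "$base/managedDevices/$managedDeviceId/wipe" -Body $body
        }
    }
}
```

Two design points worth keeping if you adapt this: the script refuses to act when a serial matches more than one record, because Autopilot's contains() filter is a substring match and a short serial can hit several devices; and every destructive call sits behind ShouldProcess, so `-WhatIf` prints what would be deleted or retired without touching the tenant.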

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.