Using Intune device cleanup rules 


As Intune Service Administrators at Microsoft, we often accumulate inactive and stale Intune records because of the nature of test device enrollments. We want to keep our Intune environment and reports current by cleaning up these stale devices. With Intune device cleanup, we can configure an automatic cleanup rule that removes devices that are inactive, orphaned, or obsolete and have not checked in recently. The rule lets us choose a value between 90 and 270 days after which inactive or obsolete device records are automatically removed from Intune.

  

To get started, go to the Devices blade in the Intune portal and navigate to "Device cleanup rules". Here you can enable the cleanup rule to delete devices that haven't checked in for {X} days; the minimum is 90 days and the maximum is 270 days. At Microsoft, we have configured it as 90 days because we want to keep the device count as realistic as possible given the number of test devices that get enrolled. Once this rule is enabled, Intune will automatically remove devices that haven't checked in for the number of days you set.

  

 

What happens behind the scenes for device cleanup rules?

After the Intune Service Admins enable the rule, Intune services run a background job every few hours to remove all applicable devices from the Intune portal, and they no longer show up in any Intune blade or device list. This removal applies only to the Intune portal; the devices are not removed from Azure AD. An Azure AD tenant admin has to perform the device cleanup task in the Azure AD portal to remove the stale record permanently.

  

What device types are affected by this device cleanup?

All enrolled devices, including MDM, EAS/MDM, and MDM/SCCM (co-management) devices, will be removed. This includes registered devices and devices pending approval.

 

Does this device cleanup rule perform device wipe or retire? 

No. This automatic rule only removes orphaned devices from the Intune portal, that is, devices that have not checked in with the service for the number of days chosen by the admin.

 

Is it possible for devices removed by the device cleanup rule to come back in some scenarios?

Yes. Some devices can come back into the Intune portal, because the service has criteria to auto-recover cleaned-up devices if they have recently checked in to the Intune service. The purpose of this behavior is to recover devices owned by somebody who took a long leave (e.g. extended vacation, sabbatical, maternity leave). A device can show up in the Intune portal again until its device cert expires, which is 180 days. If you do not want devices to be able to check back in, consider filtering for stale devices and doing a bulk delete from the All devices view instead.
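
To preview the effect of the rule before enabling it, the following added example (not part of the original post) joins an Intune device export against an Azure AD device export and flags which Intune records a given threshold would remove and which Azure AD records would remain for manual cleanup. The function name, sample devices and dates are constructed for illustration; the field names follow Microsoft Graph's managedDevice and device resources.

```powershell
function Get-CleanupPreview {
    param(
        [Parameter(Mandatory)] [object[]] $IntuneDevices,
        [Parameter(Mandatory)] [object[]] $AadDevices,
        # The cleanup rule accepts 90 to 270 days.
        [ValidateRange(90, 270)] [int] $ThresholdDays = 90,
        [datetime] $AsOf = (Get-Date)
    )
    $cutoff = $AsOf.AddDays(-$ThresholdDays)

    # Index Azure AD device records by deviceId for the join.
    $aadById = @{}
    foreach ($d in $AadDevices) { $aadById[$d.deviceId] = $d }

    foreach ($m in $IntuneDevices) {
        $last  = [datetime]$m.lastSyncDateTime
        $stale = $last -lt $cutoff
        # Guard against an empty Azure AD device ID in the export.
        $aad = if ($m.azureADDeviceId) { $aadById[$m.azureADDeviceId] } else { $null }
        [pscustomobject]@{
            DeviceName       = $m.deviceName
            DaysSinceCheckIn = ($AsOf - $last).Days
            RemovedByRule    = $stale
            # The rule does not touch Azure AD, so a matching record stays behind.
            AadRecordRemains = ($stale -and $null -ne $aad)
        }
    }
}

# Constructed sample exports (not real tenant data).
$intune = @(
    [pscustomobject]@{ deviceName = 'TEST-LAB-01'; lastSyncDateTime = '2024-01-10'; azureADDeviceId = 'aaaaaaaa-0000-0000-0000-000000000001' }
    [pscustomobject]@{ deviceName = 'USER-LT-02';  lastSyncDateTime = '2024-05-28'; azureADDeviceId = 'aaaaaaaa-0000-0000-0000-000000000002' }
    [pscustomobject]@{ deviceName = 'TEST-PH-03';  lastSyncDateTime = '2024-02-20'; azureADDeviceId = '' }
)
$aad = @(
    [pscustomobject]@{ deviceId = 'aaaaaaaa-0000-0000-0000-000000000001'; displayName = 'TEST-LAB-01' }
    [pscustomobject]@{ deviceId = 'aaaaaaaa-0000-0000-0000-000000000002'; displayName = 'USER-LT-02' }
)

Get-CleanupPreview -IntuneDevices $intune -AadDevices $aad -ThresholdDays 90 -AsOf ([datetime]'2024-06-01') |
    Format-Table -AutoSize
```

Rows with `AadRecordRemains` set to true are the Azure AD records that still need the tenant admin's cleanup after the Intune rule has run.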
