Configure Intune Device Cleanup Rules | Delete Stale Devices
In this article, I’ll show you how to configure Intune device cleanup rules, which automatically remove inactive or stale device records from Intune.
As Intune Service Administrators, we often get a lot of inactive and stale Intune records due to the nature of test device enrollments. We want to make sure that our Intune environment and reports are always up-to-date, so we need to clean up these old devices.
With Intune device cleanup rules, you can set up an automatic cleanup rule that gets rid of inactive, orphaned, or obsolete devices that have not checked in recently. The rule lets us choose between 90 and 270 days for Intune to automatically delete records for inactive or old devices.
Intune applies cleanup rules immediately and continuously so that your device records remain current. If a removed device checks in before its device certificate expires, it will reappear in the console. The goal of this guide is to help you understand what device cleanup rules in Intune are, how they work, and how you can configure them to remove stale devices and keep your tenant tidy.
What are Automatic Device Clean-up Rules in Intune?
The Device Cleanup rules in Intune automatically remove devices that haven’t checked in for several days. If you want to delete stale devices from Intune, you can configure the cleanup rules to automatically delete the devices based on the last check-in date. With auto cleanup rules, you can get rid of inactive, orphaned, or obsolete devices that have not checked in recently.
How do Device Cleanup Rules work?
When the device cleanup rule runs, it finds all the devices that haven’t checked in for the number of days you specify and deletes them immediately. After the service admins turn on the Intune device cleanup rules, all the relevant devices are removed from the portal and can no longer be seen in any blades or device lists. The rule only removes the Intune record; the device object is not removed from Azure AD. To permanently delete the stale record, an Azure AD tenant admin must delete the stale devices from Azure AD.
The device cleanup rules in Intune aren’t available for Android Enterprise scenarios like Fully Managed, Dedicated, and Corporate-Owned with Work Profile. All other enrolled devices, including MDM and MDM/SCCM (co-management) devices, will be removed. This includes registered devices as well as approval-pending devices. The device clean-up rule doesn’t trigger a wipe or retire.
Ways to Delete devices from the Intune Portal
There are two ways to delete devices from the Intune Portal:
- Manually delete the devices from the Intune Portal: Use this method if you have a handful of devices to delete from Intune. The Intune admins need to have a list of device names for deletion.
- Automatically delete devices with cleanup rules: This is the recommended approach, where you configure Intune to automatically remove devices that appear to be inactive, stale, or unresponsive.
Manually Delete the devices from Intune Portal
If you want to manually remove devices from the Intune portal, you can delete them from the specific device pane. Note that, unlike a cleanup rule, a manual delete also retires the device: the next time it checks in, any company data on it will be removed.
- Sign in to the Intune Admin Portal.
- Choose Devices > All devices > Select the Devices that you wish to remove > Delete.
Locating Device Cleanup Rules
If you are new to Intune, you may use the following steps to locate the automatic device cleanup rules.
- Sign in to the Microsoft Endpoint Manager admin center (Intune Portal).
- Choose Devices > Device clean-up rules.
By default, the device clean-up rules aren’t configured for your Intune tenant. The admin must manually enable and configure the automatic device cleanup rules.
Configure Intune Device Cleanup Rules
Now that you have located the clean-up rules, let’s go through the steps to set up the device cleanup rules in Intune. Sign in to the Microsoft Endpoint Manager admin center (Intune Portal). Choose Devices > Device cleanup rules.
There are two options that you see when you configure the device clean-up rule. Each of these options should be configured carefully as it can affect the entire tenant. Let’s look at the options in order.
- Delete devices based on last check-in date: This option allows you to automatically delete the devices from Intune based on the device last check-in date. When set to Yes, Intune deletes devices based on the custom number of days you specify.
- Delete devices that haven’t checked in for this many days: The rule lets you select between 90 and 270 days for Intune to automatically delete records for inactive or old devices. If you enter a lower value such as 89 or a higher value such as 271, Intune won’t allow you to save the settings.
Once you press Save, all the devices that have been inactive for the specified number of days will be immediately removed from Intune. Select “Yes” to confirm and save the changes to your device cleanup rules. Intune will continue to delete devices as they exceed the set number of days. Reports with data about the removed devices may take up to 48 hours to refresh.
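The same rule can be read and written from a script, which is handy for checking that a tenant’s setting has not drifted from what was agreed. The following is an added example, not code from the article; it assumes the Microsoft.Graph PowerShell SDK and the beta Graph endpoint /beta/deviceManagement, where the rule is exposed as managedDeviceCleanupSettings.deviceInactivityBeforeRetirementInDays (names taken from the beta API as I understand it, so treat them as an assumption to verify against the current Graph reference).

```powershell
# Added example (not from the article): read and, if needed, set the tenant's
# device cleanup rule through Microsoft Graph instead of the portal.
# Assumes the Microsoft.Graph PowerShell SDK (Invoke-MgGraphRequest) and the
# beta resource /beta/deviceManagement with the property
# managedDeviceCleanupSettings.deviceInactivityBeforeRetirementInDays.

function Get-IntuneCleanupRule {
    # Returns $null when no rule is configured, which is the default for a tenant.
    $dm = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement?$select=managedDeviceCleanupSettings'
    $days = $dm.managedDeviceCleanupSettings.deviceInactivityBeforeRetirementInDays
    if ([string]::IsNullOrEmpty($days)) { return $null }
    return [int]$days
}

function Set-IntuneCleanupRule {
    param(
        # The portal refuses values outside 90-270; enforce the same bounds here
        # so a typo cannot push the tenant to an unintended threshold.
        [Parameter(Mandatory)][ValidateRange(90, 270)][int]$Days
    )
    $body = @{
        managedDeviceCleanupSettings = @{
            deviceInactivityBeforeRetirementInDays = "$Days"
        }
    }
    Invoke-MgGraphRequest -Method PATCH `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement' `
        -Body ($body | ConvertTo-Json -Depth 3) -ContentType 'application/json'
}

# Read-only check first; the write permission is only needed for Set-IntuneCleanupRule.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All'
$current = Get-IntuneCleanupRule
if ($null -eq $current) {
    Write-Host 'No device cleanup rule is configured for this tenant.'
} else {
    Write-Host "Devices are deleted after $current days without a check-in."
}

# Saving takes effect immediately: every device past the threshold is removed
# as soon as the rule is written, so review the affected-device list first.
# Set-IntuneCleanupRule -Days 180
```

Because the rule applies the moment it is saved, the write is left commented out; run the read part on its own in a scheduled job to alert when the value changes unexpectedly.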
How to View Devices Affected by Cleanup Rules
You can locate and export the devices that are impacted by device cleanup rules using Intune. You can see the impacted devices after turning on the device cleanup rules in Intune. These are the devices that Intune deletes as soon as the cleanup rule is applied. Click “View Affected Devices” in the Device clean-up rules window. You should now see a list of devices that haven’t checked in for over 180 days.
You won’t find any impacted devices if your Intune tenant is properly managed and every device checks in frequently. Although desirable, that rarely happens in organizations. Since I’m setting up the cleanup rules for my lab’s devices, there are no devices that are affected.
Exporting the Affected Devices
When you click on View Affected Devices, it shows the list of devices that will be deleted by the device clean-up rules. You may want to export these managed devices to a file. Thankfully, Intune allows you to export the devices that haven’t checked in for X number of days to a .csv file.
To export the devices impacted by device cleanup rules, click on View Affected Devices and select the Export option. This exports all columns of the table, with any filters you have set applied, to a comma-separated values (.csv) file. Click on Download and save the file to your computer.
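The portal export only exists once the rule is switched on. The following added example (my code, not the article’s) builds the same “affected devices” list locally from whatever device records you feed it, so the set can be reviewed and exported before the rule is saved. Because the rule removes only the Intune record and leaves the Azure AD object behind (as noted in the section on how the rules work), the filter takes the name of the timestamp property as a parameter, so it can be pointed at Intune managed devices (LastSyncDateTime) or Azure AD device objects (ApproximateLastSignInDateTime). The sample device records are constructed; the live retrieval at the end assumes the Microsoft.Graph PowerShell SDK cmdlets Get-MgDeviceManagementManagedDevice and Get-MgDevice.

```powershell
# Added example (not from the article): compute the "affected devices" list
# locally and export it to CSV, before or after a cleanup rule is saved.
# The filter works on any objects that carry a last-activity timestamp; the
# optional live retrieval at the end assumes the Microsoft.Graph SDK.

function Get-StaleDevice {
    param(
        [Parameter(Mandatory)][object[]]$Device,
        # Same bounds the portal enforces when saving the rule.
        [Parameter(Mandatory)][ValidateRange(90, 270)][int]$Days,
        # LastSyncDateTime for Intune managed devices,
        # ApproximateLastSignInDateTime for Azure AD device objects.
        [string]$DateProperty = 'LastSyncDateTime',
        # DeviceName for Intune managed devices, DisplayName for Azure AD objects.
        [string]$NameProperty = 'DeviceName',
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $cutoff = $Now.AddDays(-$Days)
    foreach ($d in $Device) {
        $last = $d.$DateProperty
        $inactiveDays = $null
        if ($null -ne $last) {
            $last = ([datetime]$last).ToUniversalTime()
            $inactiveDays = [int][math]::Floor(($Now - $last).TotalDays)
        }
        # A record with no timestamp has never checked in; report it as stale
        # rather than silently dropping it from the review list.
        if ($null -eq $last -or $last -lt $cutoff) {
            [pscustomobject]@{
                Name         = $d.$NameProperty
                Id           = $d.Id
                LastActivity = $last
                DaysInactive = $inactiveDays
            }
        }
    }
}

# Constructed sample records standing in for Get-MgDeviceManagementManagedDevice output.
$now = [datetime]::new(2024, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ DeviceName = 'LAB-PC-01'; Id = '11111111-1111-1111-1111-111111111111'; LastSyncDateTime = $now.AddDays(-10) }
    [pscustomobject]@{ DeviceName = 'LAB-PC-02'; Id = '22222222-2222-2222-2222-222222222222'; LastSyncDateTime = $now.AddDays(-200) }
    [pscustomobject]@{ DeviceName = 'LAB-PC-03'; Id = '33333333-3333-3333-3333-333333333333'; LastSyncDateTime = $null }
)

# With a 180-day threshold, LAB-PC-02 (200 days) and LAB-PC-03 (never synced) are listed.
$stale = Get-StaleDevice -Device $sample -Days 180 -Now $now
$stale | Format-Table -AutoSize
# Same outcome as the portal's Export button, but produced before the rule is enabled.
$stale | Export-Csv -Path .\stale-devices.csv -NoTypeInformation

# Live retrieval (assumed Microsoft.Graph SDK cmdlets; uncomment when connected):
# Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'Device.Read.All'
# $intune = Get-MgDeviceManagementManagedDevice -All -Property Id, DeviceName, LastSyncDateTime
# Get-StaleDevice -Device $intune -Days 180 | Export-Csv .\intune-stale.csv -NoTypeInformation
# # The cleanup rule leaves the Azure AD object in place; list those separately so the
# # tenant admin can clean them up too.
# $aad = Get-MgDevice -All -Property Id, DisplayName, ApproximateLastSignInDateTime
# Get-StaleDevice -Device $aad -Days 180 -DateProperty ApproximateLastSignInDateTime -NameProperty DisplayName |
#     Export-Csv .\aad-stale.csv -NoTypeInformation
```

Keeping the threshold parameter bounded to 90-270 mirrors the portal, so a reviewed list produced by this script matches what the rule will actually remove once saved.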
Hi praj,
Is there a way we can get a list of machines from Intune/AAD cleaned up by this rule? Thank you
Hi Prajwal.
The link “delete the stale devices from Azure AD.” leads to an article about orphaned groups, and not an article about stale devices in Azure AD. Just a heads up.
Regards
Thomas
Hi Prajwal you mentioned the following in your article:
“The device cleanup rules in Intune aren’t available for Android Enterprise scenarios like Fully Managed, Dedicated, and Corporate-Owned with Work Profile” .
However, these scenarios weren’t supported previously, but they have now been supported for several months:
Kind regards,
Tim
Hi Tim, I will go through the article and update my post shortly. Thanks for the info.