To Wipe or not to Wipe?

When managing devices with Microsoft Intune, you may encounter situations where you need to perform some remote wipe actions on the devices. For example, you may want to remove a device from Intune management, reset a device to its factory settings, or reinstall Windows on a device.

Intune offers many device actions that you can use to achieve these goals, and in some cases it can be hard to choose between them. Each device action has different effects and implications depending on the device platform and configuration. In this blog post, I will explain the differences between the following device actions:

  • Delete
  • Retire
  • Wipe
  • Fresh start
  • Autopilot reset

Delete

The delete action removes a device from the Intune portal immediately. Intune also retires a device when it is deleted from the admin center: it sends a retire command, and the next time the device checks in, any company data on it is removed. However, the retire command may not reach the device if it is offline or powered off.

The delete action does not affect the user's personal data or settings on the device. The user can still access their personal files and apps.

However, there are some caveats to consider when using the delete action:

  • If the device does not check in with Intune, no retire will occur
  • iOS devices are not retired and company data is not deleted
  • Android devices are not retired and company data is not deleted

The delete action is useful for removing stale or duplicate devices from the Intune portal. However, it does not guarantee that the device is no longer managed by Intune. If you want to ensure that the device is completely unenrolled from Intune, you should use the wipe action instead.

Retire

The retire action removes the Intune management profile and policies from the device. It also removes company apps, company data, and certificates that were installed by Intune. However, it does not remove any personal user data or settings from the device. The user can still access their personal files and apps.

Removal happens the next time the device checks in and receives the remote Retire action. The device still shows up in Intune until the device checks in. However, this may take some time depending on the device’s connectivity and sync frequency.

  • The wipe action does not remove any Win32 apps that were installed by using the Intune management extension.

The retire action is useful for devices that are no longer needed or being repurposed. For corporate devices, it removes all access to company resources and data from the device. However, it does not reset the device to its factory settings or reinstall Windows on the device. If you want to do that, you should use the wipe, fresh start, or autopilot reset actions instead.
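The check-in caveat described above means a Delete, Retire or Wipe can sit unexecuted on an offline device while company data stays on it. The following PowerShell function is an added example, not code from the original post, that flags such devices. It assumes records shaped like the Microsoft Graph managedDevice resource (deviceName, operatingSystem, managementState, lastSyncDateTime); the function name and the 7-day threshold are hypothetical, and the sample records are constructed.

```powershell
function Get-UnconfirmedRemoval {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Device,
        [int] $StaleDays = 7,   # assumption: tune to your devices' check-in cadence
        [datetimeoffset] $Now = [datetimeoffset]::UtcNow
    )
    begin {
        # managementState values where the action was requested but is not yet confirmed
        $pending = 'retirePending', 'retireIssued', 'wipePending', 'wipeIssued', 'deletePending'
        $failed  = 'retireFailed', 'wipeFailed'
    }
    process {
        $state = [string]$Device.managementState
        if ($state -notin ($pending + $failed)) { return }   # nothing outstanding on this device

        # The cast accepts both ISO 8601 strings and DateTime values
        $lastSync   = [datetimeoffset]$Device.lastSyncDateTime
        $daysSilent = [math]::Floor(($Now - $lastSync).TotalDays)

        if ($state -in $failed)             { $finding = 'ActionFailed' }
        elseif ($daysSilent -ge $StaleDays) { $finding = 'NoCheckIn' }        # company data likely still on the device
        else                                { $finding = 'AwaitingCheckIn' }

        [pscustomobject]@{
            DeviceName = $Device.deviceName
            OS         = $Device.operatingSystem
            State      = $state
            DaysSilent = $daysSilent
            Finding    = $finding
        }
    }
}

# Constructed sample records (not real devices)
$sample = @'
[
  {"deviceName":"LAPTOP-A","operatingSystem":"Windows","managementState":"retirePending","lastSyncDateTime":"2024-04-02T09:15:00Z"},
  {"deviceName":"PHONE-B","operatingSystem":"Android","managementState":"wipeIssued","lastSyncDateTime":"2024-04-29T18:40:00Z"},
  {"deviceName":"MAC-C","operatingSystem":"macOS","managementState":"wipeFailed","lastSyncDateTime":"2024-04-30T07:05:00Z"},
  {"deviceName":"LAPTOP-D","operatingSystem":"Windows","managementState":"managed","lastSyncDateTime":"2024-04-30T22:10:00Z"}
]
'@ | ConvertFrom-Json

# Fixed reference time so the sample output is reproducible
$sample | Get-UnconfirmedRemoval -Now ([datetimeoffset]'2024-05-01T00:00:00Z') | Format-Table
```

Against a live tenant, the same properties are returned by `Get-MgDeviceManagementManagedDevice -All` from the Microsoft Graph PowerShell SDK.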

Wipe

The wipe action restores a device to its factory default settings. This is also sometimes called a factory reset or, in the Windows world, the out-of-the-box experience. It removes all user data, apps, and settings from the device (including personal data). It also removes the Intune management profile and policies from the device.

However, there are some caveats to consider when using the wipe action:

  • Wipe action is not available for iOS/iPadOS devices enrolled with User Enrollment
  • Retain Personal apps and data on Android Enterprise

The wipe action is useful for resetting a device before giving it to a new user or when the device has been lost or stolen. It ensures that no personal or company data remains on the device. It will keep trying to reset the device until it is done or deleted manually.

If you select Wipe device, but keep enrollment state and associated user account you will:

  • Retain accounts associated with the device
  • Retain Microsoft Entra Join
  • Retain Microsoft Intune Managed
  • Retain OEM apps
  • Retain User Profile
  • Retain Personal Data outside of User Profile

Fresh start

The fresh start action reinstalls Windows on a device and removes any pre-installed apps (OEM apps) that are not part of Windows. It also removes all user data, apps, and settings from the device. It preserves the Azure AD join state and re-enrolls the device into Intune after the reinstall.

However, there are some caveats to consider when using the fresh start action:

  • Only works on Windows
  • Only removes Win32 apps, not other modern apps
  • Updates to the latest version of Windows

If you select Retain user data on this device you will:

  • Keep the device Microsoft Entra joined
  • Keep the device Microsoft Intune Managed after first sign-in.
  • Keep personal data but remove apps and settings

The fresh start action is useful for devices that have performance issues or unwanted bloatware. It ensures that the device has a clean, up-to-date version of Windows that is free from bloatware.

Autopilot reset

The autopilot reset action resets a device to its initial state and applies an Autopilot profile to configure it for a specific user or group. It removes all user data, apps, and settings from the device. It preserves the Azure AD join state and re-enrolls the device into Intune after the reset. The next user who signs in after the reset will be set as the primary user.

However, there are some caveats to consider when using the autopilot reset action:

  • Only works on Windows
  • Does not support Hybrid Azure AD joined devices
  • Keep Wi-Fi settings
  • Keep SCEP certificates
  • Keep provisioning packages

The autopilot reset action is useful for devices that are part of an Autopilot deployment. It ensures that the device is configured according to the Autopilot profile and ready for a new user.

Conclusion

There are too many options; I hope this will be better in the future. How about a checkbox for what to keep? In this blog post, I have explained the differences between the delete, retire, wipe, fresh start, and autopilot reset actions in Intune. I hope this helps you choose the right device action for your scenario. In this table you can also compare them side by side:

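| Action | OS | Factory Reset OS | OEM apps | User Apps and Data | Company Apps and Data | Company Certificates | Local Accounts | User Profile | Entra Join | Intune Manage |
|---|---|---|---|---|---|---|---|---|---|---|
| Delete | Windows | Keep | Keep | Keep | Keep | Keep | Keep | Keep | Remain | Wipe/Retire |
| Delete | Android | Keep | Keep | Keep | Keep | Keep | Keep | Keep | Remain | Wipe/Retire |
| Delete | iOS | Keep | Keep | Keep | Keep | Keep | Keep | Keep | Remain | Wipe/Retire |
| Delete | macOS | Keep | Keep | Keep | Keep | Keep | Keep | Keep | Remain | Wipe/Retire |
| Retire | Windows | Keep | Keep | Keep | Wipe | Wipe/Revoke | Keep | Keep | Wipe | Wipe |
| Retire | Android | Keep | Keep | Keep | Wipe | Wipe/Revoke | Keep | Keep | Remain | Wipe |
| Retire | iOS | Keep | Keep | Keep | Wipe | Wipe/Revoke | Keep | Keep | Remain | Wipe |
| Retire | macOS | Keep | Keep | Keep | Wipe | Wipe/Revoke | Keep | Keep | Remain | Wipe |
| Wipe | Windows | Reset | Keep | Wipe | Wipe | Wipe/Revoke | Wipe | Wipe | Wipe | Wipe |
| Wipe | Android | Reset | Keep | Wipe | Wipe | Wipe/Revoke | Wipe | Wipe | Wipe | Wipe |
| Wipe | iOS | Reset | Keep | Wipe | Wipe | Wipe/Revoke | Wipe | Wipe | Wipe | Wipe |
| Wipe | macOS | Reset | Keep | Wipe | Wipe | Wipe/Revoke | Wipe | Wipe | Wipe | Wipe |
| Wipe – Keep enrollment state and associated user account | Windows | Reset | Keep | Keep | Wipe | Keep | Wipe | Keep | Keep | Keep |
| Fresh Start | Windows | Reset | Wipe | Wipe | Wipe | Wipe/Revoke | Wipe | Wipe | Wipe | Wipe |
| Fresh Start – Retain user data on this device | Windows | Reset | Wipe | Keep home folder | Wipe | Wipe/Revoke | Wipe | Keep | Keep | Keep |
| AutoPilot Reset | Windows | Reset | Keep | Wipe | Wipe | Wipe/Revoke | Wipe | Wipe | Keep | Keep |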

Have a nice day! 😊

About The Author

Mr T-Bone

Torbjörn Tbone Granheden is a Solution Architect for Modern Workplace at Coligo AB. Most Valuable Professional (MVP) on Enterprise Mobility. Certified in most Microsoft technologies and over 23 years as Microsoft Certified Trainer (MCT)