Update: Added a paragraph clarifying the effect of Windows Autopilot on the device Retire / Delete actions.
It feels like there are a million different reset options in Microsoft Endpoint Manager (aka Intune), and some of them even come with additional sub-options. This post explains the different options, how they differ, and their main use cases. If you prefer it short, a concise summary can be found at the end.
Let us get started with the Retire option. The Retire action removes app data, settings, and Intune-managed email profiles from the device. The device still shows up in Intune until it next checks in. If you want to remove stale devices immediately, use the Delete action instead: Delete also issues the retire command, but it removes the device from the All devices list immediately. Retire leaves the user's personal data on the device.
|Action|Data type|Windows 10|
|---|---|---|
|Retire/Delete|Company apps and associated data installed by Intune|Apps are uninstalled. Sideloading keys are removed. Microsoft 365 Apps are not removed. Win32 apps installed by the Intune management extension are not uninstalled on unenrolled devices.|
|Retire/Delete|Settings|Configurations that were set by Intune policy are no longer enforced. Users can change the settings.|
|Retire/Delete|Wi-Fi and VPN profile settings|Removed|
|Retire/Delete|Certificate profile settings|Certificates are removed and revoked.|
|Retire/Delete|Email|Removes email that is EFS-enabled, including emails and attachments in the Mail app for Windows. Removes mail accounts that were provisioned by Intune. (PST or OST files are not removed!)|
|Retire/Delete|User accounts|After Retire, sign-in is only possible with a local (non Azure AD) account, if one exists.|
|Retire/Delete|Personal data|The user's personal data is not removed.|
|Retire|Remove from Intune|Yes, but only once the device next checks in|
|Delete|Remove from Intune|Yes, immediately (the retire command is still issued)|
|Retire/Delete|Azure AD unjoin|The Azure AD record is removed.*|
Retire should be used for devices that are no longer needed. For corporate devices it removes all access to the device completely, since it also deletes the Azure AD record.
Please note there is an exception to this: if the device has an Autopilot hash assigned (Zero Touch Device ID, ZTDID), it will NOT be deleted from Azure AD. When you register a device with Autopilot, a linked stub device object is created in Azure AD. This object is the anchor for the Autopilot device, so the Azure AD team added an extra safeguard that prevents the deletion of Azure AD device objects with an assigned Windows Autopilot ID.
If you still want to delete the Azure AD device, you need to remove the Autopilot registration in the Endpoint Manager admin center first.
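Before deleting such an Azure AD device you can check for the Autopilot anchor and do the removal in the right order. The PowerShell below is an added example written for this page, not code from the original post or from Microsoft: it reads the device object's physicalIds through Microsoft Graph, looks for the [ZTDID] entry that Autopilot registration stamps on it, deletes the Autopilot identity in Intune first, and only then deletes the directory object. It assumes $AccessToken already holds a Graph bearer token with Device.ReadWrite.All and DeviceManagementServiceConfig.ReadWrite.All, and that the Intune Autopilot identity id equals the ZTDID GUID; both are assumptions of this example.

```powershell
# Added example, not from the original post: check whether an Azure AD device
# object carries an Autopilot identity ("[ZTDID]:<guid>" in physicalIds) before
# deleting it, and remove the Autopilot registration in Intune first if it does.
# Assumptions: $AccessToken is a Graph bearer token obtained elsewhere with
# Device.ReadWrite.All and DeviceManagementServiceConfig.ReadWrite.All; the
# Autopilot identity id in Intune equals the ZTDID GUID (how this example links
# the two records).

$GraphRoot = 'https://graph.microsoft.com/v1.0'

function Get-AadDeviceZtdId {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $AadDeviceObjectId   # directory object id of the device, not its deviceId
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $uri = "$GraphRoot/devices/$AadDeviceObjectId" + '?$select=id,displayName,physicalIds'
    $device = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers

    # Autopilot registration stamps "[ZTDID]:<guid>" into physicalIds; this entry
    # is the anchor that the Azure AD deletion safeguard protects.
    $ztd = @($device.physicalIds) | Where-Object { $_ -is [string] -and $_.StartsWith('[ZTDID]:') }
    if ($ztd) { return ($ztd | Select-Object -First 1).Substring('[ZTDID]:'.Length) }
    return $null
}

function Remove-AadDeviceWithAutopilotCheck {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $AadDeviceObjectId
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $ztdId = Get-AadDeviceZtdId -AccessToken $AccessToken -AadDeviceObjectId $AadDeviceObjectId

    if ($ztdId) {
        # Deleting the directory object now would be refused by the safeguard, so
        # drop the Autopilot registration first (the admin-center step in the text).
        $apUri = "$GraphRoot/deviceManagement/windowsAutopilotDeviceIdentities/$ztdId"
        if ($PSCmdlet.ShouldProcess($ztdId, 'DELETE Autopilot device identity')) {
            Invoke-RestMethod -Method Delete -Uri $apUri -Headers $headers
        }
    }
    if ($PSCmdlet.ShouldProcess($AadDeviceObjectId, 'DELETE Azure AD device object')) {
        Invoke-RestMethod -Method Delete -Uri "$GraphRoot/devices/$AadDeviceObjectId" -Headers $headers
    }
}

# Usage with a placeholder object id: preview first, then run for real.
# Remove-AadDeviceWithAutopilotCheck -AccessToken $token -AadDeviceObjectId '00000000-0000-0000-0000-000000000000' -WhatIf
# Remove-AadDeviceWithAutopilotCheck -AccessToken $token -AadDeviceObjectId '00000000-0000-0000-0000-000000000000'
```

Autopilot deregistration is asynchronous, so if the final directory delete is still refused, re-run Get-AadDeviceZtdId after a few minutes and retry the delete once the [ZTDID] entry is gone. Invoke-RestMethod throws on a 4xx/5xx response, so a refused delete surfaces as a terminating error rather than being silently skipped.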
Without a local administrator provisioned, you will no longer be able to access the device after a Retire/Delete. Retire is a perfect option for BYOD devices enrolled in Intune, as it removes all Intune management settings such as Wi-Fi and VPN profiles, certificates, e-mail accounts, the Azure AD join record, and apps. However, it does not remove Microsoft 365 Apps for Enterprise (Office ProPlus), other Win32 apps, or any of the user's personal data.
The Wipe action (formerly named Factory Reset) is a destructive action with potential data loss. It restores a device to its default settings (OOBE, out-of-box experience). The Wipe action has an option to keep the enrollment state and the associated user account. If this option is not set, all data, apps, and settings are removed. See the table for the differences.
|Device action|Keep enrollment state and user account|Removed from Intune management|Description|
|---|---|---|---|
|Wipe|Checked|No|Wipes all MDM policies. Keeps user accounts and data (profile). Resets user settings back to default. Removes user-installed apps. Resets the operating system to its default state and settings. Keeps the AAD join. MDM policies are reapplied the next time the device connects to Intune.|
|Wipe|Not checked|Yes|Wipes all user accounts. Wipes all user data and user-installed apps. Removes MDM policies and non-default settings. Resets the operating system to its default state and settings (OOBE).|
A wipe is useful for resetting a device before it will be given to a new user, or when the device has been lost or stolen.
The option "Wipe the device and continue to wipe even if device loses power" is a newer option that prevents a wipe from being circumvented by simply power cycling the device: the device keeps retrying the reset until it succeeds.
The Fresh Start device action removes the apps that are installed on a PC running Windows 10. Fresh Start helps remove the pre-installed (OEM) apps that typically ship with a new PC. In this respect it is almost identical to a wipe; the one advantage of Fresh Start over a wipe is that it removes OEM-preloaded applications (bloatware).
Fresh Start comes with one option: retain user data. If you do not retain user data, the device is restored to the default OOBE-completed state, retaining the built-in administrator account.
BYOD devices are unenrolled from Azure AD and mobile device management. Azure AD joined devices are enrolled into mobile device management again when an Azure AD user signs in to the device.
|Device action|Retain user data on this device|Removed from Intune management|Description|
|---|---|---|---|
|Fresh Start|Not checked|Yes|Wipes all user accounts, all user data, installed Win32 apps, MDM policies, and non-default settings. Keeps Windows Store apps. Updates Windows to the latest version and its default state and settings. Keeps the AAD join.|
|Fresh Start|Checked|No|Keeps all user accounts and data. Wipes all MDM policies and Win32 apps. Keeps Store apps. Resets user settings back to default. Removes user-installed apps. Updates Windows to the latest version. Keeps the AAD join.|
Fresh Start is ideal for devices that do not come with a plain vanilla Windows (Signature Edition) installed. For example, you bought a device at the local electronics store and the installation is full of demo software and a trial virus scanner. With Fresh Start you reset the device to only the built-in applications included in the default Microsoft Windows 10 ISO image.
Autopilot Reset removes all files, apps, and settings on a device (including the user profile) but retains the connection to Azure AD and Intune. It is essentially a wipe that keeps the enrollment state but not the user data. Autopilot Reset also keeps the region, language and keyboard settings, any provisioning packages applied to the machine, and Wi-Fi connections. There is no OOBE or Autopilot run after an Autopilot Reset, because this data is retained: the user is presented directly with the Windows 10 sign-in screen and can sign in right away.
|Wipe action|Removed from Intune management|Description|
|---|---|---|
|Autopilot Reset|No|Wipes all MDM policies and user data. Resets user settings back to default. Removes user-installed apps. Keeps user accounts. Resets the operating system to its default state and management settings. Keeps the AAD join.|
Autopilot Reset is the best option for re-using a working device within your organization. The previous user is removed from the device and, depending on your Intune deployment configuration, it can be handed over to the next person with no extra work needed.
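All of the actions discussed above (Retire/Delete, Wipe with and without keeping the enrollment, Fresh Start with and without retaining user data, and Autopilot Reset) can also be issued against the Intune device record through Microsoft Graph instead of clicking through the admin center. The PowerShell below is an added example written for this page, not code from the original post or from Microsoft. It assumes $AccessToken holds a bearer token with DeviceManagementManagedDevices.PrivilegedOperations.All (retire, wipe, cleanWindowsDevice) and DeviceManagementManagedDevices.ReadWrite.All (delete), and that the portal checkboxes map onto the wipe action's keepEnrollmentData, keepUserData and useProtectedWipe parameters and cleanWindowsDevice's keepUserData parameter as shown. That mapping, including treating Autopilot Reset as a wipe that keeps the enrollment but not the user data, is the example's assumption.

```powershell
# Added example, not from the original post: trigger the reset actions discussed
# on this page through Microsoft Graph. Assumptions: $AccessToken is a bearer
# token obtained elsewhere with DeviceManagementManagedDevices.PrivilegedOperations.All
# (retire, wipe, cleanWindowsDevice) and DeviceManagementManagedDevices.ReadWrite.All
# (delete); the mapping of the portal checkboxes to the request bodies below is
# this example's reading of the portal, not something the post states.

$GraphManagedDevices = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'

function Invoke-IntuneResetAction {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $ManagedDeviceId,   # Intune device id (GUID), not the Azure AD object id
        [Parameter(Mandatory)]
        [ValidateSet('Retire', 'Delete', 'Wipe', 'WipeKeepEnrollment', 'AutopilotReset', 'FreshStart', 'FreshStartKeepUserData')]
        [string] $Action,
        [switch] $ContinueIfPowerLost   # "continue to wipe even if device loses power" (useProtectedWipe, assumed mapping)
    )

    $headers = @{ Authorization = "Bearer $AccessToken" }
    $base    = "$GraphManagedDevices/$ManagedDeviceId"

    # One Graph call per action; the body encodes the portal's checkboxes.
    switch ($Action) {
        'Retire'                 { $method = 'Post';   $uri = "$base/retire";             $body = $null }
        'Delete'                 { $method = 'Delete'; $uri = $base;                      $body = $null }   # retire + immediate removal from All devices
        'Wipe'                   { $method = 'Post';   $uri = "$base/wipe";               $body = @{ keepEnrollmentData = $false; keepUserData = $false } }
        'WipeKeepEnrollment'     { $method = 'Post';   $uri = "$base/wipe";               $body = @{ keepEnrollmentData = $true;  keepUserData = $true  } }
        'AutopilotReset'         { $method = 'Post';   $uri = "$base/wipe";               $body = @{ keepEnrollmentData = $true;  keepUserData = $false } }
        'FreshStart'             { $method = 'Post';   $uri = "$base/cleanWindowsDevice"; $body = @{ keepUserData = $false } }
        'FreshStartKeepUserData' { $method = 'Post';   $uri = "$base/cleanWindowsDevice"; $body = @{ keepUserData = $true  } }
    }
    if ($ContinueIfPowerLost -and $uri -like '*/wipe') { $body.useProtectedWipe = $true }

    # Destructive by design: honour -WhatIf / -Confirm so a mistyped device id can be caught.
    if (-not $PSCmdlet.ShouldProcess($ManagedDeviceId, "$Action via $method $uri")) { return }

    $params = @{ Method = $method; Uri = $uri; Headers = $headers }
    if ($null -ne $body) {
        $params.Body        = $body | ConvertTo-Json -Compress
        $params.ContentType = 'application/json'
    }
    Invoke-RestMethod @params
}

# Usage with a placeholder device id: preview first, then run for real.
# Invoke-IntuneResetAction -AccessToken $token -ManagedDeviceId '00000000-0000-0000-0000-000000000000' -Action AutopilotReset -WhatIf
# Invoke-IntuneResetAction -AccessToken $token -ManagedDeviceId '00000000-0000-0000-0000-000000000000' -Action Wipe -ContinueIfPowerLost
```

Because the function declares ConfirmImpact High, every call prompts unless you pass -WhatIf or -Confirm:$false. Graph answers these actions with 204 No Content, so Invoke-RestMethod returns nothing on success and throws a terminating error on a 4xx/5xx response; the action itself is carried out when the device next checks in, just as it is from the admin center.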
|Method|Usage|Intune management|Azure AD enrollment|
|---|---|---|---|
|Retire/Delete|Get rid of outdated devices|removed|removed (except for Autopilot-registered devices, see above)|
|Wipe (keep enrollment)|Reset device to default, remove apps, keep user's data/files|keep|keep|
|Wipe|Lost or stolen device, device handover, return to OOBE|removed|removed|
|Fresh Start (retain user data)|Reset device to Signature Edition, remove apps, keep user's data/files, update to latest Windows version|keep|keep|
|Fresh Start|Reset device to latest Windows Signature Edition|removed|keep|
|Autopilot Reset|Reuse a device and remove the previous user's profile/data|keep|keep|