Intune: What is Retire / Wipe / Delete / Fresh Start / Autopilot Reset

Update: Added a paragraph to clarify on the effect of Windows Autopilot for device Retire / Delete actions.

It feels like there are a million different reset options in Microsoft Endpoint Manager (aka Intune), and some of the options even provide additional "suboptions". I would like to explain the different options, their differences, and their main use cases here. If you prefer it short, a concise summary can be found at the end.

Intune device actions

Retire/Delete

Let us get started with the Retire option. The Retire action removes app data, settings, and Intune-managed email profiles from the device. The device will still show up in Intune until it ultimately checks in. If you want to remove stale devices immediately, use the Delete action instead. Delete also issues the retire command, but it removes the device from the All devices list immediately. Retire leaves users' personal data on the device.

| Action | Data type | Windows 10 |
|---|---|---|
| Retire/Delete | Company apps and associated data installed by Intune | Apps are uninstalled. Sideloading keys are removed. Microsoft 365 Apps are not removed. Win32 apps installed by the Intune management extension will not be uninstalled on unenrolled devices. |
| Retire/Delete | Settings | Configurations that were set by Intune policy are no longer enforced. Users can change the settings. |
| Retire/Delete | Wi-Fi and VPN profile settings | Removed |
| Retire/Delete | Certificate profile settings | Certificates are removed and revoked. |
| Retire/Delete | Email | Removes email that is EFS-enabled. This includes emails and attachments in the Mail app for Windows. Removes mail accounts that were provisioned by Intune. (PST or OST files are not removed!) |
| Retire/Delete | User accounts | A sign-in after the Retire action is only possible if a local (non-AAD) account exists. |
| Retire/Delete | Personal data | Users' personal data is not removed. |
| Retire | Remove from Intune | Yes, wait until the device ultimately checks in |
| Delete | Remove from Intune | No, remove from Intune immediately |
| Retire/Delete | Azure AD unjoin | The Azure AD record is removed.* |

Retire should be used for devices that are no longer needed. For corporate devices, it removes all access to the device completely, as it also deletes the Azure AD record.
Please note there is an exception to this: if your device has an Autopilot hash assigned (Zero Touch Device ID, ZTDID), it will NOT be deleted from Azure AD. This is because registering a device with Autopilot creates a linked stub device object in Azure AD, and this object is the anchor for the Autopilot device. Therefore, the Azure AD team has added an extra safeguard that prevents any deletion of AAD device objects with assigned Windows Autopilot IDs.

Devices with Autopilot ZTDID cannot be removed from AAD

If you still want to delete the AAD device, you need to remove it in Endpoint Manager Admin Center first.

Without a provisioned local administrator, you will no longer be able to access the device after a Retire/Delete. Retire is a perfect option for BYOD devices enrolled in Intune, as it removes all Intune management settings such as Wi-Fi and VPN profiles, certificates, e-mail accounts, the Azure AD join record, and apps. However, it will not remove Microsoft 365 Apps for Enterprise (Office ProPlus), other Win32 apps, or any of the user's personal data.

Wipe

The Wipe action (formerly named Factory Reset) is a destructive action with potential data loss. It restores a device to its default settings (OOBE, out-of-box experience). The Wipe action has an option to keep the enrollment state and the associated user account. If this option is not set, all data, apps, and settings are removed. See the differences in the table.

| Device action | Keep enrollment state and user account | Removed from Intune management | Description |
|---|---|---|---|
| Wipe | Checked | No | Wipes all MDM policies. Keeps user accounts and data (profile). Resets user settings back to default. Removes user-installed apps. Resets the operating system to its default state and settings. Keeps AAD join. MDM policies will be reapplied the next time the device connects to Intune. |
| Wipe | Not checked | Yes | Wipes all user accounts. Wipes all user data and user-installed apps. Removes MDM policies and non-default settings. Resets the operating system to its default state and settings (OOBE). |

A wipe is useful for resetting a device before it is given to a new user, or when the device has been lost or stolen.
The option "Wipe the device and continue to wipe even if device loses power" is a new option that prevents a wipe from being circumvented by simply power cycling the device. With this option set, Intune keeps trying to reset the device until the wipe succeeds.

Fresh Start

The Fresh Start device action removes any apps that are installed on a PC running Windows 10. Fresh Start helps remove pre-installed (OEM) apps that typically ship with a new PC. In this context, it is almost identical to a wipe. The only advantage of Fresh Start is that it removes OEM-preloaded applications (bloatware).

Fresh Start comes with one option. If you do not retain user data, the device will be restored to the default OOBE completed state retaining the built-in administrator account.

BYOD devices will be unenrolled from Azure AD and mobile device management. Azure AD joined devices will be enrolled into mobile device management again when an Azure Active Directory enabled user signs into the device.

| Device action | Retain user data on this device | Removed from Intune management | Description |
|---|---|---|---|
| Fresh Start | Not checked | Yes | Wipes all user accounts, all user data and installed Win32 apps, MDM policies, and non-default settings. Keeps Windows Store apps. Updates Windows to the latest version and its default state and settings. Keeps AAD join. |
| Fresh Start | Checked | No | Keeps all user accounts and data. Wipes all MDM policies and Win32 apps. Keeps Store apps. Resets user settings back to default. Removes user-installed apps. Updates Windows to the latest version. Keeps AAD join. |

Fresh Start is ideal for devices that do not come with a plain vanilla Windows (Signature Edition) installed. For example, you bought a device at the local electronics store and the installation contains a lot of demo software and a trial virus scanner. With Fresh Start, you reset the device to only the built-in applications included with the default Microsoft Windows 10 ISO image.

Autopilot Reset

Autopilot Reset removes all the files, apps, and settings on a device (including the user profile) but retains the connection to Azure AD and Intune. It basically wipes a device while maintaining the enrollment state, but not the user data. Autopilot Reset also keeps the region/language/keyboard settings, any machine provisioning packages applied, and Wi-Fi connections. There is no OOBE or Autopilot flow after an Autopilot Reset, as this data is retained. The user is presented directly with the Windows 10 login screen and can sign in immediately!

| Wipe action | Removed from Intune management | Description |
|---|---|---|
| Autopilot Reset | No | Wipes all MDM policies and user data. Resets user settings back to default. Removes user-installed apps. Keeps user accounts. Resets the operating system to its default state and management settings. Keeps AAD join. |

Autopilot Reset is the best option for re-using a working device within your organization. Basically, the last user is removed from the device and (depending on your Intune deployment configuration) it can be handed over to the next person with no extra work needed.

Summary

| Method | Usage | Intune management | Azure AD enrollment |
|---|---|---|---|
| Retire/Delete | Get rid of outdated devices | Removed | Removed |
| Wipe (keep enrollment) | Reset device to default, remove apps, keep user's data/files | Keep, re-apply policies | Keep |
| Wipe | Lost/stolen device, device handover, return to OOBE | Removed | Removed |
| Fresh Start (keep enrollment) | Reset device to Signature Edition, remove apps, keep user's data/files, update to latest Windows version | Keep | Keep |
| Fresh Start | Reset device to latest Windows Signature Edition | Removed | Keep |
| Autopilot Reset | Reuse a device and remove previous user's profile/data | Keep | Keep |
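As an added example (not code from the original post), here is a PowerShell function that issues the Retire, Delete, Wipe and Fresh Start actions from the tables above through Microsoft Graph, and surfaces the Autopilot ZTDID exception before a Retire/Delete so the admin can remove the Autopilot registration first. It assumes the Microsoft.Graph PowerShell SDK, a prior Connect-MgGraph with the scopes named in the trailing comment, and a managed device id you supply; the function name is mine, and Autopilot Reset is left out.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example, not from the original post. Issues the Intune device actions
# described above via Microsoft Graph v1.0 and warns about the Autopilot caveat.
function Invoke-IntuneDeviceReset {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]   # prompts unless -Confirm:$false
    param(
        [Parameter(Mandatory)] [string] $ManagedDeviceId,
        [Parameter(Mandatory)] [ValidateSet('Retire', 'Delete', 'Wipe', 'FreshStart')] [string] $Action,
        # Wipe: "Keep enrollment state and user account"; Fresh Start: "Retain user data on this device"
        [switch] $KeepUserData
    )
    $graph  = 'https://graph.microsoft.com/v1.0/deviceManagement'
    $device = Invoke-MgGraphRequest -Method GET -Uri "$graph/managedDevices/$ManagedDeviceId`?`$select=deviceName,serialNumber"

    # Retire/Delete normally removes the Azure AD record, but a device with an Autopilot
    # ZTDID keeps it (see the post). Look the serial up in the Autopilot identities and warn.
    if (($Action -in @('Retire', 'Delete')) -and $device.serialNumber) {
        $serial = $device.serialNumber -replace "'", "''"     # escape for the OData filter
        $ap = Invoke-MgGraphRequest -Method GET -Uri "$graph/windowsAutopilotDeviceIdentities?`$filter=contains(serialNumber,'$serial')"
        if ($ap.value.Count -gt 0) {
            Write-Warning "$($device.deviceName) is Autopilot-registered (ZTDID): $Action will NOT delete its Azure AD object. Remove the Autopilot device first."
        }
    }

    $request = @{ Method = 'POST' }
    switch ($Action) {
        'Retire'     { $request.Uri = "$graph/managedDevices/$ManagedDeviceId/retire" }
        # Delete = retire plus immediate removal of the Intune record
        'Delete'     { $request.Method = 'DELETE'; $request.Uri = "$graph/managedDevices/$ManagedDeviceId" }
        'Wipe'       { $request.Uri  = "$graph/managedDevices/$ManagedDeviceId/wipe"
                       # the portal's single checkbox is sent as both Graph flags
                       $request.Body = @{ keepEnrollmentData = [bool]$KeepUserData; keepUserData = [bool]$KeepUserData } }
        'FreshStart' { $request.Uri  = "$graph/managedDevices/$ManagedDeviceId/cleanWindowsDevice"
                       $request.Body = @{ keepUserData = [bool]$KeepUserData } }
    }
    if ($PSCmdlet.ShouldProcess($device.deviceName, "$Action (KeepUserData=$KeepUserData)")) {
        Invoke-MgGraphRequest @request | Out-Null
        "$Action issued to $($device.deviceName)"
    }
}
# Scopes: DeviceManagementManagedDevices.PrivilegedOperations.All (retire/wipe/cleanWindowsDevice),
#         DeviceManagementManagedDevices.ReadWrite.All (delete), DeviceManagementServiceConfig.Read.All (Autopilot lookup)
# Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All','DeviceManagementManagedDevices.ReadWrite.All','DeviceManagementServiceConfig.Read.All'
# Invoke-IntuneDeviceReset -ManagedDeviceId '<managedDeviceId placeholder>' -Action Wipe -KeepUserData -WhatIf
```

Run with -WhatIf first; the function only sends the request after the ShouldProcess confirmation.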
