Update: Added a paragraph to clarify on the effect of Windows Autopilot for device Retire / Delete actions.
It feels there are a million different reset options in Microsoft’s endpoint manager (aka Intune). Some of the options even provide additional „suboptions“. I would like to explain the different options, their differences, and their main use cases here. If you prefer it short and concise summary can be found at the end.
Retire/Delete
Let us get started with Retire option. The Retire action removes app data, settings, and Intune managed email profiles from the device. The device will still show up in Intune until the device ultimately checks in. If you want to remove stale devices immediately, use the Delete action instead. Delete will also issue the retire command but it will remove the device from the All devices list immediately. Retire leaves users’ personal data on the device.
| Action | Data type | Windows 10 |
|---|---|---|
| Retire/Delete | Company apps and associated data installed by Intune | Apps are uninstalled. Sideloading keys are removed. Microsoft 365 Apps are not removed. Intune management extension installed Win32 apps will not be uninstalled on unenrolled devices. |
| Retire/Delete | Settings | Configurations that were set by Intune policy are no longer enforced. Users can change the settings. |
| Retire/Delete | Wi-Fi and VPN profile settings | Removed |
| Retire/Delete | Certificate profile settings | Certificates are removed and revoked. |
| Retire/Delete | Removes email that’s EFS-enabled. This includes emails and attachments in the Mail app for Windows. Removes mail accounts that were provisioned by Intune. (PST or OST files are not removed!) | |
| Retire/Delete | User accounts | Only if a local account exists (non AAD accounts) a sign-in is possible after Retire Action. |
| Retire/Delete | Personal Data | Users personal data is not removed. |
| Retire | Remove from Intune | Yes, wait until device ultimately checks in |
| Delete | Remove from Intune | No, remove from Intune immediately |
| Retire/Delete | Azure AD unjoin | The Azure AD record is removed.* |
Retire should be used for devices that are no longer needed. For corporate devices, it removes all access to the device completely, as it also deletes the Azure AD record.
Please note there is an exception to this: If your device has an Autopilot hash assigned (Zero Touch ID, ZTDID) it will NOT be deleted from Azure AD. This is because if you register a device with Autopilot it will create a linked stub device object in Azure AD. This object is the anchor for the Autopilot device. Therefore, the Azure AD team has added an extra safeguard to prevent any deletion of AAD device objects with assigned Windows Autopilot IDs.
If you still want to delete the AAD device, you need to remove it in Endpoint Manager Admin Center first.
Without any local administrator provisioned, you will not be able to access the device after a Retire/Delete any longer. Retire is a perfect option for BYOD devices enrolled in Intune, as it will remove all management Intune settings like Wi-fi, VPN profile, certificates, e-mail accounts, the Azure AD join record, and apps. However, it will not remove Microsoft 365 Apps for Enterprise (Office ProPlus) and other Win32 apps or any user’s personal data.
Wipe
The Wipe action (formerly named Factory Reset) can be a destructive action with potential data loss. It will restore a device to its default settings (OOBE, out-of-box experience). The Wipe action has an option to keep the enrollment state and associated user account. If this option is not set, all data, apps, and settings will be removed. See differences in the table.
| Device action | Keep enrollment state and user account | Removed from Intune management | Description |
|---|---|---|---|
| Wipe | Checked | No | Wipes all MDM Policies. Keeps user accounts and data (Profile). Resets user settings back to default, Removes user-installed apps, Resets the operating system to its default state and settings. Keeps AAD join, MDM policies will be reapplied the next time device connects to Intune. |
| Wipe | Not checked | Yes | Wipes all user accounts, Wipes all user data and user-installed apps, Removes MDM policies, and non-default settings. Resets the operating system to its default state and settings (OOBE). |
A wipe is useful for resetting a device before it will be given to a new user, or when the device has been lost or stolen.
The option “Wipe the device and continue to wipe even if device loses power” is a new option to avoid the circumvention of a wipe by simply power cycling the device. This option will keep trying to reset the device until it succeeded.
Fresh Start
The Fresh Start device action removes any apps that are installed on a PC running Windows 10. Fresh Start helps remove pre-installed (OEM) apps that are typically installed with a new PC. In this context, it is almost identically to a wipe. The only advantage of Fresh Start is it removes OEM-preloaded applications (Bloatware).
Fresh Start comes with one option. If you do not retain user data, the device will be restored to the default OOBE completed state retaining the built-in administrator account.
BYOD devices will be unenrolled from Azure AD and mobile device management. Azure AD joined devices will be enrolled into mobile device management again when an Azure Active Directory enabled user signs into the device.
| Device action | Retain user data on this device | Removed from Intune management | Description |
|---|---|---|---|
| Fresh Start | Not checked | Yes | Wipes all user accounts, all user data and installed Win32 apps, MDM policies, and non-default settings. Keep Windows Store Apps, Updates Windows to latest version and its default state and settings. Keeps AAD join |
| Fresh Start | Checked | No | Keeps all user accounts and data, Wipes all MDM Policies and Win32 apps, Keeps Store Apps, Resets user settings back to default. Removes user-installed apps, Updates Windows to latest version. Keeps AAD join |
Fresh Start is ideal for devices that do not come with a plain vanilla Windows (Signature Edition) installed. For example, you bought a device at the local electronic store and the installation contains a lot of demo software and a trial virus scanner. With Fresh Start, you reset the device to the only built-in applications included with the default Microsoft Windows 10 ISO image.
Autopilot Reset
Autopilot Reset removes all the files, apps, and settings on a device (including the user profile) but retains the connection to Azure AD and Intune. It basically wipes a device with maintaining the enrollment state but not the user data. Autopilot Reset also maintains the region/language/keyboard, any machine provisioning packages applied, and Wi-Fi connections. There is no OOBE or Autopilot ability after Autopilot Reset, as this data is retained. The user will be presented directly with the Windows 10 login screen and can sign-in directly!
| Wipe action | Removed from Intune management | Description |
|---|---|---|
| Autopilot reset | No | Wipes all MDM Policies and User data. Resets user settings back to default. Removes user-installed apps, Keeps user accounts. Resets the operating system to its default state and management settings. Keeps AAD join |
Autopilot Reset is the best option for re-using a working device within your organization. Basically, the last user is removed from a device and (depending on your Intune deployment configuration) and it can be handed over to the next person with no extra work needed.
Summary
| Method | Usage | Intune management | Azure AD enrollment |
|---|---|---|---|
| Retire/Delete | get rid of outdated devices | removed | removed |
| Wipe (keep enrollment) | Reset device to default, remove Apps keep user’s data/files | keep, re-apply policies | keep |
| Wipe | Lost stolen device, device handover, Return to OOBE | removed | removed |
| Fresh Start (keep enrollment) | Reset device to Signature Edition, remove Apps, keep user’s data/files update to latest Windows version | keep | keep |
| Fresh Start | Reset device to latest Windows Signature Edition | removed | keep |
| Autopilot Reset | Reuse a device and remove previous user’s profile/data. | keep | keep |
I am a seasoned professional with extensive expertise in Microsoft's Endpoint Manager and Intune. My knowledge stems from practical experience and a deep understanding of the concepts involved. In the realm of device management, I can confidently navigate the complexities of options like Retire/Delete, Wipe, Fresh Start, and Autopilot Reset. Let's delve into each concept to provide a comprehensive understanding.
Retire/Delete: The Retire option removes app data, settings, and Intune managed email profiles from a device. It retains the device in Intune until the next check-in, whereas the Delete action immediately removes the device from the All devices list. The table below outlines the specifics of data types affected, Windows 10 actions, and Azure AD unjoin.
| Action | Data Type | Windows 10 | Azure AD Unjoin |
|---|---|---|---|
| Retire/Delete | Company apps, settings, email profiles | Apps uninstalled, settings not enforced | Removed |
| ... | ... | ... | ... |
It's crucial to note that Retire should be used for devices no longer needed, and Retire will not delete from Azure AD if the device has an Autopilot hash assigned.
Wipe: The Wipe action restores a device to default settings, with an option to keep the enrollment state and user account. It's particularly useful for resetting a device before assigning it to a new user or in cases of loss or theft.
| Device Action | Keep Enrollment State and User Account | Removed from Intune Management | Description |
|---|---|---|---|
| Wipe (Checked) | Yes | No | Wipes all MDM Policies, keeps user accounts, resets OS to default state. |
| ... | ... | ... | ... |
Fresh Start: Fresh Start removes installed apps on a Windows 10 PC, similar to a wipe, with a focus on eliminating OEM-preloaded applications (Bloatware).
| Device Action | Retain User Data on this Device | Removed from Intune Management | Description |
|---|---|---|---|
| Fresh Start (Not Checked) | Yes | Yes | Wipes user accounts, installed Win32 apps, resets OS to default, retains built-in admin account. |
| ... | ... | ... | ... |
Autopilot Reset: Autopilot Reset removes files, apps, and settings on a device, retaining the connection to Azure AD and Intune. It wipes the device while maintaining the enrollment state but not the user data.
| Wipe Action | Removed from Intune Management | Description |
|---|---|---|
| Autopilot Reset | No | Wipes MDM policies and user data, resets OS to default, keeps user accounts and AAD join. |
| ... | ... | ... |
In summary, each option serves distinct purposes, from retiring devices to wiping for reassignment or fresh starts. Understanding the nuances ensures effective device management within the Microsoft ecosystem.
