Intune Device Cleanup Rules

Updated: Jul 8

This post shows how to configure the Intune device cleanup rule to remove stale devices. Stale devices often accumulate in Intune because nobody cleans them up, which makes it hard to keep the Intune environment and its reports up to date. With the device cleanup rule, we can configure an automatic cleanup of devices that are inactive, stale, or unresponsive and haven't checked in recently.


The rule lets us choose a number of days between 30 and 270, after which inactive or stale devices are automatically removed from Intune records. This way we can keep the Intune environment and reports updated with the active device details.


How to configure the device cleanup rule?


Log in to the Intune portal, navigate to "Device Clean Up Rule" under Other, and select it.

Select "Yes" for the option Delete devices based on the last check-in date. This enables the field for the number of days a device has been inactive or has not reported to Intune. If we enter 30 days, devices that have been inactive for the last 30 days will be deleted from Intune. In many cases 90 days is recommended, to allow for users who have gone on a long vacation, but this depends on the organization.


After you click Save, all devices that have been inactive for the specified number of days will immediately be deleted from Intune. Intune will continue to delete devices as they exceed the number of set days. Reports with data about the deleted devices may take up to 48 hours to refresh in Intune.


You can select View Affected Devices to see the list of devices that will be deleted from Intune as per the set days.

If a removed device checks in before its device certificate expires, it will reappear in the Intune console.


Frequently Asked Questions related to Device Cleanup Rule


What happens when the rules are applied?


Once an Intune Admin or Global Admin enables the rule, the Intune service runs a background job every few hours to remove all applicable devices from the Intune portal, and they no longer show up in any Intune blade or device list. This removal applies only to the Intune portal; the devices are not removed from Azure AD. An Azure AD tenant admin has to perform the device cleanup task in the Azure AD portal to remove the stale records permanently.


Does this device cleanup rule perform device wipe or retire?

No, the automatic rule deletes orphaned devices from the Intune portal. In other words, a device is removed from the Intune portal once it has not checked in with the service for the last x days chosen by the admin.


What device types get affected by this device cleanup?

Android Enterprise scenarios like Fully Managed, Dedicated, and Corporate-Owned with Work Profile do not support device cleanup rules. Any other enrolled devices, including MDM devices, EAS/MDM devices, and MDM/SCCM devices (Co-Management), will be removed. Both registered and pending devices will be removed.


Is it possible for devices removed by the device cleanup rule to come back in some scenarios?

Yes, some devices can come back into the Intune portal, because there are service criteria to auto-recover cleaned-up devices if they check in to the Intune service again. The purpose of this behavior is to recover devices owned by somebody who took a long leave (e.g. extended vacation, sabbatical, maternity leave). The grace period for the device to show up in the Intune portal again lasts until the device cert expires, which is 180 days. If you do not want devices to be able to check back in, consider filtering for stale devices and doing a bulk delete from the All devices view instead.
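
To preview what a given threshold would do before saving the rule, the behavior described in this post can be run offline against a device inventory. This is an added example, not Microsoft's code or part of the original post; the record fields (`enrollment`, `last_check_in`, `cert_expires`), the Android Enterprise labels and the sample devices are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Labels assumed for this example; they stand for the Android Enterprise
# scenarios the post lists as not supported by device cleanup rules.
UNSUPPORTED = {"AE Fully Managed", "AE Dedicated", "AE Corporate-Owned Work Profile"}

def preview_cleanup(devices, threshold_days, now):
    """Sort an inventory into the outcomes the cleanup rule would produce."""
    if not 30 <= threshold_days <= 270:
        raise ValueError("the rule accepts 30 to 270 days")
    cutoff = now - timedelta(days=threshold_days)
    out = {"kept": [], "removed": [], "unsupported_stale": [], "may_reappear": []}
    for d in devices:
        last = datetime.fromisoformat(d["last_check_in"])
        if last > cutoff:
            out["kept"].append(d["name"])
        elif d["enrollment"] in UNSUPPORTED:
            # Stale, but outside the rule's scope: needs manual review.
            out["unsupported_stale"].append(d["name"])
        else:
            out["removed"].append(d["name"])
            # The record comes back if the device checks in while its
            # device certificate is still valid.
            if datetime.fromisoformat(d["cert_expires"]) > now:
                out["may_reappear"].append(d["name"])
    return out

# Constructed sample inventory: (name, enrollment, last check-in, cert expiry).
NOW = datetime(2024, 7, 8, tzinfo=timezone.utc)
_ROWS = [
    ("LAPTOP-01", "MDM", "2024-07-01", "2024-12-01"),
    ("LAPTOP-02", "MDM/SCCM", "2024-03-01", "2024-08-15"),
    ("PHONE-03", "EAS/MDM", "2023-10-01", "2024-03-01"),
    ("KIOSK-04", "AE Dedicated", "2024-01-10", "2024-06-30"),
    ("TABLET-05", "MDM", "2024-04-09", "2024-09-01"),  # exactly 90 days stale
]
SAMPLE = [
    {"name": n, "enrollment": e,
     "last_check_in": f"{seen}T00:00:00+00:00",
     "cert_expires": f"{cert}T00:00:00+00:00"}
    for n, e, seen, cert in _ROWS
]

if __name__ == "__main__":
    for outcome, names in preview_cleanup(SAMPLE, 90, NOW).items():
        print(f"{outcome}: {', '.join(names) or '-'}")
```

Devices in `removed` still need a separate cleanup in Azure AD, and those in `may_reappear` are the candidates for a manual bulk delete if they must not check back in.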

