Using device clean-up rules in Microsoft Intune

This week is a relatively short post about the updated device clean-up rules in Microsoft Intune. There can be many reasons why it is important to clean up devices in Microsoft Intune (and Microsoft Entra): security, by preventing stale devices from accessing resources; cost savings, by preventing device licenses from being consumed; and often something as simple as preventing clutter in the Microsoft Intune admin center portal and keeping reports accurate. The standard functionality within Microsoft Intune to automatically clean up devices got a nice update with the latest service release (2507). It is now possible to create device clean-up rules per platform and, with that, differentiate per platform. The main concept remains the same: device clean-up rules are focused on automatically cleaning up devices that appear to be inactive, stale, or unresponsive, and they continuously monitor the environment. The devices that are cleaned up are actually concealed and hidden from reports. This post looks closer at the configuration options and the results of those configurations.

Important: Device clean-up rules in Microsoft Intune do not retire or wipe the device; they only conceal it. When the device checks in again before its device certificate expires, it will reappear.

Note: Device clean-up rules in Microsoft Intune do not affect device objects in Microsoft Entra.

Configuring device clean-up rules

When looking at the new configuration experience for device clean-up rules, it is actually pretty straightforward. It all comes down to walking through a simple wizard. That wizard allows the configuration of device clean-up rules per platform, each with a specified number of days of inactivity. Besides that, it is also still possible to create a device clean-up rule that is applicable to all platforms. To determine the direct impact of the new rule, the wizard provides the ability to preview the affected devices. In the end, that makes the configuration of a device clean-up rule as simple as walking through the following 5 steps.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > Device clean-up rules
  2. On the Devices | Device clean-up rules page, click Create
  3. On the Basics page, as shown below in Figure 1, provide at least a unique name (1) to distinguish it from similar rules, select the platform (2) that the rule should be applied to, and click Next
  4. On the Rules settings page, as shown below in Figure 2, specify the number of days (between 30 and 270) that devices haven't checked in (1) and click Next

Note: The Preview affected devices link (2) directly provides an overview of the devices that will be affected by the rule.

  5. On the Review + create page, verify the configuration and click Create

Note: Once the rule is created, all devices that have been inactive for the specified number of days will be removed. After that, devices that reach that number of days of inactivity will automatically be removed on a daily basis.
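As an added example that is not part of the original post or of Microsoft's own tooling, the following PowerShell reproduces the wizard's "Preview affected devices" step outside the portal: it lists the managed devices whose last check-in is older than the rule's inactivity threshold, optionally restricted to one platform, so the impact of a rule can be reviewed (or exported for a change record) before it is created. It assumes the Microsoft.Graph PowerShell module, a read-only Intune scope, and the `lastSyncDateTime` and `operatingSystem` properties of the Graph `managedDevices` resource; the platform names in the parameter set are assumptions and may need adjusting to the values in your tenant.

```powershell
# Added example: preview which devices a clean-up rule would conceal.
# Assumes the Microsoft.Graph module and Intune read permission (assumption).
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

function Get-StaleIntuneDevice {
    param(
        # Same bounds the wizard enforces for a clean-up rule (30 - 270 days)
        [Parameter(Mandatory)][ValidateRange(30, 270)][int]$InactiveDays,
        # Platform values are assumed Intune operatingSystem names; 'All' = no platform filter
        [ValidateSet('All', 'Windows', 'iOS', 'macOS', 'Android')][string]$Platform = 'All'
    )
    # Cutoff mirrors the rule: last check-in at least N days before now (UTC)
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "lastSyncDateTime le $cutoff"
    if ($Platform -ne 'All') { $filter += " and operatingSystem eq '$Platform'" }
    $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?' +
           "`$filter=$filter&`$select=id,deviceName,operatingSystem,lastSyncDateTime,userPrincipalName"
    # Follow @odata.nextLink so large tenants are not truncated to the first page
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $page.value
        $uri = $page.'@odata.nextLink'
    } while ($uri)
}

# What a 90-day Windows rule would conceal if it were created today
Get-StaleIntuneDevice -InactiveDays 90 -Platform 'Windows' |
    Sort-Object lastSyncDateTime |
    Format-Table deviceName, operatingSystem, lastSyncDateTime, userPrincipalName -AutoSize
```

Pipe the result to Export-Csv instead of Format-Table to keep a record of what the rule is expected to hide, which makes later audit log entries easier to reconcile.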

Experiencing device clean-up rules

Once the device clean-up rules are in place, it is pretty straightforward to verify the behavior. The devices that have not checked in within the specified number of days will automatically be cleaned up, and that action is repeated every 24 hours. The best part is that the action is also clearly logged in the Intune audit logs. The Intune audit logs contain a message per device that has been removed, as shown below in Figure 3, and that message includes the device clean-up rule that caused the action.

When a device that was cleaned up checks in again before its device certificate expires, the device will reappear. Once the device certificate has expired, the device must actually go through a re-enrollment process.

More information

For more information about cleaning up devices in Microsoft Intune, refer to the following docs.


2 thoughts on “Using device clean-up rules in Microsoft Intune”

  1. When a device needs to be re-enrolled, does that mean wiped and re-enrolled? Or is there a way to keep the device and files intact and re-enroll without a wipe?
