Let’s learn how to set up automatic Intune Device Cleanup Rules to delete stale records. Stale records could create issues with Intune reporting, compliance reports, etc.
In this quick blog post, you will learn more details about how to set up Automatic Intune device cleanup rules. This cleanup task is similar to SCCM maintenance tasks.
The Intune device clean-up rule for deleting stale records lets Intune admins choose a value between 30 and 270 days, after which inactive device records are removed from Intune automatically. I would recommend setting this value according to your organization’s requirements.
Microsoft confirmed that you don’t need to worry about devices belonging to employees on long leave (medical, sabbatical, etc.): even though the device is deleted from the Intune portal, the backend keeps the device until its device certificate expires.
However, you don’t have the same level of control over Intune maintenance tasks that you have over SCCM maintenance tasks. Setting cleanup rules within your Intune tenant is not mandatory, because of the default behavior explained below.
Video Automatic Intune Device Cleanup Rules Delete Stale Devices
This video discusses Intune Device Clean-up Rules in detail: removing stale records from Intune and Azure AD, and automating maintenance tasks for Intune.
Intune Maintenance Activities
There are different types of maintenance activities in Intune. The infrastructure-side maintenance activities are not visible to customers. The customer-facing ones fall into two groups:
- Automatic maintenance activities such as the Intune Device Cleanup Rules, which clean up stale device records from the Intune device management solution.
- Manual maintenance activities such as cleaning up old/legacy apps, policies, Wi-Fi profiles, VPN profiles, etc.
Automatic Intune Device Cleanup Rules Delete Stale Devices
These Device Cleanup rules automatically remove devices that haven’t checked in for the number of days you set. Go to the Intune pane, choose Devices, and select Device cleanup rules to see the new rule.
When setting this Intune Device Cleanup Rule to Yes, Intune deletes devices based on the custom number of days you specify.
- Delete devices based on last check-in date – Yes.
- Delete devices that haven’t checked in for this many days – 90 days (see NOTE 1 for more details).
- Click the Save button to apply the rule (see NOTE 2 for more information).
NOTE 1 – You can set a custom day value between 90 and 270. Set your Intune device cleanup rules to delete Intune MDM-enrolled devices that appear inactive, stale, or unresponsive. Intune applies cleanup rules immediately and continuously so that your device records remain current.
NOTE 2 – Once you click the Save button, all devices that have been inactive for the specified number of days will immediately be deleted from Intune. Intune will continue to delete devices as they exceed the number of set days. Reports with data about the removed devices may take up to 48 hours to refresh.
When you set Delete Devices based on the last check-in Date to No, Intune automatically deletes all devices that haven’t checked in to Intune for more than 270 days.
Intune Device Cleanup Rules Behavior
Set your Intune device cleanup rules to delete Intune MDM-enrolled and co-managed SCCM devices that are in any of the following states; Intune applies the cleanup rules immediately.
- Inactive
- Stale
- Unresponsive
NOTE 1 – Intune also keeps the device list relevant by running this cleanup task continuously, so that your device records remain current.
NOTE 2 – This deletion does not remove or clean up the device from Azure Active Directory. More details are in the Resources section.
How to Find Out Affected Devices
Intune provides an option to find and export the devices affected by the Device Cleanup rules you implemented above.
Once you click the Save button on Device Cleanup Rules, all devices that have been inactive for the specified number of days (90 Days in the above example) will immediately be deleted from Intune.
NOTE! To ensure that you are deleting the correct devices, I recommend clicking the “View Affected Devices” link and confirming that you want to remove those devices.
These are the devices that haven’t checked in for 90 Days.
Do we have the option to delete only Windows Devices?
We don’t have the option to delete only Windows devices at this point in time. This clean-up rule in Intune applies to all stale records in the Intune Devices node.
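Because the portal gives you a single tenant-wide rule with no per-platform filter, it is worth previewing what a given day value would sweep before you click Save. The following script is an added example, not code from the original post or from Microsoft; it assumes the Microsoft Graph PowerShell SDK modules are installed and that the signed-in account holds a read-only Intune role. It reproduces the “View Affected Devices” check from the command line: every managed device whose last check-in is older than the threshold is listed, grouped by operating system, and each record is matched to its Azure AD device object so you can see the directory objects that will remain after Intune deletes the record (NOTE 2 above). The `$ThresholdDays` parameter and the CSV path are assumptions for this example.

```powershell
# Added example (not from the original post): preview which Intune managed devices a cleanup rule
# with a given "haven't checked in for this many days" value would delete, before you click Save.
# Assumes the Microsoft Graph PowerShell SDK is installed and the caller has read-only Intune rights.
param(
    # The value you intend to set in the rule; 30 to 270 is the range the post describes.
    [ValidateRange(30, 270)] [int] $ThresholdDays = 90,
    [string] $ExportPath = ".\intune-stale-devices-preview.csv"   # assumed output location
)

# Read-only scopes only: this script reports, it never deletes anything.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All", "Device.Read.All" -NoWelcome

$nowUtc = (Get-Date).ToUniversalTime()
$cutoff = $nowUtc.AddDays(-$ThresholdDays)

# All Intune managed devices in the tenant (-All pages through the full result set).
$managed = Get-MgDeviceManagementManagedDevice -All

# Devices whose last Intune check-in is older than the cutoff are the ones the rule would remove.
# Records with no LastSyncDateTime at all are skipped here so a null never silently matches.
$stale = $managed | Where-Object { $_.LastSyncDateTime -and $_.LastSyncDateTime -lt $cutoff }

# Azure AD device objects indexed by their device id, so each stale Intune record can be
# matched to the directory object that the cleanup rule will NOT delete.
$aadById = @{}
Get-MgDevice -All | ForEach-Object { $aadById[$_.DeviceId] = $_ }

$report = $stale | ForEach-Object {
    $aad = $aadById[$_.AzureAdDeviceId]
    [pscustomobject]@{
        DeviceName         = $_.DeviceName
        OperatingSystem    = $_.OperatingSystem
        ManagementAgent    = $_.ManagementAgent        # shows co-managed (SCCM) devices alongside MDM-only ones
        LastSyncUtc        = $_.LastSyncDateTime
        DaysSinceCheckIn   = [math]::Floor(($nowUtc - $_.LastSyncDateTime).TotalDays)
        UserPrincipalName  = $_.UserPrincipalName
        AzureAdObjectFound = [bool]$aad
        AzureAdLastSignIn  = if ($aad) { $aad.ApproximateLastSignInDateTime } else { $null }
    }
}

# The rule has no Windows-only option, so show how many devices of each OS would be swept.
$report | Group-Object OperatingSystem | Select-Object Name, Count | Format-Table -AutoSize

# Full preview, oldest check-in first, for review before the rule is saved.
$report | Sort-Object DaysSinceCheckIn -Descending | Export-Csv -Path $ExportPath -NoTypeInformation
Write-Host "$(@($report).Count) of $(@($managed).Count) managed devices exceed $ThresholdDays days; preview written to $ExportPath"
```

Run it with the same day value you plan to enter in the rule (for example `.\Preview-StaleDevices.ps1 -ThresholdDays 90`) and compare the CSV with the portal’s affected-devices list; the `AzureAdObjectFound` column is the list of directory objects you would still need to review separately, since the cleanup rule leaves Azure AD untouched.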
Intune Device Certificate Validity Dependency?
Whether a deleted device reappears in the Intune console depends on its device certificate. The Microsoft Intune MDM Device CA certificate is valid for 1 year.
If you have configured Delete devices that haven’t checked in for this many days as 90 days, the threshold for a deleted device to show up again in the Intune portal is 180 days, provided the Intune device certificate has not expired.
Resources
- How to use Intune Cleanup Rules
- Rules for Removing Intune Devices
- Delete Device from Azure Active Directory
One of the Microsoft articles says that if a device checks in before 180 days, it can be auto-recovered. Is it 180 days or 365 days, as we have the MDM certificate valid for 1 year?
Reference – techcommunity.microsoft.com/t5/device-management-in-microsoft/using-intune-device-cleanup-rules-amp-160/ba-p/377272
Isn’t that an old article from 2019? And this is not the official documentation, is it?
Hi Anoop,
Thank you for sharing a nice blog about removing stale devices from Intune. Can you please share with me the blog you created for Autopilot troubleshooting and monitoring?
Thanks
Narayanan
Hi Narayanan, here you can explore the troubleshooting post for Windows Autopilot: https://www.anoopcnair.com/windows-autopilot-troubleshooting-guide/
Hi Anoop, Thanks for sharing your deep and impressive knowledge of Intune and Cloud management. Like many of us techies who use your articles I haven’t posted my thanks (until now). I do wonder about when the devices that get cleaned up (deleted) from Intune will be removed from the Azure AD database also…? Would this happen automatically after the year long certificate validity expires, or do we need to remove these devices with a script somehow?
I also wonder about Autopilot device objects (by serial number) in Intune – are these device objects also removed at the same time as the computer hostname Intune object is cleaned by this rule?
Thanks for your assistance understanding how this works,
Andy
Hi Anoop, I am looking to clarify something I can’t find out for sure. If you pre-provision a Windows device via Autopilot, and the device never reaches a user before the cleanup rule kicks in, will that device be removed as well?
We build stock way in advance on occasion so wondering how aggressive we should be with the clean ups.
Thanks
I am curious what the user experience is like for a device that returns from being inactive.
Does the device automatically re-appear in Intune, or would it need to go through re-enrollment with Intune, either via ADE/Autopilot/automatic or manual onboarding?
From an educational standpoint, we may have devices that are offline for a few months and then suddenly pop up online again; I would be very curious to better understand how that all works from an administrator’s and a user’s perspective.
Also would the experience be different for a Hybrid vs AAD Environment?