Intune Device Actions for Windows PCs

Caution

Be aware, the below is true only for Windows devices. Expected behavior is different between operating systems and should be accounted for.

Quick reference

Action	Removes corporate data	Removes user data	Removes Intune record	Removes Entra ID record	Keeps Autopilot registration	Typical use-case
Retire	✅	❌	✅ (At next check-in)	❌	✅	BYOD off-boarding
Wipe	✅	✅	❌	❌	✅	Lost/stolen devices, refreshing devices, and troubleshooting.
Delete ¹	—	—	✅ (immediate)	✅ if not in Autopilot	✅	Removing stale records
Autopilot Reset	✅	✅	❌	❌	✅	Handing a managed PC to the next employee with zero-touch IT intervention

¹ Delete first triggers Retire (Windows) or Wipe (other platforms). The table shows the final state.

² Actions differ depending on weather keep enrollment state is selected or not.

---

Retire (“remove corporate footprint”)

The Retire action removes managed app data, Intune settings, and email profiles that were assigned using Intune. Personal files and local users will remain intact.

Warning

This may not always be suitable, as this may leave small/unexpected footprints of company data depending on your configuration. The device object remains in Intune until it next checks in.

Use when

• Off-boarding personally-owned (BYOD) Windows PCs.
• You want to stop enforcing¹ policy without a factory reset.

Caution

• BitLocker recovery keys remain in Entra ID.
• Device can linger in inventory until it syncs again.
• Does not unregister the device from Windows Autopilot.

What happens

Intune installed Win32 apps aren’t uninstalled on unenrolled devices. Be mindful of this for any software running device licensing.

¹ Be mindful, that not enforcing does not always mean changing back to defaults.

---

Wipe (“factory reset”)

Wipe acts as a “Reset this PC option”, and puts the device back to a fresh, OOBE state when using the full wipe option. Using the keep enrollment option is a strong option if the device is returning to the original user.

Two flavours

Plain wipe — Acts as a factory reset, and puts the device back to the OOBE after a cloud reinstall.
Wipe + keep enrolment — keeps Intune enrolment and the primary user account for rapid redeploy.

Use when

• Device is lost, stolen, being renewed or removed from the business.
• OS-level level troubleshooting.

Caution

• Autopilot registration stays with both options; the PC will re-enrol on next OOBE.
• If power loss is a risk, enable “continue wiping even if device loses power” to avoid a bricked device.
• If using “Keep enrolment”, User data outside of the user profile is retained and their profile, and should be used only for the same user.

---

Delete (“record housekeeping”)

What happens

Instantly removes the Intune record, then silently issues Retire (Windows) or Wipe (other OSes).
If the PC is not in Autopilot, its Entra ID object is deleted too.

Use when

• Clearing out stale or duplicate device records.
• The physical hardware was disposed of long ago.
• permanently retiring devices from circulation

Caution

• Capture BitLocker keys before deleting if Intune managed encryption.
• If the PC is seen online before certificate expiry, it starts a fresh enrolment.

---

Autopilot Reset (“business-ready hand-off”)

What happens

Removes user data, apps and settings while retaining Autopilot, Entra ID and Intune membership.
The device reboots and re-enrolls. Note: Required apps are not shown during ESP during an autopilot reset. See here for more info

Use when

• Front-line or shared PCs need a quick turnaround between users.
• Re-issuing hardware to a new hire with minimal IT intervention.

Caution

• Works only on Entra-joined devices. Hybrid-joined machines require a full Wipe.
• New user cannot sign in until policy sync completes; allow a few minutes during hand-over.
• Not as thorough as a full wipe, in terms of re-enrollment behavior and ESP.

---

Decision checklist

Caution

If a device is leaving the org, be GDPR compliant. Delete the device from Intune and use data destruction tools on the drives.

1. Do you need to keep the current user’s personal data?
   Yes → Retire/Delete (finished).
   No → continue.

2. Will the device ever re-enrol into Intune?
   No → Wipe (finished).
   Yes → continue.

3. Will the device stay inside your organization for the next user?
   Yes → Autopilot Reset or Wipe (finished).
   No → Delete and handle data destruction appropriately.

4. Clean-up
   For any destructive action that never appears to complete/hangs, delete the entry from Intune. It’s a known issue that the trust-relationship can be lost before the device informs intune of it’s completed state.

---

Summary

Data handling

• Intune Fresh Start: Removes all applications/software, while retaining user data device settings.
• Intune Wipe: Returns the device to factory settings with no data preservation¹
• Intune Retire: Removes company data and configurations but keeps personal data and applications intact. Intune installed Win32 apps aren’t uninstalled on unenrolled devices.
• Intune Delete: On windows, also triggers a retire action

¹ Does not 0 out the existing drives and is not a data security method.

Practical tips

• Ensure you double check each action meets your needs. Retire, Wipe, Delete and Autopilot Reset are destructive.
• Automate stale-device cleanup with Intune’s Delete devices that haven’t checked in rule and review regularly.
• Use Tenant Administration → Audit logs to see who triggered a destructive actions.

Further reading

• Microsoft Learn - Retire or wipe devices in Intune
• Microsoft Learn - Deleting devices from Microsoft Intune
• Microsoft Learn - Windows Autopilot Reset
• Microsoft Learn - Autopilot Known Issues