Cleaning up devices in Microsoft Intune ensures that you always have a fairly current list of devices. The problem is deciding how long a device should be inactive before it is automatically deleted, and whether that time frame should be the same for every device platform (Windows, iOS or Android, for example).
Currently, if you are using Microsoft Intune to manage devices in your organisation, you have two options to automatically cleanup your devices:
Option 1 - Device clean-up rules
You configure the device cleanup rules in the Intune admin center under Devices > Device clean-up rules. This allows you to set your Intune device cleanup rules to delete Intune MDM enrolled devices that appear inactive, stale, or unresponsive for a defined amount of time.
The problem with this setting is that there is no granularity. Ideally, you would be able to define rules within this setting, i.e. add exclusions on a per-user basis, and scope the rule by platform and/or other aspects of the device configuration. Currently, the setting is black or white for any device managed through Intune, so generally it is either not used, or set to a very high day count for safety.
Option 2 - PowerShell scripting
The alternative (and my preferred option currently) is PowerShell scripting. You can use PowerShell to define specific logic to delete a device based on your own rules, which are not yet available natively in the portal. The rule can be as simple or as complex as you make it; the fragment below is illustrative only, not a working script:
# $cutoff, $recentSignIn and $exclusions stand in for your own date threshold, Entra sign-in lookup and exclusion-group lookup
if ($device.LastSyncDateTime -lt $cutoff -and -not $recentSignIn -and $device.Id -notin $exclusions) {
    Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id
}
The problem with this approach is that you depend on the Graph API, you have to develop and maintain the script, and you incur any runtime charges for wherever the script is hosted.
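To make the scripted option concrete, the following is an added example (not the author's script) of what a report-first cleanup looks like when written against the Microsoft Graph PowerShell SDK. It applies a per-platform inactivity threshold, skips devices whose Entra device object or assigned user is a member of an exclusion group, treats a recent Entra sign-in by the assigned user as a second "still in use" signal, and only deletes when the -Delete switch is passed; by default it just writes a CSV of candidates. The threshold values, the exclusion group ID placeholder and the decision to check sign-ins at user level (rather than per device) are all assumptions you should adjust; the sign-in query also requires the tenant to have access to the Entra sign-in logs.

```powershell
# Added example, not the original post's code: report-first stale-device cleanup
# with per-platform thresholds and an exclusion group. Requires the Microsoft.Graph
# PowerShell SDK. Thresholds and the group ID are assumptions; adjust for your tenant.
param(
    [int]$WindowsDays = 90,
    [int]$MobileDays  = 60,                                   # iOS/iPadOS and Android
    [int]$MacDays     = 90,
    [int]$LinuxDays   = 120,
    [string]$ExclusionGroupId = '<exclusion-group-object-id>',  # placeholder, replace
    [switch]$Delete                                            # omitted = report only
)

Import-Module Microsoft.Graph.DeviceManagement
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -NoWelcome -Scopes 'DeviceManagementManagedDevices.ReadWrite.All',
                                   'GroupMember.Read.All', 'AuditLog.Read.All'

# Per-platform inactivity thresholds in days; unmatched OS strings fall back to the Windows value.
$thresholds = @{
    'Windows' = $WindowsDays; 'iOS'   = $MobileDays; 'iPadOS' = $MobileDays
    'Android' = $MobileDays;  'macOS' = $MacDays;    'Linux'  = $LinuxDays
}

# Exclusion set: object IDs of user members plus Entra deviceIds of device members of the group.
$excluded = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($m in Get-MgGroupMember -GroupId $ExclusionGroupId -All) {
    [void]$excluded.Add($m.Id)
    $entraDeviceId = $m.AdditionalProperties['deviceId']
    if ($entraDeviceId) { [void]$excluded.Add($entraDeviceId) }
}

$now = Get-Date
$candidates = foreach ($d in Get-MgDeviceManagementManagedDevice -All) {
    # Devices that have never synced are left for manual review rather than auto-deleted.
    if (-not $d.LastSyncDateTime) { continue }

    $days = $thresholds[$d.OperatingSystem]
    if (-not $days) { $days = $WindowsDays }
    $inactiveFor = ($now - $d.LastSyncDateTime).Days
    if ($inactiveFor -lt $days) { continue }

    # Exclusion by device (Entra device ID) or by assigned user (user object ID).
    if ($excluded.Contains($d.AzureAdDeviceId)) { continue }
    if ($d.UserId -and $excluded.Contains($d.UserId)) { continue }

    # Second signal: any Entra sign-in by the assigned user inside the window keeps the device.
    $since  = $now.AddDays(-$days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $recent = $null
    if ($d.UserPrincipalName) {
        $recent = Get-MgAuditLogSignIn -Top 1 -Filter "userPrincipalName eq '$($d.UserPrincipalName)' and createdDateTime ge $since"
    }
    if ($recent) { continue }

    [pscustomobject]@{
        Id = $d.Id; DeviceName = $d.DeviceName; OS = $d.OperatingSystem
        User = $d.UserPrincipalName; LastSync = $d.LastSyncDateTime; InactiveDays = $inactiveFor
    }
}

# Always leave an audit trail of what would be (or was) removed.
$report = ".\stale-devices-$($now.ToString('yyyyMMdd')).csv"
$candidates | Export-Csv -Path $report -NoTypeInformation
$candidates | Format-Table -AutoSize
Write-Host "$(@($candidates).Count) candidate device(s) written to $report"

if ($Delete) {
    foreach ($c in $candidates) {
        Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $c.Id -Confirm:$false
        Write-Host "Deleted $($c.DeviceName) ($($c.OS), last sync $($c.LastSync))"
    }
}
```

Run it without -Delete first and review the CSV; the exclusion group and the sign-in check are the safeguards the native rule lacks, and the report-only default means a threshold typo produces a spreadsheet rather than a mass deletion.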
Thankfully, in December 2024 improvements are being made to the device clean-up rules in Microsoft Intune to give admins the capability to target clean-up rules by platform type:
- Windows
- iOS/iPadOS
- macOS
- Android
- Linux
This will provide an additional level of flexibility, enabling administrators to add custom rules for device platforms that are likely to go extended periods without checking in to the Intune service, for example, POS devices at seasonal locations such as outdoor venues.
Unfortunately, it doesn’t solve all the problems I highlighted above. Administrators still need additional customisation features to add additional safeguards to devices being deleted such as exclusions based on users, devices, or protected attributes. To keep up to date on this feature change, check out Feature ID 397886 on the Microsoft 365 roadmap.