Intune Cleanup Rules – The wonderful demystification

In today's post we will discuss Intune device cleanup rules. One of Intune's lesser-known but incredibly useful features is the Cleanup Rules functionality. These rules act as the unsung heroes of device management, quietly maintaining the cleanliness and efficiency of your Intune environment. In this article, we'll demystify Intune Cleanup Rules, exploring how they work, why they're crucial, and how to leverage them effectively to streamline your device management processes.

What are Intune Clean-up rules?

Intune cleanup rules are a powerful feature designed to automatically remove inactive and stale device records from your Intune environment. As an Intune Administrator, maintaining a clean and accurate device inventory is crucial for effective management and reporting. These rules help address the challenges posed by test devices, workforce changes, and users purchasing new devices, all of which can lead to an inflated and inaccurate device count.

The “Device clean-up rules” feature in Intune provides administrators with the ability to configure automatic cleanup for devices that are:

  1. Inactive
  2. Orphaned
  3. Have not checked in recently

This automated process allows administrators to set a threshold between 30 and 270 days, after which inactive device records are automatically removed from Intune.

Configuring Cleanup Rules

To set up device cleanup rules in your Intune environment:

  1. Navigate to the Devices blade in the Intune Portal.
  2. Click on Device clean-up rules.
  3. Enable the cleanup rule.
  4. Set the number of days (between 30 and 270) after which inactive devices should be deleted.

A best practice is to set the device cleanup days to 180; in any case, configure it based on your business requirements.

Behind the Scenes: How Cleanup Rules Work

Once the rule is enabled, Intune services run a background job every few hours. This job identifies and removes all applicable devices from the Intune portal based on the configured inactivity threshold. It’s important to note that:

  • Removed devices will no longer appear in any Intune blade or device list.
  • The removal is specific to the Intune portal; devices are not automatically removed from Entra ID.
  • Entra ID tenant administrators must perform a separate cleanup task in the Azure AD portal to permanently remove stale records.

Scope of Device Cleanup Rules

Device cleanup rules are comprehensive in their coverage, applying to a wide range of device types:

  • Android
  • iOS
  • Windows
  • macOS
  • Linux

Important Considerations

  1. Non-destructive Removal: The cleanup rule does not perform device wipe or retire actions. It simply removes orphaned devices from the Intune portal that haven’t checked in for the specified period.
  2. Potential Device Recovery: In some scenarios, devices removed by the cleanup rule can reappear in the Intune portal. This auto-recovery feature is designed to accommodate devices owned by employees who have taken extended leaves (e.g., vacations, sabbaticals, maternity leaves). Devices can be auto-recovered if they successfully check in to the Intune service within 180 days of removal, provided the Intune device certificate hasn’t expired.
  3. Soft Delete: Intune performs a soft delete of inactive device records, preserving them at the backend for a certain period to enable auto-recovery.
  4. No Impact on Azure AD: The cleanup rule only affects the Intune portal. Devices are not automatically removed from Azure AD.
  5. Re-enrollment Requirement: Devices deleted by the cleanup rule must go through a re-enrollment process to reappear in the Intune console.
  6. BitLocker Consideration: The device cleanup rule doesn’t trigger a BitLocker suspension when BitLocker encryption is managed by Intune. Administrators need to create a separate BitLocker profile for this purpose.
  7. Jamf-managed Devices: Device cleanup rules are not available for Jamf-managed devices.
  8. Permission Requirement: To update device cleanup rules, administrators need the “Managed Device Cleanup Rules” Update permission set to “Yes” within Intune Roles.

Wait what? Auto-recovery feature?

As mentioned above already, devices removed by the cleanup rule can reappear in the Intune portal if the device checks in successfully to the Intune service within 180 days of removal, provided the Intune device certificate hasn't expired. But what is the device certificate mentioned here? To find out, check my post about the MDM certificate.

If a device communicates with the Intune service after its MDM certificate has been deleted or has expired, and that communication happens within 180 days of removal, the device will automatically renew the certificate and the Intune record will reappear.

From my experience 25-30 minutes are required for the Intune record to show up again in Intune Portal.
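To see what a given threshold would actually remove before enabling the rule, and whether a removed device still falls inside the auto-recovery window described above, here is an added dry-run example (my own illustration, not code from Intune or this post). It encodes the 30–270 day threshold range and the 180-day recovery condition from the considerations above; the device inventory is constructed sample data and the `lastSyncDateTime` field simply borrows the name of the Graph managedDevice property.

```python
from datetime import datetime, timedelta, timezone

MIN_DAYS, MAX_DAYS = 30, 270      # range the Device clean-up rules blade accepts
RECOVERY_WINDOW_DAYS = 180        # soft-deleted records can auto-recover within this window

# Fixed "now" so the example is deterministic
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample inventory (not real devices)
SAMPLE_DEVICES = [
    {"deviceName": "LAPTOP-01",     "lastSyncDateTime": NOW - timedelta(days=3)},
    {"deviceName": "TEST-VM-07",    "lastSyncDateTime": NOW - timedelta(days=200)},
    {"deviceName": "SABBATICAL-PC", "lastSyncDateTime": NOW - timedelta(days=95)},
    {"deviceName": "OLD-PHONE",     "lastSyncDateTime": NOW - timedelta(days=400)},
]


def validate_threshold(days):
    """Reject values the portal would not accept (outside 30..270 days)."""
    if not MIN_DAYS <= days <= MAX_DAYS:
        raise ValueError(f"threshold must be between {MIN_DAYS} and {MAX_DAYS} days, got {days}")
    return days


def stale_devices(devices, threshold_days, now=NOW):
    """Names of devices whose last check-in is older than the threshold, i.e. what the job would remove."""
    validate_threshold(threshold_days)
    cutoff = now - timedelta(days=threshold_days)
    return sorted(d["deviceName"] for d in devices if d["lastSyncDateTime"] < cutoff)


def can_auto_recover(removed_at, checkin_at, cert_expires_at):
    """A removed record reappears only if the device checks in within 180 days
    of removal and its Intune (MDM) device certificate has not yet expired."""
    within_window = checkin_at <= removed_at + timedelta(days=RECOVERY_WINDOW_DAYS)
    cert_valid = checkin_at < cert_expires_at
    return within_window and cert_valid


if __name__ == "__main__":
    for threshold in (90, 180):
        print(f"threshold {threshold} days would remove: {stale_devices(SAMPLE_DEVICES, threshold)}")
    # A device on a 100-day leave with a certificate valid for another year recovers
    print("recovers:", can_auto_recover(NOW, NOW + timedelta(days=100), NOW + timedelta(days=365)))
```

Running the dry-run at 90 days shows the sabbatical machine would be swept up, which is the kind of result that argues for the longer 180-day setting.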
