Retire Device from Intune Portal

Created by Aranjit Kuanr, Modified on Mon, 1 Jun, 2020 at 10:18 AM by Aranjit Kuanr

The Retire action removes managed app data (where applicable), settings, and email profiles that were assigned by using Intune. The device is removed from Intune management. This happens the next time the device checks in and receives the remote Retire action. The device still shows up in Intune until the device checks in. If you want to remove stale devices immediately.

Retire leaves the user's personal data on the device.

The following tables describe what data is removed, and the effect of the Retire action on data that remains on the device after company data is removed.

iOS

TABLE 3
| Data type | iOS |
| --- | --- |
| Company apps and associated data installed by Intune | Apps installed using Company Portal: For apps that are pinned to the management profile, all app data and the apps are removed. These apps include apps originally installed from App Store and later managed as company apps unless the app is configured to not be uninstalled on device removal. Microsoft apps that use mobile app management and were installed from App Store: For apps that are not managed by the Company Portal, company app data that's protected by Mobile Application Management (MAM) encryption within the app local storage is removed. Data that's protected by MAM encryption outside the app remains encrypted and unusable, but isn't removed. Personal app data and the apps are not removed. |
| Settings | Configurations that were set by Intune policy are no longer enforced. Users can change the settings. |
| Wi-Fi and VPN profile settings | Removed. |
| Certificate profile settings | Certificates are removed and revoked. |
| Management agent | The management profile is removed. |
| Email | Email profiles that are provisioned through Intune are removed. Cached email on the device is deleted. |
| Azure AD unjoin | The Azure AD record is removed. |

Android device administrator

TABLE 4
| Data type | Android | Android Samsung Knox Standard |
| --- | --- | --- |
| Web links | Removed. | Removed. |
| Unmanaged Google Play apps | Apps and data remain installed. Company app data that's protected by Mobile Application Management (MAM) encryption within the app local storage is removed. Data that's protected by MAM encryption outside the app remains encrypted and unusable, but isn't removed. | Apps and data remain installed. Company app data that's protected by Mobile Application Management (MAM) encryption within the app local storage is removed. Data that's protected by MAM encryption outside the app remains encrypted and unusable, but isn't removed. |
| Unmanaged line-of-business apps | Apps and data remain installed. | Apps are uninstalled and data that's local to the app is removed. No data that's outside the app (for example, on an SD card) is removed. |
| Managed Google Play apps | App data is removed. The app isn't removed. Data that's protected by Mobile Application Management (MAM) encryption outside the app (for example, an SD card) remains encrypted and unusable, but isn't removed. | App data is removed. The app isn't removed. Data that's protected by MAM encryption outside the app (for example, an SD card) remains encrypted, but isn't removed. |
| Managed line-of-business apps | App data is removed. The app isn't removed. Data that's protected by MAM encryption outside the app (for example, an SD card) remains encrypted and unusable, but isn't removed. | App data is removed. The app isn't removed. Data that's protected by MAM encryption outside the app (for example, an SD card) remains encrypted and unusable, but isn't removed. |
| Settings | Configurations that were set by Intune policy are no longer enforced. Users can change the settings. | Configurations that were set by Intune policy are no longer enforced. Users can change the settings. |
| Wi-Fi and VPN profile settings | Removed. | Removed. |
| Certificate profile settings | Certificates are revoked but not removed. | Certificates are removed and revoked. |
| Management agent | Device Administrator privilege is revoked. | Device Administrator privilege is revoked. |
| Email | N/A (Email profiles aren't supported by Android devices) | Email profiles that are provisioned through Intune are removed. Cached email on the device is deleted. |
| Azure AD unjoin | The Azure AD record is removed. | The Azure AD record is removed. |

Android Enterprise devices with a work profile

Removing company data from an Android work profile device removes all data, apps, and settings in the work profile on that device. The device is retired from management with Intune. Wipe is not supported for Android work profiles.

Android Enterprise dedicated devices

You can only wipe kiosk devices. You can't retire Android kiosk devices.

macOS

TABLE 5
| Data type | macOS |
| --- | --- |
| Settings | Configurations that were set by Intune policy are no longer enforced. Users can change the settings. |
| Wi-Fi and VPN profile settings | Removed. |
| Certificate profile settings | Certificates that were deployed through MDM are removed and revoked. |
| Management agent | The management profile is removed. |
| Outlook | If Conditional Access is enabled, the device doesn't receive new mail. |
| Azure AD unjoin | The Azure AD record is removed. |

Windows

TABLE 6
| Data type | Windows 8.1 (MDM) and Windows RT 8.1 | Windows RT | Windows Phone 8.1 and Windows Phone 8 | Windows 10 |
| --- | --- | --- | --- | --- |
| Company apps and associated data installed by Intune | Keys are revoked for files that are protected by EFS. The user can't open the files. | Company apps aren't removed. | Apps originally installed through the Company Portal are uninstalled. Company app data is removed. | Apps are uninstalled. Sideloading keys are removed. For Windows 10 version 1709 (Creators Update) and later, Microsoft 365 Apps aren't removed. Intune management extension installed Win32 apps will not be uninstalled on unenrolled devices. Admins can leverage assignment exclusion to not offer Win32 apps to BYOD Devices. |
| Settings | Configurations that were set by Intune policy are no longer enforced. Users can change the settings. | Configurations that were set by Intune policy are no longer enforced. Users can change the settings. | Configurations that were set by Intune policy are no longer enforced. Users can change the settings. | Configurations that were set by Intune policy are no longer enforced. Users can change the settings. |
| Wi-Fi and VPN profile settings | Removed. | Removed. | Not supported. | Removed. |
| Certificate profile settings | Certificates are removed and revoked. | Certificates are removed and revoked. | Not supported. | Certificates are removed and revoked. |
| Email | Removes email that's EFS-enabled. This includes emails and attachments in the Mail app for Windows. | Not supported. | Email profiles that are provisioned through Intune are removed. Cached email on the device is deleted. | Removes email that's EFS-enabled. This includes emails and attachments in the Mail app for Windows. Removes mail accounts that were provisioned by Intune. |
| Azure AD unjoin | No. | No. | The Azure AD record is removed. | The Azure AD record is removed. |

Note:

For Windows 10 devices that join Azure AD during initial Setup (OOBE), the retire command will remove all Azure AD accounts from the device. 

Retire

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. In the Devices pane, select All devices.
  3. Select the name of the device that you want to retire.
  4. In the pane that shows the device name, select Retire. To confirm, select Yes.

If the device is on and connected, the Retire action propagates across all device types in less than 15 minutes.
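
The same Retire action can be issued through the Microsoft Graph managedDevices retire endpoint. The script below is an added example, not part of the original article: it looks the device up by name, warns when the last check-in is old (company data stays on the device until it checks in), and asks for confirmation before retiring. It assumes the Microsoft.Graph.Authentication module is installed; the script name, the DeviceName parameter and the 30-day threshold are illustrative assumptions.

```powershell
# Retire-IntuneDevice.ps1 (hypothetical name) - added example, not from the original article.
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory)] [string] $DeviceName,
    [int] $StaleAfterDays = 30   # assumption: beyond this, treat check-in as unlikely soon
)

# Read scope for the lookup, privileged-operations scope for the retire action itself.
Connect-MgGraph -Scopes @(
    'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementManagedDevices.PrivilegedOperations.All'
) | Out-Null

$base   = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'
$filter = [uri]::EscapeDataString("deviceName eq '$($DeviceName.Replace("'", "''"))'")
$uri    = $base + '?$filter=' + $filter +
          '&$select=id,deviceName,operatingSystem,managementState,lastSyncDateTime'

# Device names are not unique in Intune, so refuse to act on an ambiguous match.
$found = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value | Where-Object { $_ })
if ($found.Count -ne 1) {
    throw "Expected exactly one device named '$DeviceName', found $($found.Count)."
}
$device = $found[0]

# Retire only takes effect at the next check-in; flag devices that have gone quiet.
$lastSync = ([datetime]$device.lastSyncDateTime).ToUniversalTime()
$idleDays = [int]((Get-Date).ToUniversalTime() - $lastSync).TotalDays
if ($idleDays -gt $StaleAfterDays) {
    Write-Warning "Last check-in was $idleDays days ago; company data remains until the device checks in."
}

if ($PSCmdlet.ShouldProcess("$($device.deviceName) ($($device.operatingSystem))", 'Retire')) {
    # POST .../managedDevices/{id}/retire takes no request body.
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($device.id)/retire" | Out-Null

    # Re-read the record: the state stays pending (for example retirePending) until check-in.
    $after = Invoke-MgGraphRequest -Method GET -Uri ("$base/$($device.id)" + '?$select=managementState')
    [pscustomobject]@{
        DeviceName      = $device.deviceName
        OperatingSystem = $device.operatingSystem
        LastSyncUtc     = $lastSync
        ManagementState = $after.managementState
    }
}
```

Run it with -WhatIf first to see which device would be retired without sending the action.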
