Retire Device from Intune Portal

Created by Aranjit Kuanr, Modified on Mon, 1 Jun, 2020 at 10:18 AM by Aranjit Kuanr

The Retire action removes managed app data (where applicable), settings, and email profiles that were assigned by using Intune. The device is removed from Intune management. This happens the next time the device checks in and receives the remote Retire action. The device still shows up in Intune until the device checks in. If you want to remove stale devices immediately.

Retire leaves the user's personal data on the device.

The following tables describe what data is removed, and the effect of the Retire action on data that remains on the device after company data is removed.

iOS

TABLE 3
Data type	iOS
Company apps and associated data installed by Intune	Apps installed using Company Portal: For apps that are pinned to the management profile, all app data and the apps are removed. These apps include apps originally installed from App Store and later managed as company apps unless the app is configured to not be uninstalled on device removal. Microsoft apps that use mobile app management and were installed from App Store: For apps that are not managed by the Company Portal, company app data that's protected by Mobile Application Management (MAM) encryption within the app local storage is removed. Data that's protected by MAM encryption outside the app remains encrypted and unusable, but isn't removed. Personal app data and the apps are not removed.
Settings	Configurations that were set by Intune policy are no longer enforced. Users can change the settings.
Wi-Fi and VPN profile settings	Removed.
Certificate profile settings	Certificates are removed and revoked.
Management agent	The management profile is removed.
Email	Email profiles that are provisioned through Intune are removed. Cached email on the device is deleted.
Azure AD unjoin	The Azure AD record is removed.

Android device administrator

TABLE 4
Data type	Android	Android Samsung Knox Standard
Web links	Removed.	Removed.
Unmanaged Google Play apps	Apps and data remain installed. Company app data that's protected by Mobile Application Management (MAM) encryption within the app local storage is removed. Data that's protected by MAM encryption outside the app remains encrypted and unusable, but isn't removed.	Apps and data remain installed. Company app data that's protected by Mobile Application Management (MAM) encryption within the app local storage is removed. Data that's protected by MAM encryption outside the app remains encrypted and unusable, but isn't removed.
Unmanaged line-of-business apps	Apps and data remain installed.	Apps are uninstalled and data that's local to the app is removed. No data that's outside the app (for example, on an SD card) is removed.
Managed Google Play apps	App data is removed. The app isn't removed. Data that's protected by Mobile Application Management (MAM) encryption outside the app (for example, an SD card) remains encrypted and unusable, but isn't removed.	App data is removed. The app isn't removed. Data that's protected by MAM encryption outside the app (for example, an SD card) remains encrypted, but isn't removed.
Managed line-of-business apps	App data is removed. The app isn't removed. Data that's protected by MAM encryption outside the app (for example, an SD card) remains encrypted and unusable, but isn't removed.	App data is removed. The app isn't removed. Data that's protected by MAM encryption outside the app (for example, an SD card) remains encrypted and unusable, but isn't removed.
Settings	Configurations that were set by Intune policy are no longer enforced. Users can change the settings.	Configurations that were set by Intune policy are no longer enforced. Users can change the settings.
Wi-Fi and VPN profile settings	Removed.	Removed.
Certificate profile settings	Certificates are revoked but not removed.	Certificates are removed and revoked.
Management agent	Device Administrator privilege is revoked.	Device Administrator privilege is revoked.
Email	N/A (Email profiles aren't supported by Android devices)	Email profiles that are provisioned through Intune are removed. Cached email on the device is deleted.
Azure AD unjoin	The Azure AD record is removed.	The Azure AD record is removed.

Android Enterprise devices with a work profile

Removing company data from an Android work profile device removes all data, apps, and settings in the work profile on that device. The device is retired from management with Intune. Wipe is not supported for Android work profiles.

Android Enterprise dedicated devices

You can only wipe kiosk devices. You can't retire Android kiosk devices.

macOS

TABLE 5
Data type	macOS
Settings	Configurations that were set by Intune policy are no longer enforced. Users can change the settings.
Wi-Fi and VPN profile settings	Removed.
Certificate profile settings	Certificates that were deployed through MDM are removed and revoked.
Management agent	The management profile is removed.
Outlook	If Conditional Access is enabled, the device doesn't receive new mail.
Azure AD unjoin	The Azure AD record is removed.

Windows

TABLE 6
Data type	Windows 8.1 (MDM) and Windows RT 8.1	Windows RT	Windows Phone 8.1 and Windows Phone 8	Windows 10
Company apps and associated data installed by Intune	Keys are revoked for files that are protected by EFS. The user can't open the files.	Company apps aren't removed.	Apps originally installed through the Company Portal are uninstalled. Company app data is removed.	Apps are uninstalled. Sideloading keys are removed. For Windows 10 version 1709 (Creators Update) and later, Microsoft 365 Apps aren't removed. Intune management extension installed Win32 apps will not be uninstalled on unenrolled devices. Admins can leverage assignment exclusion to not offer Win32 apps to BYOD Devices.
Settings	Configurations that were set by Intune policy are no longer enforced. Users can change the settings.	Configurations that were set by Intune policy are no longer enforced. Users can change the settings.	Configurations that were set by Intune policy are no longer enforced. Users can change the settings.	Configurations that were set by Intune policy are no longer enforced. Users can change the settings.
Wi-Fi and VPN profile settings	Removed.	Removed.	Not supported.	Removed.
Certificate profile settings	Certificates are removed and revoked.	Certificates are removed and revoked.	Not supported.	Certificates are removed and revoked.
Email	Removes email that's EFS-enabled. This includes emails and attachments in the Mail app for Windows.	Not supported.	Email profiles that are provisioned through Intune are removed. Cached email on the device is deleted.	Removes email that's EFS-enabled. This includes emails and attachments in the Mail app for Windows. Removes mail accounts that were provisioned by Intune.
Azure AD unjoin	No.	No.	The Azure AD record is removed.	The Azure AD record is removed.

Note:

For Windows 10 devices that join Azure AD during initial Setup (OOBE), the retire command will remove all Azure AD accounts from the device.

Retire

1. Sign in to the Microsoft Endpoint Manager admin center.
2. In the Devices pane, select All devices.
3. Select the name of the device that you want to retire.
4. In the pane that shows the device name, select Retire. To confirm, select Yes.

If the device is on and connected, the Retire action propagates across all device types in less than 15 minutes.