In this post, I will show you how to configure device clean-up rules in Intune. Device cleanup rules in Microsoft Intune automatically hide devices that have not checked in for a set number of days. Hidden devices are removed from the Intune views and reports. Devices can reappear if they check in again before their device certificate expires. With the Intune service release 2507, you can now create device cleanup rules per platform, such as Windows, Android, and iOS. For more information, refer to the Microsoft Learn page: Automatically Hide Devices With Cleanup Rules – Microsoft Intune | Microsoft Learn.
Device cleanup rules do not take any device action such as wipe or retire; they only hide the device from the Intune portal and reports. The device is not removed from Entra ID. If a device does not check in before its device certificate expires, you will have to re-enroll that device. Device cleanup rules do not work on Jamf-managed devices.
Prerequisites
- Intune service administrator or a custom Intune role with permissions Managed Device Cleanup Rules/Update and Managed Device Cleanup Settings/Update.
Device Clean-up Rules Platform Support
You can create device cleanup rules per platform. If you create a rule, it applies tenant-wide for the selected platform. You cannot create more than one rule per platform. While creating a device cleanup rule in the Intune admin center, you can select either All Platforms or any of the platforms below:
- Android (AOSP)
- Android (fully managed/dedicated/corporate-owned work profile)
- Android (device administrator)
- Android (personally-owned work profile)
- Chrome OS (preview)
- iOS/iPadOS
- macOS
- Windows
- Windows Holographic
- visionOS
- tvOS
Recommendations
- One of the most important decision points is setting the value for Remove devices that haven’t checked in for this many days. You can specify a value between 30 and 270 days, depending on your business requirements. Setting it too low, such as 30 days, may hide devices belonging to users who are on vacation or business trips. Setting it too high, such as 270 days, may result in numerous stale devices that are visible in the Intune portal and reports.
- As already mentioned, device cleanup rules do not remove Entra device objects. Therefore, if a device is stale and is never going to be used again, you can delete its Entra device object as well. Refer to the Microsoft Learn page on managing stale device objects in Microsoft Entra ID: How to manage stale devices in Microsoft Entra ID – Microsoft Entra ID | Microsoft Learn.
- Prepare a step-by-step re-enrollment plan for devices whose management certificate has expired if you want those devices to appear in Intune again.
- Decide whether the Remove devices that haven’t checked in for this many days value should be the same or different for each platform. It’s best to start with a higher value and adjust it later based on device activity and organizational requirements.
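To support the threshold and Entra clean-up decisions above, the following read-only script is an added example, not part of the original post. It assumes the Microsoft Graph PowerShell SDK is installed and that the managed device's `lastSyncDateTime` reflects the last check-in; the threshold of 90 days, the `Windows` platform value, and the output file name are illustrative.

```powershell
# Added example (not from the original post). Read-only: nothing is hidden or deleted.
# Assumed values: adjust the threshold, platform and output path for your tenant.
$ThresholdDays = 90          # candidate value within the rule's 30-270 day range
$Platform      = 'Windows'   # matched against the managed device's operatingSystem
$OutFile       = '.\stale-device-review.csv'

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'Device.Read.All'

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$ThresholdDays)

# Intune devices on the platform whose last check-in is older than the cutoff.
$stale = Get-MgDeviceManagementManagedDevice -All | Where-Object {
    $_.OperatingSystem -eq $Platform -and
    $_.LastSyncDateTime -and
    $_.LastSyncDateTime.ToUniversalTime() -lt $cutoff
}

$report = foreach ($d in $stale) {
    # The cleanup rule leaves the Entra device object in place, so look it up
    # by device ID to see whether it is still enabled and when it last signed in.
    $entra = $null
    if ($d.AzureAdDeviceId -and $d.AzureAdDeviceId -ne [guid]::Empty.ToString()) {
        $entra = Get-MgDevice -Filter "deviceId eq '$($d.AzureAdDeviceId)'" -ErrorAction SilentlyContinue
    }
    $lastSync = $d.LastSyncDateTime.ToUniversalTime()
    [pscustomobject]@{
        DeviceName       = $d.DeviceName
        LastCheckInUtc   = $lastSync
        DaysSinceCheckIn = [int][math]::Floor(($now - $lastSync).TotalDays)
        # Past this date the device must be re-enrolled to reappear in Intune.
        MgmtCertExpiry   = $d.ManagementCertificateExpirationDate
        EntraObjectId    = $entra.Id
        EntraEnabled     = $entra.AccountEnabled
        EntraLastSignIn  = $entra.ApproximateLastSignInDateTime
    }
}

$report | Sort-Object DaysSinceCheckIn -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation
"{0} {1} devices exceed {2} days without check-in" -f @($report).Count, $Platform, $ThresholdDays
```

Running it with a few different `$ThresholdDays` values shows how many devices each setting would affect before you commit to one in the rule.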
Create a Device Clean-up Rule in Intune
Follow the steps below to create a device cleanup rule in Intune. In this example, I will create a rule for Windows devices and configure it to remove only those devices that haven’t checked in for a specified number of days. You can use the same steps to create cleanup rules for individual platforms, or choose All platforms to apply the rule universally.
- Sign in to the Intune admin center > Devices > Device clean-up rules > + Create.
- Basics tab: Provide a name and description and select the platform for which you want to create this rule. Click Next.

- Under the Rule settings tab, enter the value for Remove devices that haven’t checked in for this many days, which can be between 30 and 270 days. After entering the number of days, click on Preview affected devices to list the devices that will be affected by this rule. You can export the list of affected devices for future reference and troubleshooting by clicking on the Export option.

- Click on Create to create the device clean-up rule.

Administrator Experience
The device cleanup rule runs every 24 hours by default to check for devices that have not checked in within the number of days specified in the rule. If a device meets this condition, it will be removed. To verify this, go to Tenant administration > Audit logs. Under the Activity name column, look for entries such as Device set to be removed from Intune reports by Device Cleanup Rule Windows device clean-up rule. This means that these devices were targeted and removed by the device cleanup rule in place.

