It is best practice to remove user profiles from Windows 10/11 devices that are no longer in use. This not only frees up space on the device, but is also beneficial from a security standpoint: a stale profile is a local copy of that user's data and cached credentials that nobody is watching. This is particularly useful for devices shared by multiple users, where the likelihood of stale user profiles is higher.
You can perform this task manually by logging onto each device, checking the profile date/time stamp, and deleting outdated profiles. However, this approach is feasible only when dealing with a few devices.
When you need to delete stale user profiles from hundreds of devices, automated solutions like PowerShell or Intune are more effective.
If your organization uses Intune to manage Windows devices, you can create a device configuration profile to configure and assign a policy that removes old user profiles that haven’t been used for a specified number of days.
Intune Policy to Delete Old Windows User Profiles
- Sign in to Intune admin center > Devices > Windows > Configuration > Create > New Policy.
- Platform: Windows 10 and later
- Profile type: Settings catalog
- Click Create to begin with the creation of the device configuration profile.
- On the Basics tab, provide a Name and Description of the policy and click Next.
- On the Configuration settings tab, click + Add settings and use the Settings picker to search for "delete user profiles", then select Delete user profiles older than a specified number of days on system restart.
- Delete user profiles older than a specified number of days on system restart: Use the toggle switch to enable this setting.
- Delete user profiles older than (days) (Device): Provide a value as per your business requirement. As you can see from the screenshot below, I have provided a value of 90, which means that any user profile not used in the last 90 days will be automatically removed.
- On the Scope tags tab, click Next.
- On the Assignments tab, click Add groups and select an Entra security group containing the Windows 10/11 devices.
- On the Review + create tab, click Create to create the device configuration profile.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
End User Experience
All user profiles are located in the C:\Users directory. After you assign this device configuration profile to Windows devices, any user profile older than the specified number of days will be automatically removed on the next system restart.
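Before assigning the policy, it helps to see which profiles a given threshold would hit. The following PowerShell script is an added example, not part of the original post or of Intune; it reads Win32_UserProfile, lists profiles whose LastUseTime is older than the chosen number of days, skips special and currently loaded profiles, and only removes anything when run with -Remove. It assumes an elevated local session, and LastUseTime is an approximation of the aging the policy applies, so treat the list as an audit rather than an exact prediction.

```powershell
# Audit (and optionally remove) local user profiles unused for more than $Days days.
# Added example: run elevated; removal happens only with -Remove, and -WhatIf is honoured.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$Days = 90,                # match the value configured in the Intune policy
    [string[]]$ExcludeUsers = @(),  # account names to keep, e.g. the device's primary user
    [switch]$Remove
)

$cutoff = (Get-Date).AddDays(-$Days)

# Special (system/service) profiles and any profile currently loaded are never candidates.
$profiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and -not $_.Loaded }

$stale = foreach ($p in $profiles) {
    # Resolve the SID to an account name; orphaned SIDs (deleted accounts) stay as the SID.
    try {
        $sid     = [System.Security.Principal.SecurityIdentifier]$p.SID
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $p.SID
    }
    if ($ExcludeUsers -contains ($account -split '\\')[-1]) { continue }

    if ($p.LastUseTime -and $p.LastUseTime -lt $cutoff) {
        [pscustomobject]@{
            Account     = $account
            Path        = $p.LocalPath
            LastUseTime = $p.LastUseTime
            Profile     = $p
        }
    }
}

$stale | Select-Object Account, Path, LastUseTime | Format-Table -AutoSize

if ($Remove) {
    foreach ($s in $stale) {
        if ($PSCmdlet.ShouldProcess($s.Path, 'Remove user profile')) {
            # Remove-CimInstance on Win32_UserProfile deletes the profile directory and its
            # ProfileList registry entry, rather than just the folder under C:\Users.
            $s.Profile | Remove-CimInstance
        }
    }
}
```

Run it without switches to get the audit list, then with `-Remove -WhatIf` to confirm what would be deleted before committing.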
Do you know of a way to exclude a device’s Primary User from having their profile deleted? I’m thinking of a person who’s on extended leave and doesn’t sign into their assigned device for longer than the number of days specified.
Hi John, as of now, I do not see any exclusions for a particular user account in the policy setting. A simple automated solution for this could be as follows:
1. Update a field or add a user attribute in Entra ID to reflect that the user is on extended leave.
2. Create a dynamic Entra security group based on that user attribute to group all users who are on extended leave.
3. In the Intune deployment, exclude this group. This will ensure the auto-deletion policy is not applied to the user's devices.
Once the user is back from extended leave, clear that Entra ID attribute. The user will be automatically removed from the dynamic group and the auto-delete policy will apply again.