It is best practice to remove user profiles that are no longer in use from Windows 10/11 devices. This not only frees up space on the device, but is also beneficial from a security standpoint. This is particularly useful for devices shared by multiple users, where the likelihood of stale user profiles is higher.
You can perform this task manually by logging onto each device, checking the profile date/time stamp, and deleting outdated profiles. However, this approach is feasible only when dealing with a few devices.
When you need to delete stale user profiles from hundreds of devices, automated solutions like PowerShell or Intune are more effective.
If your organization uses Intune to manage Windows devices, you can create a device configuration profile to configure and assign a policy that removes old user profiles that haven’t been used for a specified number of days.
Intune Policy to Delete Old Windows User Profiles
- Sign in to Intune admin center > Devices > Windows > Configuration > Create > New Policy.
- Platform: Windows 10 and later
- Profile type: Settings catalog
- Click Create to begin with the creation of the device configuration profile.
- On the Basics tab, provide a Name and Description of the policy and click Next.
- On Configuration settings tab, click on + Add settings and use the Settings picker to search for delete user profiles and select Delete user profiles older than a specified number of days on system restart.
- Delete user profiles older than a specified number of days on system restart: Use the toggle switch to enable this setting.
- Delete user profiles older than (days) (Device): Provide a value as per your business requirement. In this example, I have provided a value of 90, which means that any user profile that has not been used in the last 90 days will be automatically removed.
- On Scope tags tab, click Next.
- On Assignments tab, click Add groups to select an Entra security group containing Windows 10/11 devices.
- Click Create on Review + create tab to create the Device configuration profile.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
End User Experience
All user profiles are located in the C:\Users directory. After you assign this device configuration profile to Windows devices, any user profiles older than the specified number of days will be automatically removed.
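To preview which profiles on a device would exceed the threshold before the policy is assigned, a read-only report like the following can be run locally in an elevated PowerShell session. This is an added example, not part of the original article; the function name Get-StaleUserProfile is hypothetical, and it assumes the LastUseTime property of Win32_UserProfile approximates the age the policy evaluates, which may not match exactly.

```powershell
# Added example: read-only report of local profiles older than a threshold.
# Get-StaleUserProfile is a hypothetical helper name; nothing is deleted.
function Get-StaleUserProfile {
    [CmdletBinding()]
    param(
        # Same value as "Delete user profiles older than (days)" in the policy.
        [ValidateRange(1, 3650)]
        [int]$Days = 90
    )

    $now = Get-Date

    # Skip profiles flagged Special (owned by system services).
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special } |
        ForEach-Object {
            # Resolve the SID to an account name; deleted accounts fail to translate.
            $account = try {
                ([System.Security.Principal.SecurityIdentifier]$_.SID).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                '<unresolved>'
            }

            # LastUseTime can be empty for profiles that were never fully loaded.
            $age = if ($_.LastUseTime) {
                [int][math]::Floor(($now - $_.LastUseTime).TotalDays)
            } else {
                $null
            }

            [pscustomobject]@{
                Account     = $account
                SID         = $_.SID
                LocalPath   = $_.LocalPath
                LastUseTime = $_.LastUseTime
                AgeDays     = $age
                Loaded      = $_.Loaded
                # Assumption: LastUseTime approximates the age the policy evaluates.
                # A loaded profile is in use right now, so it is never reported as stale.
                Stale       = ($null -ne $age) -and ($age -ge $Days) -and (-not $_.Loaded)
            }
        }
}

Get-StaleUserProfile -Days 90 |
    Sort-Object AgeDays -Descending |
    Format-Table Account, LocalPath, LastUseTime, AgeDays, Loaded, Stale -AutoSize
```

Rows showing `<unresolved>` belong to accounts that no longer resolve on the device or in the directory, which are worth reviewing separately from the age-based cleanup.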