
To Retire, To Reset or Not to Wipe.


In this blog, I’ll discuss the methods for ensuring that no company data or apps remain on users’ devices when they exit the company, focusing on options like Wipe, Retire, or a selective wipe.

Additionally, I’ll clarify the outcomes of performing actions such as Wipe, Autopilot Reset, or Fresh Start on Windows 10/11 devices, addressing some common misconceptions.

Choosing the right approach depends on the type of enrollment—whether the devices are personally owned or corporate-owned. For example, wiping a personally owned device may not be well-received by the employee.

1. Wipe:

As I told you at the beginning of this blog, I will show you the options you have to remote wipe a device. To do so, I need to break down the Wipe options into two parts. I also need to show you what happens with Windows and mobile devices when you perform a remote wipe.

Windows Devices

When you need to remote wipe a Windows Device in Intune, you have multiple options. You can choose to Retain the enrollment state and the user account or wipe it all (Not-Retain)!

“Retain Data”

Wipe options in intune and the option to retain the enrollment state and user account

But what will be Retained after you have “checked” the option: “wipe the device, but keep enrollment state and associated user account“? Let’s take a look at which data is retained during the wipe.

Now that we know what will be retained, let’s take a look at what isn’t retained when you have checked “wipe the device, but keep enrollment state and associated user account”.

Even though Microsoft says that user files are not retained, the data in your user profile will not be deleted or wiped!!! For example, if you have some data in OneDrive that has not yet been uploaded, it is safe; it will not be deleted!

As shown above, here is an example from a device that received a remote wipe with the option to keep the enrollment. OneDrive data is not removed!

“Not Retain Data”

But what happens when we DON’T select anything and DON’T select the option to retain enrollment and user data and perform a remote wipe on a Windows device?

Please Note: In the meantime, Microsoft fixed the Windows.old issue when performing a remote wipe!

I dedicated a separate blog to the remote wipe that left data on the device, as it was becoming way too large to tell the whole story in this blog. So please read it here!

In short, please beware that when we performed a remote wipe in the past on a BitLocker-configured Windows 11 device, your user data was moved to the Windows.old folder, but it was still readable after the wipe! Again, Microsoft fixed the issue, so there is nothing to worry about!

Mobile Devices

Android

Luckily, personally owned Android devices with a work profile can’t be wiped. Google doesn’t allow factory resetting personally owned work profile devices from the MDM provider.

When you want the option to wipe the device, you must configure corporate-owned Android devices with a work profile.

iOS

But if you look at a personally enrolled iOS device, you will notice you can wipe it! It’s not greyed out, right?

The default enrollment is device-based instead of user-based. User-based enrollment (UBE) is way better for personal devices because it removes the option to wipe the device. UBE restricts Intune’s permissions when managing the device.

But every advantage has its disadvantages. You will need to set up Apple Business Manager and provide a DUNS number before you can use the user enrollment option. That’s a shame because it can take some time before you receive the DUNS number and configure ABM.

So what happens when you wipe an iOS mobile device?

When choosing the wipe option on an iOS mobile device, you will restore the factory defaults of the device, which removes all personal and company data. This option is intended to be used on corporate-owned devices only. Like I told you earlier, you don’t want to wipe personally owned devices.

Of course, you could block the possibility of enrolling personally owned devices to ensure only corporate-owned devices could be enrolled. I know there could be many good reasons why you would only allow corporate devices, but in my opinion, when app protection is configured properly, there is no reason to block personally owned devices.

2. Retire

When you have personally owned mobile devices, this “retire” option could be one of the best options.

retire a device in Intune

It removes managed application data (where applicable), settings, and email profiles that were assigned by Intune. This ensures that the user’s personal data remains untouched!

iOS:

When you choose to retire an iOS device, this is what will happen:

Apps installed using Company Portal: Apps that are pinned to the management profile, all app data, and the apps are removed. These apps include apps originally installed from the App Store and later managed as company apps unless the app is configured to not be uninstalled on device removal.

Microsoft apps that use App Protection Policies and were installed from App Store: When a Retire action is initiated against an enrolled device, Intune also initiates a selective wipe for apps (including those installed from the App Store) that have work or school account data protected by an app protection policy. The next time the app launches, the selective wipe removes the protected work or school account data. For the selective wipe to occur, an App Protection Policy check-in must occur between the MDM enrollment and retire events. Personal app data and the apps are not removed after a selective wipe.

Android:

When you choose to retire an Android enterprise personally owned device with a work profile, this is what will happen:

It will remove all the data, apps, and settings in the work profile on the personally owned Android device, and it removes the work profile itself from the device.

Like with iOS, retiring an Android device will keep personal data intact.

3. Selective wipe

If you only want to remove the company data from the device (a selective wipe) and not the apps, this is the option you need. You don’t want to remove all the apps when the device is employee-owned. Maybe the employee configured his personal Outlook account and doesn’t want to see that removed?

The only requirement to perform a selective wipe on iOS and Android is that you have app protection policies configured. Without these policies, a selective wipe will not be possible. How do you perform a selective wipe?

Performing an App selective wipe in Intune

Please note:

The wipe may take up to 30 minutes, and the user must open the app for the wipe to take place.

You can monitor a retire or wipe action in the Microsoft Endpoint Manager admin center audit logs.

4. App protection Disabled Account Wipe

I dedicated a separate blog to what happens with app protection and a disabled account. Please read my short blog about it below:

App protection and a disabled Account – Call4Cloud

5. Autopilot Reset

Another option we need to discuss is the possibility of performing an Autopilot Reset on a Windows device to ensure it is reverted to a business-ready state. When the reset is complete, the user is allowed to sign in again.

Windows Autopilot Reset:

  • Removes personal files, apps, and settings.
  • Reapplies a device’s original settings.
  • Keeps the Azure AD join connection.
  • Maintains the device’s identity connection to Azure AD.
  • Maintains the device’s management connection to Intune.

Autopilot Reset only removes the user profile. It doesn’t perform a true wipe of the whole drive like a “wipe” would do.

So what happens when we press the Autopilot Reset button?

performing an Autopilot Reset

Please make sure that when you are using the Windows Autopilot Reset function, you have enabled WinRE (the Windows Recovery Environment); otherwise, you will end up with a nice error: 0x80070032

When you are using the Autopilot Reset option, it will also maintain the keyboard, region, language, and Wi-Fi settings.

Please Note: If an enrollment status page wasn’t configured for this device during initial device enrollment, the device will go straight to the desktop after sign-in. So please make sure you have configured the enrollment status page.

Using the Autopilot Reset could be a good option when you need to reset the device for the same user. Why? Because inside the Windows.old folder, you can still find the user’s old OneDrive data. I am explaining it all here:
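Since a disabled WinRE makes the Autopilot Reset fail with 0x80070032, it pays to check the recovery environment before pushing the reset. Below is an added example (not code from the original post): a small Python helper that parses the output of `reagentc /info` and turns it into a go/no-go decision. The sample output is constructed for this example; its BCD identifier and partition path are placeholders, not values from the page.

```python
import re
import subprocess

# Constructed sample of `reagentc /info` output, laid out as on a Windows 11 host.
# The BCD identifier and the recovery partition path are placeholders.
SAMPLE_REAGENTC_OUTPUT = r"""
Windows Recovery Environment (Windows RE) and system reset configuration
Information:

    Windows RE status:         Enabled
    Windows RE location:       \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    Boot Configuration Data (BCD) identifier: 00000000-0000-0000-0000-000000000000
    Recovery image location:
    Recovery image index:      0
    Custom image location:
    Custom image index:        0

REAGENTC.EXE: Operation Successful.
"""

AUTOPILOT_RESET_WINRE_ERROR = "0x80070032"  # error the post reports when WinRE is disabled


def parse_winre_status(output: str) -> bool:
    """Return True when the 'Windows RE status' line of reagentc /info reads Enabled."""
    match = re.search(r"Windows RE status:\s*(\w+)", output)
    if not match:
        raise ValueError("no 'Windows RE status' line found in reagentc output")
    return match.group(1).lower() == "enabled"


def autopilot_reset_precheck(output: str) -> str:
    """Human-readable go/no-go verdict for an Autopilot Reset based on reagentc output."""
    if parse_winre_status(output):
        return "ok: WinRE is enabled, Autopilot Reset can proceed"
    return (f"blocked: WinRE is disabled, run 'reagentc /enable' first "
            f"or the reset fails with {AUTOPILOT_RESET_WINRE_ERROR}")


def winre_enabled_on_this_host() -> bool:
    """Run reagentc /info on the local machine (Windows only, elevated prompt) and parse it."""
    result = subprocess.run(["reagentc", "/info"], capture_output=True, text=True, check=True)
    return parse_winre_status(result.stdout)


if __name__ == "__main__":
    # Offline demo against the constructed sample; call winre_enabled_on_this_host() on a real device.
    print(autopilot_reset_precheck(SAMPLE_REAGENTC_OUTPUT))
```

Run it on the device itself from an elevated prompt (or wrap `winre_enabled_on_this_host` in a proactive remediation script) and only send the Autopilot Reset to devices that report WinRE as enabled.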

Windows Autopilot Reset vs. Intune Remote Wipe – Patch My PC

6. Fresh Start

The Fresh Start device action removes any applications installed on your Windows device. It also removes the pre-installed (OEM) apps that typically come with a new device, so it will also remove that dirty bloatware!

performing a fresh start from Intune

Again, in the picture above, we have the option to “retain user data on this device.”

Please note: With both options, retaining or not retaining the user data, the device will be removed from MDM/Intune, but it will stay Azure AD joined!

Let’s see what Microsoft has to tell us about when you choose to not retain the user data:

Please ensure you aren’t blocking the “Local Admin Account,” as shown below. Otherwise, you will end up with a not-so-nice error: “There was a problem resetting your PC. No changes were made.” and a device that is halfway done resetting.

But let’s go further and examine what the device looks like when it’s done. You will probably notice that all the apps that were installed are gone. Now we need to wait until all the apps are reinstalled, and it took really long before that was finished.

In my opinion, a Fresh Start is not really user-friendly, as the end user still needs to wait a long time after his device is “ready”.

7. Summary

Method | Usage | MDM | Entra ID connection
Retire/Delete | Removing those old devices | Removed | Removed, except if the 4k HH is in Entra
Wipe (keep enrollment) | Resets the device to its default settings, removes all user-installed apps, and keeps user data | Maintained (policies will be reapplied) | Maintained
Wipe | When the employee exits the company and the device needs to be handed over to a colleague | Removed | Removed
Fresh Start (keep enrollment) | Makes sure Windows is reinstalled with only the built-in apps (Signature Edition), so bloatware is removed | Maintained | Maintained
Fresh Start | Makes sure Windows is reinstalled with only the built-in apps (Signature Edition), so again bloatware is removed | Removed | Maintained
Autopilot Reset | When you want to quickly reuse a device for the same user. It will ONLY remove the previous user’s profile and data. | Maintained | Maintained

And for the people who like flows more than text overview!

Conclusions:

It’s really important that we all know the differences between each method to ensure that data on the employee’s old device is removed.

*Please use “The retire or selective wipe” (app protection) method on personally owned mobile devices (BYOD) when the user leaves the company.

*Please use “Wipe” when you want to reuse the device for the next user. It’s the best option to ensure the device is cleaned!

*Please use “wipe the device, but keep enrollment state and associated user account” when you still have important data on your Windows device and need to re-enroll it.

*Please use “Autopilot reset” only when you want to reuse the device quickly for the same user.
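To make these rules repeatable (and to stop someone from wiping a BYOD phone by accident), here is an added example, not code from the original post or from Microsoft: a Python helper that maps the scenarios above onto Microsoft Graph device actions and refuses any full wipe of a personally owned device. The v1.0 actions `wipe` (with `keepEnrollmentData`/`keepUserData`), `retire` and `cleanWindowsDevice` (Fresh Start) exist in Graph. The following are assumptions of this example: expressing Autopilot Reset as `wipe` with keepEnrollmentData=true and keepUserData=false, the beta `wipeManagedAppRegistrationsByDeviceTag` endpoint for the selective wipe, using the managed device id as the device tag, and the scenario names themselves.

```python
"""Map the retire/wipe/reset decisions from this post to Intune Graph device actions."""
import json
import urllib.request
from dataclasses import dataclass
from typing import Optional

GRAPH_V1 = "https://graph.microsoft.com/v1.0"
GRAPH_BETA = "https://graph.microsoft.com/beta"   # assumption: MAM selective wipe lives in beta


@dataclass
class ManagedDevice:
    id: str
    operating_system: str   # managedDevice.operatingSystem, e.g. "Windows", "iOS", "Android"
    owner_type: str         # managedDevice.managedDeviceOwnerType: "company" | "personal"
    user_id: str = ""       # primary user's object id, needed for a MAM selective wipe


@dataclass
class Plan:
    action: str
    url: str
    body: Optional[dict]    # None for actions that take no request body


class UnsafeDeviceAction(ValueError):
    """Refused: the action would factory-reset a personally owned (BYOD) device."""


def plan_device_action(device: ManagedDevice, scenario: str) -> Plan:
    """Scenario names are this example's own: user_leaves, user_leaves_keep_apps,
    reuse_for_next_user, reenroll_keep_data, reuse_same_user, remove_bloatware."""
    dev = f"{GRAPH_V1}/deviceManagement/managedDevices/{device.id}"
    personal = device.owner_type.lower() == "personal"
    windows = device.operating_system.lower().startswith("windows")

    if scenario == "user_leaves":
        if personal:
            # BYOD: retire removes Intune-managed apps, settings and profiles; personal data stays.
            return Plan("retire", f"{dev}/retire", None)
        return Plan("wipe", f"{dev}/wipe", {"keepEnrollmentData": False, "keepUserData": False})

    if scenario == "user_leaves_keep_apps":
        # Selective wipe: only work-account data protected by an app protection policy is removed.
        if not device.user_id:
            raise ValueError("a selective wipe needs the device's primary user id")
        return Plan("selective_wipe",
                    f"{GRAPH_BETA}/users/{device.user_id}/wipeManagedAppRegistrationsByDeviceTag",
                    {"deviceTag": device.id})   # assumption: device tag == managed device id

    if personal:
        # Every remaining scenario is a full reset; never do that to an employee-owned device.
        raise UnsafeDeviceAction(f"{scenario!r} would wipe a personally owned device; "
                                 "use retire or a selective wipe instead")

    if scenario == "reuse_for_next_user":
        return Plan("wipe", f"{dev}/wipe", {"keepEnrollmentData": False, "keepUserData": False})
    if not windows:
        raise ValueError(f"{scenario!r} applies to Windows devices only")
    if scenario == "reenroll_keep_data":
        return Plan("wipe_keep_enrollment", f"{dev}/wipe",
                    {"keepEnrollmentData": True, "keepUserData": True})
    if scenario == "reuse_same_user":
        # Assumption: Autopilot Reset modelled as keep-enrollment, drop-user-profile wipe.
        return Plan("autopilot_reset", f"{dev}/wipe",
                    {"keepEnrollmentData": True, "keepUserData": False})
    if scenario == "remove_bloatware":
        return Plan("fresh_start", f"{dev}/cleanWindowsDevice", {"keepUserData": False})
    raise ValueError(f"unknown scenario {scenario!r}")


def send(plan: Plan, access_token: str) -> int:
    """Submit the planned action to Graph; returns the HTTP status code.
    The token needs DeviceManagementManagedDevices.PrivilegedOperations.All for wipe/retire."""
    data = json.dumps(plan.body).encode() if plan.body is not None else None
    request = urllib.request.Request(
        plan.url, data=data, method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(request) as response:
        return response.status


if __name__ == "__main__":
    # Dry run on constructed devices; call send(plan, token) to actually execute a plan.
    laptop = ManagedDevice("dev-1", "Windows", "company")
    phone = ManagedDevice("dev-2", "iOS", "personal", user_id="u-1")
    for scenario in ("reuse_for_next_user", "reenroll_keep_data", "remove_bloatware"):
        print(plan_device_action(laptop, scenario))
    print(plan_device_action(phone, "user_leaves"))
```

Keep the dry run as the default path: review the printed plan (action, URL and body) for each device before handing it to `send`, and treat an `UnsafeDeviceAction` as a signal that the device should be retired or selectively wiped rather than as something to override.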

So delete Wipe it is!

3 thoughts on “To Retire, To Reset or Not to Wipe.”

  1. Very useful information, especially the contexts when these options should be used. Great content, as always!

  2. We tried Autopilot resetting a device for a new user (before reading this article about using wipe instead) and it installed Windows 10 on the device, which already had Windows 11 installed. Do you know why this happened and how to prevent it? Will using wipe instead keep the OS?
    Thanks
