Last Updated on March 1, 2023 by rudyooms
I want to dedicate this blog to the different methods available (Retire or a (selective) Wipe) how you could make sure when a user exits the company there is no company data and apps left on the mobile device.
I also will show you what happens when you choose to perform a Wipe, Autopilot Reset, or a Fresh start on a Windows 10/11 Device because I noticed there is some ambiguity about it.
Choosing the right option really depends on which enrollment was configured, like if the devices are personally owned or corporate-owned? I don’t think the employee would be very happy if you wiped his personally owned mobile device?
These are the options we have got for now
1.Wipe:
As I was telling you at the beginning of this blog, I am going to show you the options you have to remote wipe a device. To do so I need to break down the Wipe options into 2 Parts. Because I need to show you what happens with Windows Devices and Mobile devices when you are performing a remote wipe
Windows Devices
When you need to remote wipe a Windows Device in Intune it will give you multiple options to choose from. You will need to choose to Retain the enrollment state and the user account or wipe it all (Not-Retain)!
“Retain Data”
But what will be Retained after you have “checked” the option: “wipe the device, but keep enrollment state and associated user account“? Let’s take a look at which data is retained during the wipe.
Now we know what will be retained, let’s take a look at what isn’t retained when you checked “wipe the device, but keep enrollment state and associated user account”
Even when Microsoft is saying, User files are Not retained your data in your user profile will not be deleted or wiped!!! As an example, if you have some data in Onedrive which was not yet uploaded it is safe, it will not be deleted!
As shown above, an example from a device that received a remote Wipe device but with the option to keep the enrollment. Onedrive data is not removed!
“Not Retain Data”
But what happens when we DIDN’T select anything and DIDN’T select the option to retain enrollment and the user data and perform a remote wipe on a Windows device. I am going to show you what happens and the differences when you perform a Remote wipe on Windows 10 and Windows 11.
I dedicated a separate blog about this topic because it was becoming way too large to tell the whole story in this blog. So please read it here!
A quick summary, please beware of the fact that when performing a remote wipe on a BitLocker configured Windows 11 your user data will be moved to the Windows.old folder and is still readable after the wipe!
1.2 Mobile Devices
Android
Luckily, personally owned android devices with a work profile can’t be wiped. Google doesn’t allow factory resetting of personally owned work profile devices from the MDM provider.
When you want the option to wipe the device, you need to configure corporate android devices with a work profile.
IOS
But looking at a personally enrolled IOS device, you will notice you can wipe it!!. It’s not greyed out?
The default enrollment is device-based instead of user-based. User-based enrollment (UBE) is way better for personal devices because it removes the option to wipe the device. UBE restricts the permissions that Intune has when managing the device.
But every advantage has its disadvantage, you will need to set up the Apple business manager and provide a DUNS number before you can make use of the user enrollment option, that’s a shame because it can take some time before you have received the duns number and configured ABM.
So what happens when you wipe an IOS mobile device?
When choosing the wipe option on an IOS mobile device, you will restore the factory defaults of the device, it will remove all personal and company data. This option is intended to be used on corporate-owned devices only. Like I told you earlier, you don’t want to wipe personally owned devices.
Of course, you could block the possibility to enroll personally-owned devices to make sure only corporate-owned devices could be enrolled. I know there could be a lot of good reasons why you would only allow corporate devices but in my opinion, when app protection is configured properly, there is no reason to block personally owned devices.
2.Retire
When you have personally owned mobile devices, this is maybe one of the best options you have as it removes managed application data (where applicable), settings, and email profiles that were assigned by Intune. It will make sure the user’s personal data will be untouched!
IOS:
When you choose to retire an IOS device this is what will happen:
Apps installed using Company Portal: Apps that are pinned to the management profile, all app data, and the apps are removed. These apps include apps originally installed from App Store and later managed as company apps unless the app is configured to not be uninstalled on device removal.
Microsoft apps that use App Protection Policies and were installed from App Store: When a Retire action is initiated against an enrolled device, Intune also initiates a selective wipe for apps (including those installed from the App Store) that have work or school account data protected by an app protection policy. The next time the app is launched, the selective wipe removes the protected work or school account data. In order for the selective wipe to occur, an App Protection Policy check-in must occur between the MDM enrollment and retire events. Personal app data and the apps are not removed after a selective wipe.
Android:
When you choose to retire an Android enterprise personally owned device with a work profile, this is what will happen:
It will remove all the data, apps, and settings in the work profile on the personally owned android device. It will also remove the whole work profile from the device.
Just like with IOS, retiring an Android device will leave the personal data intact.
3.Selective wipe
If you only (selective) want to remove the company data from the device and not the apps, this is the option you need. You don’t want to remove all of the apps when the device is an employee-owned device. Maybe the employee has configured his personal Outlook account and really doesn’t want to see that removed?
The only requirement to perform a selective wipe on IOS and Android: you need to have App Protection policies configured. If you don’t have app protection policies configured, selective wipe will not be possible.
How to perform a selective wipe?
Please note:
The wipe may take up to 30 minutes and the user must open the app for the wipe to take place
You can monitor a retire or wipe action in the Microsoft endpoint admin center audit logs.
4. App protection Disabled account Wipe
I have been blogging about this option a week ago. Please read my short blog about
App protection and a disabled Account – Call4Cloud
5. Autopilot Reset
Another option we need to talk about would be the possibility of performing an Autopilot reset on a Windows device to make sure the device is reverted back to a business-ready state. When the reset is done, the user is allowed to sign in back again.
Windows Autopilot Reset:
- Removes personal files, apps, and settings.
- Reapplies a device’s original settings.
- Keeps Azure Ad Join connection
- Maintains the device’s identity connection to Azure AD.
- Maintains the device’s management connection to Intune.
Autopilot Reset, only removes the user profile. It doesn’t perform a true wipe of the whole drive like a “wipe” would do
So what happens when we press the Autopilot Reset button?
Please make sure when are using the Windows Autopilot reset function, you have enabled the WinRE (windows recovery environment) otherwise you will end up with a nice error: 0x80070032
When you are using the Autopilot reset option, it will also maintain the keyboard/region/language/ and Wi-Fi connections.
Please Note: If an enrollment status page wasn’t configured for this device during initial device enrollment, the device will go straight to the desktop after sign-in. So please make sure you have configured the enrollment status page
In my opinion, using the Autopilot Reset could be a good option when you need to reset the device for the same user.
6. Fresh Start
The Fresh Start device action removes any applications that were installed on a Windows 10 device. Fresh Start helps remove pre-installed (OEM) apps that are typically installed with a new device. So it will also remove that dirty bloatware!
Again, looking at the picture above we have the option to “retain user data on this device”.
Please note: In both options: Retaining or not retaining the User data, the device will be removed from MDM/Intune but it will stay Azure Ad Joined!
Let’s see what Microsoft has to tell us about when you choose to not retain the user data:
So please make sure you aren’t blocking the “Local Admin Account” as shown below. Because otherwise, you will end up with a not-so-nice error: “There was a problem resetting your PC. No changes were made.” and a device that is halfway done resetting the device.
But let’s go further and take a look at what the device looks like when it’s done. You will probably notice all the apps which were installed are gone. now we need to wait before all the apps are reinstalled again… It took really long before all apps were installed again.
In my opinion, a Fresh Start could not be really user-friendly as the end user still needs to wait a long time after his device was “ready”?.
7. Summary
| Method | Usage | MDM | Azure AD Connection |
|---|---|---|---|
| Retire/Delete | Removing those old devices | Removed | Removed except If the 4k HH is in Azure |
| Wipe (keep enrollment) | Resets the device to its default settings, removes all user-installed apps, and keeps user data | Maintained policies will be reapplied | Maintained |
| Wipe | When the employee exits the company and the device needs to be handed over to a colleague | Removed | Removed |
| Fresh Start (keep enrollment) | Makes sure Windows will be reinstalled with only the build-in Apps (Signature Edition) So bloatware will be removed. This method will maintain the user data and makes sure Windows will be updated to the latest build | Maintained | Maintained |
| Fresh Start | Makes sure Windows will be reinstalled with only the build-in Apps (Signature Edition) So again bloatware will be removed | Removed | Maintained |
| Autopilot Reset | When you want to quickly reuse a device for the same user. It will ONLY remove the previous user’s profile and data. | Maintained | Maintained |
Conclusions:
It’s really important we all know the differences between each method to make sure data on the employee’s old device is removed.
*Please use “The retire or selective wipe” (app protection) method on personally owned mobile devices (BYOD) when the user leaves the company.
*Please use “Wipe” when you want to re-use the device for the next user. It’s the best option to make sure the device is cleaned!
*Please use “wipe the device, but keep enrollment state and associated user account” when you still have important data on your Windows device and you need to re-enroll the device.
*Please use “Autopilot reset” only when you want to perform a “quick” re-use of the device for the same user.
So delete Wipe it is!
Very useful information, especially the contexts when these options should be used. Great content, as always!
We tried Autopilot resetting a device for a new user (before reading this article about using wipe istead) and it installed Windows 10 on the device, which already had Windows 11 installed. Do you know why this happened and how to prevent it? Will using wipe instead keep the OS?
Thanks