UPDATE 02-06-2021: I decided to rewrite this whole blog, because I also wanted to show you the options you have when wiping Windows 10 devices.
This blog is about when and why you need to perform a Retire or a (selective) Wipe when an employee leaves the company or when their device is stolen.
In one of my last blogs, I explained why it's important to configure App Protection Policies. I want to dedicate this blog to the different methods available to make sure that, when a user leaves the company, no company data and/or apps are left on the mobile device.
I will also show you what happens when you choose to Wipe, Autopilot Reset or Fresh Start a Windows 10 device, because I noticed there is some ambiguity about it.
Choosing the right option really depends on which enrollment was configured: are the devices personally owned or corporate-owned? I don't think an employee would be very happy if you wiped their personally owned mobile device.
We have got these 6 options:
1. Wipe
2. Retire
3. Selective Wipe
4. App Protection Disabled Account Wipe
5. Windows 10 Autopilot Reset
6. Windows 10 Fresh Start
1. Wipe
As I said earlier, I also need to show you the options you have to wipe a Windows 10 device, so I will break the Wipe options down into 2 parts:
- Windows 10 devices
- Mobile devices (Android and iOS)
Windows 10 Devices
When you need to wipe a Windows 10 device, it gives you 2 options to choose from.
When you choose the first option, "Wipe the device, but keep enrollment state and associated user account", some data is retained during the wipe.
Even though Microsoft says "user files are not retained", the data in your user profile will not be deleted or wiped!
As an example, if you have some data in OneDrive which was not yet uploaded, it is safe: it will not be deleted.
(Screenshot: a device that received "Wipe device but keep enrollment"; the OneDrive data has not been removed.)
Mobile devices
Luckily, personally owned Android devices with a work profile can't be wiped: Google doesn't allow the MDM provider to factory-reset personally owned work profile devices.
When you want the option to wipe the device, you need to enroll corporate-owned Android devices with a work profile.
But looking at a personally enrolled iOS device, you will notice you can wipe it! It's not greyed out.
That is because the default enrollment is device-based instead of user-based. User-based enrollment (UBE) is much better for personal devices because it removes the option to wipe the device: UBE restricts the permissions Intune has when managing the device.
But every advantage has its disadvantage: you need to set up Apple Business Manager and provide a DUNS number before you can use the user enrollment option. That's a shame, because it can take some time before you have received the DUNS number and configured ABM.
So what happens when you wipe an iOS mobile device?
When choosing the Wipe option on an iOS mobile device, you restore the factory defaults of the device: it removes all personal and company data. This option is intended for corporate-owned devices only. Like I told you earlier, you don't want to wipe personally owned devices.
Of course, you could block the enrollment of personally owned devices to make sure only corporate-owned devices can be enrolled. I know there can be a lot of good reasons to only allow corporate devices, but in my opinion, when app protection is configured properly, there is no reason to block personally owned devices.
2. Retire
When you have personally owned mobile devices, this is maybe the best option you have, as it removes managed application data (where applicable), settings and email profiles that were assigned by Intune. It makes sure the user's personal data is untouched!
iOS: When you choose to retire an iOS device, this is what will happen:
Apps installed using Company Portal: apps that are pinned to the management profile, all app data and the apps themselves are removed. These include apps originally installed from the App Store and later managed as company apps, unless the app is configured to not be uninstalled on device removal.
Microsoft apps that use App Protection Policies and were installed from the App Store: when a Retire action is initiated against an enrolled device, Intune also initiates a selective wipe for apps (including those installed from the App Store) that have work or school account data protected by an app protection policy. The next time the app is launched, the selective wipe removes the protected work or school account data. For the selective wipe to occur, an App Protection Policy check-in must have occurred between the MDM enrollment and the retire event. Personal app data and the apps themselves are not removed by a selective wipe.
Android: When you choose to retire an Android Enterprise personally owned device with a work profile, this is what will happen:
It removes all the data, apps and settings in the work profile on the personally owned Android device, and it removes the whole work profile from the device.
Just like with iOS, retiring an Android device leaves the personal data intact.
3. Selective Wipe
If you only want to remove the company data from the device (selectively) and not the apps, this is the option you need. You don't want to remove all of the apps when the device is employee-owned: maybe the employee has configured their personal Outlook account and really doesn't want to see that removed.
The only requirement to perform a selective wipe on iOS and Android is that you have App Protection Policies configured. If you don't have app protection policies configured, a selective wipe is not possible.
How to perform a selective wipe?
The wipe may take up to 30 minutes, and the user must open the app for the wipe to take place.
You can monitor a Retire or Wipe action in the Microsoft Endpoint Manager admin center audit logs.
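The same audit trail can be read through Microsoft Graph, which is handy if you want to review every Wipe and Retire that was issued rather than click through the portal. The script below is an added example and not code from the original post: it takes audit events in the shape of the Graph auditEvent resource (category, activityType, activityDateTime, activityResult, actor, resources), keeps only the device actions, and flags the ones that were issued by an account you did not expect or that did not succeed. The three events are constructed sample data, and the exact activityType strings Intune writes are an assumption.

```python
"""Pull device remote actions (Wipe, Retire, Fresh Start) out of Intune audit events.

Added example, not code from the original post. The event shape follows the Microsoft
Graph auditEvent resource (category, activityType, activityDateTime, activityResult,
actor, resources). The three events below are constructed sample data, and the exact
activityType strings that Intune writes are an assumption here.
"""
from datetime import datetime

# Graph action names that remove data from a device (cleanWindowsDevice = Fresh Start).
DEVICE_ACTION_VERBS = {"wipe", "retire", "cleanwindowsdevice"}

SAMPLE_EVENTS = [  # constructed sample auditEvents
    {
        "id": "evt-1", "category": "Device",
        "activityType": "retire ManagedDevice", "activityOperationType": "Action",
        "activityDateTime": "2021-06-02T08:12:00Z", "activityResult": "Success",
        "actor": {"type": "ItPro", "userPrincipalName": "admin@contoso.example"},
        "resources": [{"displayName": "iPhone-alice", "type": "ManagedDevice",
                       "resourceId": "00000000-0000-0000-0000-000000000001"}],
    },
    {
        "id": "evt-2", "category": "Device",
        "activityType": "wipe ManagedDevice", "activityOperationType": "Action",
        "activityDateTime": "2021-06-02T09:40:00Z", "activityResult": "Success",
        "actor": {"type": "ItPro", "userPrincipalName": "helpdesk@contoso.example"},
        "resources": [{"displayName": "LAPTOP-bob", "type": "ManagedDevice",
                       "resourceId": "00000000-0000-0000-0000-000000000002"}],
    },
    {   # a configuration change, not a device action: must be ignored
        "id": "evt-3", "category": "DeviceConfiguration",
        "activityType": "patch DeviceConfiguration", "activityOperationType": "Patch",
        "activityDateTime": "2021-06-02T10:00:00Z", "activityResult": "Success",
        "actor": {"type": "ItPro", "userPrincipalName": "admin@contoso.example"},
        "resources": [{"displayName": "Baseline policy", "type": "DeviceConfiguration",
                       "resourceId": "00000000-0000-0000-0000-0000000000aa"}],
    },
]


def parse_time(value: str) -> datetime:
    """Graph returns UTC timestamps with a trailing Z, which fromisoformat() needs as +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def device_actions(events):
    """Return one record per (event, device) for every Wipe/Retire/Fresh Start action."""
    records = []
    for ev in events:
        verb = ev.get("activityType", "").split(" ", 1)[0].lower()
        if verb not in DEVICE_ACTION_VERBS:
            continue
        actor = ev.get("actor", {}).get("userPrincipalName") or "<unknown actor>"
        for res in ev.get("resources", []):
            records.append({
                "when": parse_time(ev["activityDateTime"]),
                "actor": actor,
                "action": verb,
                "device": res.get("displayName", "<unnamed device>"),
                "device_id": res.get("resourceId"),
                "result": ev.get("activityResult"),
            })
    return sorted(records, key=lambda r: r["when"])


def flag_for_review(records, approved_actors):
    """Records worth a second look: issued by an account outside the approved set, or not successful."""
    approved = {u.lower() for u in approved_actors}
    return [r for r in records
            if r["actor"].lower() not in approved or r["result"] != "Success"]


if __name__ == "__main__":
    actions = device_actions(SAMPLE_EVENTS)
    for r in actions:
        print(f"{r['when']:%Y-%m-%d %H:%M}  {r['action']:<8} {r['device']:<14} by {r['actor']} ({r['result']})")
    for r in flag_for_review(actions, approved_actors=["admin@contoso.example"]):
        print("REVIEW:", r["action"], "on", r["device"], "by", r["actor"])
```

To run it against a real tenant, fetch the events from `https://graph.microsoft.com/v1.0/deviceManagement/auditEvents` with an Intune read permission and pass the `value` array to `device_actions`. Feeding the flagged records into your SIEM gives you an alert when a wipe is issued by an account outside the small group that is supposed to do this.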
4. App Protection Disabled Account Wipe
I blogged about this option a week ago. Please read my short blog about
5. Windows 10 Autopilot Reset
The next option we need to talk about is the possibility to Autopilot Reset a Windows 10 device, to make sure the device is reverted to a business-ready state. When the reset is done, the next user can sign in again.
Windows Autopilot Reset:
- Removes personal files, apps, and settings.
- Reapplies a device's original settings.
- Maintains the device's identity connection to Azure AD.
- Maintains the device's management connection to Intune.
So what happens when we press the Autopilot Reset button?
Please make sure, when you are using the Windows Autopilot Reset function, that WinRE (Windows Recovery Environment) is enabled; otherwise you will end up with a nice error: 0x80070032.
6. Windows 10 Fresh Start
The Fresh Start device action removes any applications that are installed on a Windows 10 device. Fresh Start helps remove the pre-installed (OEM) apps that typically come with a new PC.
Again, we have the option to retain user data on this device. You will notice all the apps that were installed are gone; now we need to wait until all the apps are reinstalled… It took really long before all apps were installed again.
In my opinion, Fresh Start is not really user-friendly, as the end user still needs to wait a long time after their device was "ready".
It's really important we all know the differences between each method, to make sure the data on the employee's old device is removed.
- Please use the Retire or selective wipe (app protection) method on personally owned mobile devices (BYOD) when the user leaves the company.
- Please use Wipe when the device gets stolen (if possible).
- Please use "Wipe the device, but keep enrollment state and associated user account" when you still have important data on your Windows 10 device.
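If you script the leaver and stolen-device processes instead of clicking through the portal, the rules above (and the Android work-profile restriction described earlier) are easy to encode so that nobody accidentally factory-resets a BYOD phone. The script below is an added example and not code from the original post: it maps a device and a scenario to the Microsoft Graph remote action and builds the request. The endpoints and body fields (`managedDevices/{id}/wipe` with `keepEnrollmentData` and `keepUserData`, `/retire`, `/cleanWindowsDevice` with `keepUserData`) are the Graph v1.0 managedDevice actions; the device ids are constructed, and which `keepUserData` value the portal's "keep enrollment state" checkbox sends is an assumption.

```python
"""Choose the Intune remote action the post recommends and build its Microsoft Graph request.

Added example, not code from the original post. It encodes the post's closing rules:
  - personally owned (BYOD) mobile device, user leaves -> Retire
  - stolen device                                      -> Wipe (factory reset) where possible
  - Windows 10 device that still holds important data  -> Wipe but keep enrollment state
The endpoints and body fields are the Graph v1.0 managedDevice actions; the device ids are
constructed, and which keepUserData value the portal's "keep enrollment state" checkbox
sends is an assumption.
"""
from dataclasses import dataclass
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"


@dataclass(frozen=True)
class Device:
    device_id: str               # Intune managedDevice id (constructed values below)
    os: str                      # "Windows", "iOS" or "Android"
    owner_type: str              # Graph managedDeviceOwnerType: "company" or "personal"
    work_profile: bool = False   # Android Enterprise work profile enrollment


@dataclass(frozen=True)
class Action:
    name: str
    method: str
    url: str
    body: Optional[dict]


def choose_action(device: Device, scenario: str, keep_windows_data: bool = False) -> Action:
    """Map (device, scenario) to a remote action; scenario is "leaver" or "stolen"."""
    if scenario not in ("leaver", "stolen"):
        raise ValueError(f"unknown scenario {scenario!r}")
    base = f"{GRAPH}/{device.device_id}"

    # Google does not allow the MDM to factory-reset a personally owned work-profile device,
    # so removing the work profile (Retire) is the most you can do, stolen or not.
    if device.os == "Android" and device.owner_type == "personal" and device.work_profile:
        return Action("retire", "POST", f"{base}/retire", None)

    if scenario == "stolen":
        # Factory reset: removes all personal and company data, so this is the
        # corporate-owned (or last-resort) option.
        return Action("wipe", "POST", f"{base}/wipe",
                      {"keepEnrollmentData": False, "keepUserData": False})

    if device.owner_type == "personal":
        # BYOD leaver: never factory-reset. Retire removes managed apps, settings and
        # e-mail profiles and leaves the user's personal data alone.
        return Action("retire", "POST", f"{base}/retire", None)

    if device.os == "Windows" and keep_windows_data:
        # "Wipe the device, but keep enrollment state and associated user account".
        # Assumption: this maps to keepEnrollmentData=true. Remember the post's finding that
        # user-profile data (e.g. not-yet-uploaded OneDrive files) survives this variant.
        return Action("wipe-keep-enrollment", "POST", f"{base}/wipe",
                      {"keepEnrollmentData": True, "keepUserData": False})

    return Action("wipe", "POST", f"{base}/wipe",
                  {"keepEnrollmentData": False, "keepUserData": False})


def fresh_start(device: Device, keep_user_data: bool) -> Action:
    """Windows 10 Fresh Start (Graph cleanWindowsDevice): removes every installed app, OEM ones included."""
    if device.os != "Windows":
        raise ValueError("Fresh Start only applies to Windows devices")
    return Action("fresh-start", "POST", f"{GRAPH}/{device.device_id}/cleanWindowsDevice",
                  {"keepUserData": keep_user_data})


if __name__ == "__main__":
    fleet = [  # constructed sample devices
        (Device("dev-ios-1", "iOS", "personal"), "leaver"),
        (Device("dev-and-1", "Android", "personal", work_profile=True), "stolen"),
        (Device("dev-win-1", "Windows", "company"), "stolen"),
    ]
    for dev, scenario in fleet:
        act = choose_action(dev, scenario)
        print(f"{dev.os:<8} {dev.owner_type:<8} {scenario:<7} -> {act.name:<21} "
              f"{act.method} {act.url} {act.body}")
```

Sending the request is one `requests.post(act.url, json=act.body, headers={"Authorization": f"Bearer {token}"})` with a token that carries the `DeviceManagementManagedDevices.PrivilegedOperations.All` permission; keeping the decision in one function means the audit log (previous example) should only ever show a factory wipe on corporate-owned devices.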