Retire or do not retire your devices!
Published: July 27, 2023 | Author: René Laas
The purpose of this blog post is to show you how to use the retire action in Intune and how to get a report of devices that are listed for retirement.
In my previous blog posts, I have already explained a lot about compliance with Microsoft Intune.
- A method to designing an effective compliance policy design
  Why do you even need a compliance policy, which stakeholders do you need, configuration options, etc.?
- How to roll out your compliance policy
  Which strategy can you use to roll out your compliance policy? In this blog post, I explained some examples.
- Configure compliance policies with Microsoft Intune
  Besides your design and roll-out strategy, you must configure your policy. In this blog post, I explained how to configure it with Intune.
- Custom compliance policy script with multiple checks
  To check extra compliance settings that are not available by default, you can use a PowerShell script. In this blog post, I explain how to configure this with multiple checks in one script.
- How to configure a custom compliance policy script with multiple checks
  In this blog post, I explain how to configure your supported Windows build in a compliance policy in an automated way.
In the blog post on configuring your compliance policy within Intune, I have already spoken about the actions for noncompliance. In this blog post, I will dive a little deeper into the Add device to retire list option and how to put this list to good use. Of course, you can use the non-compliant report and apply a filter, but you can't filter on devices that are part of a specific compliance policy.
I have noticed that a lot of organizations are struggling with the governance of their devices and of compliant / non-compliant devices. Usually, the processes are not well set up or have been watered down. To get back in shape, I will give you a free tip in this blog post.
Requirements:
Retire an Intune device? What does it mean?
The Retire action is a valuable tool that allows you to remove managed app data, settings, and user settings like email profiles. When applied, the device is unenrolled from Intune and removed from the Intune device list.
Keep in mind, when a retire action is initiated, the device’s removal action will start during the next check-in process. Once the device connects to the network and syncs with Intune, the Retire action will be triggered remotely. It’s important to note that until the check-in happens, the device will continue to appear in the Intune console.
When you use the Retire action, the user’s personal data will not be removed from the device. Please check the following blog post from Microsoft to understand what data will remain on the device after retirement.
Noncompliant Retire devices list
You can check your non-compliant devices every day, week, or month and manually perform actions such as retire or delete. This will have a major impact on the workload of your Intune admins. Luckily for us, Microsoft has developed the actions for noncompliance.
The retire noncompliant devices list is an overview of all your devices that are not compliant and have met the threshold configured in your compliance policy. For example, after 30 days of non-compliance, the device will be added to that list.
You can use it to get more control over your non-compliant devices, for example your personally enrolled devices.
Instead of doing a lot of manual tasks and checks, you already have an overview of devices that have not been compliant for X number of days within only a few clicks, and it is updated automatically.
Now you can use this list to check, per device, why the device is on the list and perform the needed actions.
How to configure the add a device to retire list in a compliance policy
- Open Microsoft Intune
- In the menu select Devices
- In the sub-menu on the left side, scroll down to Policy
- Click on Compliance policies
- The submenu will be replaced by a new submenu.
- Click on Policies
- Open your compliance policy and click on properties in the menu under
- Scroll a little bit down till you see the option Actions for Noncompliance.
- Click on Edit after Actions for Noncompliance.
- On the Actions for Noncompliance tab, you can set your actions. By default, the option Mark device noncompliant is already set.
- We will set the option Add device to retire list.
- Enter the number of days after which a non-compliant device needs to be added to the list.
For instance, after 30 days.
- Click on Review + save
- Review your configuration at the Review + Create tab and click on Save
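To check the result of these steps across all policies at once, the following PowerShell sketch reports which compliance policies feed the retire list and after how many days. It is an added example, not code from the original post; it assumes the portal's Add device to retire list action is what Microsoft Graph returns as `actionType` `retire`, and the function names and sample policies are constructed for illustration.

```powershell
# Added example (not from the original post). Reports, per compliance policy,
# whether it adds devices to the retire list and after how many days.
# Assumption: "Add device to retire list" is returned by Graph as actionType 'retire'.
function Get-RetireListSetting {
    param([Parameter(Mandatory)][object[]]$Policy)
    foreach ($p in $Policy) {
        # Flatten the action configurations of every rule in the policy
        $actions = @($p.scheduledActionsForRule |
            ForEach-Object { $_.scheduledActionConfigurations })
        $retire = $actions | Where-Object { $_.actionType -eq 'retire' } |
            Select-Object -First 1
        [pscustomobject]@{
            Policy    = $p.displayName
            FeedsList = [bool]$retire
            # Graph stores the threshold in hours; the portal shows days
            AfterDays = if ($retire) { [math]::Round($retire.gracePeriodHours / 24, 1) } else { $null }
        }
    }
}

# Live tenant: needs the Microsoft.Graph.Authentication module and a prior
# Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All'
# (paging via @odata.nextLink is not handled here)
function Get-LiveCompliancePolicy {
    $base = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies'
    $list = Invoke-MgGraphRequest -Method GET -Uri $base -OutputType PSObject
    foreach ($p in $list.value) {
        $uri = "$base/$($p.id)?`$expand=scheduledActionsForRule(`$expand=scheduledActionConfigurations)"
        Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    }
}

# Constructed sample in the shape Graph returns, so the report runs offline
$sample = @'
[
  { "displayName": "Windows - corporate (sample)",
    "scheduledActionsForRule": [ { "scheduledActionConfigurations": [
      { "actionType": "block",  "gracePeriodHours": 0 },
      { "actionType": "retire", "gracePeriodHours": 720 } ] } ] },
  { "displayName": "iOS - personal (sample)",
    "scheduledActionsForRule": [ { "scheduledActionConfigurations": [
      { "actionType": "block",  "gracePeriodHours": 24 } ] } ] }
]
'@ | ConvertFrom-Json

Get-RetireListSetting -Policy $sample | Format-Table -AutoSize
# Against a tenant: Get-RetireListSetting -Policy (Get-LiveCompliancePolicy)
```

Policies that show no retire threshold never add devices to the list, so their non-compliant devices have to be followed up through the regular non-compliant report.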
How to open the retirement list
- Open Microsoft Intune
- In the menu select Devices
- In the sub-menu on the left side, scroll down to Policy
- Click on Compliance policies
- The submenu will be replaced by a new submenu.
- Click on Retire non-compliant devices
- Now you have your list of non-compliant devices that are ready to retire.
- If needed, you can select export in the menu to get a CSV with all the devices.
Do you still need to go to the Microsoft 365 Admin portal and delete retired devices to get them permanently removed from the Autopilot device list? Thanks!
Retired devices and Autopilot devices are 2 different things, but when you also want to delete a retired device from Autopilot, you could remove it from the Autopilot blade within Intune, under Devices, Windows, Enrollment, Autopilot Devices.