February 27, 2026 Junior (1-3 years) How-To

Intune Device Wipe and Retire

How to wipe, retire, or factory reset devices in Microsoft Intune. Complete guide for device lifecycle management.

When a device needs to be reset or removed, Intune gives you options. Here’s when to use each.

Wipe vs Retire

| Action | What Happens | Use When |
|---|---|---|
| Retire | Remove managed apps/data, keep device | User leaves, device reassigned |
| Wipe | Factory reset, delete everything | Device being sold, serious issues |
| Autopilot Reset | Clean but keep enrollment | Refresh device, keep Intune |

Retire a Device

# Via Graph API (Microsoft.Graph.DeviceManagement.Actions module)
$DeviceId = (Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'LAPTOP-001'").Id

Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $DeviceId

What Happens

  • Company data removed
  • Apps uninstalled
  • Settings reverted
  • Device remains in Intune (unmanaged)

Wipe a Device

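# Full wipe (Microsoft.Graph.DeviceManagement.Actions module)
$DeviceId = (Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'LAPTOP-001'").Id

# -KeepUserData is a switch, so an explicit value needs the colon form
Clear-MgDeviceManagementManagedDevice -ManagedDeviceId $DeviceId -KeepUserData:$false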

Options

  • Keep user data: Yes/No
  • Persist enrolled apps: Yes/No (Windows)

Autopilot Reset

# Trigger Autopilot reset
$DeviceId = (Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'LAPTOP-001'").Id

Invoke-MgDeviceManagementManagedDevice windowsAutopilotDeviceIdentity -ManagedDeviceId $DeviceId -ResetAccount

What It Does

  • Removes user accounts
  • Re-enrolls in Intune
  • Like fresh OOBE
  • Keeps Autopilot enrollment

Confirmation Required

# Devices in user-driven enrollment require:
# - User confirmation on device
# OR
# - Recovery key provided first

# Check if device requires recovery key
Get-MgDeviceManagementManagedDevice -ManagedDeviceId $DeviceId |
    Select-Object recoveryKeyIdentifier

Pre-Wipe Checklist

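  • Back up user data (if keeping)
  • Export BitLocker keys
  • Document serial number
  • Check device ownership

# Export BitLocker keys before wipe (keys are stored against the Entra device ID)
$AadDeviceId = (Get-MgDeviceManagementManagedDevice -ManagedDeviceId $DeviceId).AzureAdDeviceId
# The list call returns key IDs only; read each key with -BitlockerRecoveryKeyId <id> -Property key
Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$AadDeviceId'"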
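
The serial-number and ownership items from the checklist can be enforced in code before any destructive call is made. The following is an added example, not code from the original post: the function name Get-DeviceActionPlan, the -Intent values, and the rule that blocks Wipe and Autopilot Reset on devices not owned by the company are assumptions, and the inventory is constructed sample data so the block runs without a Graph connection.

```powershell
# Added example: pre-wipe guard. Names and the ownership rule are assumptions.
function Get-DeviceActionPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,    # e.g. output of Get-MgDeviceManagementManagedDevice
        [Parameter(Mandatory)] [string]   $DeviceName,
        [Parameter(Mandatory)] [ValidateSet('Reassign', 'Dispose', 'Refresh')] [string] $Intent
    )
    # Device names are not unique in Intune; refuse to act on 0 or 2+ matches.
    $found = @($Devices | Where-Object { $_.DeviceName -eq $DeviceName })
    if ($found.Count -ne 1) {
        return [pscustomobject]@{
            DeviceName = $DeviceName; Action = 'None'; Proceed = $false
            Reason = "Expected 1 match, found $($found.Count)"
            SerialNumber = $null; ManagedDeviceId = $null
        }
    }
    $d = $found[0]
    # Mapping taken from the Wipe vs Retire table.
    $action  = @{ Reassign = 'Retire'; Dispose = 'Wipe'; Refresh = 'AutopilotReset' }[$Intent]
    $proceed = $true
    $reason  = 'OK'
    # Assumed policy: only company-owned devices may be factory reset.
    if ($action -ne 'Retire' -and $d.ManagedDeviceOwnerType -ne 'company') {
        $proceed = $false
        $reason  = "Owner type '$($d.ManagedDeviceOwnerType)': use Retire instead of $action"
    }
    # The returned record doubles as the audit entry (serial number documented).
    [pscustomobject]@{
        DeviceName = $d.DeviceName; Action = $action; Proceed = $proceed
        Reason = $reason; SerialNumber = $d.SerialNumber; ManagedDeviceId = $d.Id
    }
}

# Constructed sample inventory (not real devices).
$sample = @(
    [pscustomobject]@{ Id = 'id-1'; DeviceName = 'LAPTOP-001'; SerialNumber = 'SN-A1'; ManagedDeviceOwnerType = 'company' }
    [pscustomobject]@{ Id = 'id-2'; DeviceName = 'PHONE-007';  SerialNumber = 'SN-B2'; ManagedDeviceOwnerType = 'personal' }
    [pscustomobject]@{ Id = 'id-3'; DeviceName = 'LAPTOP-002'; SerialNumber = 'SN-C3'; ManagedDeviceOwnerType = 'company' }
    [pscustomobject]@{ Id = 'id-4'; DeviceName = 'LAPTOP-002'; SerialNumber = 'SN-C4'; ManagedDeviceOwnerType = 'company' }
)

'LAPTOP-001', 'PHONE-007', 'LAPTOP-002', 'LAPTOP-404' | ForEach-Object {
    Get-DeviceActionPlan -Devices $sample -DeviceName $_ -Intent Dispose
} | Format-Table DeviceName, Action, Proceed, Reason, SerialNumber
```

Only a plan with Proceed set to $true should reach the retire or wipe call, using the ManagedDeviceId from the plan rather than a second name lookup.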

Automation Script

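<#
.SYNOPSIS
    Safely wipe a device
#>
param(
    [Parameter(Mandatory=$true)]
    [string]$DeviceName,

    [Parameter(Mandatory=$false)]
    [switch]$KeepUserData
)

# Escape single quotes for the OData filter; force an array so the count is reliable
$SafeName = $DeviceName.Replace("'", "''")
$Device = @(Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$SafeName'")

if ($Device.Count -eq 0) {
    Write-Host "Device not found: $DeviceName"
    exit 1
}

# Device names are not unique; never wipe on an ambiguous match
if ($Device.Count -gt 1) {
    Write-Host "More than one device is named $DeviceName; refusing to wipe"
    exit 1
}
$Device = $Device[0]

# Export recovery keys first (keys are stored against the Entra device ID;
# the list call returns key IDs only, so each key is read individually)
$Keys = Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$($Device.AzureAdDeviceId)'" |
    ForEach-Object {
        $Full = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $_.Id -Property key
        [pscustomobject]@{ KeyId = $_.Id; Key = $Full.Key }
    }

# Backup keys (the CSV holds plaintext recovery keys; keep it in an access-controlled location)
$Keys | Export-Csv -Path ".\$DeviceName-BitLockerKeys.csv" -NoTypeInformation

# Confirm wipe
Write-Host "About to WIPE device: $DeviceName (serial $($Device.SerialNumber))"
Write-Host "This cannot be undone!"
$Confirm = Read-Host "Type 'YES' to confirm"

if ($Confirm -eq "YES") {
    Clear-MgDeviceManagementManagedDevice -ManagedDeviceId $Device.Id -KeepUserData:$KeepUserData
    Write-Host "Wipe initiated"
}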

Wrap-Up

Use Retire for reassignment, Wipe for disposal, Autopilot Reset for refresh. Always back up keys first.

Questions? Drop them below!
