Legacy PC management is going out of support on October 15. Use the following steps to retire desktops that you are managing as PCs by running the Intune software client on them.
Manage devices and protect data with on-premises MDM in Configuration Manager
Retiring a PC removes it from Intune management. You cannot wipe a PC from Intune to set it back to its original factory settings. If a PC cannot connect to Intune, a message is displayed in the Dashboard workspace. A retired PC is removed from Intune management and inventory, and the license associated with the PC is made available for re-use.
This retirement does not perform a full wipe on the PC. Intune removes the software client from the PC. If the PC is not connected to the Intune service, the software client will be removed the next time it connects. If the PC has another endpoint application installed and it is disabled, that application can be re-enabled after Microsoft Intune Endpoint Protection is removed to ensure that your PCs are protected. The PC no longer receives software updates or malware definition updates from the Intune service.
If the Endpoint Protection client fails to uninstall, read Troubleshoot Endpoint Protection for more help.
When a device is lost or stolen, or if the employee leaves your company, you want to make sure company app data is removed from the device.
But you might not want to remove personal data on the device, especially if the device is an employee-owned device. Deployment of Application Protection Policies is not required to enable app selective wipe. To selectively remove company app data, create a wipe request by using the steps in this topic. After the request is finished, the next time the app runs on the device, company data is removed from the app. In addition to creating a wipe request, you can configure a selective wipe of your organization's data as a new action when the conditions of Application Protection Policies (APP) Access settings are not met.
This feature helps you automatically protect and remove sensitive organization data from applications based on pre-configured criteria. Contacts synced directly from the app to the native address book are removed.
Any contacts synced from the native address book to another external source can't be wiped. Currently, this only applies to the Microsoft Outlook app.
This configuration allows companies to protect their corporate documents based on the WIP configuration, while allowing the user to maintain management of their own Windows devices. Once documents are protected with a WIP policy, the protected data can be selectively wiped by an Intune administrator (Global administrator or an Intune Service administrator). By selecting the user and device, and sending a wipe request, all data that was protected via the WIP policy will become unusable.
Sign in to the Microsoft Endpoint Manager admin center. The Create wipe request pane is displayed. Click Select user, choose the user whose app data you want to wipe, and click Select at the bottom of the Select user pane.
Click Select the device, choose the device, and click Select at the bottom of the Select Device pane. The service creates and tracks a separate wipe request for each protected app on the device, and the user associated with the wipe request.
The user will continue to get wipe commands at every check-in from all devices. To re-enable a user, you must remove them from the list.
You can have a summarized report that shows the overall status of the wipe request, and includes the number of pending requests and failures. To get more details, follow these steps: Because the system creates a wipe request for each protected app running on the device, you might see multiple requests for a user. The status indicates whether a wipe request is pending, failed, or successful. Additionally, you are able to see the device name, and its device type, which can be helpful when reading the reports.
The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request was made.
The Fresh Start device action removes any apps that are installed on a PC running Windows 10, version or later.
If you do not retain user data, the device will be restored to the default OOBE (out-of-box experience) completed state, retaining the built-in administrator account. Azure AD joined devices will be enrolled into mobile device management again when an Azure Active Directory enabled user signs into the device.
From the list of devices you manage, choose a Windows 10 desktop device. Click Fresh Start.
Select Retain user data on this device to:
- Keep the device Azure AD joined
- Device is enrolled into mobile device management again when an Azure Active Directory enabled user signs into the device.
- Keep the contents of the device user's Home folder, and remove apps and settings
Important: If you do not retain user data, the device will be restored to the default OOBE (out-of-box experience) completed state, retaining the built-in administrator account.
Mobile devices can store sensitive data and provide easy access to many organizational resources. To help protect devices and data, use Configuration Manager for the following device management actions:
When you need to secure a lost device or when you retire a device from active use, you can start a full wipe on it.
This action restores the device to its factory defaults. It removes all organizational and user data and settings. In the Configuration Manager console, go to the Assets and Compliance workspace, and choose the Devices node. You can also choose Device Collections and select a collection of which the device is a member. In the Retire from Configuration Manager window, select the option to Wipe the mobile device and retire it from Configuration Manager.
How to wipe only corporate data from Intune-managed apps
The following tables describe what data is removed and the effect on data that remains on the device after a selective wipe. In the Retire from Configuration Manager window, select the following option: Wipe company content and retire the mobile device from Configuration Manager. For a successful wipe of apps, make sure the apps are distributed through mobile device app management.
If a user forgets their passcode, use this action to force a new temporary passcode on the device. You can also remove the passcode entirely. The following table lists how passcode reset works on different mobile platforms. Start the passcode reset action from the top-level site. For example, if you use a central administration site, you can only do the action on that site. If you're using a standalone primary site, you can only do the action from that site. If a user loses their device, you can lock the device remotely.
Microsoft Intune is an MDM and MAM provider for your devices
The following table lists how remote lock works on different mobile platforms. Start the remote lock action from the top-level site. If you're using a standalone primary site, do the action from that site. Confirm the action.
Simplify modern workplace management and achieve digital transformation with Microsoft Intune. Create the most productive Microsoft environment for users to work on devices and apps they choose, while protecting data.
Streamline and automate deployment, provisioning, policy management, app delivery, and updates. Stay up to date with a highly scalable, globally distributed cloud service architecture.
Leverage the intelligent cloud for insights and baselines for your security policies and configuration settings. Intune app protection policies provide granular control over Office data on mobile devices. Get up and running with FastTrack and have peace of mind with global deployment support all day, every day, both included with your subscription.
Ensure all your company-owned and bring-your-own (BYO) devices are managed and always up to date with the most flexible control over any Windows, Apple, and Android devices. Let employees choose devices and apps with intuitive, self-service support and deployment. Get the most integrated and complete device management, app lifecycle management, and user provisioning capabilities for Windows. Lower your total cost of ownership (TCO) and gain intelligent cloud-based management using co-management integration between Microsoft Endpoint Configuration Manager and Intune.
Shift to a modern desktop at your own pace while maintaining the control you require. Windows Autopilot. Desktop Analytics. Microsoft Endpoint Configuration Manager. Protect your data while maintaining productivity for your employees on the mobile devices and apps they choose. Mobile device management and mobile application management provide integrated data protection and compliance capabilities that let you be precise about what data different users can access as well as what they can do with the data within Office and other mobile apps.
Define comprehensive policies that only allow the right people under the right conditions to access your company data and ensure the data stays protected by controlling how they use it within Office and other mobile apps.
Enforce the policies based on conditions you specify such as user, location, device state, app sensitivity, and real-time risk. Proactively reduce the risk in your environment with AI and machine learning from billions of signals received in the cloud.
Azure Active Directory conditional access. Microsoft Defender ATP integration. Provide the Office experience your workers expect without compromising user productivity. Create a collaborative environment with granular data controls within Office mobile apps and enforce conditional access policies for Exchange, SharePoint, and Teams. Keep work and personal data separate in multi-identity apps by applying data security policies based on corporate user identities.
Microsoft Intune offers a device-only subscription service that helps organizations manage devices that aren't affiliated with specific users.
For more information about the purpose of Intune device licensing, see Microsoft Intune announces device-only subscription for shared resources. You can purchase device licenses based on your estimated usage. If the actual usage exceeds your current license limit, you don't have to purchase device licenses separately.
How to purchase the device-only subscription. Last Updated: Aug 1
It integrates with other services, including Microsoft and Azure Active Directory (Azure AD) to control who has access, and what they have access to, and Azure Information Protection for data protection. When you use it with Microsoft, you can enable your workforce to be productive on all their devices, while keeping your organization's information protected.
In Intune, you manage devices using an approach that's right for you. For organization-owned devices, you may want full control on the devices, including settings, features, and security. In this approach, devices and users of these devices "enroll" in Intune. Once enrolled, they receive your rules and settings through policies configured in Intune. For personal devices, or bring-your-own devices (BYOD), users may not want their organization administrators to have full control.
In this approach, give users options.
For example, users enroll their devices if they want full access to your organization resources. Or, if these users only want access to email or Microsoft Teams, then use app protection policies that require multi-factor authentication (MFA) to use these apps. Apply features and settings on your devices using device profiles.
Protect devices with Microsoft Intune. Mobile application management (MAM) in Intune is designed to protect organization data at the application level, including custom apps and store apps. App management can be used on organization-owned devices, and personal devices. One way that Intune provides mobile app security is through app protection policies. App protection policies:
For example, a user signs in to a device with their organization credentials. Their organization identity allows access to data that's denied to their personal identity. As that organization data is used, app protection policies control how the data is saved and shared. When users sign in with their personal identity, those same protections aren't applied.
In this way, IT has control of organization data, while end users maintain control and privacy over their personal data. And, you can use Intune with the other services in EMS. This feature provides your organization mobile app security beyond what's included with the operating system and any apps.
Apps managed with EMS have access to a broader set of mobile app and data protection features. Intune integrates with Azure AD to enable a broad set of access control scenarios. For example, require mobile devices be compliant with organization standards defined in Intune before accessing network resources, such as email or SharePoint.
Likewise, you can lock down services so they're only available to a specific set of mobile apps. Set rules on devices to allow access to your organization resources. Common ways to use Conditional Access with Intune. Intune is used in many sectors, including government, education, kiosk or dedicated device for manufacturing and retail, and more.
Set rules and configure settings on personal and organization-owned devices to access data and networks. Deploy and authenticate apps on devices -- on-premises and mobile.