How to Configure Intune Device Cleanup Rules for Automatic Stale Device Removal

Before configuring device cleanup rules, confirm you have the necessary permissions. Navigate to the Microsoft Intune admin center and check your role assignments.

Open your browser and go to https://intune.microsoft.com. Sign in with your administrative account and navigate to Tenant administration > Roles > My permissions.

Verify you have one of these roles:

• Intune Service Administrator (full access)
• Custom role with these specific permissions:
  • Managed Device Cleanup Rules/Update
  • Managed Device Cleanup Settings/Update
  • Organization/Read
  • Managed devices/Read

Navigate to the device cleanup rules configuration area within the Intune admin center. This is where you'll create and manage all your cleanup policies.

From the Intune admin center main dashboard:

1. Click Devices in the left navigation pane
2. Under the "Organize devices" section, click Device cleanup rules
3. You'll see the device cleanup rules overview page showing any existing rules

The interface displays current rules, their status, and the number of devices affected by each rule. If this is your first time setting up cleanup rules, the list will be empty.

Before creating cleanup rules, analyze your current device inventory to determine appropriate inactivity thresholds. This prevents accidentally hiding devices that are legitimately offline.

Navigate to Devices > All devices to review your device inventory. Use the built-in filters to analyze device activity:

1. Click the Filter button at the top of the device list
2. Add filter criteria:
   • Last check-in: Set to "Older than 30 days"
   • Platform: Select specific platforms if needed
   • Compliance state: Review non-compliant devices
3. Export the filtered results by clicking Export to analyze in Excel

Review the exported data to identify patterns:

• How many devices haven't checked in for 30, 60, 90+ days?
• Are there seasonal patterns (vacation periods, remote work)?
• Which platforms have longer offline periods?

Now create a device cleanup rule with your determined inactivity threshold. Start with a conservative approach for your first rule.

From the Device cleanup rules page, click Create to start the rule creation wizard:

Basic Settings Configuration:

1. Name: Enter a descriptive name like "Windows Devices - 90 Day Cleanup"
2. Description: Add details like "Hides Windows devices inactive for 90+ days to maintain clean inventory"
3. Platform: Select your target platform:
   • Choose All platforms for universal cleanup
   • Select Windows for platform-specific rules (recommended for granular control)
   • Other options: Android (AOSP), Android (fully managed), iOS/iPadOS, macOS

Click Next to proceed to rule settings.

Rule Settings Configuration:

1. In the "Remove devices that haven't checked in for this many days" field, enter your threshold (between 30-270 days)
2. For your first rule, use 90 days as a conservative starting point
3. Click Preview affected devices to see which devices will be hidden by this rule

Review the preview carefully - these devices will be hidden from your Intune console once the rule is active.

Complete the rule creation process by reviewing all settings and deploying the rule to your environment.

On the "Review + create" page:

1. Verify all settings are correct:
   • Rule name and description
   • Target platform
   • Inactivity threshold (days)
   • Estimated affected devices
2. If everything looks correct, click Create
3. If you need to make changes, click Previous to go back

After clicking Create, the rule will be active immediately and will run on Microsoft's automated schedule. The system will begin hiding devices that meet the inactivity criteria.

Monitor the rule's impact by returning to Devices > Device cleanup rules. You'll see:

• Rule status (Active/Inactive)
• Number of devices currently hidden by the rule
• Last run timestamp
• Platform targeting information

Create additional cleanup rules for different platforms to optimize your device management strategy. Different device types often have different usage patterns requiring tailored approaches.

Return to Devices > Device cleanup rules and click Create for each additional platform:

Recommended Platform-Specific Thresholds:

For each platform rule:

1. Name: Use format "[Platform] - [Threshold] Day Cleanup" (e.g., "iOS Devices - 120 Day Cleanup")
2. Platform: Select the specific platform
3. Threshold: Use the recommended values above as starting points
4. Preview: Always check affected devices before creating

Create rules in this order of priority:

1. Windows devices (highest volume, most predictable patterns)
2. Android devices (second highest volume)
3. iOS/iPadOS devices
4. macOS devices (if applicable)

Regularly monitor your cleanup rules to ensure they're working effectively and adjust thresholds based on real-world usage patterns.

Set up a monitoring routine by checking these metrics weekly:

Key Metrics to Track:

1. Devices hidden per rule: Navigate to Devices > Device cleanup rules
2. Total device count changes: Compare Devices > All devices counts over time
3. Device reappearance rate: Track how many hidden devices come back online
4. Help desk tickets: Monitor for users reporting "missing" devices

Monthly Review Process:

# Use Microsoft Graph PowerShell to export device data for analysis
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# Get all managed devices with last sync time
$devices = Get-MgDeviceManagementManagedDevice -All | Select-Object DeviceName, Platform, LastSyncDateTime, ComplianceState

# Export for analysis
$devices | Export-Csv -Path "C:\temp\intune-devices-$(Get-Date -Format 'yyyy-MM-dd').csv" -NoTypeInformation

# Analyze devices by platform and last sync
$devices | Group-Object Platform | ForEach-Object {
    $platformDevices = $_.Group
    $staleDevices = $platformDevices | Where-Object { $_.LastSyncDateTime -lt (Get-Date).AddDays(-60) }
    Write-Output "$($_.Name): $($staleDevices.Count) devices older than 60 days"
}

Adjustment Guidelines:

• Too many devices hidden: Increase threshold by 30 days
• Too few devices hidden: Decrease threshold by 15 days
• Frequent reappearances: Consider increasing threshold for that platform
• User complaints: Review specific device patterns and adjust accordingly

Since Intune cleanup rules only hide devices from the Intune console, implement separate procedures to clean up stale devices from Microsoft Entra ID for complete environment hygiene.

Access the Microsoft Entra admin center at https://entra.microsoft.com and navigate to Identity > Devices > All devices.

Identify Stale Entra ID Devices:

1. Use the filter options to find inactive devices:
   • Activity: Set to "Inactive for more than 60 days"
   • Join type: Filter by "Azure AD joined" or "Hybrid Azure AD joined"
   • Device state: Look for "Enabled" devices that are actually stale
2. Export the filtered list for analysis
3. Cross-reference with your Intune hidden devices list

Cleanup Procedures by Join Type:

For Azure AD Joined Devices:

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Device.ReadWrite.All"

# Get devices inactive for more than 90 days
$cutoffDate = (Get-Date).AddDays(-90)
$staleDevices = Get-MgDevice -All | Where-Object {
    $_.ApproximateLastSignInDateTime -lt $cutoffDate -and
    $_.TrustType -eq "AzureAd"
}

# Review before deletion
$staleDevices | Select-Object DisplayName, ApproximateLastSignInDateTime, TrustType | Format-Table

# Delete stale devices (uncomment when ready)
# $staleDevices | ForEach-Object { Remove-MgDevice -DeviceId $_.Id }

For Hybrid Azure AD Joined Devices:

• Delete stale computer objects in on-premises Active Directory
• Move stale objects to an OU not synced with Azure AD Connect
• Use Azure AD Connect to sync the deletions to Entra ID

Automated Cleanup Script:

# Weekly cleanup script for Entra ID devices
param(
    [int]$DaysInactive = 90,
    [switch]$WhatIf = $true
)

Connect-MgGraph -Scopes "Device.ReadWrite.All"

$cutoffDate = (Get-Date).AddDays(-$DaysInactive)
$staleDevices = Get-MgDevice -All | Where-Object {
    $_.ApproximateLastSignInDateTime -lt $cutoffDate -and
    $_.TrustType -eq "AzureAd" -and
    $_.AccountEnabled -eq $true
}

Write-Output "Found $($staleDevices.Count) stale devices older than $DaysInactive days"

if ($WhatIf) {
    $staleDevices | Select-Object DisplayName, ApproximateLastSignInDateTime | Format-Table
} else {
    $staleDevices | ForEach-Object {
        Write-Output "Deleting device: $($_.DisplayName)"
        Remove-MgDevice -DeviceId $_.Id
    }
}