Retire confusing description

  • Question

  • In Intune, the Retire description states

    Are you sure you want to remove company data on this device? This will only remove company data managed by Intune. The user's personal data is not removed. The device will no longer be managed by Intune, and will no longer be able to access corporate resources. Removing company data is not supported for Windows devices that are joined to Azure Active Directory. Any Win32 app deployed using Intune will not be automatically removed from the device, when the device is retired. The Win32 app and the data it contains will remain on the device. If the Win32 app is not removed prior to retiring the device, the end user will need to take explicit action on the device to remove the app.

    The first statement and fifth statement don't seem to gel together. So we retire because we want to remove company data, yet if the computer is AAD-joined, it's not supported, so no removal of company data? Then there's little point to retiring AAD-joined computers, other than to expressly exclude it from Intune MDM?

    UPDATE

    I initiated a retire command for a test computer. Client side, the OS informed me that the organisation has disconnected the computer and removed data, and I see from dsregcmd it is no longer AAD-joined. I did not expect this; thought one still had to manually unjoin the computer.

    While Intune (expectedly) no longer lists the device, Azure AD continues to list it.

    Is the device supposed to be automatically unjoined after retire? Why the mismatch between client OS and Azure AD?


    The melody of logic will always play out the truth. ~ Narumi Ayumu, Spiral


    • Edited by icelava Tuesday, December 3, 2019 8:16 AM update
    Tuesday, December 3, 2019 7:51 AM

All replies

  • Hello,

    Basically, if the Azure AD joined device is retired from Intune portal, the Azure AD account will be removed from the client device. That means the device has already un-joined from the Azure AD. 

    However, the device record is still listed in the Azure AD. This is by design. Based on my experience, there is no impact for the re-enrollment of this device. 

    For the details about the retire operation, please click the following link. The article describes the data that will be removed by the retire action.

    https://docs.microsoft.com/en-us/intune/remote-actions/devices-wipe#retire


    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, December 4, 2019 3:01 AM
  • That page states AAD unjoin, and the Azure AD record is removed. Well the client side certainly did unjoin, but Azure AD side the device remains. If you state that is by design, then it does not tally with the documentation. What scenario was considered to deem it a good outcome for deliberately leaving the (misleading) entry to remain in Azure AD? It's a picture that is out of sync.

    Furthermore, the contrasting description text from the Retire button is still not properly explained.

    "Removing company data is not supported for Windows devices that are joined to Azure Active Directory."

    Why not supported? Is it because the device will be unjoined anyway? Nowhere does it even state an unjoin will happen in the first place.

    That descriptive text needs to be much clearer on what exactly will happen. + any other clean-up actions administrators need to be aware of (e.g. manually deleting Azure AD entry)


    The melody of logic will always play out the truth. ~ Narumi Ayumu, Spiral



    • Edited by icelava Wednesday, December 4, 2019 11:02 AM grammar
    Wednesday, December 4, 2019 7:02 AM
  • Hello,

    I'm sorry. Based on the documentation, the Azure AD record should be removed.

    It sounds like the doc and UI are not identical to the actual behavior.

    I would recommend submitting a new feature request on the Intune UserVoice site, or voting for the same request below.

    https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/36208801-delete-device-in-azure-intune-option-to-delete-al

    For the documentation, you can add a comment on the page of the documentation.

    Best regards,

    Andy Liu



    • Marked as answer by icelava Monday, December 9, 2019 8:41 AM
    Monday, December 9, 2019 5:08 AM
  • Thanks, but I guess I will never understand what the statement even means.

    "Removing company data is not supported for Windows devices that are joined to Azure Active Directory."


    The melody of logic will always play out the truth. ~ Narumi Ayumu, Spiral

    Monday, December 9, 2019 8:42 AM
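
The mismatch discussed in this thread (Intune drops the device after Retire while Azure AD keeps listing it) can be reported from the tenant side. The script below is an added example, not part of the original thread or Microsoft's documentation; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can read both inventories. It only lists records and deletes nothing.

```powershell
# Added example: read-only report of Azure AD device records that have no
# matching Intune managed device, e.g. records left behind after a Retire.
# Assumption: Microsoft Graph PowerShell SDK modules
# Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.DeviceManagement.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceManagementManagedDevices.Read.All'

# Collect the Azure AD device IDs that Intune still manages.
$managedIds = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
Get-MgDeviceManagementManagedDevice -All | ForEach-Object {
    if ($_.AzureAdDeviceId) { [void]$managedIds.Add($_.AzureAdDeviceId) }
}

# Azure AD joined Windows records with no Intune counterpart.
# Caveat: this also matches joined devices that were never enrolled in Intune,
# so confirm the client state (dsregcmd /status on the device) before cleanup.
$orphans = Get-MgDevice -All |
    Where-Object {
        $_.TrustType -eq 'AzureAd' -and
        $_.OperatingSystem -eq 'Windows' -and
        -not $managedIds.Contains($_.DeviceId)
    } |
    Select-Object DisplayName, DeviceId, AccountEnabled,
                  ApproximateLastSignInDateTime, Id |
    Sort-Object ApproximateLastSignInDateTime

# Oldest sign-ins first: the most likely stale entries appear at the top.
$orphans | Format-Table -AutoSize
```

Records that still show `AccountEnabled` as true and an old `ApproximateLastSignInDateTime` are the ones to review for manual removal from Azure AD.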