
Streamlining Endpoint Management: Mastering Device Clean-Up in Microsoft Intune


Device clean-up in Intune automatically hides stale or inactive devices that haven’t checked in for a defined period (e.g., 90 days). It’s required to keep your Intune environment clean, reduce clutter, free up licenses, and improve compliance/security. Below is the step-by-step setup process along with a flowchart and infographic.


🔹 What is Device Clean-Up in Intune?

  • Definition: A rule that hides inactive devices from the Intune portal and reports.

  • Key Point: It does not wipe or retire devices; it only hides them.

  • Reappearance: Devices can reappear if they check in before their certificate expires.


🔹 Why is Device Clean-Up Required?

  • Keeps inventory clean – avoids clutter from unused devices.

  • Improves compliance & reporting – ensures only active devices are tracked.

  • Frees up resources/licenses – prevents inactive devices from consuming Intune licenses.

  • Enhances security – reduces visibility of unmanaged or stale devices.


🔹 Step-by-Step Process to Set Up Device Clean-Up in Intune

  1. Log in to Microsoft Endpoint Manager Admin Center.

  2. Navigate to Devices > Cleanup Rules.

  3. Click “Create Rule”.

  4. Select Platform (Windows, iOS, Android, etc.).

  5. Set Inactivity Threshold (e.g., 90 days).

  6. Save & Apply the rule.

  7. Result: Devices that have not checked in within the threshold are hidden automatically.


Here’s a practical PowerShell script example you can use to automate reporting on stale devices in Intune. This script queries Intune via Microsoft Graph API, identifies devices that haven’t checked in for a defined period (e.g., 90 days), and exports the results into a CSV report for review.


# Intune Device Cleanup Reporting Script
# Author: Mrugesh Paralikar
# Purpose: Identify and report inactive devices in Intune

# Load the Microsoft Graph PowerShell modules used below
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.DeviceManagement

# Connect to Microsoft Graph (read-only scope for managed devices)
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# Define inactivity threshold (in days)
$thresholdDays = 90
$cutoffDate = (Get-Date).AddDays(-$thresholdDays)

# Get all managed devices from Intune
$devices = Get-MgDeviceManagementManagedDevice -All

# Filter devices that haven't checked in since cutoff date
$inactiveDevices = $devices | Where-Object {
    $_.LastSyncDateTime -lt $cutoffDate
}

# Export results to CSV (create the report folder first if it does not exist)
$reportPath = "C:\Reports\Intune_InactiveDevices.csv"
New-Item -ItemType Directory -Path (Split-Path $reportPath) -Force | Out-Null
$inactiveDevices | Select-Object DeviceName, OperatingSystem, LastSyncDateTime, ComplianceState |
    Export-Csv -Path $reportPath -NoTypeInformation

Write-Host "Inactive device report generated at $reportPath"


🔹 How This Script Works

  • Connects to Microsoft Graph with the required Intune permissions.

  • Defines a threshold (default: 90 days).

  • Pulls all managed devices from Intune.

  • Filters devices that haven’t synced since the cutoff date.

  • Exports results into a CSV file for easy review and action.


📊 Suggested Workflow

  1. Run this script monthly to generate a fresh report.

  2. Review inactive devices with your team.

  3. Apply Intune cleanup rules to automatically hide them.

  4. Use the CSV report for compliance audits and license optimization.
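
To support the review step in the workflow above, the following added example (not part of the original script) triages stale devices before a cleanup rule hides them, and separates out devices that never synced at all. The function name Get-StaleDeviceTriage and the sample devices are assumptions made for illustration; LastSyncDateTime is assumed to be a DateTime value, as in the report script.

```powershell
# Added example. Get-StaleDeviceTriage is a hypothetical helper, and the
# devices in $sample are constructed; property names match the report above.
function Get-StaleDeviceTriage {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        [int] $ThresholdDays = 90,
        [datetime] $Now = [datetime]::UtcNow
    )
    $cutoff = $Now.AddDays(-$ThresholdDays)
    foreach ($d in $Devices) {
        $last = $d.LastSyncDateTime
        # No timestamp, or the default year-0001 value, means the device never
        # synced. "$null -lt $cutoffDate" is true, so a plain comparison would
        # report these as ordinary stale devices.
        $neverSynced = ($null -eq $last) -or ($last.Year -le 1)
        if (-not $neverSynced -and $last.ToUniversalTime() -ge $cutoff) { continue }

        $days = $null
        $triage = 'NeverSynced'
        if (-not $neverSynced) {
            $days = [int][math]::Floor(($Now - $last.ToUniversalTime()).TotalDays)
            $triage = if ($days -ge 2 * $ThresholdDays) { 'LongStale' } else { 'Stale' }
        }
        [pscustomobject]@{
            DeviceName      = $d.DeviceName
            OperatingSystem = $d.OperatingSystem
            ComplianceState = $d.ComplianceState
            DaysInactive    = $days
            Triage          = $triage
        }
    }
}

# Constructed sample standing in for the output of Get-MgDeviceManagementManagedDevice -All
$now = [datetime]::new(2025, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)   # fixed date so the run is repeatable
$sample = @(
    [pscustomobject]@{ DeviceName = 'WIN-ACTIVE'; OperatingSystem = 'Windows'; ComplianceState = 'compliant';    LastSyncDateTime = $now.AddDays(-12) }
    [pscustomobject]@{ DeviceName = 'WIN-STALE';  OperatingSystem = 'Windows'; ComplianceState = 'noncompliant'; LastSyncDateTime = $now.AddDays(-120) }
    [pscustomobject]@{ DeviceName = 'IOS-OLD';    OperatingSystem = 'iOS';     ComplianceState = 'unknown';      LastSyncDateTime = $now.AddDays(-400) }
    [pscustomobject]@{ DeviceName = 'AND-NEW';    OperatingSystem = 'Android'; ComplianceState = 'unknown';      LastSyncDateTime = $null }
    [pscustomobject]@{ DeviceName = 'WIN-EMPTY';  OperatingSystem = 'Windows'; ComplianceState = 'unknown';      LastSyncDateTime = [datetime]::MinValue }
)

$triaged = Get-StaleDeviceTriage -Devices $sample -Now $now
$triaged | Sort-Object DaysInactive -Descending | Format-Table -AutoSize
$triaged | Group-Object OperatingSystem, Triage -NoElement | Format-Table -AutoSize
```

Never-synced entries are worth reviewing separately from long-stale ones, since a device that was just enrolled can look identical to an abandoned record in a plain date comparison.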



 
 
 
