You can perform several actions on your organization’s enrolled devices, as shown in Figure 3-16. For computers running Windows 11, these actions are:
- Retire: Initiates device retirement. When you choose to retire a device, only company data is removed. Intune no longer manages the device, and the device can no longer access corporate resources and data. You cannot access company data from devices that are joined to Azure AD.
- Wipe: Wipes a device. This action performs a factory reset on the device, which removes both company and user data. When you choose Wipe, you can choose additional options:
  - Wipe device, but keep enrollment state and associated user account
  - Wipe device, and continue to wipe even if device loses power
- Delete: Removes the device from Microsoft Intune but does not modify device settings or software.
- Remote Lock: Forces a lock on supported devices, even if you do not have the device in your possession.
- Sync: Forces the selected device to immediately check in with Intune and receive any pending actions or policies assigned to it.
- Reset Passcode: Forces the user to reset the passcode on supported devices.
- Restart: Restarts the remote device.
- Collect Diagnostics: Instructs Intune to collect available diagnostic data from selected devices. You can access the data from Intune by selecting the Monitor > Device Diagnostics node.
- Fresh Start: Removes any apps that were installed on a Windows 11 PC running the Creators Update and updates the PC to the latest version of Windows.
- Autopilot Reset: Removes personal files, apps, and settings. Resets Windows devices and applies the original management settings from Azure AD and Intune.
- Quick Scan: Runs a quick malware scan on the selected device.
- Full Scan: Runs a full malware scan on the selected device.
- Update Windows Defender Security Intelligence: Initiates an update of malware definitions for the device.
- Rotate Local Admin Password: Rotates the local admin password on the target device according to Local Admin Password Solution (LAPS) policy settings. Requires that you have already enabled and configured LAPS.
- BitLocker Key Rotation: Removes all BitLocker encryption keys on the device. A single key is then escrowed to the identity provider (Azure AD or AD DS).
- Rename Device: Changes the name of the selected device.
- New Remote Assistance Session: Enables remote access to the target device, assuming you have added the Remote Help feature to Intune and that the target device has a user with a Microsoft Intune Remote Help license.
- Locate Device: Helps you locate lost or stolen devices.
FIGURE 3-16 Preparing to wipe a Windows device in Intune
The available actions depend on the type of device and whether the device is personally owned or corporate-owned.
Ensure you are familiar with the actions you can perform on all supported operating systems.