Retire azure ad hybrid-joined device from Intune

testuser7 271 Reputation points
2022-09-15T12:38:54.593+00:00

Hello,

I have an AAD hybrid-joined Windows 10 device that is managed by Intune.

Can I RETIRE this device from Intune by firing the RETIRE action?
If yes, then I believe the retire task has to take care to turn off the automatic scheduler that puts the device in AAD.

Am I right?

And secondly, will the retire task take care of unjoining the device from on-prem AD also?

Appreciate your help.


8 answers

  1. Jarvis Sun-MSFT 10,091 Reputation points Microsoft Vendor
    2022-09-16T06:58:34.13+00:00

    Hi @testuser7 Thanks for posting in our Q&A.

    Yes, you are right. One of the unique features of Intune is the fact that it has Selective Wipe. If you simply retire the device, it will:
    remove the device from the portal
    remove the company data from the device (managed applications)
    remove the company email profiles (managed profiles)
    remove management profiles
    If you Retire & Wipe, it does all of that but also resets the device to factory settings. You would use that in the case of a stolen device and/or repurposing a device for someone else to use.
    In most cases you will want to just retire the device rather than wipe it.
    https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe?source=recommendations#windows

    And secondly, will the retire task take care of unjoining the device from on-prem AD also?
    As far as I know, retire doesn't affect on-prem AD; only Azure AD is disconnected.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

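    An added example (not from the thread or from Microsoft's documentation) that lets you fire the Retire action and then observe, rather than assume, what the device's join state looks like before and after Intune processes it. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds the DeviceManagementManagedDevices.PrivilegedOperations.All permission; "HYBRID-PC-01" is a placeholder device name and the dsregcmd /status text is a constructed sample, not captured from a real machine.

```powershell
# Added example, not code from the original thread. Assumptions: Microsoft.Graph SDK installed,
# DeviceManagementManagedDevices.PrivilegedOperations.All granted, "HYBRID-PC-01" is a placeholder,
# and the dsregcmd sample text below is constructed.

# --- 1. Trigger the Retire action from Intune through Microsoft Graph -----------------------
function Invoke-IntuneRetire {
    param([Parameter(Mandatory)][string]$DeviceName)

    $scopes = @('DeviceManagementManagedDevices.PrivilegedOperations.All',
                'DeviceManagementManagedDevices.Read.All')
    Connect-MgGraph -Scopes $scopes | Out-Null

    $filter = [uri]::EscapeDataString("deviceName eq '$DeviceName'")
    $uri    = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=$filter"
    $device = (Invoke-MgGraphRequest -Method GET -Uri $uri).value | Select-Object -First 1
    if (-not $device) { throw "No Intune managed device named '$DeviceName'" }

    # Retire = selective wipe: company data, managed profiles and the MDM enrollment are removed,
    # personal data stays. Nothing in this call touches the on-prem AD computer account.
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($device.id)/retire"
    return $device.id
}

# --- 2. Read the join state on the device itself (dsregcmd /status) ------------------------
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        # Fields look like "   AzureAdJoined : YES"; box-drawing header lines do not match.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(\S.*?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }
    return $status
}

function Get-JoinState {
    param([Parameter(Mandatory)][hashtable]$Status)
    $aad = $Status['AzureAdJoined'] -eq 'YES'
    $ad  = $Status['DomainJoined']  -eq 'YES'
    if ($aad -and $ad) { return 'HybridAzureAdJoined' }
    if ($aad)          { return 'AzureAdJoined' }
    if ($ad)           { return 'DomainJoinedOnly' }
    return 'NotJoined'
}

# Constructed sample of the relevant dsregcmd /status fields for a hybrid-joined device.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
'@ -split "`r?`n"

Get-JoinState -Status (ConvertFrom-DsregStatus -Lines $sample)   # HybridAzureAdJoined

# On the device: run the same check before the retire and again after the next Intune check-in,
# and inspect the scheduled task that performs automatic hybrid join registration.
# Get-JoinState -Status (ConvertFrom-DsregStatus -Lines (dsregcmd /status))
# Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join' |
#     Select-Object TaskName, State
```

    Retire is processed on the device at its next check-in, so the second dsregcmd reading only means something once the device has dropped out of the Intune portal. The Automatic-Device-Join task is the "automatic scheduler" the question refers to; whether it is still enabled after the retire is something to read off the device rather than infer.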

  2. testuser7 271 Reputation points
    2022-09-16T12:24:52.623+00:00

    Thanks @Jarvis Sun-MSFT

    Yes, I agree that RETIRE from Intune will NOT affect the on-prem AD.
    So after the retire is done, the device can be said to be ONLY AD-domain joined.

    Instead of retire, if I remotely send a FULL WIPE from Intune, I believe the new user will go through the OOBE.
    He will start by putting in his region, country, Wi-Fi etc.
    So in this case, technically from the device side the connection to on-prem AD is lost.

    So what happens to the existing device object in on-prem AD?
    Is it called an orphaned object?
    And secondly,
    if this device again gets fully hybrid-joined, will it utilize this orphaned object, or will a new device object be created in on-prem AD?


  3. testuser7 271 Reputation points
    2022-09-16T16:30:02.677+00:00

    Thanks @Jason Sandys
    I agree with you that Intune has no control on on-prem AD

    Yes, I just found out that WIP is deprecated.
    Now everything is through MIP (you guys changed the name one more time :) )

    One question on that note.
    So now, on Intune, the app-protection policy for Windows will NOT be needed.
    Right now it is for Enlightened Apps.
    But I believe this is now deprecated.

    Am I right ?


  4. testuser7 271 Reputation points
    2022-09-16T16:40:37.9+00:00

    When I say name change, I mean that you have now added the word "purview" (Microsoft Purview Information Protection).

    Of course MIP is NOT the same as WIP.

    So "Intune SDK enabled apps" will still stay as they are for Android and iOS
    Right ?

    Thanks.


  5. Jason Sandys 31,161 Reputation points Microsoft Employee
    2022-09-16T19:06:11.453+00:00

    When I say name change, I mean that you have now added the word "purview" (Microsoft Purview Information Protection).

    Ahh, OK. Yes, you are correct.

    So "Intune SDK enabled apps" will still stay as they are for Android and iOS. Right ?

    Correct. WIP and APP for Android and iOS are two very different things (even though they conceptually overlap); we are fully committed to APP for iOS and Android.
