Being able to remotely wipe a device is one of the core reasons organisations use Intune. Whether a laptop is lost, stolen, or being decommissioned, Intune gives you several remote actions to remove company data or perform a full factory reset. This guide covers all the remote wipe options, when to use each, and what happens to BitLocker keys and user data.
Remote actions available in Intune
Full wipe (factory reset)
You will be asked to confirm with two options:
- Wipe device, but keep enrolment state and associated user account - the device resets but Autopilot registration and user assignment are kept, so it re-enrols automatically after reset
- Wipe device and continue to wipe even if device loses power - recommended for lost/stolen devices. Sets a flag that makes the device continue wiping even if it is restarted mid-process
Retire (remove company data)
Retire is the correct action for BYOD devices or for employees who are leaving. It removes:
- Company email profiles and data
- Company apps deployed via Intune
- Wi-Fi and VPN profiles
- Certificates deployed via Intune
- Compliance policies
It does not remove personal apps, photos, documents, or the operating system.
Fresh Start
Fresh Start reinstalls a clean version of Windows while optionally keeping the user's personal files. It removes all apps installed by the previous MDM enrolment. Useful for devices that have accumulated too much cruft but where the user's documents need to be preserved.
Autopilot Reset
Autopilot Reset returns the device to a business-ready state without a full OS reinstall. It keeps the Entra ID join, Autopilot hardware hash registration, and any Autopilot deployment profile settings. Use this when reassigning a company device to a new employee.
BitLocker keys before wiping
Before wiping any BitLocker-encrypted device, retrieve the recovery key from Entra ID in case you need it later:
Copy and store the recovery key securely before triggering the wipe. Once the wipe completes, the key stored against that device ID in Entra ID is no longer valid.
Monitor the wipe status
After triggering a remote action, monitor its status under:
The action shows as Pending until the device checks in, then transitions to Complete. For online devices this typically happens within 15 minutes.
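The same order of operations (save the recovery key, wipe, then check status) scripted against Microsoft Graph, as an added example that is not part of the original guide. Assumptions: the Microsoft.Graph.Authentication and Microsoft.PowerShell.SecretManagement modules are installed with a default secret vault registered, the parameter names are hypothetical, and the Graph `keepEnrollmentData` parameter is taken to correspond to the portal's keep-enrolment option.

```powershell
# Added example: escrow BitLocker recovery keys, then wipe, then report action status.
param(
    [Parameter(Mandatory)] [string] $DeviceName,   # hypothetical parameter names
    [switch] $KeepEnrollment,                      # keep enrolment state across the reset
    [switch] $Execute                              # without this, nothing is wiped
)

Connect-MgGraph -NoWelcome -Scopes @(
    'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementManagedDevices.PrivilegedOperations.All',
    'BitLockerKey.Read.All'
)
$base = 'https://graph.microsoft.com/v1.0'

# 1. Resolve exactly one managed device; refuse to act on an ambiguous name.
$name  = $DeviceName.Replace("'", "''")
$uri   = "$base/deviceManagement/managedDevices?`$filter=deviceName eq '$name'"
$found = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value)
if ($found.Count -ne 1) { throw "Expected 1 device named '$DeviceName', found $($found.Count)." }
$device = $found[0]

# 2. Recovery keys are stored against the Entra device ID, not the Intune device ID.
$uri  = "$base/informationProtection/bitlocker/recoveryKeys?`$filter=deviceId eq '$($device.azureADDeviceId)'"
$keys = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value)
if ($keys.Count -eq 0) { Write-Warning 'No BitLocker recovery key found for this device.' }
foreach ($k in $keys) {
    # The key value is only returned when explicitly selected; each read is audited.
    $full = Invoke-MgGraphRequest -Method GET -Uri "$base/informationProtection/bitlocker/recoveryKeys/$($k.id)?`$select=key"
    # Store in the default secret vault instead of printing to the console.
    Set-Secret -Name "bitlocker-$($device.azureADDeviceId)-$($k.id)" -Secret $full.key
}

# 3. Queue the wipe only when explicitly requested.
if ($Execute) {
    $body = @{ keepEnrollmentData = [bool]$KeepEnrollment; keepUserData = $false } | ConvertTo-Json
    Invoke-MgGraphRequest -Method POST -Uri "$base/deviceManagement/managedDevices/$($device.id)/wipe" `
        -Body $body -ContentType 'application/json'
    Write-Host "Wipe queued for $($device.deviceName); it runs at the next check-in."
}

# 4. Report remote action status for the device (Pending until it checks in).
$current = Invoke-MgGraphRequest -Method GET -Uri "$base/deviceManagement/managedDevices/$($device.id)"
foreach ($a in $current.deviceActionResults) {
    '{0}: {1} (last updated {2})' -f $a.actionName, $a.actionState, $a.lastUpdatedDateTime
}
```

Run it once without `-Execute` to confirm the device match and key escrow before queuing the wipe.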
Frequently Asked Questions
Wipe performs a full factory reset of the device, removing all data and reinstalling Windows. Retire removes the device from Intune management and removes company data (apps, policies, email profiles) but leaves personal data intact. Use Retire for BYOD devices and Wipe for company-owned devices being decommissioned or re-imaged.
By default, yes. The Wipe action removes the BitLocker recovery key from Entra ID. If you need to recover data before wiping, retrieve the BitLocker key from the Entra ID portal first under Devices > select device > Recovery keys.
The wipe command is delivered to the device at its next Intune check-in, which is typically within 15 minutes for online devices. The Windows reset itself takes 20-40 minutes depending on hardware. For offline devices, the command queues and executes when the device next connects.
The wipe command queues in Intune and is delivered when the device next comes online. For a device that is lost or stolen and may never come back online, also consider contacting your mobile carrier to block the SIM (for cellular devices) and filing a police report.