Written by Mahidhar Adarsh, IT security team, ManageEngine
Updated on May 2026
What are Intune device actions
Intune device actions are remote commands that administrators issue from the Microsoft Intune admin center to manage enrolled devices. They're basically your remote control for every laptop, phone, and tablet in your fleet. You can wipe a lost laptop, restart a frozen kiosk, or strip corporate data from a personal phone, all without physically touching the device.
You'll run into these most often during everyday IT scenarios. When someone leaves the company, you can retire their device to remove corporate data while leaving personal files alone. If a device goes missing, a full wipe restores it to factory defaults so nothing sensitive remains accessible.
For routine troubleshooting, a remote restart or sync can fix configuration drift without a support ticket. To run a device action, you need an appropriate Intune administrator role, and the device has to be enrolled in Intune. Some actions are platform-specific: Fresh start only works on Windows devices, while Disable Activation Lock is iOS-only.
Available Intune device actions
Here's what you can do from the Intune admin center, along with platform support for each action.
| Action | What it does | Supported platforms |
| --- | --- | --- |
| Wipe | Restores the device to factory default settings and removes all data, apps, and settings | Windows, iOS/iPadOS, macOS, Android |
| Retire | Removes only company data (managed apps, email profiles, certificates) and leaves personal data intact | Windows, iOS/iPadOS, macOS, Android |
| Delete | Removes the device record from the Intune portal; does not change anything on the physical device | All enrolled platforms |
| Restart | Forces an immediate device restart | Windows, iOS/iPadOS |
| Sync | Forces the device to check in with Intune immediately to pick up pending policies or app assignments | All enrolled platforms |
| Fresh start | Reinstalls Windows while optionally preserving user data; removes pre-installed OEM apps | Windows only |
| Rename | Changes the device name in Intune and on the device itself | Windows, iOS/iPadOS |
| Remote lock | Locks the device screen immediately | iOS/iPadOS, macOS, Android |
| Reset passcode | Generates a new passcode or removes the existing one so the user can set a new one | iOS/iPadOS, Android |
| Disable Activation Lock | Removes the Activation Lock from a supervised iOS device without the user's Apple ID | iOS/iPadOS only |
| Autopilot reset | Removes user data and apps and reapplies the original Autopilot provisioning profile | Windows only |
| Custom notification | Sends a custom text notification to the Company Portal app on the device | iOS/iPadOS, Android |
Not every action is available on every device. The Intune admin center grays out unsupported actions based on the device's operating system and enrollment type.
How to run device actions from the Intune admin center
On the device overview page, select the action you want from the toolbar (for example, Restart or Retire).
Confirm the action when prompted.
The action status appears on the device's overview page under Device action status. Most actions execute within minutes, though timing depends on the device's network connectivity and check-in schedule.
Running bulk device actions
Bulk device actions let you apply the same command to multiple devices in one operation instead of repeating the process device by device.
In the Intune admin center, go to Devices > All devices.
Select Bulk device actions.
Choose the operating system, then choose the device action.
Select the devices or upload a CSV file with device serial numbers.
Confirm and run the action.
Bulk actions support a subset of individual device actions, so not everything in the single-device table above is available in bulk mode. Bulk delete is one of the more common operations, particularly during hardware refresh cycles or when decommissioning a fleet of devices.
Wipe vs. retire vs. fresh start vs. delete
Picking the wrong action here can leave corporate data exposed or erase someone's personal files. These differences matter.
| Action | Data removed | Device state after | Best use case |
| --- | --- | --- | --- |
| Wipe | All data, apps, and settings | Factory defaults, as if the device were brand new | Lost or stolen device; employee termination where the device is company-owned |
| Retire | Only company data (managed apps, email profiles, Wi-Fi profiles, certificates) | Personal data and apps remain; device is unenrolled from Intune | BYOD offboarding; employee leaves but owns the device |
| Fresh start | Pre-installed OEM apps and optionally user data; reinstalls Windows | Clean Windows installation with optional user data preservation | Repurposing a Windows device that has accumulated software bloat |
| Delete | Nothing on the physical device | Device record removed from Intune; the physical device is unchanged | Cleaning up stale records for devices already decommissioned or wiped |
One thing that trips people up: the difference between wipe and Autopilot reset. Wipe strips everything and returns the device to a generic factory state. Autopilot reset also removes user data and apps, but it preserves the device's Autopilot enrollment profile and Microsoft Entra ID join status, so the device can be reprovisioned without manual setup.
For personal iPhones enrolled in Intune, a full wipe is technically possible, but retire is almost always the better call. Wipe erases the user's personal photos, messages, and apps along with corporate data. Retire removes only the managed layer and leaves everything else untouched.
Security risks of unaudited device actions
Device actions carry real security consequences when they go unmonitored. Every wipe, retire, and delete changes your environment's security posture, and an attacker or rogue admin can abuse these commands.
An unauthorized wipe can function as a denial-of-service attack against your own organization. Imagine a compromised admin account with Intune device management permissions wiping production devices across an entire department. Employees go offline, local data that hasn't been backed up is gone, and the damage scales fast with bulk actions.
Retire actions carry a different risk. If a device is retired instead of wiped, corporate data is supposed to be removed, but personal apps that cached corporate files may retain copies. An attacker who compromises a retired BYOD device could access residual corporate data that the retire action didn't fully clean.
Bulk delete actions create a cover-your-tracks problem. After exfiltrating data or planting persistence mechanisms, an attacker could bulk-delete device records from Intune to hide which devices were compromised. Without an audit trail that extends beyond the native 30-day retention window, forensic investigators lose visibility into which devices were removed and when.
ADAudit Plus tracks every Intune device action through the Intune Device Actions report, showing who initiated the action, which device was affected, and when it happened.
Limitations of native Intune audit logs
Intune logs every device action in its built-in audit log, but the native logging has gaps that make it insufficient for security monitoring and compliance in production environments.
30-day retention. Audit log retention in the Intune admin center tops out at 30 days. After that, device action records are permanently deleted. If an investigation starts more than a month after an incident, the relevant logs are gone.
No real-time alerting. You can't configure Intune to send an email or SMS notification the moment a bulk wipe or suspicious delete action occurs. Detection depends on someone manually reviewing the logs, and that rarely happens fast enough.
No correlation with on-premises AD. Say an attacker compromises an admin account, modifies AD group memberships to gain Intune permissions, and then wipes devices. You're now investigating two separate consoles with no connection between them. Good luck piecing that timeline together.
No scheduled report delivery. You can't configure Intune to email a daily summary of device actions to your security team or compliance auditors automatically.
No user behavior analytics. Intune can't tell you that a single admin account just issued ten times more wipe commands than usual, or that device deletions are happening at 2am on a Saturday. Pattern detection requires a tool that builds behavioral baselines.
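The baseline and off-hours checks described in the last point, and the bulk-wipe scenario from the security risks section, can be sketched over archived device-action records. This is an added example, not code from the original article, ADAudit Plus, or Intune; the record fields, account names, device names, and thresholds are constructed assumptions rather than an Intune export schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DESTRUCTIVE = {"wipe", "retire", "delete"}

# Constructed sample records, not real Intune output; field names are assumed.
SAMPLE = [
    {"time": f"2026-05-12T10:{m:02d}:00Z", "actor": "admin-a@example.com",
     "action": "wipe", "device": f"LAPTOP-{m:02d}"} for m in range(12)
] + [
    {"time": "2026-05-16T02:10:00Z", "actor": "admin-b@example.com",
     "action": "delete", "device": "PHONE-07"},   # Saturday, 02:10 UTC
    {"time": "2026-05-13T11:00:00Z", "actor": "admin-b@example.com",
     "action": "sync", "device": "PHONE-08"},     # non-destructive, ignored
]

def find_anomalies(events, baseline_per_day, ratio=10,
                   window=timedelta(hours=1), work_hours=(7, 19)):
    """Flag off-hours destructive actions and per-admin bursts.

    baseline_per_day maps actor -> usual destructive actions per day (assumed
    to be computed from archived logs). A burst is `ratio` times that figure
    inside one sliding `window`. Hours are compared in UTC.
    """
    alerts, by_actor = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["action"] not in DESTRUCTIVE:
            continue
        t = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
        by_actor[e["actor"]].append(t)
        if t.weekday() >= 5 or not work_hours[0] <= t.hour < work_hours[1]:
            alerts.append(("off_hours", e["actor"], e["device"], e["time"]))
    for actor, times in by_actor.items():
        limit = max(1, baseline_per_day.get(actor, 0)) * ratio
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= limit:       # first crossing is enough
                alerts.append(("burst", actor, end - start + 1, t.isoformat()))
                break
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE, {"admin-a@example.com": 1}):
        print(alert)
```

The check is only as good as the history behind the baseline, so it needs records archived beyond the 30-day native retention window.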
ADAudit Plus includes pre-built reports under Cloud Directory > Intune Reports that cover the full range of Intune auditing scenarios. Each report captures who performed the action, which device or policy was affected, and the exact timestamp.
The available reports are:
Intune Device Actions: All remote device actions (wipe, retire, restart, lock, sync, rename) with the initiating user, target device, action type, and result.
Intune Device Enrollment: Enrollment events showing which devices were added to Intune management, by whom, and when.
Intune Device Sync Action: Sync commands issued to devices, with user and device details.
Delete Managed Device From Intune: Device removal events showing which records were deleted and who initiated the deletion.
Restart Managed Device: Remote restart actions with full context.
Device Compliance Policies: Changes to compliance policy configurations, including what was modified and the old and new values.
Device Configuration Policies: Changes to device configuration profiles.
Intune Application Activity: Application deployment and usage events across managed devices.
To access these reports, go to Cloud Directory > Intune Reports and select the report you need.
FAQ
Nothing. Microsoft hasn't announced a replacement. In 2023, Microsoft rebranded Microsoft Endpoint Manager to the Microsoft Intune product family, consolidating Intune and Configuration Manager under one brand.
Intune is still Microsoft's primary cloud-based endpoint management platform.
Yes, if the iPhone is enrolled in Intune, a full wipe is technically possible. But for BYOD devices, retire is almost always the better choice.
Retire removes only corporate data (managed apps, email profiles, certificates) and leaves personal photos, messages, and apps intact. A full wipe erases everything, which is really only appropriate for company-owned hardware.
They solve different problems. Group Policy manages domain-joined Windows devices in an on-premises Active Directory environment.
Intune manages cloud-enrolled devices across Windows, iOS, macOS, and Android, regardless of whether they're domain-joined. Organizations with a hybrid environment often use both: GPO for on-premises domain-joined workstations and Intune for cloud-managed and BYOD devices.