How to Use Intune Device Cleanup Rules and Audit Logs to Manage Stale Devices

Intune Device Cleanup Rules help keep your tenant organised, ensuring accurate reporting, faster troubleshooting, and a cleaner device inventory. In this guide, I will walk through how to add a user as an Intune Administrator, set up Device Cleanup Rules, and view Audit Logs to confirm which devices have been hidden.

I’ll also explain what happens behind the scenes, including what cleanup rules do (and don’t do), what happens when a device checks back in, and how this affects Microsoft Entra ID.


Add a User as an Intune Administrator

To create or manage cleanup rules, the account you’re using must have the Intune Service Administrator role, or a custom role with permission to update Managed Device Cleanup Rules.

  1. Go to the Microsoft Entra admin centre: https://entra.microsoft.com
  2. Select Roles and administrators > Intune Service Administrator > + Add assignments
  3. Search for the user you want to delegate access to.
  4. Select the user, click Add, and wait a few seconds for permissions to apply.
Intune Administrator

Once added, the user will have the rights needed to create and edit Device Cleanup Rules in the Intune admin centre.

Create Intune Device Cleanup Rules

Device Cleanup Rules let you automatically hide inactive or stale devices that haven’t checked in for a defined number of days.

To create a cleanup rule:

  1. Go to the Microsoft Intune admin centre: https://intune.microsoft.com
  2. In the left-hand menu, select Devices > Device cleanup rules
  3. Click + Create
  4. Under Basics, set:
     • Name: Cleanup – Windows – 60 days (or whatever you want)
     • Description: Hides Windows devices that haven’t checked in for 60 days
     • Platform: Windows
  5. Under Rule settings, set the inactivity threshold: the number of days since a device last checked in after which it is hidden (60 here, to match the rule name above).
  6. Use Preview affected devices to see which records will be hidden.
  7. Click Next > Review + create > Create

Device Cleanup Rules

You can repeat this process for iOS/iPadOS, Android, and macOS platforms, each with its own retention threshold (30–270 days).

View Cleanup Actions in Audit Logs

After a cleanup rule runs, affected devices disappear from the All devices view. To confirm which devices were hidden:

  1. Go to Tenant administration > Audit logs
  2. Search for entries such as Device set to be removed from Intune reports
  3. These entries show:
     • The rule name that triggered the action
     • The device name
     • The timestamp
     • The initiating user, which will show as System

Tenant Administration – Audit logs

This provides full traceability for every cleanup event in your environment.
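The same check done from PowerShell, as an added example that is not part of the original post, so the hide events can be exported for a ticket or a weekly review. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account holds a read permission covering Intune audit events, and that the event text matches the admin-centre wording quoted above (the wildcard match is an assumption).

```powershell
# Added example: pull Intune audit events for cleanup-rule hides via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Import-Module Microsoft.Graph.DeviceManagement.Administration

# A read-only scope is enough for audit events; no write rights are requested.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

# Look back over the last seven cleanup cycles (rules run roughly once a day).
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')

# Filter on time server-side, then match the event text locally. The pattern is an
# assumption based on the admin-centre entry "Device set to be removed from Intune reports".
$events = Get-MgDeviceManagementAuditEvent -All -Filter "activityDateTime ge $since"

$hidden = foreach ($e in $events) {
    if ($e.DisplayName -notlike '*removed from Intune reports*') { continue }

    # Cleanup hides are system-initiated, so expect no user principal on the actor.
    $actor = $e.Actor.UserPrincipalName
    if (-not $actor) { $actor = $e.Actor.ApplicationDisplayName }
    if (-not $actor) { $actor = 'System' }

    [pscustomobject]@{
        When      = $e.ActivityDateTime
        Event     = $e.DisplayName
        Actor     = $actor
        # The resources collection carries the names of the affected objects for the event.
        Resources = ($e.Resources | ForEach-Object { $_.DisplayName }) -join '; '
    }
}

$hidden | Sort-Object When | Format-Table -AutoSize
$hidden | Export-Csv -Path .\intune-cleanup-hidden.csv -NoTypeInformation
```

Compare the exported device names against the rule's Preview affected devices list if you want to confirm a cycle hid exactly what you expected.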

Intune Device Cleanup Facts You Should Know

Cleanup rules hide; they don’t wipe or delete

Device cleanup rules simply hide devices from the Intune admin centre and reports.
They don’t retire or wipe the device, and they don’t delete the device record when the rule runs.

Hidden devices can reappear

If a hidden device checks in before its management certificate expires, it will show again in Intune. No re-enrolment is needed.

If the device certificate has expired, re-enrolment is required

When the management certificate expires, the device can’t check in to renew. If it later comes online, it must be re-enrolled to be managed again.

Automatic deletion is not part of the cleanup rule

Hiding is all the rule does.
Separately, Intune deletes idle device records 180 days after the MDM certificate expires, not simply 180 days after the last check-in.

Entra device objects are separate

Cleanup rules don’t remove the Microsoft Entra ID device object. Manage stale Entra devices directly in the Entra admin centre if you need to disable or delete them.
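Because the Intune rule leaves the Entra object alone, the Entra side needs its own review. The following is an added example (not from the original post) that lists Entra device objects with no recent sign-in and, only when you opt in, disables rather than deletes them; it assumes the Microsoft Graph PowerShell SDK and a threshold you align with your Intune rule.

```powershell
# Added example: find Entra ID device objects that have not signed in for a while, so they
# can be reviewed alongside the Intune cleanup rule. Assumes the Microsoft.Graph SDK.
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Device.Read.All covers the report; Device.ReadWrite.All is only used if $disableStale is $true.
Connect-MgGraph -Scopes 'Device.Read.All','Device.ReadWrite.All' -NoWelcome

$inactiveDays = 90        # match or exceed the Intune threshold for the platform
$disableStale = $false    # report only; set to $true to disable (not delete) the objects
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$inactiveDays)

# Devices with no recorded sign-in are skipped here and need a separate look.
$stale = Get-MgDevice -All -Property id,displayName,operatingSystem,trustType,accountEnabled,approximateLastSignInDateTime |
    Where-Object {
        $_.AccountEnabled -and
        $_.ApproximateLastSignInDateTime -and
        $_.ApproximateLastSignInDateTime -lt $cutoff
    }

$stale | Select-Object DisplayName, OperatingSystem, TrustType, ApproximateLastSignInDateTime |
    Sort-Object ApproximateLastSignInDateTime | Format-Table -AutoSize

if ($disableStale) {
    foreach ($d in $stale) {
        # Disabling keeps the object recoverable (and any BitLocker keys stored on it);
        # deletion is a separate, deliberate step.
        Update-MgDevice -DeviceId $d.Id -AccountEnabled:$false
    }
}
```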

You can confirm actions in Audit Logs

Every cleanup action is recorded under Tenant administration > Audit logs, with the system user and timestamp included for traceability.

Per-platform thresholds are supported

You can set a different inactivity period (30–270 days) for each platform, for example:

  • Windows – 90 days
  • iOS/iPadOS – 60 days
  • Android – 45 days
  • macOS – 120 days

Can I unhide a device that was hidden by a cleanup rule?

There isn’t an “unhide” button. A hidden device will reappear automatically when it checks in again. If it doesn’t, re-enrol the device in Intune to bring it back under management.

Will cleanup rules impact compliance or Conditional Access policies?

No. Hidden devices remain registered in Microsoft Entra ID and retain their compliance history. Cleanup only affects visibility in Intune’s device list and reports.

How often do cleanup rules run?

Cleanup rules typically run automatically once every 24 hours. There’s no manual trigger option. Devices that meet the inactivity threshold during that cycle are hidden until they check in again.

Do cleanup rules apply to co-managed or Hybrid Azure AD-joined devices?

Yes, but visibility changes only apply within Intune. The devices remain visible in Configuration Manager or Entra ID, depending on how they’re managed.

What’s the difference between a hidden device and a retired device in Intune?

A hidden device is still technically enrolled; it is only removed from the device list and reports.
A retired device has had its Intune management profile removed and no longer receives policies or updates.

Intune Device Cleanup Rules are a simple but effective way to manage stale devices and keep your environment lean, organised, and easier to manage. They reduce clutter, improve reporting accuracy, and make troubleshooting compliance much quicker.

Remember, cleanup rules only hide inactive records; they don’t delete or retire devices. If a device checks in again, it automatically reappears.
