
Help protect your data with Remote Wipe, Remote Lock, or Passcode Reset Using Microsoft Intune

Updated: November 21, 2014

Applies To: Microsoft Intune

Microsoft Intune provides selective wipe, full wipe, remote lock, and passcode reset capabilities. Because mobile devices can store sensitive corporate data and provide access to many corporate resources, if a device is lost or stolen, you can issue a remote device wipe command from the Microsoft Intune administrator console. Also, users can issue their own remote device wipe commands from the Microsoft Intune company portal. To protect devices you can issue:

  • A full wipe to restore the device to its factory settings.

  • A selective wipe to remove only company data.

  • A remote lock to help secure a device that might be lost.

  • A passcode reset.

You might issue a wipe command to a device when you need to secure a lost device or when you retire a device from active use.

Issue a full wipe to a device to restore the device to its factory defaults. This removes all company and user data and settings. You can do a full wipe on Windows Phone, iOS, and Android devices.

Issue a selective wipe to a device to remove only company data. The following table describes by platform what data is removed and the effect on data that remains on the device after a selective wipe.

 

| Content type | Windows 8.1 (enrolled as a mobile device) and Windows RT 8.1 | Windows RT | Windows Phone 8 and Windows Phone 8.1 | iOS | Android | Android Samsung KNOX |
| --- | --- | --- | --- | --- | --- | --- |
| Company apps and associated data installed by Windows Intune. | Files protected by EFS will have their key revoked and the user will not be able to open the files. | Will not remove company apps. | Apps originally installed through the company portal are uninstalled. Company app data is removed. | Apps are uninstalled. Company app data is removed. | Apps and data remain installed | Apps are uninstalled. |
| Wi-Fi and VPN profile settings | Removed | Removed | Not supported | Removed | Not supported | Not supported |
| Certificate profile settings | Certificates removed and revoked | Certificates removed and revoked | Not supported | Certificates removed and revoked | Certificates revoked, but not removed | Certificates revoked, but not removed |
| Management Agent | Not applicable. Management agent is built-in. | Not applicable. Management agent is built-in. | Not applicable. Management agent is built-in. | Management profile is removed. | Device Administrator privilege is revoked. | Device Administrator privilege is revoked. |
| Email | Removes email that is EFS enabled which includes the Mail app for Windows email and attachments. | Not supported. | Email profiles that are provisioned through Intune are removed and cached email on the device is deleted. | Email profiles that are provisioned through Intune are removed and cached email on the device is deleted. | Not supported. | Email profiles that are provisioned through Intune are removed and cached email on the device is deleted. |
| Azure Active Directory (AAD) Unjoin | No | No | AAD Record removed | AAD Record removed | AAD Record removed | AAD Record removed |

Settings: Configurations that were set by Windows Intune policy are no longer enforced and users can change the settings.

  1. In the Microsoft Intune administration console, click Groups > All Users.

  2. Click the name of the user whose mobile device you want to wipe, and then click View Properties.

  3. On the properties page for the user, click the Devices tab, and then click the name of the mobile device that you want to wipe.

  4. Click Retire/Wipe.

  5. A message appears, prompting you to confirm whether you want to retire the device.

    • To perform a selective wipe which only removes company content, click Yes.

    • To perform a factory reset on a device, select Wipe the device before retiring. This action applies to all platforms except Windows 8.1.

It takes less than 15 minutes for a wipe to propagate across all device types.

Selective wipe of EFS-encrypted content is supported by Windows 8.1 and Windows RT 8.1. The following apply to a selective wipe of EFS-enabled content:

  • Only apps and data that are protected by EFS using the same Internet domain as the Intune account are selectively wiped. For more information, see Windows Selective Wipe for Device Data Management.

  • If any changes are made to the domain associated with EFS, it can take up to 48 hours before apps and data using the new domain can be selectively wiped.

  • Each domain that is registered with Intune is a domain that will be wiped.

The data and apps that are currently supported by EFS selective wipe are:

  • Mail app for Windows

  • Work Folders

  • Files and folders encrypted by EFS. For more information, see Best practices for the Encrypting File System.

If your organization maintains its identity in Active Directory, it must use the Directory Sync (DirSync) tool to sync information into AAD for EFS selective wipe to work correctly. For more information on DirSync, see Directory Sync Scenario in the Azure Active Directory documentation.

If a user forgets their passcode, you can help them by removing the passcode from a device or by forcing a new temporary passcode on a device. The table below lists how passcode reset works on different mobile platforms.

 

| Platform | Passcode Reset |
| --- | --- |
| iOS | Supported for clearing the passcode from a device. Does not create a new temporary passcode. |
| Android | Supported and a temporary passcode is created. |
| Windows Phone 8 and Windows Phone 8.1 | Supported |
| Windows RT 8.1 and Windows RT | Not Supported |
| Windows 8.1 | Not Supported |

  1. In the Microsoft Intune administration console, click Groups > All Devices > All Mobile Devices.

  2. Click All Direct Managed Devices for devices enrolled to Microsoft Intune or All Exchange ActiveSync Managed Devices.

    Tip
    You can also navigate to a device by user. Click All Users and on the properties page for the user, click the Devices tab, and then click the name of the mobile device whose passcode you want to reset.

  3. In the list, click the device or devices whose passcode you want to reset, and then on the taskbar click Remote Tasks and select Passcode Reset.

If a user loses their device you can lock the device remotely. The table below lists how remote lock works on different mobile platforms.

 

| Platform | Remote Lock |
| --- | --- |
| iOS | Supported |
| Android | Supported |
| Windows Phone 8 and Windows Phone 8.1 | Supported |
| Windows RT 8.1 and Windows RT | Supported if the current user of the device is the same user who enrolled the device. |
| Windows 8.1 | Supported if the current user of the device is the same user who enrolled the device. |

  1. In the Microsoft Intune administration console, click Groups > All Devices > All Mobile Devices.

  2. Click All Direct Managed Devices for devices enrolled to Microsoft Intune or All Exchange ActiveSync Managed Devices.

    Tip
    You can also navigate to a device by user. Click All Users and on the properties page for the user, click the Devices tab, and then click the name of the mobile device that you want to lock.

  3. In the list, click the device or devices that you want to lock, and then on the taskbar click Remote Tasks and select Remote Lock.

© 2014 Microsoft