
Help protect your data with remote wipe, remote lock, or passcode reset using Microsoft Intune


Updated: February 5, 2016

Microsoft Intune provides selective wipe, full wipe, remote lock, and passcode reset capabilities. Because mobile devices can store sensitive corporate data and provide access to many corporate resources, you can issue a remote device wipe command from the Microsoft Intune administrator console to wipe a lost or stolen device. Also, users can issue a remote device wipe command from the Microsoft Intune company portal on privately owned devices enrolled in Intune.

Note: This topic is only about wiping devices managed by Intune. You can also use the Azure preview portal to wipe company data from apps.

Use Retire/Wipe to help secure a lost device or to retire a device from active use

Full wipe restores a device to its factory default settings, removing all company and user data and settings. The device is removed from Intune. You can do a full wipe on Windows Phone, iOS, Android, and Windows 10 devices. Be careful about selecting full wipe; your data cannot be recovered.

Selective wipe removes company data from a device. The device is removed from Intune. The following tables describe by platform what data is removed and the effect on data that remains on the device after a selective wipe.

iOS

Data type | iOS
--- | ---
Company apps and associated data installed by Microsoft Intune | Apps are uninstalled. Company app data is removed. App data from Microsoft apps that use mobile app management is removed; the app is not removed.
Settings | Configurations that were set by Intune policy are no longer enforced and users can change the settings.
Wi-Fi and VPN profile settings | Removed
Certificate profile settings | Certificates removed and revoked.
Management Agent | Management profile is removed.
Email | Email profiles that are provisioned through Intune are removed and cached email on the device is deleted.
Azure Active Directory (AAD) Unjoin | AAD record removed
Contacts | Contacts synced directly from the app to the native address book are removed. Any contacts synced from the native address book to another external source cannot be wiped. Currently, only the Outlook app is supported.

Android

Data type | Android | Android Samsung KNOX
--- | --- | ---
Web links | Removed. | Removed.
Unmanaged Google Play apps | Apps and data remain installed. | Apps and data remain installed.
Unmanaged line of business apps | Apps and data remain installed. | Apps are uninstalled and data local to the app is removed as a result. No data outside the app (SD card, etc.) is removed.
Managed Google Play apps | App data is removed. App is not removed. Data protected by MAM encryption outside the app (SD card, etc.) remains encrypted but isn't removed. | App data is removed. App is not removed. Data protected by MAM encryption outside the app (SD card, etc.) remains encrypted but isn't removed.
Managed line of business apps | App data is removed. App is not removed. Data protected by MAM encryption outside the app (SD card, etc.) remains encrypted but isn't removed. | App data is removed. App is not removed. Data protected by MAM encryption outside the app (SD card, etc.) remains encrypted but isn't removed.
Settings | Configurations that were set by Intune policy are no longer enforced and users can change the settings. | Configurations that were set by Intune policy are no longer enforced and users can change the settings.
Wi-Fi and VPN profile settings | Removed | Removed
Certificate profile settings | Certificates revoked, but not removed. | Certificates removed and revoked.
Management Agent | Device Administrator privilege is revoked. | Device Administrator privilege is revoked.
Email | Email received by the Microsoft Outlook app for Android is removed. | Email profiles that are provisioned through Intune are removed and cached email on the device is deleted.
Azure Active Directory (AAD) Unjoin | AAD record removed | AAD record removed
Contacts | Contacts synced directly from the app to the native address book are removed. Any contacts synced from the native address book to another external source cannot be wiped. Currently, only the Outlook app is supported. | Contacts synced directly from the app to the native address book are removed. Any contacts synced from the native address book to another external source cannot be wiped. Currently, only the Outlook app is supported.

Windows

Data type | Windows 8.1 (enrolled as a mobile device) and Windows RT 8.1 | Windows RT | Windows Phone 8 and Windows Phone 8.1 | Windows 10
--- | --- | --- | --- | ---
Company apps and associated data installed by Microsoft Intune | Files protected by EFS will have their key revoked and the user will not be able to open the files. | Will not remove company apps. | Apps originally installed through the company portal are uninstalled. Company app data is removed. | Apps are uninstalled and sideloading keys are removed.
Settings | Configurations that were set by Intune policy are no longer enforced and users can change the settings. | Configurations that were set by Intune policy are no longer enforced and users can change the settings. | Configurations that were set by Intune policy are no longer enforced and users can change the settings. | Configurations that were set by Intune policy are no longer enforced and users can change the settings.
Wi-Fi and VPN profile settings | Removed | Removed | Not supported | Removed
Certificate profile settings | Certificates removed and revoked. | Certificates removed and revoked. | Not supported | Certificates removed and revoked.
Email | Removes email that is EFS enabled, which includes the Mail app for Windows email and attachments. | Not supported | Email profiles that are provisioned through Intune are removed and cached email on the device is deleted. | Removes email that is EFS enabled, which includes the Mail app for Windows email and attachments. Removes mail accounts that were provisioned by Intune.
Azure Active Directory (AAD) Unjoin | No | No | AAD record removed | AAD record removed

To remotely wipe a device from the Intune administrator console

  1. Select devices to be wiped. You can find them either by user or by device.

    • By user:

      1. In the Intune administrator console, click Groups > All Users.

      2. Click the name of the user whose mobile device you want to wipe. Click View Properties.

      3. On the user's Properties page, click Devices, and then click the name of the mobile device you want to wipe. Use Ctrl+click to multi-select devices.

    • By device:

      1. In the Intune administrator console, click Groups > All Mobile Devices.

      2. Click Devices, and then click the name of the mobile device you want to wipe. Use Ctrl+click to multi-select devices.

  2. Click Retire/Wipe.

  3. A message appears, prompting you to confirm whether you want to retire the device.

    • To perform a Selective wipe which only removes company apps and data, click Yes.

    • To perform a Full wipe that erases all apps and data and returns the device to factory default settings, select Wipe the device before retiring. This action applies to all platforms except Windows 8.1. You cannot recover data removed by a full wipe.

It takes less than 15 minutes for a wipe to propagate across all device types.

Wiping Encrypting File System (EFS)-enabled content

Selective wipe of EFS-encrypted content is supported by Windows 8.1 and Windows RT 8.1. The following apply to a selective wipe of EFS-enabled content:

  • Only apps and data that are protected by EFS using the same Internet domain as the Intune account are selectively wiped. For more information, see Windows Selective Wipe for Device Data Management.

  • If any changes are made to the domain associated with EFS, it can take up to 48 hours before apps and data using the new domain can be selectively wiped.

  • Each domain that is registered with Intune will be wiped.

The data and apps that are currently supported by EFS selective wipe are:

  • Mail app for Windows

  • Work Folders

  • Files and folders encrypted by EFS. For more information, see Best practices for the Encrypting File System.

If your organization maintains its identity in Active Directory, it must use the Directory Sync (DirSync) tool to sync information into AAD for EFS selective wipe to work correctly. For more information on DirSync, see Directory Sync Scenario in the Azure Active Directory documentation.

Monitor retire, wipe, and delete actions

To get a report of devices that have been retired, wiped, or deleted, and who performed the action:

  1. In the Intune administrator console, click Reports > Device History Reports.

  2. Provide a start and end date for the report, then click View Report.

Reset the passcode on a device

If a user forgets their passcode, you can help them by removing the passcode from a device or by forcing a new temporary passcode on a device. The table below lists how passcode reset works on different mobile platforms.

Platform | Passcode reset
--- | ---
iOS | Supported for clearing the passcode from a device. Does not create a new temporary passcode.
Android | Supported, and a temporary passcode is created.
Windows 10 Mobile | Supported
Windows Phone 8 and Windows Phone 8.1 | Supported
Windows RT 8.1 and Windows RT | Not supported
Windows 8.1 | Not supported

To reset the passcode on a mobile device remotely through the Microsoft Intune console

  1. In the Intune administrator console, click Groups > All Devices > All Mobile Devices.

  2. Click All Direct Managed Devices for devices enrolled in Intune or All Exchange ActiveSync Managed Devices.

    Tip: You can also navigate to a device by user. Click All Users. On the user's properties page, click Devices, and then click the name of the mobile device whose passcode you want to reset.

  3. In the list, click the device or devices whose passcode you want to reset. On the taskbar, click Remote Tasks, and select Passcode Reset.

Lock a device remotely

If a user loses their device you can lock the device remotely. The table below lists how remote lock works on different mobile platforms.

Platform | Remote lock
--- | ---
iOS | Supported
Android | Supported
Windows 10 Mobile | Supported
Windows Phone 8 and Windows Phone 8.1 | Supported
Windows RT 8.1 and Windows RT | Supported if the current user of the device is the same user who enrolled the device.
Windows 8.1 | Supported if the current user of the device is the same user who enrolled the device.

To lock a mobile device remotely through the Microsoft Intune console

  1. In the Intune administrator console, click Groups > All Devices > All Mobile Devices.

  2. Click All Direct Managed Devices for devices enrolled in Intune or All Exchange ActiveSync Managed Devices.

    Tip: You can also navigate to a device by user. Click All Users. On the user's properties page, click Devices, and then click the name of the mobile device you want to lock.

  3. In the list, click the device or devices that you want to lock. On the taskbar, click Remote Tasks, and select Remote Lock.

See Also

Retire data and devices from Microsoft Intune management
Windows Selective Wipe for Device Data Management

© 2016 Microsoft