Welcome to ITSpecialist.News! Today we’re diving into a feature every IT Specialist working with Intune should know and use: Device Cleanup Rules. If your tenant is full of inactive devices that look like zombies 🧟, this article is your first step toward restoring cosmic order in your Intune portal.
📰 What’s your preference? Video or article?
A few notes to help you get the most out of this content:
If you prefer watching the full video, easy: you’ll find it right above in the header.
If you prefer reading, also easy: just keep scrolling. For each section, I’ve included the relevant video snippet so you’ll only see the screens that matter — no talking head in the way.
Either way, make sure to subscribe to the newsletter so you won’t miss any future tutorials.
Let’s get started!
What are Device Cleanup Rules?
Device Cleanup Rules let you hide devices from the Intune console if they haven’t checked in for a certain number of days.
They’re not deleted, just removed from view, helping you avoid an endless list of zombie devices.
This feature is essential for:
Keeping the console tidy
Improving readability and manageability
Reducing noise in reports and policies
Two things to know before using them
1. Devices can reappear
If a device was hidden due to inactivity but is turned back on and still has a valid Intune management certificate, it will reappear in the console.
So this isn’t permanent cleanup, it’s more like temporary archiving.
2. Cleanup applies only to Intune, not Entra
Device Cleanup Rules only affect Intune. If you want to keep Entra ID clean as well, you’ll need to implement a separate cleanup flow.
Here’s what to do:
For Entra Joined devices: check the ApproximateLastSignInDateTime attribute
For Hybrid Joined devices: clean up in Active Directory by deleting stale computer objects or moving them to an OU that’s not synced with Entra Connect
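As a starting point for that separate Entra flow, here is an added example (not from the original article or from Microsoft) that builds a report-only list of stale device objects from ApproximateLastSignInDateTime and routes Hybrid Joined objects to AD cleanup instead of Entra. The function name Get-StaleDeviceReport, the 90-day threshold and the sample devices are assumptions made up for illustration; the commented lines show how to feed it real objects from the Microsoft Graph PowerShell module.

```powershell
# Added example: report-only classification of Entra device objects. Nothing is modified.
function Get-StaleDeviceReport {
    param(
        [Parameter(Mandatory)] [object[]] $Device,
        [int] $InactiveDays = 90,        # assumed threshold; align it with your Intune cleanup rule
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$InactiveDays)
    foreach ($d in $Device) {
        $last = $d.ApproximateLastSignInDateTime
        if ($null -eq $last) {
            # No recorded sign-in: surface for manual review instead of treating it as stale
            $state = 'NoSignInRecorded'
        } elseif ([datetime]$last -le $cutoff) {
            $state = 'Stale'
        } else {
            continue                     # recently active, not part of the report
        }
        # Hybrid Joined objects (TrustType 'ServerAd') are synced from AD, so they are cleaned up there
        if ($d.TrustType -eq 'ServerAd') {
            $where = 'Active Directory (delete or move to a non-synced OU)'
        } else {
            $where = 'Entra ID'
        }
        [pscustomobject]@{
            DisplayName = $d.DisplayName
            TrustType   = $d.TrustType
            LastSignIn  = $last
            State       = $state
            CleanUpIn   = $where
        }
    }
}

# Real data (requires the Microsoft.Graph module and the Device.Read.All permission):
#   Connect-MgGraph -Scopes 'Device.Read.All'
#   $devices = Get-MgDevice -All

# Constructed sample objects so the example runs offline
$now = [datetime]'2025-06-01'
$devices = @(
    [pscustomobject]@{ DisplayName = 'LAPTOP-ACTIVE'; TrustType = 'AzureAd';  ApproximateLastSignInDateTime = [datetime]'2025-05-20' }
    [pscustomobject]@{ DisplayName = 'LAPTOP-ZOMBIE'; TrustType = 'AzureAd';  ApproximateLastSignInDateTime = [datetime]'2024-11-02' }
    [pscustomobject]@{ DisplayName = 'DESKTOP-HYB';   TrustType = 'ServerAd'; ApproximateLastSignInDateTime = [datetime]'2024-09-15' }
    [pscustomobject]@{ DisplayName = 'TABLET-NEW';    TrustType = 'AzureAd';  ApproximateLastSignInDateTime = $null }
)

Get-StaleDeviceReport -Device $devices -InactiveDays 90 -Now $now | Format-Table -AutoSize
```

With the sample data, the report lists LAPTOP-ZOMBIE and DESKTOP-HYB as Stale and TABLET-NEW as NoSignInRecorded, while LAPTOP-ACTIVE is left out.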
How to configure Device Cleanup Rules
You can set up these rules from the Intune portal and even differentiate them by platform (Windows, iOS, Android, macOS).
This is handy if you have different policies for mobile and desktop devices.
How to check the Intune management certificate expiration
There are two ways to verify if a device still has a valid certificate:
1. On the client
You can check the certificate directly on the device.
2. In the Intune portal
In the device’s section of the Intune portal, you’ll find the certificate expiration date.
Useful documentation
For those who want to dig deeper, here’s a selection of official resources and helpful scripts:
Conclusion
Cleaning up your tenant isn’t just about aesthetics, it’s a solid governance practice.
Intune’s Device Cleanup Rules are a great starting point, but remember: Entra and AD need separate management.
Thanks for reading all the way through!
If you found this helpful, share the article and subscribe to the ITSpecialist.News newsletter so you won’t miss future updates.
Until next time, and keep those tenants clean 💪
Riccardo




