Device Offboarding
Purpose
If a device is lost, stolen, broken, or simply being replaced, several tasks must be completed to offboard it correctly. Offboarding means removing the device from the organization's Entra ID (previously Azure AD) tenant and from anywhere else it can be identified within the tenant.
This includes the following tasks:
- Removal from the Entra ID directory.
- Removal from Microsoft Intune (formerly Endpoint Manager).
- Removal as a Windows Autopilot device, if Autopilot is used (GCC only).
- Deprovisioning as a Cloud PC, if the device was a Windows 365 endpoint.
Authorized Roles
Reminder: Always review the roles of OSC users to ensure they align with the Authorized Roles. No action should be taken without a request from or approval by a user assigned the appropriate authorized role.
- Authorized Manager
- Global Administrator
- Intune Administrator
Organization seeking certification (OSC) Steps
Step 1: Submit device offboarding request
A request can be made by an authorized user by emailing support@nimbus-logic.us with the following information:
- Impacted user
- The ID/device name of the device in question
- Context of the request, e.g. is the user leaving the organization? Was the device stolen or compromised?
External Service Provider (ESP) IT Team Steps
Offboarding Physical Windows Devices
Step 1: Remove device from Autopilot
This is only required for GCC tenants with devices added to Autopilot.
- Navigate to Microsoft Intune https://intune.microsoft.com or https://intune.microsoft.us and click “Devices” in the left-hand menu
- In the left-hand pane, select “Enroll Devices”. Within Enroll Devices blade, select “Windows enrollment”.
- Within the “Windows enrollment” blade, select “Devices” under the “Windows Autopilot Deployment Program” section
- Within the “Windows Autopilot devices” screen, identify the device in question from the list or by using the search field.
- Once identified, tick the box next to the device, then press “Delete”
Note: if you require further information about the device, click on it; a pane should appear on the right with further details about that specific device.
- When prompted to delete, press “Yes”
- Confirm that the process has completed successfully in the “Notifications” button in the top right of the screen.
Step 2: Remote wiping device
A remote wipe may be required in the event of a lost or stolen device and can be used as a last-resort effort to secure it. For the remote wipe to take effect, the device must be powered on and have internet connectivity back to the tenant.
- Navigate to Microsoft Intune https://intune.microsoft.com or https://intune.microsoft.us and click “Devices” in the left-hand menu
- Within the “Devices” blade, select “All Devices”
- Either by scrolling through the list, or using the search bar, identify your device. Once identified click on the device name.
- With the device selected, you can now select “Wipe”
- For devices running Windows 10 1709 and later, the option “Wipe device, but keep enrollment state and associated user account” can be used to keep certain data on the device. Not all data is retained.
- “Wipe device and continue to wipe even if device loses power” can be used to ensure that the wipe is not circumvented by power cycling the device
Note: in some instances this setting could render the device unable to power on correctly, so it should be used with caution.
- When ready to confirm the wipe, select “Yes”
Step 3: Remove Device from Microsoft Intune
Complete the below steps to remove a device from Microsoft Intune.
- Navigate to Microsoft Intune https://intune.microsoft.com or https://intune.microsoft.us and click “Devices” in the left-hand menu
- Within the “Devices” blade, select “All Devices”
- Either by scrolling through the list, or using the search bar, identify your device, check the box, then press “Delete”. When prompted, click “Yes” to confirm deletion.
Note: Microsoft Intune only allows 100 devices to be selected at one time. If more than 100 devices need to be deleted, perform the deletion in batches.
- Confirm that the process has completed successfully in the “Notifications” button in the top right of the screen.
Offboarding Windows 365 Cloud PC
If offboarding a user with a Windows 365 Cloud PC, follow these additional steps after removing their license.
- Navigate to the Microsoft 365 Admin Center https://admin.microsoft.com or https://portal.office365.us/ and open “Admin Center” from the left-hand menu.
- Under “Users”, go to “Active users” and click on the user to deprovision. Ensure the “Windows 365” license is removed for the user.
- Navigate to Microsoft Intune https://intune.microsoft.com or https://intune.microsoft.us and select “Devices” from the left-hand menu.
- Under “Windows 365”, select “All Cloud PCs”.
- Locate the Cloud PC associated with the offboarded user by searching for the device name or user.
- Click on the Cloud PC entry to open its device details. Note that if this device has been unlicensed prior to navigating to this area, you’ll need to click on “In grace period” in the “Status” column.
- Select “Deprovision” to remove the Cloud PC record from Intune.
- Confirm the action to remove the Cloud PC instance permanently.
- Verify that deprovisioning has completed by checking the “Cloud PCs” section in Intune.
This process ensures the Cloud PC is fully deprovisioned and removed from the environment, preventing unnecessary resource usage.
Offboarding Mobile devices
If offboarding a user with a mobile device, follow these additional steps.
- Navigate to Microsoft Intune https://intune.microsoft.com or https://intune.microsoft.us and click “Devices” in the left-hand menu
- Within the “Devices” blade, select “All Devices”
- Either by scrolling through the list, or using the search bar, identify your device, check the box, then press “Delete”. When prompted, click “Yes” to confirm deletion.
Note: Microsoft Intune only allows 100 devices to be selected at one time. If more than 100 devices need to be deleted, perform the deletion in batches.
- Confirm that the process has completed successfully in the “Notifications” button in the top right of the screen.
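A read-only verification check, added here as an example and not part of this SOP, that confirms a device no longer has a record in Entra ID, Intune, or Windows Autopilot after the Windows and mobile offboarding steps above (deleting from Intune does not remove the Entra ID device object listed in the task list at the top). It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed, that the operator signs in with an authorized role such as Intune Administrator, and that the device name, optional serial number and script file name (Test-DeviceOffboarded.ps1) are supplied by the operator.

```powershell
<#
  Added example (not part of this SOP): post-offboarding verification.
  Reports whether a device still has a record in Entra ID, Intune, or Windows Autopilot.
  Usage: .\Test-DeviceOffboarded.ps1 -DeviceName 'DESKTOP-EXAMPLE' [-SerialNumber 'XXXX'] [-GCC]
#>
param(
    [Parameter(Mandatory)] [string] $DeviceName,
    [string] $SerialNumber,   # optional; Autopilot records are keyed by serial number
    [switch] $GCC             # GCC tenants sign in to the USGov Graph endpoint
)

# Read-only scopes only: this script never deletes anything
$scopes = @('Device.Read.All',
            'DeviceManagementManagedDevices.Read.All',
            'DeviceManagementServiceConfig.Read.All')
if ($GCC) { Connect-MgGraph -Scopes $scopes -Environment USGov }
else      { Connect-MgGraph -Scopes $scopes }

# Escape single quotes so the device name cannot break the OData filter
$safeName = $DeviceName -replace "'", "''"

# 1. Entra ID device object (remains even after the Intune record is deleted)
$entra  = @(Get-MgDevice -Filter "displayName eq '$safeName'")
# 2. Intune managed device record
$intune = @(Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$safeName'")
# If Intune still holds the record, reuse its serial number for the Autopilot lookup
if (-not $SerialNumber -and $intune.Count -gt 0) { $SerialNumber = $intune[0].SerialNumber }
# 3. Windows Autopilot identity, filtered client-side on name or serial number
$autopilot = @(Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All |
    Where-Object { $_.DisplayName -eq $DeviceName -or
                   ($SerialNumber -and $_.SerialNumber -eq $SerialNumber) })

$results = [ordered]@{
    'Entra ID'          = $entra.Count
    'Intune'            = $intune.Count
    'Windows Autopilot' = $autopilot.Count
}
foreach ($k in $results.Keys) {
    $state = if ($results[$k] -eq 0) { 'removed' }
             else { "STILL PRESENT ($($results[$k]) record(s))" }
    '{0,-18} {1}' -f $k, $state
}
if (($results.Values | Measure-Object -Sum).Sum -gt 0) {
    Write-Warning "Offboarding incomplete for '$DeviceName'; review the records listed above."
}
Disconnect-MgGraph | Out-Null
```

Run it after the Intune deletion has been confirmed in “Notifications”; any line reporting STILL PRESENT points to a record that still needs to be removed by the relevant step above.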
Review & Maintenance
This SOP will be reviewed on a quarterly basis or as required by changes in compliance regulations or Microsoft cloud services.