Hey everyone, I have a quick question about managing the lifecycle of Windows assets. What steps do you take when a device becomes inactive or isn't returned by the user? Right now, we disable the computer object in Active Directory (AD) since that's our trusted source, but I'm looking for the recommended next steps. We do have an Intune cleanup policy that removes devices after 60 days of inactivity, but I've noticed that if a machine comes back online later (like after 90 days), the user can still log in and the device reappears in Intune as Entra-joined. Have you set up a lifecycle process that addresses this situation? For example, do you use Conditional Access, or automate the retirement/deletion of devices through Intune and Entra, or have another method? Any recommendations would be greatly appreciated, thanks!
3 Answers
One approach is to use Conditional Access to block non-compliant devices from authenticating. This way, even if a stale device tries to connect, it won’t be allowed to sign in and rejoin the network.
Our process is pretty straightforward: When a user is terminated, we disable their AD account right away. If a device is inactive for 30 days, we retire it in Intune but don’t delete it just yet. After 90 days, we wipe and decommission the device, and finally, we remove it from Entra after 180 days. It's important to disable the AD account entirely, not just the device itself, to prevent logins during those gaps.
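The staged process in the answer above can be automated against Entra ID and Intune with the Microsoft Graph PowerShell SDK. The following script is an added example written for this page, not code posted by anyone in the thread, and it assumes the Microsoft.Graph modules are installed and the caller holds the Device.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All and DeviceManagementManagedDevices.PrivilegedOperations.All permissions. One caveat the answer does not spell out: once a device is retired it is no longer enrolled, so a wipe issued later has nothing to act on. The example therefore disables the Entra device object at the first threshold (a disabled device cannot sign in, which is what stops a returning machine from satisfying a device-based Conditional Access policy), issues the wipe (which also removes the Intune record) at the second, and deletes the Entra object at the third. The threshold values are taken from the answer; the AD account disable the answer insists on stays a separate step, since the question states AD is the trusted source.

```powershell
# Added example (not from the thread): staged cleanup of stale Windows devices
# via the Microsoft Graph PowerShell SDK. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$RetireAfterDays = 30,    # disable the Entra device object
    [int]$WipeAfterDays   = 90,    # Intune wipe (also removes the Intune record)
    [int]$DeleteAfterDays = 180    # delete the Entra device object
)

Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.DeviceManagement
Import-Module Microsoft.Graph.DeviceManagement.Actions

# Assumption: interactive sign-in; for a scheduled run swap in certificate auth.
Connect-MgGraph -NoWelcome -Scopes 'Device.ReadWrite.All',
    'DeviceManagementManagedDevices.ReadWrite.All',
    'DeviceManagementManagedDevices.PrivilegedOperations.All'

$now = Get-Date

# Entra device objects for Windows. ApproximateLastSignInDateTime is the
# device's own last sign-in, independent of which user signed in.
$devices = Get-MgDevice -All -Filter "operatingSystem eq 'Windows'" `
    -Property Id,DeviceId,DisplayName,AccountEnabled,ApproximateLastSignInDateTime

foreach ($d in $devices) {
    # A device that has never signed in needs a human decision, not automation.
    if (-not $d.ApproximateLastSignInDateTime) { continue }

    $idle = ($now - $d.ApproximateLastSignInDateTime).Days
    if ($idle -lt $RetireAfterDays) { continue }

    # Intune's managedDevice record is matched on the Entra device id
    # (exposed by Intune as azureADDeviceId); it may already be gone.
    $managed = Get-MgDeviceManagementManagedDevice `
        -Filter "azureADDeviceId eq '$($d.DeviceId)'" | Select-Object -First 1

    if ($idle -ge $DeleteAfterDays) {
        # Final stage: remove the Entra object so the device cannot reappear
        # as joined without a fresh enrollment.
        if ($PSCmdlet.ShouldProcess($d.DisplayName, "Delete Entra device ($idle days idle)")) {
            Remove-MgDevice -DeviceId $d.Id
        }
    }
    elseif ($idle -ge $WipeAfterDays) {
        # Wipe only works while the device is still enrolled; the Intune
        # record is removed once the wipe completes. Parameter names are
        # the Graph wipe action's options (assumption: current SDK names).
        if ($managed -and $PSCmdlet.ShouldProcess($d.DisplayName, "Intune wipe ($idle days idle)")) {
            Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $managed.Id `
                -KeepEnrollmentData:$false -KeepUserData:$false
        }
    }
    else {
        # First stage: a disabled Entra device cannot authenticate, so a
        # machine that comes back online after the Intune cleanup window
        # fails any device-based Conditional Access check.
        if ($d.AccountEnabled -and $PSCmdlet.ShouldProcess($d.DisplayName, "Disable Entra device ($idle days idle)")) {
            Update-MgDevice -DeviceId $d.Id -AccountEnabled:$false
        }
    }
}
```

The script deliberately never retires the Intune record on its own, because that would make the later wipe impossible; if a retire without wipe is wanted (for example for BYOD), Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $managed.Id is the call to add in the first branch, and the wipe branch should then be dropped.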
Consider keeping devices in Intune for a longer period, like 1 or 2 years, before wiping them. When necessary, you can also send a 1099 form for the full value of the computer to the user, making it taxable income.