Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Use the Wipe remote action in Intune to factory reset a device, restoring it to its default settings. This action removes all personal and organizational data, apps, and configurations. It's commonly used when a device needs to be retired, repurposed, reset for troubleshooting, or securely erased if lost or stolen.
Depending on the platform, you can customize the wipe behavior to meet your organization's needs.
Requirements
Platform requirements
This remote action supports the following platforms:
- Android Enterprise corporate-owned fully managed (COBO)
- Android Enterprise corporate-owned dedicated (COSU)
- Android Enterprise corporate-owned work profile (COPE)
- Android Open Source Project (AOSP)
- ChromeOS
- iOS/iPadOS (corporate-owned)
- macOS
- Windows
Role and permission requirements
To run this remote action, use an account with at least one of the following roles:
- Help Desk Operator
- School Administrator
- Custom role that includes:
- The permission Remote tasks/Wipe
- Permissions that provide visibility into and access to managed devices in Intune (e.g. Organization/Read, Managed devices/Read)
Before wiping a device
Review the requirements for erasing macOS devices available on the Apple Support site.
Factory Reset Protection (FRP) considerations
Whether a device requires Google account credentials after reset depends on ownership (Android Enterprise corporate-owned work profile/fully managed/dedicated), the reset method (Settings, Recovery, or admin wipe), and whether FRP is configured. By default, Intune's admin wipe doesn't preserve FRP data.
For more information, see Factory reset protection emails setting isn't enforced after you reset an Android Enterprise device.
Samsung devices
For Android Enterprise fully managed Samsung devices, make sure the Factory Reset setting under Device Restrictions isn't set to Block.
If Factory Reset is blocked and a Wipe action is initiated, the device loses contact with Intune and be unable to complete the factory reset.
Zebra devices
On Zebra Android devices, the Wipe remote action is designed to remove only corporate data. It doesn't perform a factory reset.
To factory reset a Zebra Android device, use one of the following methods:
How to wipe a device from the Intune admin center
- In the Microsoft Intune admin center, select Devices > All devices.
- From the devices list, select a device.
- At the top of the device overview pane, find the row of remote action icons. Select Wipe.
Enter a 6-digit Recovery PIN. This PIN is required to reinstall the operating system on devices that don't have the T2 security chip—typically models from 2018 or earlier, or devices running macOS 10.14 or earlier. Make sure to record the PIN and share it with the device owner. The PIN won't be visible after the wipe completes.
Select an option from Obliteration Behavior, which is used to define the fallback for devices when Erase All Contents and Settings (EACS) fails. The following options can be configured:
- Default: If Erase All Content and Settings (EACS) preflight fails, the device responds to Intune with an Error status and then attempts to erase itself. If EACS preflight succeeds but EACS fails, then the device attempts to erase itself.
- Do not obliterate: If Erase All Content and Settings (EACS) preflight fails, the device responds to Intune with an Error status and doesn't attempt to erase itself. If EACS preflight succeeds but EACS fails, then the device doesn't attempt to erase itself.
- Obliterate with warning: If Erase All Content and Settings (EACS) preflight fails, the device responds with a Success status and then attempts to erase itself. If EACS preflight succeeds but EACS fails, then the device attempts to erase itself.
- Always obliterate: The system doesn't attempt Erase All Content and Settings (EACS). T2 and later devices always obliterate.
Select Wipe to erase the device.
You can customize the wipe behavior with the following options:
- Wipe device, but keep enrollment state and associated user account
- When selected, the wipe removes all MDM policies but retains user accounts and data. User settings are reset to default, and the device remains enrolled in Intune.
- When not selected, the wipe removes all user accounts, data, MDM policies, and settings. The device is reset to its factory default state.
- Wipe device, and continue to wipe even if device loses power
Ensures the wipe continues even if the device loses power during the process. This prevents users from interrupting the wipe, which is useful in high-security scenarios such as lost or stolen devices.
Important
Selecting this option might prevent some devices from starting up again. The wipe process can interfere with boot recovery or firmware protections, potentially leaving the device in an unrecoverable state. Use this option only on corporate-owned devices where full data destruction is required and recovery procedures are in place.
When not selected, if the wipe is interrupted, the device attempts to roll back to its previous state. If rollback fails, the device may become unusable and require a full reinstallation of Windows.
- Wipe device, but keep enrollment state and associated user account
To confirm the wipe, select Yes.
- For iOS/iPadOS eSIM devices, the cellular data plan is preserved by default when you wipe a device. If you want to remove the data plan from the device when you wipe the device, select the Also remove the devices data plan... option.
Select on of the following options:
- Remove user profiles only: To remove all user account data. Device and enrollment policies remain on the device.
- Factory reset (powerwash): To restore a device to its factory state, removing all personal and work data. Before using this action, deprovision the device. Otherwise, once it connects to Wi-Fi, it will automatically enroll again.
For more information about wiping ChromeOS devices, see Wipe ChromeOS device data.
Note
This remote action might be governed by an Intune access policy that requires Multiple Administrative Approval (MAA). If so, a second administrator must approve the action before it can proceed.
For more information, see Use access policies to require multiple administrative approvals.
Remove a device from Windows Autopilot
After executing the remote action on a device from Intune, you might also want to remove its registration from Windows Autopilot, if applicable.
For more information, see Deregister from Windows Autopilot using Intune.
Remove a device from Microsoft Entra ID
After executing the remote action on a device from Intune, you might also want to remove its record from Microsoft Entra ID to fully disconnect it from your organization's identity infrastructure. This step helps ensure that the device no longer appears in your tenant, avoids potential confusion in device inventory, and prevents lingering access permissions or stale records that could affect compliance or reporting.
For more information about removing devices from Microsoft Entra ID, see Manage stale devices in Microsoft Entra ID.
Reference links
- Microsoft Graph API: wipe action
- Configuration service provider (CSP) used to initiate the remote action: RemoteWipe CSP