📱 Recipe · Intune & Device Management

Remotely Wipe an Intune-Managed Device via Microsoft Graph

Issue a factory-reset wipe command to a lost, stolen, or decommissioned Windows/iOS/Android device enrolled in Intune

Complexity

Intermediate

Impact

destructive + privileged + device-lifecycle + security-incident

Context

Why This Matters

A remote wipe is one of the most powerful, and most destructive, actions available to an Intune administrator. It returns a managed device to its factory default state, removing the OS configuration, user data, installed apps, and Intune enrollment. Use this recipe when:

  • A device has been reported lost or stolen and contains corporate data.
  • An employee has left the organization and their company-owned device must be reset before reassignment.
  • A device is being decommissioned or recycled and you need assurance that no residual data remains.
  • A device has been compromised (malware, unauthorized access) and you need to return it to a known-good state.

For BYOD scenarios where you only want to remove corporate data and leave personal content intact, use a retire action instead of wipe.

Expected Outcomes

After completing this recipe you will have:

  • Located a specific managed device by name, serial number, or primary user.
  • Verified device ownership and the primary user before taking a destructive action.
  • Issued a remote wipe command via Microsoft Graph, the Intune portal, or PowerShell.
  • Confirmed the command was accepted (HTTP 204 No Content) and understood when it will execute on the endpoint.

The device will begin the wipe on its next Intune check-in (typically within 15 minutes when online). Progress can be monitored under Intune › Devices › All devices › [Device] › Device actions status.

Risks & Considerations

โš ๏ธ Destructive and largely irreversible

  • Data loss is permanent. Once the device checks in and starts the wipe, all local data, user profiles, and applications are destroyed. There is no undo.
  • Always verify the target device. Device names can be similar (e.g. DESKTOP-GORGEOUS-OPTIMAL458 vs DESKTOP-GORGEOUS-OPTIMAL485). Confirm the device ID and primary user before sending the command.
  • Do not wipe BYOD devices. Wiping a personally owned device destroys the user's personal photos, apps, and data and can create legal/HR exposure. Use retire instead.
  • keepUserData vs keepEnrollmentData flags: choose deliberately. Setting both to false performs a full factory reset. Setting keepEnrollmentData: true preserves Autopilot enrollment so the device can re-provision automatically.
  • BitLocker / FileVault recovery keys should be backed up before wipe if there is any chance the device may go offline mid-wipe and need recovery.
  • Approval and audit. Require ticket or manager approval before wiping company assets. All wipe actions are logged in the Intune audit log and Entra sign-in logs; review them for compliance.

Required Permissions

Permission                                               | Why It's Needed
DeviceManagementManagedDevices.PrivilegedOperations.All  | Required to send the wipe, retire, reset, or remote lock action to a managed device.
DeviceManagementManagedDevices.Read.All                  | Required to look up the device by name and read device properties before wiping.
Intune Administrator or Global Administrator role        | Role-based access to execute privileged device actions in Intune.
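The locate, verify and wipe steps described above, written out as one Python script (an added example, not part of this recipe or of Dex): it calls the Microsoft Graph v1.0 managedDevices endpoints with a caller-supplied bearer token, treats an ambiguous or look-alike device name as an error rather than a guess, refuses to wipe a device that is not company-owned or whose primary user and serial number differ from what the approval ticket states, and reports whether Graph accepted the action with HTTP 204. The injectable transport callable and the expected-UPN/expected-serial parameters are assumptions made for illustration; the token must carry the permissions listed above.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

def make_graph_transport(token):
    def transport(method, url, body=None):  # -> (status, parsed JSON or None); real Graph call
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"null")  # a 204 has an empty body
    return transport

def find_device(transport, device_name):
    """Return exactly one managed device with this name; zero or several matches is an error, not a guess."""
    odata_name = device_name.replace("'", "''")  # escape quotes for the OData filter
    query = ("$filter=" + urllib.parse.quote(f"deviceName eq '{odata_name}'")
             + "&$select=id,deviceName,serialNumber,userPrincipalName,managedDeviceOwnerType")
    status, payload = transport("GET", f"{GRAPH}/deviceManagement/managedDevices?{query}")
    # Re-check the name client-side so a look-alike (...458 vs ...485) can never be selected.
    matches = [d for d in payload.get("value", []) if d.get("deviceName") == device_name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one device named {device_name!r}, found {len(matches)}")
    return matches[0]

def verify_target(device, expected_upn, expected_serial):
    """List the reasons this device must NOT be wiped; an empty list means every check passed."""
    problems = []
    if device.get("managedDeviceOwnerType") != "company":
        problems.append(f"ownership is {device.get('managedDeviceOwnerType')!r}, not company: use retire")
    if (device.get("userPrincipalName") or "").lower() != expected_upn.lower():
        problems.append(f"primary user {device.get('userPrincipalName')!r} does not match the ticket")
    if device.get("serialNumber") != expected_serial:
        problems.append(f"serial {device.get('serialNumber')!r} does not match the ticket")
    return problems

def wipe_device(transport, device_id, keep_enrollment_data=False, keep_user_data=False):
    """POST the wipe action (both flags False = full factory reset); True when Graph answers HTTP 204."""
    body = {"keepEnrollmentData": keep_enrollment_data, "keepUserData": keep_user_data}
    status, _ = transport("POST", f"{GRAPH}/deviceManagement/managedDevices/{device_id}/wipe", body)
    return status == 204

def wipe_after_verification(transport, device_name, expected_upn, expected_serial, keep_enrollment_data=False):
    """The recipe end to end: locate, verify, then wipe. Raises instead of wiping when any check fails."""
    device = find_device(transport, device_name)
    if problems := verify_target(device, expected_upn, expected_serial):
        raise PermissionError(f"refusing to wipe {device['id']}: " + "; ".join(problems))
    return wipe_device(transport, device["id"], keep_enrollment_data=keep_enrollment_data)
```

Against a live tenant, pass `make_graph_transport(token)` as the transport; in a unit test, a fake transport returning constructed device records exercises the refusal paths without touching any device.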

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Send a remote wipe to the Intune-managed device named {device_name}. Verify the device's primary user and ownership before executing, then confirm the wipe command was accepted.

For End Users

How an employee would ask Dex for help

My work laptop was stolen. Please wipe it so no one can access my company files.