Autopilot Reset – What does it do? How is it different?
You may have noticed that there are a TON of reset options in the Intune portal when looking at a device. Even clicking Wipe now includes an additional checkbox, to retain enrollment state.
So what gives? What’s the difference between all these options, and why do we now have another one with Autopilot Reset?
Let’s start by clarifying the most common options. A Wipe restores a device back to its factory settings (back to OOBE). This is what you should use for a lost or stolen device: everything on the disk is removed, so whoever ends up with the hardware can’t recover the data.
If you select Retain enrollment state and user account, for a Wipe, it removes the MDM settings (configuration profiles, apps, etc.) and resets the OS, but (as the name suggests) retains the MDM enrollment and user profile. This would be the same as selecting “keep my files” in the Settings app.
Retire, on the other hand, removes only managed data and apps. In effect this removes Intune management from the device, which is what you want for BYOD devices enrolled in Intune. Wi-Fi and VPN profiles, certificates, e-mail accounts, the Azure AD join record, and managed apps will all be removed. Note that Office 365 and Win32 apps are not removed, unfortunately.
One important side-effect of Retire is that for a device provisioned for corporate use (say, one that was Autopiloted), retiring it removes access to the device entirely. Since the Azure AD join is removed, you can no longer sign in with an Azure AD account, so you are stuck at the sign-in screen (no local administrator was ever provisioned). Be sure to only use Retire for BYOD devices!
Delete is nearly identical to Retire (because Intune also issues a retire command when you use Delete). Both options will remove the same company data from a device. But while Retire will wait for a device to check-in before removing it from the portal, Delete immediately deletes the record in Intune. This comes down to preference – I use Retire for active devices, and Delete for stale ones.
Regarding stale records… if you’ve noticed the Device cleanup rules under the Devices pane, you’ll see the option to delete devices based on last check-in date. This action does not issue a Delete (and therefore no Retire) command to the device – it only removes the device record from the console. If a removed device checks in again before its device certificate expires, it will reappear in the console. Intune device certificates are valid for one year.
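The Retire-for-active, Delete-for-stale preference above can be automated. The following is an added example (not code from the original post): it looks each named device up in Microsoft Graph, and, based on its last check-in, issues a Retire when the device is still checking in and a Delete when it has gone quiet. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account has the DeviceManagementManagedDevices.ReadWrite.All permission; the 90-day threshold and the -Commit switch are choices made for the example.

```powershell
<#
    Offboard Intune-managed Windows devices the way described above:
      - device checked in recently  -> Retire (device removes company data on next check-in)
      - device has not checked in   -> Delete (record removed now; the device won't sync anyway)
    Nothing is changed unless -Commit is supplied.
#>
param(
    [Parameter(Mandatory)] [string[]] $DeviceName,
    [int]    $StaleAfterDays = 90,    # assumption: "stale" means no check-in for 90 days
    [switch] $Commit
)

$graph = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All" | Out-Null

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleAfterDays)

foreach ($name in $DeviceName) {
    # Look the device up by name; the filter value is single-quoted for OData.
    $uri = $graph + '?$filter=deviceName eq ''' + $name + '''&$select=id,deviceName,lastSyncDateTime'
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri

    if (-not $page.value -or $page.value.Count -eq 0) {
        Write-Warning "$name not found in Intune"
        continue
    }

    foreach ($device in $page.value) {
        $lastSync = ([datetime]$device.lastSyncDateTime).ToUniversalTime()

        if ($lastSync -lt $cutoff) {
            # Stale: a Retire would sit waiting for a check-in that never comes, so delete the record.
            $action = "Delete"
            if ($Commit) {
                Invoke-MgGraphRequest -Method DELETE -Uri "$graph/$($device.id)"
            }
        }
        else {
            # Still checking in: Retire so the device itself removes company data and unenrolls.
            $action = "Retire"
            if ($Commit) {
                Invoke-MgGraphRequest -Method POST -Uri "$graph/$($device.id)/retire"
            }
        }

        [pscustomobject]@{
            DeviceName = $device.deviceName
            LastSync   = $lastSync
            Action     = $action
            Applied    = [bool]$Commit
        }
    }
}
```

Run it once without -Commit to review the plan, and remember the caveat from the section above: Retire on an Azure AD joined corporate device locks everyone out of it, so only feed this script BYOD devices (or devices you are about to reimage anyway).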
So we’ve covered most of the “traditional” or common options. Before we get to Autopilot Reset, what about Fresh Start?
Fresh Start is nearly identical to Wipe. Both options restore a device back to its factory settings (back to OOBE). The one difference is that Fresh Start also removes OEM-preloaded applications. For example, most Dell laptops purchased for corporate use come with Dell Command Update. If you Fresh Start a Dell machine, the only built-in applications left are the ones that ship with a stock Windows 10 image from Microsoft.
I personally just really enjoy that this exists at all. It’s quite powerful to be able to reset devices to a clean slate without having to put in the work to remove apps via Intune or PowerShell.
Just like with the Wipe, Fresh Start includes the option to retain user data on the device. And just like before, it removes the MDM settings (configuration profiles, apps, etc.) and resets the OS, but retains the MDM enrollment and user profile.
Finally we get to Autopilot Reset. I wanted to lay the foundation with the other resets first, because there is overlap between them and this one.
Autopilot Reset removes personal files, apps, and settings from a device but retains its connection to Azure AD and Intune (or a 3rd-party MDM). The key here is personal data: the device is reset, but its identity and management state survive the reset, so the next user starts from a clean profile on a device that is still joined and enrolled. This makes Autopilot Reset a sort of middle ground, where you are wiping a device and maintaining the enrollment state but not maintaining the user data.
Autopilot Reset also maintains the region/language/keyboard, any provisioning packages applied, and Wi-Fi connections. Autopilot Reset is the best option for re-using a device within your organization. You’re basically removing the last user from a device and (depending on your Intune deployment configuration) handing it right over to the next person with no extra work needed.
You can kick off Autopilot Reset from the Intune portal like any of the other wipe methods. But you can also run it locally from the lock screen by enabling the Autopilot Reset credential provider: set the CredentialProviders/DisableAutomaticReDeploymentCredentials policy (part of the Policy CSP) to 0, either via an Intune configuration policy or a Windows Configuration Designer provisioning package. It defaults to 1 (disabled). Once enabled, pressing Ctrl + Windows key + R on the lock screen starts the reset, and there is a prompt for an administrator to sign in, as shown here:
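As an added example (not code from the original post), here is one way to deploy that setting from Intune with a custom OMA-URI profile through Microsoft Graph, followed by a check you can run on a device after it syncs. It assumes the Microsoft.Graph PowerShell SDK, an account with DeviceManagementConfiguration.ReadWrite.All, and an Azure AD group object ID to target; the profile name is a placeholder. The registry location used in the check is where Policy CSP settings are mirrored on the device (HKLM\SOFTWARE\Microsoft\PolicyManager\current\device), which is an assumption about the device layout rather than something the post states.

```powershell
<#
    Create and assign an Intune custom configuration profile that enables local
    Autopilot Reset (Ctrl + Win + R on the lock screen) by setting
    ./Device/Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials = 0
#>
param(
    [Parameter(Mandatory)] [string] $GroupId,                        # Azure AD group object ID (assumed input)
    [string] $ProfileName = "Enable local Autopilot Reset"           # placeholder name
)

$base = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" | Out-Null

# 1. The custom profile: one integer OMA-URI setting. 0 = credential provider enabled, 1 = disabled (default).
$customProfile = @{
    "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
    displayName   = $ProfileName
    description   = "Sets CredentialProviders/DisableAutomaticReDeploymentCredentials to 0"
    omaSettings   = @(
        @{
            "@odata.type" = "#microsoft.graph.omaSettingInteger"
            displayName   = "DisableAutomaticReDeploymentCredentials"
            omaUri        = "./Device/Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials"
            value         = 0
        }
    )
}
$created = Invoke-MgGraphRequest -Method POST -Uri $base -Body $customProfile
Write-Host "Created profile $($created.displayName) ($($created.id))"

# 2. Assign it to the target group so devices in that group receive the policy.
$assignment = @{
    assignments = @(
        @{
            "@odata.type" = "#microsoft.graph.deviceConfigurationAssignment"
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $GroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/assign" -Body $assignment
Write-Host "Assigned to group $GroupId"

# 3. On a targeted device, after it syncs (Settings > Accounts > Access work or school > Sync),
#    confirm the value landed. Assumption: Policy CSP settings are mirrored under this key.
#    Expect DisableAutomaticReDeploymentCredentials : 0
#
# Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\CredentialProviders' `
#                  -Name DisableAutomaticReDeploymentCredentials
```

Because this puts a reset button on the lock screen of every targeted device, scope the group deliberately: the prompt still requires an Azure AD account that is an administrator on the device, but you probably don’t want the option visible on machines that will never be re-purposed.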
When the reset is complete, the user is presented with the Windows 10 sign-in screen. All they need to do is sign in – no OOBE! There is the added security benefit (and our recommendation) of enabling the Enrollment Status Page to keep users off the desktop until all their apps and settings are installed.
One note to clarify – even though it’s called Autopilot Reset, it doesn’t prepare the device for Autopilot. You’ll have noticed that it doesn’t send you back to OOBE, so the device can’t even be Autopiloted. Further, it doesn’t upload the device’s hardware hash to the Autopilot service. So, my hunch at least, is that they’re branding this with Autopilot because it follows the same methodology. Autopilot Reset allows IT admins to get devices ready for productive use without additional infrastructure to manage, with “a process that’s easy and simple.” And Autopilot Reset is certainly simple to use.
Does that clear up all the options? If not post a comment below, and I’m more than happy to explain further.