Intune device actions
Manage365 exposes 11 Intune device actions from the tenant device list. They're the same actions you'd find in the Intune admin centre, but runnable in bulk and logged through Manage365's audit trail.
The 11 actions
Sync
Forces the device to check in with Intune immediately. Useful after changing a configuration profile — sync kicks the device into pulling the latest policy rather than waiting for the 8-hour default check-in cadence.
Wipe
Full factory reset. Everything goes — user data, apps, OS personalisation. Options:
- Keep enrollment data — retains the Intune enrollment so the device re-appears after setup. Handy for re-deploying a laptop to a different user.
- Keep user account — preserves the primary user account (Windows only).
Irreversible. Confirm the device ID before hitting the button.
Retire
Softer sibling of wipe — removes company data, app configurations, and the enrollment profile, but leaves personal data alone. The right action for BYOD phones where you want the Outlook data gone but not the user's holiday photos.
Restart
Reboots the device remotely. Windows 10+ only. The user gets a 5-minute countdown notification before the restart fires; no way to override that delay.
Rename
Changes the device's Intune name. Doesn't rename the machine in Entra ID or on the device itself — this is purely the Intune label. Useful for a tenant where device names drift from the naming convention and you want to tidy up the list.
Locate
Returns the device's last known GPS coordinates. Supported on supervised iOS devices, corporate-owned Android devices, and Windows devices that have location services enabled for Intune. The result includes lat/long and a confidence radius in metres.
Lost mode
Locks the device into a kiosk state showing a configurable message (typically “If found, call 03-9xxx-xxxx”) and a phone number. Supervised iOS and corporate-owned Android only. Tracks location automatically while in lost mode.
Disable lost mode
The other half of the lost mode feature — when the device is recovered, take it out of lost mode to restore normal operation.
Rotate LAPS password
Forces a new Windows LAPS (Local Administrator Password Solution) password to be generated and stored in Entra ID. Use when a previous tech may have noted the password or when rotating on a schedule.
Rotate BitLocker recovery key
Generates a new BitLocker recovery key for the Windows device and uploads it to Entra. The old key is retired. Use after exposing the key for a recovery operation.
Delete record
Removes the device record from Intune entirely. Doesn't wipe the device — the device just disappears from management. Use when retiring hardware that won't ever come back online to receive a wipe command.
Platform support
| Action | Windows | macOS | iOS | Android |
|---|---|---|---|---|
| Sync | yes | yes | yes | yes |
| Wipe | yes | yes | yes | yes |
| Retire | yes | yes | yes | yes |
| Restart | yes | no | no | no |
| Rename | yes | yes | yes | yes |
| Locate | yes (with opt-in) | no | supervised only | corporate only |
| Lost mode | no | no | supervised only | corporate only |
| Disable lost mode | no | no | supervised only | corporate only |
| Rotate LAPS | yes (LAPS enrolled) | no | no | no |
| Rotate BitLocker | yes (BitLocker on) | no | no | no |
| Delete record | yes | yes | yes | yes |
Manage365 checks platform compatibility before sending the action — an unsupported combination is rejected client-side with a clear message rather than submitted and silently ignored.
Bulk actions
Most actions can be run in bulk by selecting multiple devices on the device list and picking the action from the toolbar. Exceptions:
- Rename — single-device only (a bulk rename would need a naming template, which isn't in scope yet)
- Lost mode — single-device only (message + phone number per device)
Bulk wipe is available, and yes, it's as powerful as it sounds. The confirmation dialog requires you to type the word WIPE and the count of selected devices.
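The platform check and the bulk rules above can be expressed as one pre-flight validator. This is an added sketch, not Manage365's own code; the device dictionary keys, the action labels and the function names are assumptions made for the example.

```python
# Device dict keys (platform, supervised, corporate_owned, location_opt_in,
# laps_enrolled, bitlocker_on) and action labels are assumptions for this sketch.
def always(device):
    return True

def need(flag):
    return lambda device: bool(device.get(flag))

EVERY = dict.fromkeys(("windows", "macos", "ios", "android"), always)
MOBILE = {"ios": need("supervised"), "android": need("corporate_owned")}
SUPPORT = {  # action -> platform -> prerequisite, transcribed from the table
    "sync": EVERY, "wipe": EVERY, "retire": EVERY, "rename": EVERY, "delete": EVERY,
    "restart": {"windows": always},
    "locate": {"windows": need("location_opt_in"), **MOBILE},
    "lost-mode": MOBILE,
    "disable-lost-mode": MOBILE,
    "rotate-laps": {"windows": need("laps_enrolled")},
    "rotate-bitlocker": {"windows": need("bitlocker_on")},
}
SINGLE_DEVICE_ONLY = {"rename", "lost-mode"}

def preflight(action, devices, typed_word=None, typed_count=None):
    """Return (accepted_ids, {rejected_id: reason}); raise if the request itself is invalid."""
    if action not in SUPPORT:
        raise ValueError(f"unknown action: {action}")
    if len(devices) > 1 and action in SINGLE_DEVICE_ONLY:
        raise ValueError(f"{action} is single-device only")
    if action == "wipe" and len(devices) > 1:
        if typed_word != "WIPE" or typed_count != len(devices):
            raise ValueError("bulk wipe needs the word WIPE and the exact device count")
    accepted, rejected = [], {}
    for dev in devices:
        check = SUPPORT[action].get(dev["platform"])
        if check is None:
            rejected[dev["id"]] = f"{action} is not supported on {dev['platform']}"
        elif not check(dev):
            rejected[dev["id"]] = f"{action} prerequisite not met on {dev['platform']}"
        else:
            accepted.append(dev["id"])
    return accepted, rejected

# Constructed sample selection, not real devices.
DEVICES = [
    {"id": "w1", "platform": "windows", "laps_enrolled": True, "bitlocker_on": False},
    {"id": "m1", "platform": "macos"},
    {"id": "i1", "platform": "ios", "supervised": True},
    {"id": "a1", "platform": "android", "corporate_owned": False},
]
if __name__ == "__main__":
    print(preflight("locate", DEVICES))
```

Running the same check on the server side as well keeps a direct API call from bypassing the toolbar's validation.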
Audit trail
Every action is audited as a device.action.<actionType> event with:
- Actor (the MSP user who initiated it)
- Target tenant ID + device ID
- Platform + device name at time of action
- Options used (for wipe / rename / lost mode)
- Graph API response — success + request ID, or error + message
Bulk actions emit one audit event per device — so a bulk wipe of 50 devices produces 50 audit entries linked by a shared batchId.
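Because each device in a bulk action gets its own event, reviewing a batch means regrouping events by batchId and checking which devices failed. The following is an added example, not part of Manage365; only the `device.action.<actionType>` type and `batchId` come from this page, and every other key name, the action spellings and the size threshold are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample events. Only the "device.action.<actionType>" type and
# batchId come from the page; every other key name here is an assumption.
SAMPLE = [
    '{"type":"device.action.wipe","actor":"tech1@msp.example","tenantId":"t-1",'
    '"deviceId":"d-01","batchId":"b-7","response":{"ok":true,"requestId":"r-1"}}',
    '{"type":"device.action.wipe","actor":"tech1@msp.example","tenantId":"t-1",'
    '"deviceId":"d-02","batchId":"b-7","response":{"ok":false,"message":"device not found"}}',
    '{"type":"device.action.sync","actor":"tech2@msp.example","tenantId":"t-1",'
    '"deviceId":"d-03","batchId":"b-8","response":{"ok":true,"requestId":"r-3"}}',
    '{"type":"device.action.rename","actor":"tech2@msp.example","tenantId":"t-1",'
    '"deviceId":"d-04","response":{"ok":true,"requestId":"r-4"}}',
    '{"type":"user.login","actor":"tech2@msp.example"}',
]
DESTRUCTIVE = {"wipe", "retire", "delete"}  # assumed actionType spellings

def summarize_batches(lines):
    """Group bulk device-action events by batchId."""
    batches = defaultdict(lambda: {"action": None, "actors": set(), "total": 0, "failed": []})
    for line in lines:
        ev = json.loads(line)
        prefix, _, action = ev.get("type", "").rpartition(".")
        if prefix != "device.action" or "batchId" not in ev:
            continue  # not a device action, or a single-device action
        b = batches[ev["batchId"]]
        b["action"] = action
        b["actors"].add(ev["actor"])
        b["total"] += 1
        if not ev["response"].get("ok"):
            b["failed"].append((ev["deviceId"], ev["response"].get("message", "")))
    return dict(batches)

def needs_review(batches, max_devices=10):
    """Destructive batches that partly failed or exceed an assumed size threshold."""
    return sorted(
        bid for bid, b in batches.items()
        if b["action"] in DESTRUCTIVE and (b["failed"] or b["total"] > max_devices)
    )

if __name__ == "__main__":
    for bid, b in summarize_batches(SAMPLE).items():
        print(bid, b["action"], b["total"], "failed:", b["failed"])
    print("review:", needs_review(summarize_batches(SAMPLE)))
```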
Endpoints
| Method + path | What it does | Permission |
|---|---|---|
| POST /intune/tenants/:tenantId/devices/:id/sync | Trigger a check-in | INTUNE_MANAGE |
| POST /intune/tenants/:tenantId/devices/:id/wipe | Full factory reset (with options) | INTUNE_MANAGE |
| POST /intune/tenants/:tenantId/devices/:id/retire | Remove company data only | INTUNE_MANAGE |
| POST /intune/tenants/:tenantId/devices/:id/restart | Remote reboot (Windows) | INTUNE_MANAGE |
| POST /intune/tenants/:tenantId/devices/:id/rename | Change Intune label | INTUNE_MANAGE |
| POST /intune/tenants/:tenantId/devices/:id/locate | Pull last-known location | INTUNE_MANAGE |
| POST /intune/tenants/:tenantId/devices/:id/lost-mode | Enter lost mode (iOS supervised / Android corporate) | INTUNE_MANAGE |
| POST /intune/tenants/:tenantId/devices/:id/lost-mode/disable | Exit lost mode | INTUNE_MANAGE |
| POST /intune/tenants/:tenantId/devices/:id/rotate-laps | Rotate Windows LAPS password | INTUNE_MANAGE |
| POST /intune/tenants/:tenantId/devices/:id/rotate-bitlocker | Rotate BitLocker recovery key | INTUNE_MANAGE |
| DELETE /intune/tenants/:tenantId/devices/:id | Remove the Intune record | INTUNE_MANAGE |
End-to-end example: lost laptop
- Customer calls at 4pm — laptop stolen from a café. User is Sarah, device is her Surface Pro 9.
- Open the tenant device list, search “Sarah”, find the Surface Pro.
- Run Locate first. Results: last known coordinates, 50m radius, 2 hours ago. Pass that to Sarah.
- Run Rotate BitLocker — if the thief tries offline recovery, the key they could extract is no longer current.
- Run Wipe with keep enrollment data = false. The device wipes on next check-in (immediately if it's online; queued otherwise).
- Open the compromise remediation playbook on Sarah's user account — revoke sessions, reset password, kill forwarding rules.
Common pitfalls
- Locate returns nothing — usually means location services aren't enabled for Intune on the device, or the device hasn't checked in recently enough to have fresh coordinates. Not a bug, a data gap.
- Wipe stuck in pending — the device isn't online. The command is queued and delivered on next check-in. For a stolen device that will never come back, run Delete record after a reasonable wait.
- Bulk wipe targets wrong devices — double-check your device list filter before selecting all. The WIPE-typing confirmation exists specifically to prevent this.
- Restart blocked by user — Windows 10/11 restart commands respect active-hours and user-busy signals. If the user is in a Teams call, the restart may defer for up to 24 hours. For emergency restart, wipe and re-enrol is the harsher alternative.
FAQ
Can I cancel a pending action? On supported actions (sync, restart), yes — until the device picks it up. Wipe and retire can't be cancelled once the device has started acting on them.
Does Locate work if the device is offline? No — it returns the last known location from the last check-in.
What's the difference between Delete and Wipe? Wipe commands the device to factory-reset itself (needs online + obedient). Delete removes the Intune record only — the device is unmanaged but unchanged. Use wipe for device disposal, delete for “this record shouldn't exist any more”.