
    Automatically Delete Stale User Profiles with Intune Configuration Profiles

    By Eswar Koneti, August 07, 12:35 am

    Managing user profiles on shared or newly built Windows devices can be challenging, especially when dealing with stale profiles that haven’t been active for a while. This need arises in various scenarios:

        1. Shared Devices: Multiple users use the same device, and old profiles clutter the system.

        2. Desktop Support Validation: Support teams log in to verify device configurations before handing them over.

        3. Security Concerns: Outdated profiles can pose security risks.

        4. Vulnerability Scanning: Applications that require user profiles may still be flagged as vulnerable if users haven’t logged in to update them. Examples include Teams, Zoom, and other user-based applications.

      For customers using Microsoft Intune, there’s a streamlined way to handle this issue. If you are not using Intune to manage your endpoints yet, you can still leverage GPO to do the same. If the devices are co-managed, make sure the device configuration workload is moved to Intune.

      Here’s a step-by-step guide to leveraging Intune for automatically deleting stale user profiles:

      Choosing the Right Method

      Intune offers several methods to manage user profiles, including:

          • Remediation Scripts

          • Scheduled Tasks

          • Configuration Profiles

        Among these, Configuration Profiles (using the Settings Catalogue) is the most straightforward and effective approach.

        Finding the Right Setting in Intune

        Intune features two main options for configuring settings: Administrative Templates and the Settings Catalogue. Given recent changes, Microsoft is migrating settings from Administrative Templates to the Settings Catalogue, making it easier to locate and configure them.

        To find relevant settings, you can refer to the list of device configuration settings available on GitHub. Mike from Microsoft provides a well-organized spreadsheet that is a valuable resource:

        Device Configuration Settings by Mike on GitHub

        Download the latest spreadsheet and look in column (D) for the “Delete user profile” setting. This search will help you find the exact match for your needs.

        Creating a Configuration Profile

        Once you’ve identified the setting, follow these steps to create a new configuration profile in Intune:

            1. Create a New Configuration Profile:

                In Intune, go to device configurations and create a new policy with the profile type “Settings Catalogue”.

                • Search for “Delete user profiles older than”.

              2. Configure the Setting:

              • Set the option to Enabled.

                  • Specify the number of days after which profiles should be considered stale. For instance, to delete profiles older than 40 days, enter 40.

                3. Assign the Profile:

                • Click Next to proceed. Assign the profile to your desired device group. Consider running a pilot test before rolling it out to the entire production environment.

                    • Click Create to finalize the profile.
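
Before assigning the profile beyond a pilot group, a read-only check on a device shows which profiles the chosen threshold would flag. This is an added example, not from the original post; `Get-StaleProfileReport` is a hypothetical helper name, and it assumes the `LastUseTime` value of `Win32_UserProfile` approximates the age the policy evaluates.

```powershell
# Added example: read-only report of profiles a given age threshold would flag.
# Get-StaleProfileReport is a hypothetical helper name; nothing is deleted.
function Get-StaleProfileReport {
    [CmdletBinding()]
    param(
        # Same number entered in the "Delete user profiles older than" setting
        [Parameter(Mandatory)]
        [ValidateRange(1, 3650)]
        [int]$Days
    )

    $cutoff = (Get-Date).AddDays(-$Days)

    # Win32_UserProfile lists every profile registered on the device.
    # Special = system/service profiles; Loaded = currently in use.
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special } |
        ForEach-Object {
            # Resolve the SID to a name; orphaned accounts will not translate
            try {
                $sid = [System.Security.Principal.SecurityIdentifier]::new($_.SID)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '<unresolved>'
            }

            [pscustomobject]@{
                Account      = $account
                SID          = $_.SID
                LocalPath    = $_.LocalPath
                LastUseTime  = $_.LastUseTime
                Loaded       = $_.Loaded
                # Assumption: LastUseTime approximates the age the policy evaluates
                WouldBeStale = (-not $_.Loaded) -and $_.LastUseTime -and ($_.LastUseTime -lt $cutoff)
            }
        } |
        Sort-Object LastUseTime
}

# Run elevated on a pilot device, using the article's example value of 40 days
Get-StaleProfileReport -Days 40 | Format-Table -AutoSize
```

Rows with `WouldBeStale` set to True that belong to people on extended leave are candidates for the exclusion group before the profile is assigned more widely.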

                  End-results:

                  On devices where the policy applied successfully:

                  Before (5 user profiles excluding default, public user profile):

                  After reboot (3 user profiles):

                  Two user profiles, named administrator and Test1, were successfully removed, and this can be verified from the event viewer as well.

                  Additional Resources

                  For more detailed information about cleanup profile settings and related documentation, refer to the ADMX_UserProfiles Policy CSP on Microsoft Learn.


                  5 Comments

                  1. Saheed on February 19, 2025 5:20 PM

                    Please help on how to remove this delete user profiles CSP policy on all devices deploy because people go on FMLA and might login for almost a year. Help with a script to detect and remediate script
                    • Eswar Koneti on March 2, 2025 9:49 PM

                      If the ask is to exclude certain users or devices from the policy, you can simply add the group to exclusion so that the policy will not apply.

                      thanks,
                      Eswar

                  2. Saheed Adeyanju on January 12, 2025 6:35 AM

                    Thank you for this article, and please make an article on the company portal flow and applications that failed to install.
                    • Eswar Koneti on January 31, 2025 10:19 PM

                      Microsoft has documented the workflow of Win32 apps and the troubleshooting method. Does this help? https://learn.microsoft.com/en-us/troubleshoot/mem/intune/app-management/develop-deliver-working-win32-app-via-intune

                      Thanks,
                      Eswar

                  3. Steven on September 21, 2024 10:08 AM

                    Thanks for the article, it is very useful and cleanup the old profiles to make the systems clean.
