Managing user profiles on shared or newly built Windows devices can be challenging, especially when dealing with stale profiles that haven’t been active for a while. This need arises in various scenarios:
- Shared Devices: Multiple users use the same device, and old profiles clutter the system.
- Desktop Support Validation: Support teams log in to verify device configurations before handing them over.
- Security Concerns: Outdated profiles can pose security risks.
- Vulnerability Scanning: Applications that require user profiles may still be flagged as vulnerable if users haven’t logged in to update them. Examples include Teams, Zoom, and other user-based applications.
For customers using Microsoft Intune, there’s a streamlined way to handle this issue. If you are not using Intune to manage your endpoints yet (if co-managed, make sure the device configuration workload is moved to Intune), you can still leverage GPO to do the same.
Here’s a step-by-step guide to leveraging Intune for automatically deleting stale user profiles:
Choosing the Right Method
Intune offers several methods to manage user profiles, including:
- Remediation Scripts
- Scheduled Tasks
- Configuration Profiles
Among these, Configuration Profiles (using the Settings Catalogue) is the most straightforward and effective approach.
Finding the Right Setting in Intune
Intune features two main options for configuring settings: Administrative Templates and the Settings Catalogue. Given recent changes, Microsoft is migrating settings from Administrative Templates to the Settings Catalogue, making it easier to locate and configure them.
To find relevant settings, you can refer to the list of device configuration settings available on GitHub. Mike from Microsoft provides a well-organized spreadsheet that is a valuable resource:
Device Configuration Settings by Mike on GitHub
Download the latest spreadsheet and look in column (D) for the “Delete user profile” setting. This search will help you find the exact match for your needs.
Creating a Configuration Profile
Once you’ve identified the setting, follow these steps to create a new configuration profile in Intune:
1. Create a New Configuration Profile:
- Search for “Delete user profiles older than”.
2. Configure the Setting:
- Set the option to Enabled.
- Specify the number of days after which profiles should be considered stale. For instance, to delete profiles older than 40 days, enter 40.
3. Assign the Profile:
- Click Next to proceed. Assign the profile to your desired device group. Consider running a pilot test before rolling it out to the entire production environment.
- Click Create to finalize the profile.
End results:
On devices where the policy applied successfully:
Before (5 user profiles excluding default, public user profile):
After reboot (3 user profiles):
The 2 user profiles named administrator and Test1 were successfully removed, and this can be verified from the Event Viewer as well.
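To preview on a pilot device which profiles are likely to be removed, and to compare the before and after state, the following script lists local profiles with their age. It is an added example, not part of the original post. It assumes that the `LastUseTime` property of `Win32_UserProfile` is a reasonable approximation of what the policy evaluates (the policy's own staleness calculation may differ), and the `$ThresholdDays` parameter name is hypothetical.

```powershell
# Added example: preview which local profiles exceed a staleness threshold.
# Run in an elevated PowerShell session on a pilot device. Read-only: nothing is deleted.
param(
    [int]$ThresholdDays = 40   # assumption: same value as entered in the Intune profile
)

$now    = Get-Date
$cutoff = $now.AddDays(-$ThresholdDays)

Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special } |    # skip system and service account profiles
    ForEach-Object {
        # Resolve the SID to an account name; SIDs of deleted accounts fail to translate
        $account = try {
            ([System.Security.Principal.SecurityIdentifier]$_.SID).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            '<unresolved SID>'
        }

        [pscustomobject]@{
            Account     = $account
            LocalPath   = $_.LocalPath
            Loaded      = $_.Loaded       # a loaded profile is currently in use
            LastUseTime = $_.LastUseTime
            AgeDays     = if ($_.LastUseTime) { [int]($now - $_.LastUseTime).TotalDays } else { $null }
            # Assumption: flag as stale only when unloaded and older than the cutoff
            Stale       = ($null -ne $_.LastUseTime) -and
                          ($_.LastUseTime -lt $cutoff) -and
                          (-not $_.Loaded)
        }
    } |
    Sort-Object LastUseTime |
    Format-Table -AutoSize
```

Profiles with an unresolved SID belong to accounts that no longer exist and are worth reviewing separately during the pilot.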
Additional Resources
For more detailed information about cleanup profile settings and related documentation, refer to the ADMX_UserProfiles Policy CSP on Microsoft Learn.
1 Comment
Thanks for the article, it is very useful and cleanup the old profiles to make the systems clean.