Factory reset, Fresh start, AutoPilot reset, so many options?!

This week something completely different. This time no technical configurations, this time I’ll try to provide some guidance about different Windows 10 features to remotely reset a Windows 10 device by using Microsoft Intune. With the introduction of the remote AutoPilot reset their are now 3 similar features to remotely reset a Windows 10 device: Factory reset , Fresh start and AutoPilot reset. In this post I’ll try to answer questions like “What are the differences between these reset options?” and “When can I use which reset option?”.

Factory reset

Introduction

The Factory reset action returns the device to its factory default settings. This removes all personal and company data and settings from this device. The drive will be securely erased. When triggering this remote action it is possible to select the Retain enrollment state and user account checkbox, to keep the device enrolled and the user account associated with this device. This action cannot be reverted.

By using the Factory reset action, it’s possible to get devices to a factory default state. Also, just like the Remove company data action, it enables administrators to simply remove devices from Microsoft Intune that are no longer needed, being repurposed, or missing.

Win10-Int-FactoryReset

Summary

Retain enrollment state and user account* Retain Intune enrollment Summary of performed actions
Factory reset Not checked No
  • Removes user accounts;
  • Removes user data;
  • Removes MDM policies;
  • Removes non-default settings;
  • Removes user-installed apps;
  • Retains OEM-installed apps;
  • Resets the operating system to its default state and settings.
Factory reset Checked Yes
(Also retains Azure AD join)
  • Retains user accounts
  • Retains user data;
  • Removes MDM policies;
  • Removes non-default settings;
  • Removes user-installed apps;
  • Retains OEM-installed apps;
  • Resets the operating system to its default state and settings.

*Retain enrollment state and user account requires Windows 10, version 1709 or later.

Fresh start

Introduction

The Fresh start action literally gives the user a fresh start. This removes any apps that are installed on the device. Then, it automatically updates the device to the latest version of Windows. This action helps with removing pre-installed (OEM) apps that are typically installed with a new device. When triggering this remote action it is possible to select the Retain user data on this device checkbox, to keep the user data, and only remove apps and settings.

By using the Fresh start action, it’s possible to get devices to an clean state by removing all bloatware and updating to the latest version of Windows 10 at the same time.

Win10-Int-FreshStart

Summary

Retain user data on this device Retain Intune enrollment Summary of performed actions
Fresh start*

 

Not checked No
(Retains Azure AD join)
  • Removes user accounts;
  • Removes user data;
  • Removes MDM policies
  • Removes settings;
  • Removes Win32 apps;
  • Retains Windows Store apps;
  • Updates to the latest version of Windows.
Fresh start* Checked Yes
(Also retains Azure AD join)
  • Retains user accounts
  • Retains user data;
  • Removes MDM policies;
  • Removes settings;
  • Removes Win32 apps;
  • Retains Windows Store apps;
  • Updates to the latest version of Windows.

*Fresh start requires Windows 10, version 1703 or later.

AutoPilot reset

Introduction

The AutoPilot reset action returns the device to a fully configured and/or IT-approved state. This removes personal files, apps, and settings, and applies the original settings and management settings, so the devices are ready to use. The management settings are coming straight from Azure AD ​and Intune device management.

By using the AutoPilot reset action, it’s possible to get the device to a known, good, managed and synchronized state while preserving the management enrollment.

Win10-Int-AutoPilotReset

Summary

Retain Intune enrollment Summary of performed actions
AutoPilot reset* Yes
(Also retains Azure AD join)
  • Retains user accounts;
  • Removes user data;
  • Removes MDM policies;
  • Removes settings;
  • Removes installed apps;
  • Returns the device to the original settings and management settings.

*Remote AutoPilot reset requires Windows 10 Insider Preview Build 17672 or later.

More information

For more information related to Fresh start, Factory reset and AutoPilot reset in combination with Microsoft Intune, please refer to the following articles:

59 thoughts on “Factory reset, Fresh start, AutoPilot reset, so many options?!”

  1. Thanks for this great break down of features and pro and cons of them all. This gives us a great overview of possibilities of the different resets. What is the most used option you/your Company use? Btw i miss the Auto Redeployment Option !?

    Reply
    • Hi RKast,

      That really depends on the use case, but I think that it will be Factory reset (at this moment).

      About the Automatic Redeployment, you really need to reed my previous blog post. Automatic Redeployment is now AutoPilot reset.

      Regards, Peter

      Reply
  2. Thanks for your reply.
    Oops missed the name change 🙂
    Intune changes are going faster than the speed of light.

    Reply
  3. Very useful article, thank you! A couple of questions:
    1) does “fresh start” remove any drivers? I’m concerned if while removing some OEM apps, this might trigger the removal of any associated drivers…
    2) what is the definition of “updates to the latest version of Windows” under fresh start? Does it mean latest “quality updates” or latest “feature update”? If “feature update”, does it consider the “latest version” the semi-channel or semi-channel (targeted) version?

    Thank you again, Rajesh

    Reply
    • Hi Raj,

      Let’s try to answers these questions with how it should be according to my knowledge (haven’t tested all specific details):
      1. Only the INF-based drivers are kept;
      2. The latest broadly available feature update;
      3. Settings are removed in all scenarios.

      Regards, Peter

      Reply
  4. Peter – have you seen the behavior where a reset action won’t ‘start’ if the PC is turned on, but not logged in? It seems like a user has to login to the device first, which then triggers a sync which will then receive the reset command from Intune. Just wondering if this mirrors your experience?

    Reply
  5. What is the best option to use if a user is leaving the organization and you want to prepare the windows 10 device for the next user?

    Reply
  6. Hi Peter, no old user accounts should exist on the device.
    Fresh start is not working. I have tested that and after fresh start Windows Hello is popping up, although we didn’t enable that in Intune

    Reply
  7. Hey Peter,

    I did a “Fresh Start” and did not retain user data. This removed it from intune, after this, it was auto enrolled. As planned.

    However it will now not deploy the Windows apps (win32) again. It deployed my LOB apps however.

    Have you seen this, is there a reason this will not work?

    Reply
  8. Great article. Can you comment on which option preserves the Autopilot machine hash? When the Autopilot machine hash need to be re-imported?

    Reply
  9. Hi Peter. My experience is that Fresh Start does not remove user data and user profiles, with the “retain user data” OFF. Unlike what your table states.

    Reply
  10. Hi Peter

    And thanks for this guide!

    I have tested Fresh Start couple of times. Devices has been company owned AAD joined devices enrolled in Intune MDM. Devices has been Windows 10 Pro 1803 or 1903. They are also Autopilot devices.

    Fresh Start do start, removes device from Intune but retains AAD Join and it installs ok but after that, it doesn’t enroll to Intune anymore. If I try to manually sync via Windows 10 Settings Panel (Accounts -> Work Accounts), I get an error (free translation) “Sync could not be initiated 0x82ab0000”. I can’t try to initiate sync via Intune portal because the device is not in Intune.

    In https://docs.microsoft.com/fi-fi/intune/device-fresh-start it says that “Azure AD joined devices will be enrolled into mobile device management again when an Azure Active Directory enabled user signs into the device.”. It’s just that it doesn’t. At least not in any of my test’s. I think it is because the device failes to sync and in every test, it’s the same result.

    What could be wrong?

    Reply
  11. Hello Peter,

    You have great articles!

    I have a question, we deploy devices for our customers in the following steps:

    * Install latest windows version
    * Install drivers
    * Reset this PC ( remove everything)
    * After the device is ready with deleting get the hardware hash, add in autopilot and assign user

    The part that is difficult for now, how can I have the apps etc installed with admin account and reset the device without losing those things? The idea is to install anything with admin account reset the device, start white glove and reseal and send to the customer.

    I haven’t managed to find the best solution for this.

    Reply
  12. Hi Peter,

    What I try to achieve is to prepare the device as much as possible and un-enroll it somehow ( I want the primary user to be the customer not me as admin) and to have a quick experience for the customer when the device arrives. I called with Microsoft as well and they don’t seem to have an answer for it what really surprises me.

    Thanks in advance.

    Reply
    • Hi Ouss,
      That’s exactly were Autopilot white glove has a place. That enables you to pre-provision device apps, device settings, device policies and user apps (of the assigned user). I’m not sure what else you want to achieve. Once the user logs on, only user settings still need to be applied.
      Regards, Peter

      Reply
      • Hi Peter,

        I played around with white glove and that seems to do most things I want. I still have some issues (what the best step to take when a device needs to be reset on the customer side, wipe the device and deleted it in azure and keep it in the autopilot devices list? I seems to give problems if you do that. I think it generates a new hash after wiping the device that’s why.

        Reply
          • Hi Peter,

            Yes, and somehow it won’t register again in the preparing fase in MDM.

            What I do now:
            I wipe the device
            I delete the device from intune and azure ad
            Delete the device from autopilot devices.
            Add the device again in autopilot and start the whiteglove again.

            It takes a long time this way but I use one device to test with and the rest don’t have to be re -enrolled again.

          • Hi Peter,

            Currently I am using autopilot on 1903 . And I keep the default option (Azure Ad joined) in the deployment profile.

            Any suggestions how to speed up this process? If a user has any problems and I want to remote wipe the device, it will takes ages to help the user for now.

            Regards,
            Ouss

          • Hi Ouss,
            At this moment I don’t anything really useful to add. The scenarios for troubleshooting a failed deployment are sub-optimal, especially when you need to reset the device. The only thing I can say is to figure out what went wrong and try to prevent it from happening the next time…
            Regards, Peter

  13. Hi Peter and great article.

    Right now I have issues on new Dell and Surface devices.
    Reset from Company Portal works great.
    Wipe from the Intune portal leaves the machines in unusable state. The reset fails for some reason and we are left in the recovery environment.
    Are both options supposed to do the same thing? Restore factory defaults they say.
    Have you seen this?

    Best Regards
    Olof

    Reply
      • I’ve tested Wipe before and it is nothing close to a factory reset. It’s highly destructive an action – it’ll render the OS unusable and irrecoverable by itself, regardless of whatever recovery/repair options offered by the basic OS boot UI. Wipe should only be used on the event of device loss or theft.

        Reply
          • Perhaps you didn’t fully comprehend the gravity of my statement.

            Wipe is so destructive to the point of rendering the OS unbootable, unusable – it will _not_ boot up to the OOBE setup UI – thereby making the computer (usually a laptop) unusable either until the thief obtains an OS installation media to format and install over the drive partition. I won’t consider wipe a “factory reset” since there’s no workable OS for a new user to setup with.

            When I performed these tests on Lenovo laptop, had to have on hand recovery media from Lenovo Digital Recovery Download service to reinstall Lenovo’s factroy image of Windows.

            Wipe should never be used for the purposes of re-allocating a computer to another staff; use Autopilot Reset or Fresh Start for that.

          • Hi Aaron,

            That’s definitely not my experience. My experience with most devices, bot physical and virtual, are similar to what was mentioned by Ronald. It will eventually bring the device back to the OOBE.

            Regards, Peter

        • @Peter That is destructive is not our observation.
          When we wipe a device is will reset the device and after that the first screen that appears is the screen were a new user can choose the language.

          Reply
          • Hi Ronald,

            Depends on the interpretation of destructive 🙂
            My interpretation was the expected behavior, as you also described, in a way that the device will start from scratch, but based on the comment of Aaron he has a more destructive experience.

            Regards, Peter

          • This is the consequence for the laptop using Wipe instead of Autopilot Reset.

            https://onedrive.live.com/?authkey=%21AuhL5NfBDPwKRCo&id=B6DFB76AA73EC284%21158651&cid=B6DFB76AA73EC284

            There’s just no workable OS to boot with, no matter which option I tried. I had to reapply Lenovo OS recovery media to install a fresh copy of Windows.

            It differs from the documentation (but oh boy, I lost count of the number of discrepenacies I found in documentation in just the past half year), but considering the scenario for using wipe – the event of theft or loss – this is actually a desired state as it causes the thief or misappropriator more hassle to get OS media to install all over.

          • Okay, Aaron, that’s definitely not my experience and looks like something missing in WinRE. Having said that, it sounds like it’s doing exactly what you need at this moment, so I would leave it at that.
            Regards, Peter

          • Well you better be careful too; backup a full disk image first before executing Wipe, just in case.

  14. Update to the latest version of Windows does not seem to happen by default anymore with Fresh start. Do you know why?

    Reply
  15. Hallo Peter, we hebben een Lenovo notebook die sinds een paar dagen op het inlogscherm drie icoontjes onder de aanmeldopties laat zien. Een daarvan (een ronde pijl, tegen de klok in) is een Autopilot reset. Helaas heeft een van de kinderen daar per abuis op geklikt en vervolgens werd de notebook terug gezet naar fabrieksinstellingen en zijn alle bestanden gewist.

    Het is een particuliere notebook waarop Office365 via een schoolaccount is geïnstalleerd.

    Heb jij enig idee hoe ik deze aanmeldoptie uit kan zetten?

    Reply
  16. I have had issues when I old-school re-image a device and rejoin to AAD ending up with duplicate entries for the same device. Is this an issue with any of the above options as it has proven difficult to delete the duplicates

    Reply
  17. Hi Peter,

    Is there a set of steps to take (including any of the above) to re-enroll a windows device to Intune through AutoPilot but with a different profile? I know to change the Group Tag but am not confident on how to get the device to reset and see the change in assigned profiles to apply.

    Reply
  18. I’m trying to perform a fresh start from the command line on HP factory image machines with some junk on them. No matter what commands I run on the HP, I cannot get it to fresh start in the way it does if enrolled in intune. I’m trying to avoid enrolling all the devices only to fresh start them.

    Deleting the c:\recovery folder brings half the stuff back after a manual fresh start. Deleting the contents of the recovery partition or deleting the partition entirely just means the manual reset fails to even begin.

    I’ve tried every colour of systemreset /cleanpc /factoryreset and also the below powershell to mimic what I thought the Fresh Start from intune was pushing down

    ————————————————————–
    $namespaceName = “root\cimv2\mdm\dmmap”
    $className = “MDM_RemoteWipe”
    $methodName = “doWipeMethod”

    $session = New-CimSession

    $params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection
    $param = [Microsoft.Management.Infrastructure.CimMethodParameter]::Create(“param”, “”, “String”, “In”)
    $params.Add($param)

    $instance = Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter “ParentID=’./Vendor/MSFT’ and InstanceID=’RemoteWipe'”
    $session.InvokeMethod($namespaceName, $instance, $methodName, $params)

    Reply
    • Hi David,
      I have to admit that I don’t know which actual MDM action would be triggered locally. Don’t think that it’s your current one though. There are more options documented here, but I can’t really link them based on the docs. You might be able to see it locally in the Event Viewer.
      Regards, Peter

      Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.