Jackie Ramsey, May 16, 2026

When I review a Microsoft 365 tenant before a CMMC readiness effort, stale devices jump out fast. They fill reports with ghosts, blur asset counts, and make old access paths harder to spot.

A good Intune device cleanup policy helps me separate active endpoints from dead records. Still, the setting alone is only housekeeping. The value comes from the workflow, approvals, and evidence around it.

That is where CMMC Level 2 teams turn a simple Intune rule into a cleaner, safer endpoint program.

Why stale endpoint records raise risk

CMMC Level 2, which aligns with NIST SP 800-171 Rev. 2, depends on disciplined device management. If my inventory is wrong, the rest of my security work gets weaker too. That affects compliance reviews, access decisions, response speed, and asset tracking.

An endpoint that has not checked in for months may be harmless, or it may point to a gap. Former employee laptops, field tablets, test systems, and repurposed kiosks often linger in the console after their job is over. If I cannot tell active devices from dead records, I lose trust in the data.

In Small Business IT, stale devices often build up after Cloud Infrastructure changes, Office 365 Migration work, or a Data Center Technology refresh. I also see it in Restaurant POS Support and Kitchen Technology Solutions, where tablets, terminals, and back-office PCs turn over fast.


If those records stay behind, Endpoint Security dashboards get noisy. Device Hardening work loses focus, and Cloud Management becomes guesswork. For compliance managers, that means extra review time and less confidence. For admins, it means chasing devices that may not exist.

I do not treat cleanup as a standalone compliance control. I treat it as a support measure that helps broader CMMC practices work the way they should. A smaller, truer device set makes reviews faster, exceptions clearer, and follow-up actions easier to defend.

What the Intune cleanup rule actually does

As of 2026, Intune lets me set a cleanup rule based on device check-in age. The available range is 30 to 270 days, and 90 days is a common starting point for standard user devices. When a device crosses that threshold, Intune hides the stale record from the admin center and from common reports.

The cleanup rule only hides inactive records within Intune. It does not retire, wipe, or delete the endpoint, and it does not remove the device object from Entra ID.

That distinction matters. If a device checks in again before its management certificate expires, the record can appear again. Because of that, I never use the cleanup rule as a disposal or offboarding process. I use it to keep the console honest, then I handle the real action through asset management, Entra, Defender for Endpoint, and service desk workflow.

For CMMC work, Microsoft makes the same point in different ways. Its Intune in GCC and GCC High overview explains how Intune supports compliance when paired with other Microsoft controls. Microsoft’s CMMC Level 2 access control guidance also shows that device trust only makes sense as part of a broader access model.

A cleanup rule reduces noise, but it also improves judgment. When I review only active devices, I can see which endpoints still need policy updates, which ones missed compliance, and which records need human review. Cleaner data is the real win.

How I set thresholds, review, and downstream action

I start with a written definition of “stale,” not with the Intune toggle. A daily-use laptop is different from a spare kiosk or a seasonal tablet. If I skip that discussion, the threshold either hides active equipment too early or leaves junk in the portal for months.

Here is the process I use most often:

  1. I separate device classes first. Corporate laptops, shared workstations, mobile devices, kiosks, lab gear, and POS endpoints do not all check in on the same rhythm.
  2. Next, I choose a baseline threshold. Most Windows user devices start at 90 days, while shared or high-turnover systems may fit 60 days.
  3. Then I map the systems of record. Before anything gets hidden, I confirm whether Intune, Entra ID, Autopilot, Defender for Endpoint, an RMM, or the CMDB owns the authoritative record.
  4. After that, I enable the Intune cleanup rule and create a monthly review report. I want the team to act on stale devices before they disappear from common Intune views.
  5. I also define the action path. After review, the next step may be to disable the Entra device, retire or wipe the endpoint, remove group membership, recover licenses, and update the asset record.
  6. Finally, I log exceptions. Seasonal sites, remodels, loaner pools, and special-purpose equipment need owner approval and a clear recheck date.

The table below shows the thresholds I use most often.

Threshold | Good fit | Main caution
30 days | Highly controlled shared devices, short-life test equipment | Too aggressive for travelers and devices that stay offline for long periods
60 days | Kiosks, conference room systems, some POS tablets | Works only if support teams review exceptions quickly
90 days | Most corporate Windows laptops and standard mobile devices | Best default when balance matters
180 days | Seasonal sites, specialized equipment, some kitchen systems | Leaves stale records longer, so follow-up must be tighter

For most environments I support, 90 days is the right default and 180 days is an approved exception, not the norm. Intune allows up to 270 days, but I rarely recommend pushing that high unless the device lifecycle truly demands it.
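The monthly review report from the process above, with the per-class thresholds from the table, as an added example that is not part of the original post. It assumes the Microsoft Graph PowerShell SDK, an account with DeviceManagementManagedDevices.Read.All, and that device classes are carried in the Intune device category; the class names, exception entries and the 14-day warning window are constructed choices, not Intune settings.

```powershell
# Added example (not from the original post): stale-device review report built
# before the Intune cleanup rule hides records. Assumes Microsoft.Graph SDK and
# DeviceManagementManagedDevices.Read.All; class names and exceptions are constructed.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

# Per-class thresholds in days (from the post's table). Class comes from the Intune
# device category, which the tenant must populate; anything unknown falls to Default.
$thresholds = @{ 'Shared' = 30; 'Kiosk/POS' = 60; 'Default' = 90; 'Seasonal' = 180 }
$cleanupRuleDays = 90    # value configured in the Intune device cleanup rule
$warnWindowDays  = 14    # flag devices this close to being hidden by the rule

# Approved exceptions: Intune device id -> recheck date (constructed sample entry).
$exceptions = @{
    '00000000-0000-0000-0000-000000000001' = [datetime]'2026-08-01'   # POS tablet, site remodel
}

$now  = Get-Date
$rows = foreach ($d in Get-MgDeviceManagementManagedDevice -All) {
    if (-not $d.LastSyncDateTime) { continue }          # never checked in: enrollment issue, not stale
    $cat   = [string]$d.DeviceCategoryDisplayName       # null becomes '' so the lookup is safe
    $class = if ($thresholds.ContainsKey($cat)) { $cat } else { 'Default' }
    $age   = [int]($now - $d.LastSyncDateTime).TotalDays
    if ($age -lt $thresholds[$class]) { continue }      # active by policy, nothing to review

    $status = 'Review'
    if ($exceptions.ContainsKey($d.Id)) {
        $status = if ($exceptions[$d.Id] -lt $now) { 'Exception expired' } else { 'Approved exception' }
    } elseif ($age -ge ($cleanupRuleDays - $warnWindowDays)) {
        $status = 'Review before cleanup rule hides it'
    }
    [pscustomobject]@{
        DeviceName    = $d.DeviceName
        Class         = $class
        DaysInactive  = $age
        User          = $d.UserPrincipalName
        EntraDeviceId = $d.AzureAdDeviceId   # needed for the downstream Entra disable step
        IntuneId      = $d.Id
        Status        = $status
    }
}

# Evidence artifact for the monthly review ticket, plus a quick count per status.
$rows | Sort-Object DaysInactive -Descending |
    Export-Csv -Path ".\stale-devices-$($now.ToString('yyyy-MM')).csv" -NoTypeInformation
$rows | Group-Object Status | Select-Object Name, Count
Disconnect-MgGraph | Out-Null
```

Devices with 'Exception expired' go back to the approver, and the exported CSV is the artifact that shows staff examined inactive devices that month.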

This matters even more when access policy relies on device state. If an endpoint has gone dark, I want its trust relationship reviewed, not ignored. That is why I align stale-device handling with Entra access policy, offboarding, and endpoint response, rather than leaving it inside Intune alone.

Governance and audit evidence that hold up

Assessors do not care about a neat portal by itself. They want proof that the policy is documented, reviewed, and followed. Because of that, I assign one owner for the Intune setting, one owner for asset disposition, and one approver for exceptions. In a small team, one person may hold more than one role, but the duties still need to be clear.

My cadence is simple. I review stale-device reports every month, I review exceptions every quarter, and I revisit thresholds after major business changes. That review cycle matters after Office 365 Migration projects, mergers, new sites, or device program changes, because inventory drift rises during those periods.

When I prepare for a CMMC interview, I keep a short evidence pack ready:

  • The written policy that defines stale endpoints, thresholds, roles, review frequency, and exceptions.
  • A screenshot or export of the active Intune cleanup setting.
  • Monthly review tickets or meeting notes that show staff examined inactive devices.
  • Proof of downstream action, such as Entra disablement, retire or wipe requests, asset updates, and recovered licenses.
  • An exception log with owner, business reason, and expiration date.

That approach matches the point made in this CMMC Level 2 GCC High explanation: evidence has to show that the practice is part of daily operations, not a setting turned on the night before an assessment.

Real examples make the gap obvious. If a former employee laptop shows 97 days inactive, I do not stop after Intune hides it. I verify offboarding, check Defender for Endpoint last seen, disable or remove the Entra device as needed, confirm recovery or wipe, and update the asset system. On the other hand, if a POS tablet has been offline during a restaurant renovation, I record an approved exception with a review date instead of forcing retirement.

When I work as a Business Technology Partner, I place stale-device cleanup inside broader Technology Consulting, Infrastructure Optimization, and IT Strategy for SMBs. It supports Secure Cloud Architecture, Cybersecurity Services, and Business Continuity & Security because inactive devices distort trust decisions across the tenant. For companies that want Managed IT for Small Business or other Tailored Technology Services, this is one of those quiet Innovative IT Solutions that protects Digital Transformation work without adding much overhead.

Conclusion

Ghost endpoints are easy to ignore until audit prep or an incident turns them into a problem. I get the best results when I use the Intune device cleanup policy as a data-hygiene control, then back it with review steps, ownership, and evidence.

A clean Intune console does not prove CMMC Level 2 by itself. Still, it gives me a truer inventory, faster investigations, and fewer blind spots. When the device list tells the truth, the rest of the security program works better.
