Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The* Device Offboarding Agent* identifies stale or misaligned devices across Intune and Entra ID, providing actionable insights and requiring admin approval before offboarding any devices. The Device Offboarding Agent complements existing Intune automation by surfacing insights and handling ambiguous cases where automated cleanup may not suffice.
This article provides sample responses to show how the agent helps with device offboarding.
Before you begin
- This feature is in public preview.
- Make sure you meet the requirements detailed in the Get Started with the Device Offboarding Agent article.
- The agent fails to run if no retire, wipe, or deletion actions have occurred in the past 30 days.
Explore the agent options
After configuration, manage the agent from the Device Offboarding Agent pane.
In the Microsoft Intune admin center, select Agents > Device Offboarding Agent (preview):
- On the Overview tab, view the suggestions of devices to offboard, and get more details and remediation steps.
- On the Suggestions tab, view the full list of suggestions of devices to offboard, including the completed suggestions.
- On the Settings tab, review details about the agent's configuration.
Select a tab to learn more about its purpose and available options.
After the Device Offboarding Agent completes a run, the Overview tab updates with the agent's list of top suggestions for devices to offboard. The Overview tab only displays the suggestions that are not started or in progress.
The following information is available on this tab:
- The agent's availability and run status.
- Agent suggestions, which are the list of devices to offboard that are not started or in progress.
- Activity section that tracks the current and past run activity of the agent.
Run the agent
To start using the Device Offboarding Agent, first run an evaluation of your device inventory. This action resets the agent's suggestions and status. The agent doesn't persist suggestions across runs; re-running clears previous recommendations.
To manually run the Device Offboarding Agent:
- In the Microsoft Intune admin center, select Agents > Device Offboarding Agent (preview).
- Select Run.
The agent runs until it completes its evaluation. You can't stop or pause the process.
Note
Each time the agent runs, it uses the identity and permissions of the Intune administrator it's configured to use.
Refresh agent view
Select Refresh to update the agent's view with the latest data from its most recent run. This action doesn't trigger a new evaluation; it only refreshes the displayed information to reflect any changes since the last run.
View and act on suggestions
After running the agent, review its findings to see which devices may need offboarding.
- In the Microsoft Intune admin center, go to Agents > Device Offboarding Agent (preview).
- View the agent's suggestions in the Overview or Suggestions tab.
Each offboarding suggestion includes detailed context and recommended actions. To manage these suggestions:
- View details and take action: Select a suggestion to review its rationale and initiate offboarding steps.
- Update status: Choose Manage suggestion to mark the offboarding action as In progress or Completed.
Device Offboarding Agent logs
You can track agent activity and troubleshoot issues using the available logs.
All agent management actions (create, delete, run) and any permission failures are available in Security Copilot logs. Logs don't include which devices were offboarded or when recommended actions were completed.
Common errors
While the agent run might fail due to insufficient SCUs, there are other possible errors that can occur. This section lists some common error messages you might encounter while using the agent, along with explanations and suggested actions.
The agent doesn't provide accurate suggestions
In this case, the agent may not have enough data to generate accurate suggestions, or its settings might not fully align with your organization's environment.
To help improve future suggestions, use the like/dislike buttons 
available on each suggestion to share your feedback.
You don't have access to this agent - Licenses
Details: You don't have the licenses needed to access this agent.
Check the licensing and plugins requirements for this agent, and make sure the necessary licenses and configurations are assigned in your tenant.
You don't have access to this agent - Workspace
Details: You aren't part of the workspace needed to access this agent.
This message indicates that your account doesn't have permission to view or use the Security Copilot workspace, which is configured at the time Security Copilot is added to your Tenant. Contact the administrator who installed or manages your Security Copilot subscription for assistance in gaining access, and see Understand authentication in Microsoft Security Copilot.
You don't have access to this agent - Permissions
Details: You don't have the permissions needed to access this agent.
Review the roles requirements to use the agent. Work with an Intune Administrator to assign your account the required permissions.
The agent encountered an error and didn't finish the run. Try running the agent again.
Details: The agent instance failed to start or successfully complete its run. Details of the failure can't be identified. Despite failing to run or complete, admins can continue to view and manage the agent suggestions from past runs.
If the agent continues to fail, it's possible that its lost authorization for its identity account and can't run until it's reauthorized. Possible reasons for a loss of authorization include but aren't limited to:
- The agent's authorization period of 90 days was reached.
- The user account that the agent was installed with is subject to a policy that requires periodic reauthentication.
- An access token has been revoked.
Agent reauthorization requires that the agent is removed and then set up again.
Warning
When an agent is removed, all existing agent suggestions are deleted. This includes details about suggestions that were marked as Applied.