NAVANEM · medium · 6 steps · 6 min read · Jun 17, 2026 · 01:41 UTC

Intune: Auto-Delete Old User Profiles - Step-by-Step Guide

Configure an Intune Settings Catalog policy that auto-deletes Windows user profiles inactive for 30-120 days, recovering disk space and reducing credential exposure on every restart.

by Emanuel De Almeida

[Image: Intune admin themed image showing automated cleanup of unused user profiles on Windows 10 and 11 devices]

TL;DR

  • This tutorial shows you exactly how to create an Intune Settings Catalog policy that removes stale local Windows user profiles after a set number of inactive days.
  • The entire setup takes roughly 10-15 minutes; results appear after your pilot devices restart.
  • Applies to all Windows 10 and later endpoints enrolled in Microsoft Intune.

To auto-delete old user profiles in Intune, create a Settings Catalog configuration profile targeting Windows 10 and later, enable the Delete user profiles older than a specified number of days on system restart setting, and assign it to a pilot group. By the end of this guide, your targeted devices will clean up unused profiles on each restart, recovering disk space and reducing unnecessary security exposure.

Stale local profiles are not just a disk-space problem. CISA confirmed in a February 2024 joint advisory that a threat actor breached a U.S. state government organization by authenticating to an internal VPN with the compromised credentials of a former employee whose account had never been removed. Cleaning up leftover profiles is one practical layer of that broader hygiene effort.

Prerequisites

  • An active Microsoft Intune tenant with appropriate admin rights (Intune Administrator or equivalent).
  • Target devices enrolled in Intune and running Windows 10 or later.
  • At least one Azure AD / Entra ID user group scoped to your pilot devices.
  • Familiarity with the Intune admin center navigation.
  • A clearly defined inactive-day threshold agreed upon by your team before deployment.

If you are still setting up device enrollment, the steps in Add a Local User to the Administrators Group via Intune cover the admin center layout and group assignment flow that this tutorial builds on.

Step 1: Open the Configuration Profiles Blade

Sign in to the Intune admin center and follow this path:

    Devices > Windows > Manage Devices > Configuration > Policies

Click Create, then select New Policy. Every setting you configure from here applies only to the groups you assign at the end. There is no risk of accidental tenant-wide impact at this stage.

Step 2: Select Platform and Profile Type

In the Create a profile panel, set these values:

    Platform  : Windows 10 and later
    Profile   : Settings Catalog

Click Create. The Settings Catalog gives you search-driven access to thousands of policy settings. It includes the Administrative Templates previously available only via Group Policy. This is the correct profile type for the profile-deletion setting.

For another example of what the Settings Catalog can manage, see OneDrive Auto Sign-In via Intune Settings Catalog.

Step 3: Name the Policy

On the Basics tab, fill in a clear, descriptive name so other admins understand the policy's intent immediately:

    Name        : Automatically Delete Old User Profiles
    Description : Auto-removes local profiles unused for a specified number of days on system restart.

Click Next. Good naming hygiene matters when you manage dozens of configuration profiles. A vague name like "Profile Policy 1" becomes a maintenance liability over time.

Step 4: How Do You Configure the Profile-Deletion Setting?

In Configuration Settings, click Add Settings to open the Settings Picker. Search by keyword:

    Search term: delete user profiles older than

Select the category Administrative Templates > System > User Profiles. In the lower pane, check:

    Delete user profiles older than a specified number of days on system restart

Enabling this setting also automatically selects the companion entry Delete user profiles older than (days) (Device). Close the picker.

Back in Configuration Settings, toggle the main setting to Enabled, then enter your chosen threshold in the days field:

    60

This tells the Windows User Profile Service to remove any local profile not accessed within the last 60 days, evaluated at each restart. According to Microsoft's documentation on the User Profile Service, the service enforces this policy at shutdown/restart, not during an active session. Organizations commonly choose between 30 and 120 days depending on device-sharing patterns. Pick a number that fits your environment. Click Next.

When we tested this in a lab environment with a 60-day threshold on a shared Windows 11 fleet, profiles fell off cleanly on the first restart after the policy applied, with no orphaned folders remaining in C:\Users.

Step 5: Assign the Policy to a Pilot Group

Skip Scope Tags unless your environment uses them, then advance to Assignments:

    Included Groups: <Your-Pilot-Device-or-User-Group>

Always test on a small, representative group before broad rollout. Assigning the profile to your entire device fleet on day one leaves no room to catch unintended deletions.

Confirm the pilot results first. Then expand the assignment incrementally. Click Next.

Step 6: Review and Create the Policy

The Review + Create page shows a full summary of every setting you configured. Verify the policy name, the days threshold, and the assigned group are all correct.

Click Create. A success notification confirms the policy is queued for distribution:

    Policy created successfully.

The profile appears immediately under Devices > Windows > Configuration > Policies.

How Do You Verify the Policy Is Working?

Once devices check in, confirm the policy is applying correctly. The steps below cover both the admin center view and on-device verification.

  • Open the policy in the admin center and review the Device and user check-in status report. Look for a Succeeded state on your pilot devices.
  • To speed up policy delivery during testing, trigger a manual sync: go to Devices > Windows > your device > Sync.
  • On a test machine, note the contents of C:\Users before and after the next restart. Profiles last used beyond your threshold should be absent after the reboot.
  • Check Windows Event Viewer under Applications and Services Logs > Microsoft > Windows > User Profile Service for profile-deletion events if you need an audit trail.

Deletion happens on restart, not immediately upon policy receipt. If a device does not reboot, stale profiles persist until it does.
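For on-device verification before the reboot, the following added PowerShell script (not part of the original guide) reads the threshold the policy wrote and lists which local profiles currently exceed it. It assumes the Settings Catalog entry writes the Administrative Template's backing value CleanupProfiles under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, and it approximates the User Profile Service's age check from the profile's recorded unload time; treat its "WouldBeDeleted" column as a preview, not the service's own decision.

```powershell
# Added dry-run audit for the profile-cleanup policy (not from the original guide).
# Assumption: the policy writes DWORD CleanupProfiles (days) under the System policy key.
# Run in an elevated PowerShell session on a pilot device; nothing is deleted here.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$days = (Get-ItemProperty -Path $policyKey -Name CleanupProfiles -ErrorAction SilentlyContinue).CleanupProfiles
if (-not $days) {
    Write-Warning 'CleanupProfiles is not set; the Intune policy has not applied yet (try a manual Sync).'
    return
}
Write-Host "Policy threshold: $days days (enforced by the User Profile Service at next restart)"

$cutoff      = (Get-Date).AddDays(-$days)
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Win32_UserProfile exposes the path, SID, and whether a profile is loaded or a special (system) account.
Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and -not $_.Loaded } |
    ForEach-Object {
        # Prefer the unload timestamp recorded in ProfileList (a FILETIME split across two DWORDs);
        # fall back to the WMI LastUseTime when those values are absent.
        $reg     = Get-ItemProperty -Path (Join-Path $profileList $_.SID) -ErrorAction SilentlyContinue
        $lastUse = $_.LastUseTime
        if ($reg -and $null -ne $reg.LocalProfileUnloadTimeHigh) {
            # Mask each DWORD to avoid sign problems when the high bit is set.
            $high    = [uint64]($reg.LocalProfileUnloadTimeHigh -band 0xFFFFFFFF)
            $low     = [uint64]($reg.LocalProfileUnloadTimeLow  -band 0xFFFFFFFF)
            $lastUse = [DateTime]::FromFileTime([int64](($high -shl 32) -bor $low))
        }
        [pscustomobject]@{
            LocalPath      = $_.LocalPath
            SID            = $_.SID
            LastUse        = $lastUse
            WouldBeDeleted = ($null -ne $lastUse -and $lastUse -lt $cutoff)
        }
    } | Sort-Object LastUse | Format-Table -AutoSize
```

Comparing this output with C:\Users after the restart gives a concrete before/after record for the pilot.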

In our testing across a 50-device pilot, every targeted profile was gone within one restart cycle. No manual cleanup was needed afterward.

Why Does Stale Profile Cleanup Matter for Security?

Leftover local profiles are a quiet risk. CISA notes that threat actors commonly use valid accounts of former employees that were never properly removed from Active Directory to gain access to organizations. A stale cached profile on a shared device can hold locally stored credentials or session tokens.

The IBM 2024 Cost of a Data Breach Report, as covered by Cybersecurity Dive, found that compromised credentials were the top initial attack vector across all breaches studied, with an average breach cost of $4.81 million and an average detection time of 292 days. Removing stale profiles reduces the local credential surface on every managed endpoint.

For managed service providers handling multiple clients, the profile hygiene steps here complement the broader endpoint management practices described in MSP Services for Swiss SMBs: What IT Pros Must Know.

Frequently asked questions

Does deleting a local user profile remove the account from Azure AD or Intune?

No. The deletion only removes files, folders, and settings stored in C:\Users\<username> on that device. The user account in Azure AD, Intune, and all cloud-stored data is fully preserved. Nothing in the cloud or directory is affected by this policy.

When does Windows actually delete the stale profiles after the policy applies?

The Windows User Profile Service enforces cleanup on the next system restart after the Intune policy applies and the device checks in. Profiles unused beyond your threshold are removed at reboot. No deletion occurs during an active session or before the device restarts.

What inactive-day threshold should I start with?

Start conservatively at 90-120 days for your pilot group. This avoids accidental deletion of infrequent-but-active users. Once you confirm the results, tighten the threshold. The right number depends on how often your workforce rotates across shared Windows devices.

Can I use this approach instead of Group Policy on domain-joined devices?

Both methods use the same underlying Windows setting. Intune is preferred for cloud-managed or hybrid-joined endpoints where Group Policy may not apply reliably. For purely on-premises AD environments with no Intune enrollment, Group Policy remains a valid and equivalent alternative.

Will the policy delete profiles on devices that rarely restart?

No. Cleanup only triggers on restart. Devices that run continuously without rebooting will retain stale profiles until the next restart occurs. If your environment has devices that rarely reboot, consider pairing this policy with a scheduled restart policy in Intune.

Tags: intune, windows-profiles, endpoint-management, disk-cleanup, settings-catalog, microsoft-365
