IT Operations & Cybersecurity Encyclopedia

Workstation decommissioning checklist for IT administrators

Workstation decommissioning removes a computer from service without leaving behind business data, active accounts, licenses, certificates, device records, management agents, encryption keys, or asset ownership confusion. A professional checklist protects data, supports compliance, and proves that endpoint retirement was handled correctly.

Data retention, Intune wipe, Entra ID, Active Directory, and asset recordsBitLocker keys, certificates, licenses, backups, and chain of custodyDrive sanitization, evidence, disposal, resale, and audit readiness

Why it matters

Retire endpoints without leaving data, access, or inventory behind

Old workstations often hold cached files, browser data, email profiles, VPN clients, certificates, local admin accounts, BitLocker recovery keys, security agents, and application licenses. If a device is handed off, recycled, donated, or stored without a process, it can create data exposure and asset confusion.

Decommissioning should connect HR/offboarding, IT asset management, Microsoft Intune, Microsoft Entra ID, Active Directory, endpoint security, backup, legal hold, and disposal workflows. The goal is to preserve what the business must keep, securely remove what should not remain, and document the result.

Practical rule: Do not dispose, reassign, donate, or recycle a workstation until data retention, wipe/sanitization, identity cleanup, license recovery, asset update, and chain-of-custody evidence are complete.

Review scope

What workstation decommissioning should cover

Ownership and inventory

Confirm serial number, asset tag, assigned user, department, location, warranty, and decommission reason.

Data retention

Check legal hold, business records, local files, OneDrive sync, backups, and required approvals.

Device management cleanup

Review Intune, Autopilot, Microsoft Entra ID, Active Directory, EDR, RMM, and management agents.

Credential and key cleanup

Remove certificates, VPN profiles, Wi-Fi profiles, local accounts, cached credentials, and BitLocker records as appropriate.

Sanitization or redeployment

Choose wipe, reset, redeploy, sanitize, destroy, recycle, or return-to-vendor based on risk and business need.

Evidence and disposal

Keep wipe status, destruction records, vendor certificates, chain of custody, asset updates, and ticket closure.

Review matrix

Workstation decommissioning decision matrix

AreaWhat to verifyQuestions to answerEvidence
Reassign internallyA workstation will be wiped and given to another employee.Back up required data, wipe/reset, remove old user association, re-enroll, and update asset ownership.Is the prior user's data fully removed?
Dispose or recycleA device is leaving company control.Sanitize or destroy storage using documented method and keep chain-of-custody evidence.Can data be recovered after disposal?
Return to vendorA leased or warranty device must be returned.Capture asset details, remove data, wipe storage, document shipping, and keep proof of return.What proof shows the device was sanitized before return?
Legal holdThe device may contain records needed for legal, HR, or investigation purposes.Preserve data before wiping and coordinate with the appropriate business or legal owner.Who approved data preservation or release?
Lost or unavailable deviceThe workstation cannot be physically recovered.Use remote wipe/retire where possible, revoke sessions, rotate credentials, mark asset status, and document risk.What data or tokens may still be exposed?

Step-by-step review

Workstation decommissioning runbook

1

Confirm device identity

Record serial number, asset tag, hostname, user, department, location, warranty, and decommission reason.

2

Decide data handling

Check legal hold, user data, OneDrive sync, local files, backup needs, and business owner approval.

3

Remove access and management records

Update Intune, Entra ID, Active Directory, Autopilot, EDR, RMM, VPN, certificates, and local accounts.

4

Wipe or sanitize storage

Perform Intune wipe, local reset, secure erase, cryptographic erase, or physical destruction based on risk.

5

Recover licenses and assets

Reclaim software licenses, accessories, docking stations, chargers, warranty records, and inventory status.

6

Close with evidence

Save screenshots, wipe status, destruction certificate, chain of custody, ticket notes, approvals, and final disposition.

Common risks

Common workstation decommissioning mistakes

Data not preserved

Important business or legal records may be lost if retention decisions are skipped.

Device records remain active

Old Entra, AD, Intune, Autopilot, EDR, or RMM records create inventory and security noise.

Storage not sanitized

Deleting files is not the same as sanitizing or destroying storage.

Licenses not recovered

Software, warranty, and subscription costs can remain tied to retired devices.

No chain of custody

Disposal evidence matters when devices leave company control.

Lost devices ignored

Unavailable devices still need remote actions, session revocation, and documented risk review.

Related support

Where IT Perfection can help

IT Perfection can help manage workstation decommissioning through managed IT, endpoint management, Intune, asset inventory, help desk, and data protection support.

When endpoint disposal affects compliance, privacy, legal hold, cyber insurance evidence, or audit readiness, OC Security Audit can assist with endpoint and data security assessment support.

Created by Ali Hassani, CISO

Endpoint decommissioning perspective from Ali Hassani

Ali Hassani brings 25+ years of hands-on experience across IT operations, cybersecurity, Microsoft infrastructure, network security, compliance readiness, cloud services, healthcare IT, MSP services, and business technology leadership.

This guide is for initial education and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal review, vendor engineering review, or Microsoft professional services engagement.

Retiring a workstation is a security process, not only an inventory task

Ali Hassani, CISO and IT infrastructure consultant, has 25+ years of experience across endpoint management, data protection, Microsoft infrastructure, cybersecurity, compliance, and managed IT. Decommissioning should protect data, remove access, update inventory, and preserve evidence.

FAQ

Workstation decommissioning FAQ

What is workstation decommissioning?

It is the controlled process of removing a computer from service while preserving required data, removing access, wiping or sanitizing storage, and updating asset records.

Should data be backed up before wiping a workstation?

Yes, if business records, legal hold, user data, or operational files must be retained.

Is deleting files enough before disposal?

No. Devices leaving company control should follow an appropriate sanitization, cryptographic erase, or destruction process.

Which records should be cleaned up?

Review Intune, Autopilot, Microsoft Entra ID, Active Directory, EDR, RMM, asset inventory, licenses, and warranty records.

Can IT Perfection help with workstation decommissioning?

Yes. IT Perfection can help document, wipe, recover licenses, update device records, and preserve decommissioning evidence.