Sources:
https://docs.microsoft.com/nl-nl/intune/remote-actions/devices-wipe
https://docs.microsoft.com/en-us/intune/remote-actions/device-sync
https://docs.microsoft.com/en-gb/intune/remote-actions/device-fresh-start
https://www.petervanderwoude.nl/post/factory-reset-fresh-start-autopilot-reset-so-many-options/

Overview of all enrolled devices

If you select a device you get a overview

Retire

The Retire action removes managed app data (where applicable), settings, and email profiles that were assigned by using Intune. The device is removed from Intune management. This happens the next time the device checks in and receives the remote Retire action. The device still shows up in Intune until the device checks in. If you want to remove stale devices immediately, use the Delete action instead.

Retire leaves the user’s personal data on the device.

Data typeWindows 10
Company apps and associated data installed by IntuneApps are uninstalled. Sideloading keys are removed.
For Windows 10 version 1703 (Creators Update) and later, Office 365 ProPlus apps aren’t removed. Intune management extension installed Win32 apps will not be uninstalled on unenrolled devices. Admins can leverage assignment exclusion to not offer Win32 apps to BYOD Devices.
SettingsConfigurations that were set by Intune policy are no longer enforced. Users can change the settings.
Wi-Fi and VPN profile settingsRemoved.
Certificate profile settingsCertificates are removed and revoked.
Email Removes email that’s EFS-enabled. This includes emails and attachments in the Mail app for Windows. Removes mail accounts that were provisioned by Intune.
Azure AD unjoinThe Azure AD record is removed.

Wipe

The Wipe action restores a device to its factory default settings. The user data is kept if you choose the Retain enrollment state and user account checkbox. Otherwise, all data, apps, and settings will be removed.

Retain enrollment state and user accountCheckedNot checked
DescriptionWipes all user accounts, data, MDM policies, and settings. Resets the operating system to its default state and settings.Wipes all user accounts, data, MDM policies, and settings. Resets the operating system to its default state and settings.
Retained during a wipeNot retained
User accounts associated with the deviceUser files
Machine state (domain join, Azure AD-joined)User-installed apps (store and Win32 apps)
Mobile device management (MDM) enrollmentNon-default device setting
OEM-installed apps (store and Win32 apps)
User profile
User data outside of the user profile
User autologon

Delete

Delete devices from the Intune portal
Choose Devices > All devices > choose the devices you want to delete > Delete.

You might need to delete devices from Azure AD due to communication issues or missing devices. You can use the Delete action to remove device records from the Azure portal for devices that you know are unreachable and unlikely to communicate with Azure again.
Azure Active Directory > Users > Devices > choose the devices you want to delete > Delete

Sync

The Sync device action forces the selected device to immediately check in with Intune. When a device checks in, it immediately receives any pending actions or policies that have been assigned to it. This feature can help you immediately validate and troubleshoot policies you’ve assigned, without waiting for the next scheduled check-in.

Restart

The Restart device action causes the device you choose to be restarted. The device owner isn’t automatically notified of the restart, and they might lose work.

Fresh Start

The Fresh Start device action removes any apps that are installed on a PC running Windows 10, version 1703 or later. Fresh Start helps remove pre-installed (OEM) apps that are typically installed with a new PC.

AutoPilot reset

The AutoPilot reset action returns the device to a fully configured and/or IT-approved state. This removes personal files, apps, and settings, and applies the original settings and management settings, so the devices are ready to use. The management settings are coming straight from Azure AD ​and Intune device management.

Retained during a AutoPilot resetNot retained
Intune enrollmentRemoves user data
Azure AD-joinRemoves MDM policies
User accountsRemoves settings
Returns the device to the original
settings and management settings
Removes installed apps

Quick scan

Windows Defender quick scan looks at all the locations on the device where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. A quick scan helps provide strong coverage for both malware that starts with the system and kernel-level malware.

Full scan

Windows Defender full scan checks all files and running programs on the device hard disk for malware. This scan could take longer than one hour.

Update Windows Defender

Windows Defender will update the malware definitions for this device.

Rename device

Enter a new name for this device and restart after rename.

Monitor

If a device is not compliant you can use Monitor to troubleshot