Last Updated on April 5, 2022 by rudyooms
This blog will show you the “other paths” available when you want to make sure your device is wiped before it will be trashed or sent back to the supplier.
I will divide this blog into multiple parts:
- The Intune Object and BitLocker
- The Idea
- My Solution
- Wipe Results
- Restricting The Reset options
- Retire My pc
In my last blogs about the remote wipe functionality, I showed you what was happening behind the “resetting my pc” window when you performed a Remote Wipe from Intune.
Let’s start with a small summary: we noticed that, just before Windows is rebuilt from scratch, all of the important data (even though we don’t want to retain it) is moved to the Windows.old folder. Luckily, BitLocker is still enabled during this process. When the rebuild is done, it will “try” to empty the Windows.old folder and will remove the BitLocker encryption.
With the #RemoteWipeGate bug I showed you, the data wasn’t removed and we don’t want our data to be “hidden” in plain sight!
Of course, using the resetconfig.xml to remove the Windows.old folder was a pretty good idea of mine because Microsoft also has implemented almost the same idea in the KB5011487 and KB5011493 updates.
When performing a Remote Wipe after those new KBs and running the MSDT troubleshooting tool, the Windows.old folder is indeed “removed” but as shown below that doesn’t mean it can’t be recovered!
You could say it’s pretty certain that after a (remote) wipe you could still easily recover some data, and that’s something we don’t want. I guess we can come up with something better when we want to trash the device!
I guess you always want BitLocker to be enabled, and sending a remote wipe “could” give the user the ability to recover files. Maybe some people could have the wonderful idea to just delete the device object in Intune and AAD, but that’s even stupider.
Let me explain what happens when deleting the Intune object when you have configured some nice BitLocker device configuration policies in Intune.
2. The Intune Object and BitLocker
I decided to move this part over to a separate blog because, while writing it, I had the feeling it was overshadowing the other, also important, stuff in this blog!
3. The Idea
Okay, so now we know that performing a remote wipe isn’t the most secure option we have, and deleting the AAD/Intune object also isn’t the smartest thing to do. What’s left?
I did some more reading and stumbled upon the Microsoft Docs mentioning something about Bare Metal resets.
I noticed a warning in the section about the Partition Reset Scripts, AKA DiskpartScriptPath.
As shown above, it’s telling us “the script should not contain commands to select or clean the drive”. Mmm, clean… Sounds like the drive will be cleaned? Luckily there are enough Microsoft Docs to go through.
So when we enter the Clean All command, “it makes sure each sector on the disk is set to zero, which completely deletes all data contained on the disk”. It does sound like a great idea to me!
4. My Solution
Of course, I know there is already a very nice tool out there to securely wipe your device, but still, I wanted to know if I could make sure the hard drive is wiped in a different way.
For my own solution, I used the same idea I used for removing the Windows.old folder, as shown in this blog.
I used the resetconfig.xml and the commoncustomizations.cmd file to delete that “not cleaned up folder”, but what would happen if I added some stuff to the resetconfig.xml to call upon a nice DiskPart script?
I made sure the commoncustomizations.cmd only executes this DiskPart script. It calls diskpart with the /s parameter, which specifies a TXT file containing the DiskPart commands.
Of course, we could deploy the V1 of this script to the device we want to wipe with PowerShell. But please… pretty please make sure you target the proper device, otherwise you have some explaining to do!
Just like the “Retire My PC” tool, I want it to be available in the Company Portal app. So I need to make sure the PowerShell script is converted to a nice Win32 app instead of pushing it down to the device with PowerShell.
I needed to make sure this simple tool prompts the user from the System context, so you have to agree with the wipe. To do so I am using ServiceUI to execute the encoded PowerShell command, which shows the prompt in the user context.
This encoded command is just a base64 converted script I also showed you in my blog about removing sensitive information from the Intune Log files. If you didn’t have time to read it, please do!
I added it to the script itself but I made sure it will not be executed!
If you are good to go, you could click OK to resume the wipe. Instead of the remote wipe functionality in Intune, I will use the local MDM WMI Bridge Provider to perform the “doWipeProtectedMethod”. In the past I have already written some stuff about choosing between the “DoWipeProtectedMethod” and the normal “DoWipeMethod”.
If I piqued your interest in the whole script, please download it here and test it for yourself! As mentioned above, you don’t need to perform a remote wipe from Intune.
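The flow described above, as an added example (not the blog’s downloadable script): stage ResetConfig.xml, CommonCustomizations.cmd and a DiskPart script, ask the logged-on user for consent through ServiceUI, then invoke doWipeProtectedMethod through the MDM WMI Bridge. It assumes it runs as SYSTEM, that ServiceUI.exe (from MDT) sits next to the script, that C:\Recovery\OEM is the push-button-reset folder, that disk 0 is the system disk, and that ServiceUI passes the prompt’s exit code through.

```powershell
<#
  Added example, not the author's script. Runs as SYSTEM (e.g. as a Win32 app).
  Assumptions: ServiceUI.exe next to this script; C:\Recovery\OEM is where
  push-button reset reads ResetConfig.xml; disk 0 is the system disk;
  ServiceUI returns the exit code of the process it launched.
#>
[CmdletBinding(SupportsShouldProcess)]
param()

$oem = Join-Path $env:SystemDrive 'Recovery\OEM'
New-Item -ItemType Directory -Path $oem -Force | Out-Null

# DiskPart script: "clean all" zeroes every sector, so the device will not boot afterwards.
"select disk 0`r`nclean all" | Set-Content (Join-Path $oem 'WipeItAll.txt') -Encoding Ascii

# CommonCustomizations.cmd does exactly one thing: run DiskPart with /s against that file.
'diskpart /s "%~dp0WipeItAll.txt"' | Set-Content (Join-Path $oem 'CommonCustomizations.cmd') -Encoding Ascii

# ResetConfig.xml makes push-button reset run the .cmd (Run/Path/Duration elements as in
# Microsoft's ResetConfig XML reference; Duration is the estimate in minutes shown to the user).
@'
<?xml version="1.0" encoding="utf-8"?>
<Reset>
  <Run>
    <Path>CommonCustomizations.cmd</Path>
    <Duration>2</Duration>
  </Run>
</Reset>
'@ | Set-Content (Join-Path $oem 'ResetConfig.xml') -Encoding UTF8

# Consent prompt shown in the user's session from SYSTEM via ServiceUI.
# -EncodedCommand expects base64 of the UTF-16LE (Unicode) script text.
$prompt = @'
Add-Type -AssemblyName PresentationFramework
$r = [System.Windows.MessageBox]::Show('Zero this disk? Windows will not boot afterwards.', 'Wipe it all', 'OKCancel', 'Warning')
exit $(if ($r -eq 'OK') { 0 } else { 1 })
'@
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($prompt))
$ui = Start-Process -FilePath (Join-Path $PSScriptRoot 'ServiceUI.exe') -Wait -PassThru `
    -ArgumentList "-process:explorer.exe powershell.exe -NoProfile -EncodedCommand $encoded"
if ($ui.ExitCode -ne 0) { Write-Warning 'User cancelled; nothing wiped.'; return }

# Local call to the RemoteWipe CSP through the WMI Bridge (root\cimv2\mdm\dmmap).
# doWipeProtectedMethod = "Remove everything", the protected variant the blog prefers.
$wipe = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_RemoteWipe' `
    -Filter "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'"
if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'doWipeProtectedMethod (Remove everything)')) {
    Invoke-CimMethod -InputObject $wipe -MethodName 'doWipeProtectedMethod' -Arguments @{ param = '' }
}
```

Run it with `-WhatIf` first: the files are staged and the prompt is shown, but the wipe call itself is skipped, so you can verify the consent flow on a test VM before packaging it as a Win32 app.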
5. Wipe Results
Of course, I tested my own tool/script multiple times. To be sure the wipe would still proceed after the VM was shut down during the wipe, I shut down the VM at the “resetting my pc” part. Good to know: when using “dowipeprotected”, you would normally be good to go!
I made a simple video showing what it looks like when you execute this tool from the Company Portal.
When the device is wiped, the device will NOT boot anymore! Let’s check out what happens when attaching the disk to another device. We will notice we need to initialize it, and it will end up with no partitions or volumes on it.
Now let’s check if we could easily recover some data as I showed you in the Remote Wipe technical flow blog.
As shown below, no data is easily recoverable, not even when adding the extensive parameter to Winfr!
Please Note: when using this option, you still have a lingering Intune object. If you want to use the pre-provisioning Autopilot option, you will need to make sure this object is removed manually. Of course, I also need to add that when “trashing” the device or sending it back to the supplier, don’t forget to delete the 4k HH hash from Azure/Intune!
6. Restricting the Reset options
While writing the blog I also received a question out of the blue: is it possible to make sure only a specific group of users can reset their own devices? Normally, when you are a local admin, you can just click on “reset pc”.
But if you aren’t a local admin, you don’t have the proper credentials to approve this UAC prompt.
Of course, you could make sure the “reset button” is shown on corporate Windows devices. To do so, make sure the option below isn’t selected!
But by doing so, everyone would have the possibility to “reset” their device from the Company Portal app, and that’s also something we don’t want!
I guess we could take the script I showed you earlier and just remove the parts we don’t need. In the script below I removed the “ResetConfig.xml”, “CommonCustomizations.cmd” and “Wipeitall” parts. When those parts are removed, we end up with a PowerShell script that we can convert to a Win32App.
When this Win32App is created, you can assign this nice reset app to a specific user group to make sure only specific persons can reset their device on their own!
7. Retire My Pc
This Retire My PC tool is indeed a wonderful app and does exactly what you want. It performs the wipe just a little bit differently, but I love it, I really do 😊. If you are interested, please take a look at it.
I am not going to explain how it works in my blog, as Niall already explained it all pretty well on his own blogs!
You will need to make sure your hard drive is erased before it is “ditched” or sent back to the supplier. A lot of people share the same opinion: “The Remote Wipe option in Intune is not secure enough for us”.
Also, we need to beware of the fact that when you remove the device in Intune, you will end up with a device that is no longer BitLocker protected!
Hopefully, this blog showed you some of the options you have to do so. I know my solution is not perfect, but I wrote and tested it in 24 hours… It’s not the most elegant script, but it’s nice to see what you could do when executing a wipe!