This blog will show you the “other paths” available to ensure that your device is wiped before it is trashed or sent back to the supplier.
1. Introduction
In my last blog about the remote wipe functionality, I showed you what was happening behind the “resetting my pc” window when you performed a Remote Wipe from Intune.
Let’s start with a small summary: We noticed that just before Windows is rebuilt from scratch, all of the important data (even while we don’t want to retain it) is moved to the Windows.Old folder. Luckily, Bitlocker is still enabled during this process. When it’s done, it will “try” to empty the Windows.old folder and will remove the Bitlocker encryption.
As I showed you with the #RemoteWipeGate bug, the data wasn’t removed, and we don’t want our data to be “hidden” in plain sight!
Of course, using the resetconfig.xml to remove the Windows.old folder was a pretty good idea of mine because Microsoft also has implemented almost the same idea in the KB5011487 and KB5011493 updates.
When performing a Remote Wipe after those new KBs and running the MSDT troubleshooting tool, the Windows.old folder is indeed “removed,” but as shown below, that doesn’t mean it can’t be recovered!
You could say it’s pretty sure that after a (remote) wipe, you could still easily recover some data and that’s something we don’t want. I guess we can develop something better when we want to trash the device!
I guess you always want BitLocker enabled, and sending a remote wipe “could” allow the user to recover files. Maybe some people have the wonderful idea of just deleting the device object in Intune and AAD, but that’s even stupider.
Let me explain what happens when you delete the Intune object after configuring some nice BitLocker device configuration policies in Intune.
2. The Intune Object and BitLocker
I decided to move this part to a separate blog because while writing it, I felt it was overshadowing the other important stuff in this blog!
3. The Idea
Okay, so now we know that performing a remote wipe couldn’t be the most secure option we have, and deleting the AAD/Intune object is alson’t the smartest thing to do. What’s left?
I did some more reading and stumbled upon the Microsoft Docs mentioning something about the Bare Metal resets
I noticed some warning in the part about mentioning the Partition Reset Scripts AKA DiskpartScriptPath
As shown above, it’s telling us “the script should not contain commands to select or clean the drive”. Mmm, clean…. It sounds like the drive will be cleaned. Luckily, there are enough Microsoft Docs to go through
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clean?id=5004252
So when we enter the Clean All command, “it makes sure each sector on the disk is set to zero, which completely deletes all data contained on the disk”. It does sound like a great idea to me!
4. My Solution
Of course, I know there is already a very nice Tool out there to wipe your device securely but still, I wanted to know if I could make sure the hard drive is wiped differently.
For my own solution, I used the same idea I used for removing the Windows.old folder as shown in this blog
I used the resetconfig.xml and the commoncustomizations.cmd file to delete that “not cleaned up folder” but what would happen if I add some stuff to the resetconfig.xml to call upon a nice DiskPart Script.
I made sure I changed the common customizations.cmd to only execute this DiskPart script. It uses the Diskpart command with the /s Parameter to specify a TXT file with the Diskpart commands in it.
Of course, we could deploy the V1 of this script to the device we want to wipe with PowerShell. But please… pretty please make sure you target your proper device.. otherwise, you have some explaining to do!
Just like the “retire my pc” tool, I want it to be available in the Company Portal app. So I need to make sure the PowerShell script was converted to a nice Win32app instead of pushing it down the device with PowerShell.
I needed to ensure that this simple tool prompts the user from the System context to ensure you agree with the wipe. To do so, I am using “service” to deliver to execute the encrypted PowerShell command, and it will show the prompt in the user Context.
This encoded command is just a base64 converted script I also showed you in my blog about removing sensitive information from the Intune Log files. If you didn’t have time to read it, please do!
I added it to the script but ensured it would not be executed!
If you are good to go, you could click OK to resume the wipe. Instead of the remote wipe functionality in Intune, I will use the local MDM WMI Bridge Provider to perform the “doWipeProtectedMethod”. In the past, I already have written some stuff about choosing between the “DoWipeProtectedMethod” and the normal “DoWipeMethod”
How to wipe your Windows 10 devices without using Intune (call4cloud.nl)
If I woke your interest in the whole script please download It here and test it for yourself! As mentioned above, you don’t need to perform a remote wipe from Intune.
https://call4cloud.nl/wp-content/uploads/2022/03/wipeitall.zip
5. Results
Of course, I tested my own tool/script multiple times. To be sure the wipe would also proceed during the Wipe and shutting down the VM, I just shut down the VM at the “resetting my pc” part. Good to know is that when using “dowipeprotected” you would normally be good to go!
I made a simple video about how it would look like when you execute this tool from the Company Portal
When the device is wiped, it will NOT boot anymore!!!. Let’s check out what happens when we attach the disk to another device. We will notice we need to initialize it, and it will end up with no partitions or volumes on it.
Now, let’s check if we can easily recover some data, as I showed you in the Remote Wipe technical flow blog.
As shown below, no data is easily recoverable even without adding the extensive parameter to Winfr!
Please Note: When using this option, you still got a lingering Intune object. If you want to use the pre-provisioning autopilot option, you will need to make sure this object is removed manually. Of course, I also need to add, that when “trashing” the device or sending it back to the supplier don’t forget to delete the 4k HH hash! from Azure/Intune.
6. Restricting the Reset options
While writing the blog, I also received a question out of the blue: Was it possible to make sure only a specific group of users could reset their own devices? Normally when you are a local admin, you could just click on “reset pc”
But if you aren’t a local admin, you don’t have the proper credentials to approve this UAC screen
Of course, you could make sure the “reset button” will be shown on corporate Windows Devices. To do so, make sure this option below isn’t selected!
However, by doing so, everyone would be able to “reset” their device from the Company Portal app, and that’s also something we don’t want!
I guess we could change the script I showed you earlier on and just remove the parts we don’t need. In this script below I removed the “ResetConfig.xml”, “CommonCustomizations.cmd”, and the “Wipeitall” parts. When those parts are removed we will end up with a PowerShell script that we could convert to a Win32App.
https://call4cloud.nl/wp-content/uploads/2022/03/resetthisdevice.zip
When this Win32App is created, you can assign this nice reset app to a specific user group to make sure only specific persons can reset their devices on their own!
Conclusion
You must ensure your hard drive is erased before it will be “ditched” or sent back to the supplier. A lot of people share the same opinion. “The Remote Wipe option in Intune is not secure enough for us“
Also, we need to beware that removing the device in Intune will result in a device that is not BitLocker protected!
Hopefully, this blog will show you some of the options you have. I know my solution is not perfect, but I just wrote it and tested it in 24 hours… It’s not the most elegant script, but it’s nice to see what you could do when executing a Wipe!
