Introduce the ability to remotely wipe a machine.
We should optionally allow for NOT installing an agent after the wipe.
Currently you can use Immy to generate a PPKG that resets the machine and installs the agent afterwards but sometimes these machines are being retired and an agent is not desirable.
We can do this in the short term by using PowerShell to wipe the machine, there are scripts out there that can call the underlying windows reset API.
Long term, rather than downloading and uploading a PPKG, we should either generate the PPKG dynamically or build it into ImmyMDM as that is how this API is supposed to be called.
I'm looking to remote wipe a stolen device. It would even be nice to have a company named lost/stolen devices that we could transfer a device to and then onboard it with a provisioning package that wipes it.
This would be very easy to facilitate as long as the device is autopilot registered. When it hits the internet and we have it on the stolen list we can have it block enrollment. (Assuming it was already wiped).
In the short term you could create a deployment with a remote wipe ppkg that you target to the devices in question. Perhaps with a stolen tag
In the scenario I'm looking at, I don't even mind it re-enrolling in Immy briefly just so I can confirm the wipe goes through. In this case, the machine isn't autopilot registered so I'm counting on Immy to phone in if it reaches internet and begin provisioning with a reset.
I followed directions from support and pushed the package at the given machine, but I did also make a lost/stolen tenant for it to drop into once it's provisioned. My thinking was that we could also transfer a device to this tenant and tell it to onboard upon connection in future scenarios as well.
I would think the most common use case is that it would take me longer to troubleshoot your issue than to re-load Windows. I would like a quick way to reinstall Windows a-la-autopilot and have Immy auto-install itself and re-onboard the machine.
Found this which is supposedly how intune does the remote wipe but you can do it without intune. Seems like we could modify it to the setting that keeps the existing provisioning package in place and ImmyBot would just re-install itself from the provisioning package?
https://techcommunity.microsoft.com/t5/windows-deployment/factory-reset-windows-10-without-user-intervention/m-p/1339823
```powershell
# MDM WMI bridge namespace and the RemoteWipe CSP class it exposes
$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_RemoteWipe'
$methodName    = 'doWipeMethod'

$session = New-CimSession

# doWipeMethod takes a single (empty) string parameter named "param"
$params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection
$param  = [Microsoft.Management.Infrastructure.CimMethodParameter]::Create('param', '', 'String', 'In')
$params.Add($param)

# Locate the ./Vendor/MSFT/RemoteWipe node and invoke the wipe on it
$instance = Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'"
$session.InvokeMethod($namespaceName, $instance, $methodName, $params)
```
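As an added example (not part of the thread and not ImmyBot code), the snippet below wraps the same MDM bridge call in a function that lists the methods the `MDM_RemoteWipe` class actually exposes on the machine and refuses to wipe unless the caller confirms, so a deployment can be dry-run with `-WhatIf` first. It assumes it runs as LocalSystem (the MDM bridge provider rejects other callers) on Windows 10/11; only `doWipeMethod` appears on the page, the other method names in the `ValidateSet` follow the RemoteWipe CSP node names and should be checked against the output of `Get-RemoteWipeMethods` before use.

```powershell
# Added example: inspect the MDM WMI bridge before invoking a remote wipe.
# Assumption: executed as LocalSystem (e.g. from an RMM/Immy task), Windows 10/11.
$script:MdmNamespace = 'root\cimv2\mdm\dmmap'

function Get-RemoteWipeMethods {
    # Lists the wipe variants this build exposes, e.g. doWipeMethod vs the
    # variant that keeps provisioned data (the PPKG) in place.
    $class = Get-CimClass -Namespace $script:MdmNamespace -ClassName 'MDM_RemoteWipe' -ErrorAction Stop
    $class.CimClassMethods | Select-Object -ExpandProperty Name
}

function Get-RemoteWipeInstance {
    # Returns the ./Vendor/MSFT/RemoteWipe node, or $null if the bridge is not reachable
    # (typically because the script is not running as SYSTEM).
    Get-CimInstance -Namespace $script:MdmNamespace -ClassName 'MDM_RemoteWipe' `
        -Filter "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'" -ErrorAction SilentlyContinue
}

function Invoke-RemoteWipe {
    # High-impact action: prompts for confirmation unless -Confirm:$false is passed,
    # and does nothing when -WhatIf is used.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Method names other than doWipeMethod are assumed from the RemoteWipe CSP docs.
        [ValidateSet('doWipeMethod', 'doWipePersistProvisionedDataMethod',
                     'doWipeProtectedMethod', 'doWipePersistUserDataMethod')]
        [string]$Method = 'doWipeMethod'
    )

    $instance = Get-RemoteWipeInstance
    if ($null -eq $instance) {
        throw "MDM_RemoteWipe instance not found under $($script:MdmNamespace); run as LocalSystem."
    }
    if ((Get-RemoteWipeMethods) -notcontains $Method) {
        throw "This machine does not expose $Method; available: $((Get-RemoteWipeMethods) -join ', ')"
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Invoke $Method via MDM bridge")) {
        # Every wipe method takes one string parameter named "param"; empty is accepted.
        Invoke-CimMethod -InputObject $instance -MethodName $Method -Arguments @{ param = '' }
    }
}

# Dry run: reports what would be invoked without touching the machine.
Invoke-RemoteWipe -Method 'doWipePersistProvisionedDataMethod' -WhatIf
```

Run `Get-RemoteWipeMethods` on a test machine first; if the variant that persists provisioned data is listed, that is the one a "wipe but keep the PPKG so the agent reinstalls" deployment would call, and the `-WhatIf` run confirms the bridge is reachable under the deployment's execution context before anything destructive is scheduled.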
Hey Brent,
This is most certainly something we plan to implement. For those of you following along, it is currently possible to download a PPKG from Immy with the Reset Windows option checked and then upload it back to Immy's Apply Provisioning Package task. This works, but it is very clunky.
The script that @Brent_Kenreich provided is PowerShell manually tweaking the MDM API in Windows. Since we are actively working on ImmyMDM, it seems fitting that we should implement this functionality into ImmyMDM as we will be interacting with those APIs directly.
This would be an awesome feature, regardless of stolen, lost device, etc!