85°F Knoxville
Mon–Fri 9–5 ETAnswered by a human
Security · RESOLVED

Laptop Stolen at Airport: Emergency Remote Wipe via RMM

Friday 4:47 PM. Sales rep's laptop stolen with customer data. Device online on a different network. We had minutes to act.

16 minutes from theft
Time to wipe

Incident

Friday, 4:47 PM. Sales rep calls from an airport — laptop bag was sitting next to her seat at the gate, she walked 30 feet to a phone charging station, came back five minutes later, laptop was gone. Ticket came in as "laptop stolen at airport - need help."

Within two minutes of pulling the device up in the RMM console we had the worst-case confirmation: the agent was online, and the public IP was not the airport's WiFi. It had already changed while she was on the phone with us. Whoever took it had it on their own network. We had a connection to it, and we had minutes — not hours.

Assessment

  • theft confirmed: device on a different network than the airport WiFi, IP changed mid-call
  • data at risk: customer contracts, pricing sheets, CRM credentials cached in Chrome
  • BitLocker status: enabled, but the device was in sleep mode — not requiring a boot-time decryption prompt
  • RMM agent: online and responsive — we had a channel

Why standard options weren't good enough

Each "standard" option for a stolen laptop has a critical weakness when the attacker is already running:

  • wait for Intune wipe — only triggers when the device checks in. Default Intune sync schedule is 8 hours. If the thief disables WiFi, it's never.
  • rotate credentials — disabling the user's AD account and revoking CRM tokens is fine, but cached credentials in Chrome still work offline, and local files on disk don't care whether her account is enabled
  • trust BitLocker — the device was in sleep mode, not fully powered off. Opening the lid hits a Windows lock screen, not the BitLocker pre-boot prompt. A competent attacker can boot to recovery and work from there.
  • RMM direct wipe — the agent is online right now. We can push a command to it in the next 60 seconds. No waiting for an MDM sync cycle that might never come.

Decision was made. We got verbal authorization from the sales director and documented it in the ticket. Time from theft report to authorization: 11 minutes.

Resolution

Windows 10/11 ships with an MDM_RemoteWipe CIM class in the root\cimv2\mdm\dmmap namespace regardless of whether the device is MDM-enrolled. It exposes the same factory-reset mechanism Intune uses — which means you can invoke it locally via PowerShell, and if you can invoke it via PowerShell, you can push it through RMM.

Warning — destructive operation

Irreversible factory reset. All data permanently erased. No undo, no confirmation prompt, no recovery. Last-resort for confirmed theft scenarios only.

workstation_remote_wipe.ps1View on GitHub →
$ErrorActionPreference = 'Stop'
<#
██╗     ██╗███╗   ███╗███████╗██╗  ██╗ █████╗ ██╗    ██╗██╗  ██╗
██║     ██║████╗ ████║██╔════╝██║  ██║██╔══██╗██║    ██║██║ ██╔╝
██║     ██║██╔████╔██║█████╗  ███████║███████║██║ █╗ ██║█████╔╝
██║     ██║██║╚██╔╝██║██╔══╝  ██╔══██║██╔══██║██║███╗██║██╔═██╗
███████╗██║██║ ╚═╝ ██║███████╗██║  ██║██║  ██║╚███╔███╔╝██║  ██╗
╚══════╝╚═╝╚═╝     ╚═╝╚══════╝╚═╝  ╚═╝╚═╝  ╚═╝ ╚══╝╚══╝ ╚═╝  ╚═╝
================================================================================
 SCRIPT   : Remote Wipe                                                  v1.0.3
 AUTHOR   : Limehawk.io
 DATE     : January 2026
 USAGE    : .\workstation_remote_wipe.ps1
================================================================================
 FILE     : workstation_remote_wipe.ps1
 DESCRIPTION : Initiates MDM remote wipe to factory reset Windows device
--------------------------------------------------------------------------------
 README
--------------------------------------------------------------------------------
 PURPOSE

   Initiates a remote wipe of the Windows device using the MDM RemoteWipe CSP.
   This completely erases all data on the device and resets it to factory state.

   *** WARNING: THIS ACTION IS IRREVERSIBLE ***
   *** ALL DATA ON THE DEVICE WILL BE PERMANENTLY DELETED ***

 DATA SOURCES & PRIORITY

   - Local MDM namespace (root\cimv2\mdm\dmmap)
   - MDM_RemoteWipe class instance

 REQUIRED INPUTS

   None - all configuration is internal to the MDM subsystem

 SETTINGS

   - No configurable settings; wipe executes immediately upon script run

 BEHAVIOR

   The script performs the following actions in order:
   1. Creates CIM session to local MDM namespace
   2. Retrieves MDM_RemoteWipe instance
   3. Invokes the doWipeMethod
   4. Device begins factory reset process

 PREREQUISITES

   - Windows 10/11 (MDM enrolled or Azure AD joined)
   - Administrator privileges
   - Device must have MDM RemoteWipe capability

 SECURITY NOTES

   - THIS IS A DESTRUCTIVE OPERATION
   - Use only on lost/stolen devices or for secure decommissioning
   - Cannot be undone once initiated
   - Ensure proper authorization before running
   - No secrets in logs

 ENDPOINTS

   - Not applicable (local CIM/WMI operations only)

 EXIT CODES

   0 = Wipe initiated successfully
   1 = Failure (CIM session, instance not found, or wipe failed)

 EXAMPLE RUN

   [WARN] INITIALIZING REMOTE WIPE
   ==============================================================
   CIM Session          : Created
   MDM Instance         : Found

   [RUN] EXECUTING WIPE
   ==============================================================
   Status               : Invoking doWipeMethod...
   Result               : Wipe initiated successfully

   [OK] FINAL STATUS
   ==============================================================
   REMOTE WIPE INITIATED - DEVICE WILL RESET

   [OK] SCRIPT COMPLETE
   ==============================================================

--------------------------------------------------------------------------------
 CHANGELOG
--------------------------------------------------------------------------------
 2026-01-19 v1.0.3 Updated to two-line ASCII console output style
 2026-01-17 v1.0.2 Fixed framework compliance: header format, section names,
                   removed param() blocks, added missing README sections
 2025-12-23 v1.0.1 Updated to Limehawk Script Framework
 2024-12-01 v1.0.0 Initial release - migrated from SuperOps
================================================================================
#>
Set-StrictMode -Version Latest

# ============================================================================
# HELPER FUNCTIONS
# ============================================================================
function Write-Section {
    param([string]$title, [string]$status = "INFO")
    Write-Host ""
    Write-Host ("[$status] $title")
    Write-Host ("=" * 62)
}

function PrintKV($label, $value) {
    $lbl = $label.PadRight(24)
    Write-Host (" {0} : {1}" -f $lbl, $value)
}

# ============================================================================
# MAIN SCRIPT
# ============================================================================
try {
    # MDM Configuration
    $namespaceName = "root\cimv2\mdm\dmmap"
    $className = "MDM_RemoteWipe"
    $methodName = "doWipeMethod"

    Write-Section "INITIALIZING REMOTE WIPE" "WARN"
    Write-Host ""
    Write-Host " *** WARNING: THIS WILL ERASE ALL DATA ON THIS DEVICE ***"
    Write-Host " *** THIS ACTION CANNOT BE UNDONE ***"
    Write-Host ""

    # Create CIM session
    $session = New-CimSession -ErrorAction Stop

    if (-not $session) {
        PrintKV "CIM Session" "FAILED"
        throw "Failed to create CIM session"
    }

    PrintKV "CIM Session" "Created"

    # Get MDM_RemoteWipe instance
    $instance = Get-CimInstance -Namespace $namespaceName -ClassName $className `
        -Filter "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'" -ErrorAction Stop

    if (-not $instance) {
        PrintKV "MDM Instance" "NOT FOUND"
        throw "MDM_RemoteWipe instance not found. Device may not be MDM enrolled."
    }

    PrintKV "MDM Instance" "Found"

    # Create method parameters
    $params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection
    $param = [Microsoft.Management.Infrastructure.CimMethodParameter]::Create("param", "", "String", "In")
    $params.Add($param)

    # Execute wipe
    Write-Section "EXECUTING WIPE" "RUN"

    PrintKV "Status" "Invoking doWipeMethod..."

    $result = $session.InvokeMethod($namespaceName, $instance, $methodName, $params)

    # Check result
    switch ($result.ReturnValue) {
        0 {
            PrintKV "Result" "Wipe initiated successfully"

            Write-Section "FINAL STATUS" "OK"
            Write-Host " REMOTE WIPE INITIATED - DEVICE WILL RESET"
            Write-Host ""
            Write-Host " The device will restart and begin the factory reset process."
            Write-Host " All data will be permanently erased."

            Write-Section "SCRIPT COMPLETE" "OK"
            exit 0
        }
        default {
            PrintKV "Result" "FAILED (Return code: $($result.ReturnValue))"

            Write-Section "FINAL STATUS" "ERROR"
            Write-Host " REMOTE WIPE FAILED"

            Write-Section "SCRIPT COMPLETE" "ERROR"
            exit 1
        }
    }
}
catch {
    Write-Section "ERROR OCCURRED" "ERROR"
    PrintKV "Error Message" $_.Exception.Message
    PrintKV "Error Type" $_.Exception.GetType().FullName
    Write-Host ""
    Write-Host " Common causes:"
    Write-Host "  - Device is not MDM enrolled"
    Write-Host "  - Device is not Azure AD joined"
    Write-Host "  - Insufficient permissions"
    Write-Host "  - MDM policies not configured"
    Write-Section "SCRIPT COMPLETE" "ERROR"
    exit 1
}
finally {
    # Clean up CIM session
    if ($session) {
        Remove-CimSession -CimSession $session -ErrorAction SilentlyContinue
    }
}

How it works

  1. opens a CIM session to the local WMI repository
  2. queries root\cimv2\mdm\dmmap for the MDM_RemoteWipe provider
  3. invokes doWipeMethod — the same method Intune calls remotely
  4. Windows triggers a SYSTEM-level factory reset, bypassing all user permissions
  5. device immediately reboots into Windows RE and begins the secure erase

Critical advantage: this doesn't wait for cloud sync. The RMM agent executes it locally with SYSTEM privileges. If the device is online to your RMM, you can wipe in seconds instead of hours.

Outcome

Script executed at 5:03 PM. RMM confirmed the command was received. 47 seconds later the device dropped offline permanently — exactly what we expected as Windows rebooted into recovery mode to begin the wipe. Whoever was in possession of that laptop got a freshly factory-reset device. We confirmed no data was exfiltrated before the wipe started.

  • time to wipe: 16 minutes from theft report to execution
  • data exposed: 0 records (confirmed, no evidence of exfiltration)
  • compliance status: maintained, no breach notification required

Key takeaways