How to ensure wipe API is executed on Windows 10

Toru Suyama 0 Reputation points
2023-03-06T01:50:21.2066667+00:00

I'm considering wiping a Windows 10 PC using the APIs in the MDM_RemoteWipe class in the namespace cimv2\mdm\dmmap.

I have basically succeeded in wiping some Windows 10 PCs, but I know that a Windows PC under either of the following two conditions causes an API error and fails to wipe.

Is there a way to reliably run the wipe even under these conditions?

COND-A: Enabled BitLocker protection (it seems to cause COND-B sometimes)

COND-B: Disabled WindowsRE

See also

https://learn.microsoft.com/en-us/windows/win32/dmwmibridgeprov/mdm-remotewipe-dowipeprotectedmethod

https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference?view=windows-10

https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-management/remotewipe-fails-sending-dowipe-command

(it says "This can occur if the Windows Recovery Environment (Windows RE) is disabled on the Windows 10 client computer. The RemoteWipe CSP requires Windows RE in order to function.")

I am considering implementing "Reagentc /enable" as a solution.

However, I am not sure about the following things:

  • Impact on PCs with WindowsRE already enabled (Or can I determine whether WindowsRE is already enabled before running it, e.g. by parsing "Reagentc /info"?)
  • Can "Reagentc /enable" always succeed and enable WindowsRE?
  • Impact on PCs with BitLocker protection already enabled
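One way to answer the "check before enabling" question from the post above: a pre-flight script that parses `reagentc /info`, runs `reagentc /enable` only when Windows RE reports Disabled, records the BitLocker state, and gates the actual `doWipeProtectedMethod` call behind `-WhatIf`/`-Confirm`. This is an added example, not code from the question or the answer; it assumes English `reagentc` output (the status line is localized) and that the script runs elevated in the LOCAL SYSTEM context, which the MDM bridge classes require.

```powershell
# Added example (not from the question or answer). Run elevated as LOCAL SYSTEM;
# the MDM bridge WMI classes under root\cimv2\mdm\dmmap are not reachable otherwise.
# Assumes English "reagentc /info" output (the status line text is localized).

function Get-WinREStatus {
    # Parses "Windows RE status: Enabled|Disabled" from reagentc /info.
    $out = & reagentc.exe /info 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reagentc /info failed: $out" }
    $m = [regex]::Match(($out -join "`n"), 'Windows RE status:\s+(\w+)')
    if (-not $m.Success) { throw 'Could not parse reagentc /info output' }
    return $m.Groups[1].Value        # "Enabled" or "Disabled"
}

function Test-WipePreflight {
    # Returns $true only when Windows RE is enabled (enabling it first if needed)
    # and the RemoteWipe CSP instance is reachable through the WMI bridge (COND-B).
    if ((Get-WinREStatus) -ne 'Enabled') {
        Write-Warning 'Windows RE is disabled; running reagentc /enable'
        & reagentc.exe /enable | Out-Null
        if ((Get-WinREStatus) -ne 'Enabled') { return $false }
    }
    # Record the BitLocker state of the OS drive (COND-A) for the operator's log.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($bl) { Write-Host "BitLocker protection on $($env:SystemDrive): $($bl.ProtectionStatus)" }

    $wipe = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName MDM_RemoteWipe `
        -Filter "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'" -ErrorAction SilentlyContinue
    return [bool]$wipe
}

function Invoke-ProtectedWipe {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    if (-not (Test-WipePreflight)) { throw 'Pre-flight failed; wipe not attempted' }
    $wipe = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName MDM_RemoteWipe `
        -Filter "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'"
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'doWipeProtectedMethod')) {
        # Method name and empty string "param" argument as in the linked MDM bridge docs.
        Invoke-CimMethod -InputObject $wipe -MethodName doWipeProtectedMethod -Arguments @{ param = '' }
    }
}

# Dry run: reports the pre-flight result and what would be invoked, without wiping.
Invoke-ProtectedWipe -WhatIf
```

Drop `-WhatIf` (and answer the confirmation prompt) only once the pre-flight reports both conditions satisfied on the target device.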

1 answer

  1. Limitless Technology 44,121 Reputation points
    2023-03-07T08:15:34.33+00:00

    Hello there,

    I would suggest Intune might be the right choice instead of MDM. And the BitLocker situation might create a problem in MDM while using the wipe API.

    MDM is device-centric, so device features are configured based on who needs them. For example, you can configure a device to allow access to Wi-Fi, but only if the signed-in user is an organization account.

    In Intune, you create policies that configure features & settings and provide security & protection.

    By using the Retire or Wipe actions, you can remove devices from Intune that are no longer needed, being repurposed, or missing. Users can also issue a remote command from the Intune Company Portal to devices that are enrolled in Intune.

    Remove devices by using wipe, retire, or manually unenrolling the device https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe

    Hope this resolves your query!

    -- If the reply is helpful, please Upvote and Accept it as an answer --