Incident
Friday, 4:47 PM. Sales rep calls from an airport — laptop bag was sitting next to her seat at the gate, she walked 30 feet to a phone charging station, came back five minutes later, laptop was gone. Ticket came in as "laptop stolen at airport - need help."
Within two minutes of pulling the device up in the RMM console we had the worst-case confirmation: the agent was online, and the public IP was not the airport's WiFi. It had already changed while she was on the phone with us. Whoever took it had it on their own network. We had a connection to it, and we had minutes — not hours.
Assessment
- theft confirmed: device on a different network than the airport WiFi, IP changed mid-call
- data at risk: customer contracts, pricing sheets, CRM credentials cached in Chrome
- BitLocker status: enabled, but the device was in sleep mode — not requiring a boot-time decryption prompt
- RMM agent: online and responsive — we had a channel
Why standard options weren't good enough
Each "standard" option for a stolen laptop has a critical weakness when the attacker is already running:
- wait for Intune wipe — only triggers when the device checks in. Default Intune sync schedule is 8 hours. If the thief disables WiFi, it's never.
- rotate credentials — disabling the user's AD account and revoking CRM tokens is fine, but cached credentials in Chrome still work offline, and local files on disk don't care whether her account is enabled
- trust BitLocker — the device was in sleep mode, not fully powered off. Opening the lid hits a Windows lock screen, not the BitLocker pre-boot prompt. A competent attacker can boot to recovery and work from there.
- RMM direct wipe — the agent is online right now. We can push a command to it in the next 60 seconds. No waiting for an MDM sync cycle that might never come.
Decision was made. We got verbal authorization from the sales director and documented it in the ticket. Time from theft report to authorization: 11 minutes.
Resolution
Windows 10/11 ships with an MDM_RemoteWipe CIM class in the root\cimv2\mdm\dmmap namespace regardless of whether the device is MDM-enrolled. It exposes the same factory-reset mechanism Intune uses — which means you can invoke it locally via PowerShell, and if you can invoke it via PowerShell, you can push it through RMM.
Warning — destructive operation
Irreversible factory reset. All data permanently erased. No undo, no confirmation prompt, no recovery. Last-resort for confirmed theft scenarios only.
$ErrorActionPreference = 'Stop'
<#
██╗ ██╗███╗ ███╗███████╗██╗ ██╗ █████╗ ██╗ ██╗██╗ ██╗
██║ ██║████╗ ████║██╔════╝██║ ██║██╔══██╗██║ ██║██║ ██╔╝
██║ ██║██╔████╔██║█████╗ ███████║███████║██║ █╗ ██║█████╔╝
██║ ██║██║╚██╔╝██║██╔══╝ ██╔══██║██╔══██║██║███╗██║██╔═██╗
███████╗██║██║ ╚═╝ ██║███████╗██║ ██║██║ ██║╚███╔███╔╝██║ ██╗
╚══════╝╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚══╝╚══╝ ╚═╝ ╚═╝
================================================================================
SCRIPT : Remote Wipe v1.0.3
AUTHOR : Limehawk.io
DATE : January 2026
USAGE : .\workstation_remote_wipe.ps1
================================================================================
FILE : workstation_remote_wipe.ps1
DESCRIPTION : Initiates MDM remote wipe to factory reset Windows device
--------------------------------------------------------------------------------
README
--------------------------------------------------------------------------------
PURPOSE
Initiates a remote wipe of the Windows device using the MDM RemoteWipe CSP.
This completely erases all data on the device and resets it to factory state.
*** WARNING: THIS ACTION IS IRREVERSIBLE ***
*** ALL DATA ON THE DEVICE WILL BE PERMANENTLY DELETED ***
DATA SOURCES & PRIORITY
- Local MDM namespace (root\cimv2\mdm\dmmap)
- MDM_RemoteWipe class instance
REQUIRED INPUTS
None - all configuration is internal to the MDM subsystem
SETTINGS
- No configurable settings; wipe executes immediately upon script run
BEHAVIOR
The script performs the following actions in order:
1. Creates CIM session to local MDM namespace
2. Retrieves MDM_RemoteWipe instance
3. Invokes the doWipeMethod
4. Device begins factory reset process
PREREQUISITES
- Windows 10/11 (MDM enrolled or Azure AD joined)
- Administrator privileges
- Device must have MDM RemoteWipe capability
SECURITY NOTES
- THIS IS A DESTRUCTIVE OPERATION
- Use only on lost/stolen devices or for secure decommissioning
- Cannot be undone once initiated
- Ensure proper authorization before running
- No secrets in logs
ENDPOINTS
- Not applicable (local CIM/WMI operations only)
EXIT CODES
0 = Wipe initiated successfully
1 = Failure (CIM session, instance not found, or wipe failed)
EXAMPLE RUN
[WARN] INITIALIZING REMOTE WIPE
==============================================================
CIM Session : Created
MDM Instance : Found
[RUN] EXECUTING WIPE
==============================================================
Status : Invoking doWipeMethod...
Result : Wipe initiated successfully
[OK] FINAL STATUS
==============================================================
REMOTE WIPE INITIATED - DEVICE WILL RESET
[OK] SCRIPT COMPLETE
==============================================================
--------------------------------------------------------------------------------
CHANGELOG
--------------------------------------------------------------------------------
2026-01-19 v1.0.3 Updated to two-line ASCII console output style
2026-01-17 v1.0.2 Fixed framework compliance: header format, section names,
removed param() blocks, added missing README sections
2025-12-23 v1.0.1 Updated to Limehawk Script Framework
2024-12-01 v1.0.0 Initial release - migrated from SuperOps
================================================================================
#>
Set-StrictMode -Version Latest
# ============================================================================
# HELPER FUNCTIONS
# ============================================================================
function Write-Section {
param([string]$title, [string]$status = "INFO")
Write-Host ""
Write-Host ("[$status] $title")
Write-Host ("=" * 62)
}
function PrintKV($label, $value) {
$lbl = $label.PadRight(24)
Write-Host (" {0} : {1}" -f $lbl, $value)
}
# ============================================================================
# MAIN SCRIPT
# ============================================================================
try {
# MDM Configuration
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_RemoteWipe"
$methodName = "doWipeMethod"
Write-Section "INITIALIZING REMOTE WIPE" "WARN"
Write-Host ""
Write-Host " *** WARNING: THIS WILL ERASE ALL DATA ON THIS DEVICE ***"
Write-Host " *** THIS ACTION CANNOT BE UNDONE ***"
Write-Host ""
# Create CIM session
$session = New-CimSession -ErrorAction Stop
if (-not $session) {
PrintKV "CIM Session" "FAILED"
throw "Failed to create CIM session"
}
PrintKV "CIM Session" "Created"
# Get MDM_RemoteWipe instance
$instance = Get-CimInstance -Namespace $namespaceName -ClassName $className `
-Filter "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'" -ErrorAction Stop
if (-not $instance) {
PrintKV "MDM Instance" "NOT FOUND"
throw "MDM_RemoteWipe instance not found. Device may not be MDM enrolled."
}
PrintKV "MDM Instance" "Found"
# Create method parameters
$params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection
$param = [Microsoft.Management.Infrastructure.CimMethodParameter]::Create("param", "", "String", "In")
$params.Add($param)
# Execute wipe
Write-Section "EXECUTING WIPE" "RUN"
PrintKV "Status" "Invoking doWipeMethod..."
$result = $session.InvokeMethod($namespaceName, $instance, $methodName, $params)
# Check result
switch ($result.ReturnValue) {
0 {
PrintKV "Result" "Wipe initiated successfully"
Write-Section "FINAL STATUS" "OK"
Write-Host " REMOTE WIPE INITIATED - DEVICE WILL RESET"
Write-Host ""
Write-Host " The device will restart and begin the factory reset process."
Write-Host " All data will be permanently erased."
Write-Section "SCRIPT COMPLETE" "OK"
exit 0
}
default {
PrintKV "Result" "FAILED (Return code: $($result.ReturnValue))"
Write-Section "FINAL STATUS" "ERROR"
Write-Host " REMOTE WIPE FAILED"
Write-Section "SCRIPT COMPLETE" "ERROR"
exit 1
}
}
}
catch {
Write-Section "ERROR OCCURRED" "ERROR"
PrintKV "Error Message" $_.Exception.Message
PrintKV "Error Type" $_.Exception.GetType().FullName
Write-Host ""
Write-Host " Common causes:"
Write-Host " - Device is not MDM enrolled"
Write-Host " - Device is not Azure AD joined"
Write-Host " - Insufficient permissions"
Write-Host " - MDM policies not configured"
Write-Section "SCRIPT COMPLETE" "ERROR"
exit 1
}
finally {
# Clean up CIM session
if ($session) {
Remove-CimSession -CimSession $session -ErrorAction SilentlyContinue
}
}
How it works
- opens a CIM session to the local WMI repository
- queries root\cimv2\mdm\dmmap for the MDM_RemoteWipe provider
- invokes doWipeMethod — the same method Intune calls remotely
- Windows triggers a SYSTEM-level factory reset, bypassing all user permissions
- device immediately reboots into Windows RE and begins the secure erase
Critical advantage: this doesn't wait for cloud sync. The RMM agent executes it locally with SYSTEM privileges. If the device is online to your RMM, you can wipe in seconds instead of hours.
Outcome
Script executed at 5:03 PM. RMM confirmed the command was received. 47 seconds later the device dropped offline permanently — exactly what we expected as Windows rebooted into recovery mode to begin the wipe. Whoever was in possession of that laptop got a freshly factory-reset device. We confirmed no data was exfiltrated before the wipe started.
- time to wipe: 16 minutes from theft report to execution
- data exposed: 0 records (confirmed, no evidence of exfiltration)
- compliance status: maintained, no breach notification required