Tuesday, May 24, 2022

Mamma Mia! Here we Wipe Again!

This blog shows you the “other paths” available when you want to make sure a device is really wiped before it is trashed or sent back to the supplier.

In this blog, I will also show you what happens on a BitLocker-enabled device when you don’t perform a remote wipe but just delete the AAD/Intune object. A small hint… it’s still readable!

I will divide this blog into multiple parts:

  1. Introduction
  2. The Intune Object and BitLocker
  3. The Idea
  4. My Solution
  5. Wipe Results
  6. Restricting The Reset options
  7. Retire My pc

In my previous blogs about the remote wipe functionality, I showed you what happens behind the “resetting my pc” window when you perform a Remote Wipe from Intune.

Let’s start with a small summary: we noticed that just before Windows is rebuilt from scratch, all of the important data (even though we don’t want to retain it) is moved to the Windows.old folder. Luckily, BitLocker is still enabled during this process. When the rebuild is done, Windows will “try” to empty the Windows.old folder and will then remove the BitLocker encryption.

With the #RemoteWipeGate bug I showed you, the data wasn’t removed at all, and we don’t want our data “hidden” in plain sight!

Of course, using the resetconfig.xml to remove the Windows.old folder was a pretty good idea of mine, because Microsoft has since implemented almost the same idea in the KB5011487 and KB5011493 updates.

When performing a Remote Wipe after those new KBs and running the MSDT troubleshooting tool, the Windows.old folder is indeed “removed”, but as I showed in that blog, that doesn’t mean it can’t be recovered!

You could say it’s pretty certain that after a (remote) wipe you could still easily recover some data, and that’s something we don’t want. I guess we can come up with something better when we want to trash the device!

I guess you always want BitLocker to be enabled, and sending a remote wipe “could” give the user the ability to recover files. Some people might have the wonderful idea to just delete the device object in Intune and AAD instead, but that’s even worse.

Let me explain what happens when you delete the Intune object on a device that has some nice BitLocker device configuration policies from Intune applied!

As I mentioned in the introduction, I was curious what would happen when we delete the Intune object instead of wiping the device. Before showing you what happens, let’s take a look at the BitLocker protection first, to make sure BitLocker is configured and protection is enabled!

The easiest way to get the BitLocker status is to open a CMD and enter this command: Manage-bde -status

Instead of remote wiping the device, we are going to remove the Intune and AAD objects, because as long as the device is still configured with BitLocker we are safe, right?

Let’s start by deleting the Intune object.

After I pressed delete, I just got myself a cup of coffee and waited to see what happened.


After drinking a cup of coffee and some small talk with colleagues, I took another look at the BitLocker protection status.

When running Manage-bde -status again, it tells us the Protection Status is Off. Looking at the Conversion Status, it is luckily still Fully Encrypted.

Please note: the BitLocker-API event log will also show event ID 773: BitLocker was suspended for volume C:.
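To find devices that ended up in this “fully encrypted but protection off” state, here is an added PowerShell check (my own example, not part of the original post or its scripts). It combines what Manage-bde -status and the event log show: it lists every BitLocker volume, flags the dangerous combination, counts the recent event ID 773 suspend events for that volume, and offers Resume-BitLocker as remediation. It assumes an elevated session on Windows 10/11 with the BitLocker module; the function names are my own.

```powershell
# Added example (not from the original post): audit fixed volumes for the
# "encrypted but unprotected" state and surface the suspend events behind it.
# Assumption: elevated PowerShell on Windows 10/11 with the BitLocker module.

function Get-UnprotectedBitLockerVolume {
    [CmdletBinding()]
    param(
        # Only count suspend events newer than this
        [datetime]$Since = (Get-Date).AddDays(-7)
    )

    # Event ID 773 in the BitLocker Management log = "BitLocker was suspended for volume X:"
    $suspendEvents = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 773
        StartTime = $Since
    } -ErrorAction SilentlyContinue)

    foreach ($vol in Get-BitLockerVolume) {
        $result = [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted / FullyDecrypted / ...
            ProtectionStatus = $vol.ProtectionStatus   # On / Off
            KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ',')
            SuspendEvents    = @($suspendEvents | Where-Object { $_.Message -like "*$($vol.MountPoint)*" }).Count
            Finding          = 'OK'
        }
        # The case from the post: ciphertext on disk, but a clear key is stored next to it,
        # so anything that can mount the volume can read the files without a recovery key.
        if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off') {
            $result.Finding = 'ENCRYPTED BUT PROTECTION OFF - readable without recovery key'
        }
        $result
    }
}

# Remediation: the key protectors still exist, so protection can simply be resumed.
function Resume-SuspendedBitLockerVolume {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    Get-UnprotectedBitLockerVolume |
        Where-Object { $_.Finding -ne 'OK' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.MountPoint, 'Resume-BitLocker')) {
                Resume-BitLocker -MountPoint $_.MountPoint | Out-Null
            }
        }
}

# Report only; run Resume-SuspendedBitLockerVolume -WhatIf to see what would be resumed.
Get-UnprotectedBitLockerVolume | Format-Table -AutoSize
```

Resuming protection only makes sense while you still own the device; for a device that is about to be trashed, the point of the check is that you know it is in this state before it leaves the building.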

So I decided to leave the device alone for a while and started to look into some other weird issues. Nothing else happened, so I decided to perform some tests.

Dismounting the disk and mounting it on another device prompted me for the BitLocker recovery key. So that’s all fine!

After this test I decided to reboot the device, but this time I made sure I selected “Troubleshoot” when booting from my USB Windows 11 installation media.

After selecting the CMD option, I was curious if I could access the data, but before I could do so I needed to assign the volume a drive letter. During this test the drive was still fully encrypted, but Protection was Off.

Normally, when the disk is protected with BitLocker, it’s impossible to access the disk and you would be asked to unlock the drive first.

Let’s continue: after assigning a drive letter I was curious if we could access the disk, so let’s take a look at what we can do with it!

Because the BitLocker protection is off, we are not prompted to unlock the drive. We could easily access the disk and open some files!

Should I tell you something funny? Just use Xcopy to copy all of that sensitive data to your USB stick!

After plugging the USB stick into another device, you will notice that the data is readable!

Okay, so now we know that performing a remote wipe isn’t the most secure option we have, and deleting the AAD/Intune object also isn’t the smartest thing to do. What’s left?

I did some more reading and stumbled upon the Microsoft Docs mentioning something about bare metal resets:

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bare-metal-resetrecovery-enable-your-users-to-create-media-and-to-recover-hard-drive-space?view=windows-11?id=5004252

I noticed a warning in the part about the partition reset scripts, AKA DiskpartScriptPath.

The docs tell us “the script should not contain commands to select or clean the drive”. Mmm, clean…. Sounds like the drive will be cleaned? Luckily there are enough Microsoft Docs to go through:

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clean?id=5004252

So when we enter the Clean All command, “it makes sure each sector on the disk is set to zero, which completely deletes all data contained on the disk”. That sounds like a great idea to me!

Of course, I know there is already a very nice tool out there to securely wipe your device (Retire My PC, see the last part of this blog), but still, I wanted to know if I could make sure the hard drive is wiped in a different way.

For my own solution, I used the same idea I used for removing the Windows.old folder, as shown in this blog.

I used the resetconfig.xml and the commoncustomizations.cmd file to delete that “not cleaned up folder”, but what would happen if I add some stuff to the resetconfig.xml to call upon a nice DiskPart script?

I changed the commoncustomizations.cmd so it only executes this DiskPart script. It calls diskpart with the /s parameter, which specifies a TXT file containing the DiskPart commands.

Of course, we could deploy the V1 of this script to the device we want to wipe with PowerShell. But please… pretty please make sure you target the proper device; otherwise, you have some explaining to do!


Just like the “Retire My PC” tool, I want it to be available in the Company Portal app. So I needed to make sure the PowerShell script was converted to a nice Win32 app instead of pushing it down to the device as a PowerShell script.

I also needed to make sure this simple tool prompts the user, from the System context, to confirm the wipe. To do so I use ServiceUI to execute the encoded PowerShell command, so that the prompt is shown in the user context.


This encoded command is just a base64-encoded script I also showed you in my blog about removing sensitive information from the Intune log files. If you didn’t have time to read it, please do!

I added it to the script itself, but I made sure it will not be executed!

If you are good to go, you can click OK to resume the wipe. Instead of the remote wipe functionality in Intune, I use the local MDM WMI Bridge Provider to perform the “doWipeProtectedMethod”. In the past, I already wrote some stuff about choosing between the “DoWipeProtectedMethod” and the normal “DoWipeMethod”:
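To show the moving parts of this approach in one place, here is an added PowerShell example of my own (it is not the wipeitall script from the zip, and the file names, element values and disk number are my assumptions). It stages a ResetConfig.xml, a CommonCustomizations.cmd and a DiskPart script with “clean all” in C:\Recovery\OEM, where push-button reset picks them up, and then triggers the reset through the MDM WMI Bridge with doWipeProtectedMethod. It has to run as SYSTEM, because the MDM bridge classes are only visible there; in the post, ServiceUI is what surfaces the confirmation in the user session, here the built-in ShouldProcess confirmation stands in for that prompt. The reset-only variant from the “Restricting the reset options” part is the same Invoke-ProtectedWipe call without the staging function.

```powershell
# Added example (not the post's own script): stage the push-button-reset customisations
# that run a diskpart "clean all", then start the protected wipe via the MDM WMI Bridge.
# Assumptions: runs as SYSTEM on an MDM-enrolled Windows 10/11 device; file names,
# <Duration> and the disk number are placeholders, verify them on the target hardware.

$oemRoot = 'C:\Recovery\OEM'   # push-button reset reads ResetConfig.xml from here

function Install-WipeCustomization {
    [CmdletBinding()]
    param(
        # Disk number as WinRE will see it; check with "list disk" in WinRE first,
        # numbering can differ from the running OS (and from USB media).
        [int]$DiskNumber = 0
    )

    New-Item -ItemType Directory -Path $oemRoot -Force | Out-Null

    # DiskPart script: "clean all" writes zeros to every sector of the selected disk.
    @"
select disk $DiskNumber
clean all
exit
"@ | Set-Content -Path "$oemRoot\WipeDisk.txt" -Encoding ASCII

    # CommonCustomizations.cmd is started by the <Run> element of ResetConfig.xml inside WinRE;
    # %~dp0 is assumed to resolve to the folder the cmd runs from.
    @"
@echo off
diskpart /s "%~dp0WipeDisk.txt"
"@ | Set-Content -Path "$oemRoot\CommonCustomizations.cmd" -Encoding ASCII

    # Minimal ResetConfig.xml: run the cmd after the reset image has been laid down.
    # The disk is zeroed afterwards, so the device will not boot anymore (intended).
    @"
<?xml version="1.0" encoding="utf-8"?>
<Reset>
  <Run>
    <Path>CommonCustomizations.cmd</Path>
    <Duration>5</Duration>
  </Run>
</Reset>
"@ | Set-Content -Path "$oemRoot\ResetConfig.xml" -Encoding UTF8
}

function Invoke-ProtectedWipe {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()

    # The MDM bridge namespace is only accessible from the SYSTEM account (S-1-5-18).
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    if ($identity.User.Value -ne 'S-1-5-18') {
        throw 'Run this as SYSTEM (e.g. via ServiceUI or psexec -s); the MDM WMI Bridge is not visible otherwise.'
    }

    # MDM_RemoteWipe is the bridge class for the ./Vendor/MSFT/RemoteWipe CSP node
    $wipe = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_RemoteWipe' `
        -Filter "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'"
    if (-not $wipe) { throw 'MDM_RemoteWipe instance not found (is the device MDM-enrolled?)' }

    # ShouldProcess with ConfirmImpact=High prompts before the irreversible step.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'doWipeProtectedMethod (irreversible)')) {
        # doWipeProtectedMethod: the reset continues even if the device is powered off
        # part way through, which is why the post prefers it over doWipeMethod.
        Invoke-CimMethod -InputObject $wipe -MethodName 'doWipeProtectedMethod' -Arguments @{ param = '' }
    }
}

# Usage (deliberately not run at import time):
#   Install-WipeCustomization -DiskNumber 0
#   Invoke-ProtectedWipe -WhatIf    # dry run
#   Invoke-ProtectedWipe            # prompts, then wipes
```

Keep the two steps separate in your own deployment: staging the files is harmless on its own, while the Invoke-ProtectedWipe call is the point of no return, and with the diskpart script in place the device is unbootable afterwards.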

How to wipe your Windows 10 devices without using Intune (call4cloud.nl)

If I piqued your interest in the whole script, please download it here and test it for yourself! As mentioned above, you don’t need to perform a remote wipe from Intune.

https://call4cloud.nl/wp-content/uploads/2022/03/wipeitall.zip

Of course, I tested my own tool/script multiple times. To be sure the wipe would also proceed when the VM was shut down during the wipe, I shut down the VM at the “resetting my pc” stage. Good to know: when using “doWipeProtected” you would normally be good to go!

I made a simple video of what it looks like when you execute this tool from the Company Portal.

When the device is wiped, it will NOT boot anymore! Let’s check out what happens when we attach the disk to another device. We will notice that we need to initialize it, and it ends up with no partitions or volumes on it.

Now let’s check if we could easily recover some data, as I showed you in the Remote Wipe technical flow blog.

No data is easily recoverable, not even when adding the /extensive parameter to Winfr!
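Winfr tells you whether files can be carved back; an added check of my own (not from the post) goes one level lower and verifies, on the second machine, that the attached disk really is zeroed, which is what “clean all” promises. It reports the partition style (RAW after a clean), the partition count, and compares a sample from the start of the raw device against zeros using fast native buffer comparison. The disk number is whatever Get-Disk shows for the attached drive (1 is an assumption); it needs an elevated session.

```powershell
# Added example (not from the post): verify that an attached, wiped disk is zeroed
# instead of trusting the partition view alone. Assumptions: elevated PowerShell on the
# second machine, $DiskNumber as reported by Get-Disk for the attached drive.

function Test-DiskZeroed {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        [long]$SampleBytes = 64MB,   # how much of the start of the disk to inspect
        [int]$ChunkSize   = 1MB      # read size; sector aligned, so raw reads are fine
    )

    $disk = Get-Disk -Number $DiskNumber
    $report = [ordered]@{
        DiskNumber     = $DiskNumber
        PartitionStyle = $disk.PartitionStyle   # RAW after "clean all"
        Partitions     = @(Get-Partition -DiskNumber $DiskNumber -ErrorAction SilentlyContinue).Count
        BytesChecked   = 0L
        NonZeroChunks  = 0
    }

    # Read the raw device, not a volume: after a clean there are no volumes left.
    $stream = [System.IO.File]::OpenRead("\\.\PhysicalDrive$DiskNumber")
    try {
        $buffer = New-Object byte[] $ChunkSize
        $zeros  = New-Object byte[] $ChunkSize
        while ($report.BytesChecked -lt $SampleBytes) {
            $read = $stream.Read($buffer, 0, $buffer.Length)
            if ($read -le 0) { break }
            # Compare the chunk with an all-zero buffer of the same length (native, fast)
            $chunk = if ($read -eq $ChunkSize) { $buffer } else { $buffer[0..($read - 1)] }
            $ref   = if ($read -eq $ChunkSize) { $zeros }  else { $zeros[0..($read - 1)] }
            if (-not [System.Linq.Enumerable]::SequenceEqual([byte[]]$chunk, [byte[]]$ref)) {
                $report.NonZeroChunks++
            }
            $report.BytesChecked += $read
        }
    } finally {
        $stream.Dispose()
    }

    $report.Verdict = if ($report.NonZeroChunks -eq 0 -and $report.PartitionStyle -eq 'RAW') {
        'zeroed (sampled)'
    } else {
        'DATA PRESENT - wipe incomplete or wrong disk'
    }
    [pscustomobject]$report
}

# Usage on the second machine, after attaching the wiped disk:
#   Get-Disk | Format-Table Number, FriendlyName, PartitionStyle, Size
#   Test-DiskZeroed -DiskNumber 1
#   Test-DiskZeroed -DiskNumber 1 -SampleBytes (Get-Disk -Number 1).Size   # full pass
```

A 64 MB sample from the start of the disk catches the common failure (partition tables and the old Windows image still in place) quickly; for an audit you would pass the full disk size as SampleBytes and let it run, since “clean all” zeroes every sector and a single non-zero chunk anywhere means the wipe did not complete.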

Please note: when using this option, you are still left with a lingering Intune object. If you want to use the Autopilot pre-provisioning option, you will need to make sure this object is removed manually. Of course, I also need to add: when “trashing” the device or sending it back to the supplier, don’t forget to delete the 4K hardware hash (the Autopilot device registration) from Azure/Intune!

While writing the blog I also received a question out of the blue: is it possible to make sure only a specific group of users can reset their own devices? Normally, when you are a local admin, you can just click on “Reset PC”.

But if you aren’t a local admin, you don’t have the proper credentials to approve the UAC prompt.

Of course, you could make sure the “reset button” is shown on corporate Windows devices. To do so, make sure the Company Portal option to hide the reset button on corporate Windows devices isn’t selected!

But by doing so, everyone would have the possibility to “reset” their device from the Company Portal app, and that’s also something we don’t want!

I guess we could change the script I showed you earlier and just remove the parts we don’t need. In the script below I removed the “ResetConfig.xml”, “CommonCustomizations.cmd”, and “Wipeitall” parts. With those parts removed, we end up with a PowerShell script that we can convert to a Win32 app.

https://call4cloud.nl/wp-content/uploads/2022/03/resetthisdevice.zip

When this Win32 app is created, you can assign it to a specific user group, so that only specific persons can reset their device on their own!

This Retire My PC tool is indeed a wonderful app and does exactly what you want. It performs the wipe just a little bit differently, but I love it, I really do 😊. If you are interested, please take a look at it:

A quick look at the “Retire MY PC” app | just another windows noob ? (niallbrady.com)

Retire My PC – a self-service app to secure company data on old computers | just another windows noob ? (niallbrady.com)

I am not going to explain how it works in my blog, as Niall already explained it all pretty well on his own blog!

Niall Brady on Twitter: @ncbrady

You will need to make sure your hard drive is erased before it is “ditched” or sent back to the supplier. A lot of people share the same opinion: “The Remote Wipe option in Intune is not secure enough for us.”

Hopefully, this blog showed you some of the options you have to do so. I know my solution is not perfect, I wrote and tested it within 24 hours… It’s not the most elegant script, but it’s nice to see what you can do when executing a wipe!

Rudy Ooms, https://call4cloud.nl/

Rudy is a Modern Workplace architect, currently working for a company in the Netherlands called Deltacom Steenbergen. He has been working in IT since he was 16 years old. Over these years, he gained a lot of experience in different areas of expertise. Like most of you, he started out working with Active Directory environments. In June 2021 he received the MVP award in the category Enterprise Mobility for the first time. The multi-tenant PowerShell-scripted Deltacom-Cloud environment is one of his creations.
