
Windows - Security - Remote Wipe

Permanently wipes Windows endpoints and restores them to factory state for lost or compromised systems

Worklet Details

What the Remote Wipe Worklet does

This Automox Worklet™ executes a complete factory reset on Windows endpoints by invoking the doWipeMethod from Microsoft's MDM_RemoteWipe class. The Worklet connects to the Windows CIM namespace root\cimv2\mdm\dmmap, retrieves the RemoteWipe instance, and triggers an immediate wipe operation that erases all data on the target endpoint.

When executed, the Worklet deletes all user accounts, files, installed applications, and system configurations. The endpoint immediately reboots and enters the Windows Out-of-Box Experience (OOBE) "Resetting this PC" process, returning the system to its original factory state. This operation is permanent and irreversible.

The Worklet uses PowerShell to create a CIM session, construct the method parameters, and invoke the remote wipe command through the Windows Endpoint Management infrastructure. No user interaction is required on the target endpoint.

Why remotely wipe lost or compromised endpoints

When an endpoint disappears from your control, whether through loss, theft, or employee termination, every minute that passes increases your risk exposure. That missing laptop contains cached credentials, VPN configurations, customer records, and internal documents that an unauthorized party can access, copy, or exploit. A single compromised endpoint can lead to network infiltration, data exfiltration, or regulatory violations that cost millions in fines and remediation.

Standard security measures like password policies and disk encryption become irrelevant when an attacker has physical access and unlimited time to bypass them. Waiting for an endpoint to connect to your network or hoping a user takes action wastes critical hours while your data remains at risk. You need the ability to destroy data immediately, regardless of network connectivity or user cooperation.

Advanced malware and ransomware infections sometimes resist all remediation attempts, leaving persistent backdoors even after apparent removal. When an endpoint is severely compromised and you cannot verify its integrity, a factory reset provides the only reliable path to a clean state. Remote wipe eliminates uncertainty by destroying everything and forcing you to rebuild from known-good sources.

Compliance frameworks including HIPAA, PCI-DSS, SOC 2, and GDPR require documented procedures for protecting data when physical control is lost. Auditors ask how you prevent unauthorized data access from lost endpoints. This Worklet provides an auditable, immediate response that satisfies those requirements and demonstrates your security posture includes remote data destruction capabilities.

How remote endpoint wiping works

  1. Evaluation phase: The Worklet always exits with code 1 during evaluation to indicate remediation is required. No actual system checks are performed because this Worklet is designed for manual execution only, not automated detection.

  2. Remediation phase: The Worklet creates a CIM session and connects to the MDM namespace at root\cimv2\mdm\dmmap. It retrieves the MDM_RemoteWipe instance with ParentID './Vendor/MSFT' and InstanceID 'RemoteWipe', then invokes the doWipeMethod with empty parameters. This triggers the Windows built-in factory reset mechanism, which immediately initiates the wipe process, reboots the endpoint, and begins the OOBE reset sequence.
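The remediation phase above maps directly onto a short PowerShell sequence. The script below is an added example, not the Worklet's own script, written from an operator's point of view: it verifies that the MDM bridge namespace and the MDM_RemoteWipe instance are reachable, writes an audit line, and treats the run as a dry run unless the caller explicitly passes an execute switch and names the expected target host. The parameter names (-ExpectedHostName, -ExecuteWipe, -AuditLog) and the audit log path are assumptions introduced here; the namespace, class, instance filter and method name are the ones the page describes.

```powershell
<#
  Added example (not the Automox Worklet's own script).
  Dry run by default: checks that root\cimv2\mdm\dmmap and the MDM_RemoteWipe
  instance exist and logs the result. doWipeMethod is only invoked when
  -ExecuteWipe is passed AND the local computer name equals -ExpectedHostName,
  and ShouldProcess still asks for confirmation because ConfirmImpact is High.
  $ExpectedHostName, $AuditLog and $ExecuteWipe are assumed names, not part of
  the original Worklet.
#>
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory = $true)]
    [string]$ExpectedHostName,                                   # assumed guard: must equal the local host name
    [string]$AuditLog = "$env:ProgramData\RemoteWipeAudit.log",  # assumed audit log location
    [switch]$ExecuteWipe                                         # without this switch the script only verifies
)

$namespace  = 'root\cimv2\mdm\dmmap'
$className  = 'MDM_RemoteWipe'
$methodName = 'doWipeMethod'

function Write-Audit([string]$Message) {
    # One timestamped line per decision so the run is reviewable afterwards.
    $line = '{0:o} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $AuditLog -Value $line
    Write-Output $line
}

# Guard 1: refuse to act on any machine other than the one the operator named.
if ($env:COMPUTERNAME -ne $ExpectedHostName) {
    Write-Audit "Refusing: local host '$env:COMPUTERNAME' does not match expected target '$ExpectedHostName'"
    exit 1
}

# Guard 2: the MDM bridge and the RemoteWipe instance must be present.
try {
    $session  = New-CimSession -ErrorAction Stop
    $instance = Get-CimInstance -CimSession $session -Namespace $namespace -ClassName $className `
        -Filter "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'" -ErrorAction Stop
} catch {
    Write-Audit "Refusing: cannot query $namespace\$className ($($_.Exception.Message))"
    exit 1
}
if (-not $instance) {
    Write-Audit "Refusing: no $className instance with ParentID './Vendor/MSFT' and InstanceID 'RemoteWipe'"
    exit 1
}
Write-Audit "Precheck passed: $className instance found"

# Without -ExecuteWipe this is a dry run, which is what a pilot endpoint check needs.
if (-not $ExecuteWipe) {
    Write-Audit 'Dry run complete; no wipe invoked'
    exit 0
}

# doWipeMethod takes a single string parameter; the Worklet passes it empty.
$params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection
$params.Add([Microsoft.Management.Infrastructure.CimMethodParameter]::Create('param', '', 'String', 'In'))

if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Factory reset via $className.$methodName")) {
    Write-Audit "Invoking $methodName; endpoint will reboot into the OOBE reset"
    $session.InvokeMethod($namespace, $instance, $methodName, $params) | Out-Null
    exit 0
}
Write-Audit 'Wipe not confirmed; no action taken'
exit 0
```

Run it without switches on the pilot endpoint first (`.\RemoteWipeCheck.ps1 -ExpectedHostName PILOT-01`, an assumed file name) and confirm the audit line reports the precheck as passed; that is the state the evaluation phase cannot tell you about, since it always exits 1. The host-name guard is there because the page's main operational risk is accidental execution on the wrong device, and a mismatched name is cheaper to catch in the script than in the endpoint group.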

Remote wipe deployment requirements

  • Windows 10, Windows 11, or Windows Server with MDM capabilities

  • PowerShell 5.0 or later

  • Administrator privileges on target endpoints

  • Manual execution only - do NOT attach this Worklet to a scheduled policy

  • Dedicated endpoint group with endpoints added manually to prevent accidental execution

  • Automox install and reboot notifications disabled in policy settings to prevent user warnings before wipe

Expected endpoint state after remote wipe

The endpoint immediately reboots and begins the Windows factory reset process. You see the "Resetting this PC" screen with a progress indicator as Windows erases all partitions, user accounts, installed applications, and system configurations. This process takes 30 to 60 minutes depending on the endpoint's storage capacity and speed.

When the reset completes, the endpoint displays the Windows Out-of-Box Experience (OOBE) initial setup screen. The system prompts for language selection, region settings, network configuration, and account creation, identical to the state when the hardware first left the factory. All previous data, configurations, and user information are permanently destroyed and cannot be recovered through standard forensic methods.

All sensitive data that existed on the endpoint before the wipe is gone. This includes documents, spreadsheets, cached credentials, browser histories, application data, email archives, and any malware that may have infected the system. The storage is wiped clean and returned to its factory state.

The Automox agent is also removed during the wipe. The endpoint no longer appears in your Automox console. If you recover the endpoint and wish to manage it again, you must reinstall the Automox agent and re-enroll the endpoint using your organization's installation key.

How to validate remote wipe changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output.

  2. Confirm that the Automox activity logs show successful completion with exit code 0.

  3. Verify the endpoint state using checks that mirror the evaluation and remediation script logic.

  4. Validate the remediation effects of the script operations (New-CimSession, New-Object, Get-CimInstance), then rerun the evaluation to confirm compliance.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
