Wiping Remote Machines

  • 20 August 2021
  • 15 replies
  • 1291 views


Hi Everyone,


A large request from my team was the ability to remote wipe machines. As we all know, our remote workforce is getting larger, and sometimes it is hard to get an asset back. Below is a Worklet I created that will wipe a machine with no user interaction. Be CAREFUL and do not run this on your machine. Once it starts, it will take a few seconds to run. I recommend creating a group called YourCompanyName - Tech Worklets or Remote Wipe. Then assign machines to the policy that you want to remotely wipe. I would then recommend removing them after a few minutes.


$namespaceName = “root\cimv2\mdm\dmmap”

$className = “MDM_RemoteWipe”

$methodName = “doWipeMethod”


$session = New-CimSession


$params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection

$param = [Microsoft.Management.Infrastructure.CimMethodParameter]::Create(“param”, “”, “String”, “In”)

$params.Add($param)


$instance = Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter “ParentID=’./Vendor/MSFT’ and InstanceID=‘RemoteWipe’”

$session.InvokeMethod($namespaceName, $instance, $methodName, $params)


15 replies

Hey, @Ronald_Freed – that’s a good one/looks legit! Thanks for the warnings, also - to reiterate: THIS WILL WIPE YOUR REMOTE DEVICES, Y’ALL. I can see some interesting use-cases, but take Ronald’s warning(s) seriously…it’ll definitely be a pain to accidentally wipe an endpoint or fifty. 🤘


I tried your script and got the following error:


At C:\ProgramData\amagent\execDir294130823\execcmd339520570.ps1:8 char:75
+ … rosoft.Management.Infrastructure.CimMethodParameter]::Create(�?oparam …
+ ~
Missing ‘)’ in method call.
At C:\ProgramData\amagent\execDir294130823\execcmd339520570.ps1:8 char:75
+ … gement.Infrastructure.CimMethodParameter]::Create(�?oparam�??, �?o�?? …
+ ~~~~~~~~~~~
Unexpected token ‘�?oparam�??’ in expression or statement.
At C:\ProgramData\amagent\execDir294130823\execcmd339520570.ps1:8 char:86
+ … ement.Infrastructure.CimMethodParameter]::Create(�?oparam�??, �?o�??, …
+ ~
Missing argument in parameter list.
At C:\ProgramData\amagent\execDir294130823\execcmd339520570.ps1:8 char:118
+ … MethodParameter]::Create(�?oparam�??, �?o�??, �?oString�??, �?oIn�??)
+ ~
Unexpected token ‘)’ in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : MissingEndParenthesisInMethodCall
COMMAND TIMED OUT.

This is awesome! Thanks!


We also use this, works really well if you wanna lock a termed user out but retain the data


@Mrichards What are the prerequisites for running this script?

I did try running it on a test machine but ran into some errors such as winrm not being configured and the script not being able to disable cached creds or change local account passwords. I’m assuming not being able to change the local account passwords has something to do with the system.web.security.membership.


exit 0

Anyone managed to get this working?


Hi Tina. Please make sure the Evaluation Code is set to exit 0 and then enter the code above in the Remediation Code.


Thanks,

Ronald Freed

Thank you 🙂


@srheins I am getting the same error, did you ever figure it out?


I never got an answer to my question.


@Ronald_Freed , any thoughts?


@srheins I figured out the problem. The computer (powershell?) doesn’t like the formatting for the “” and ‘’ that the automox community page has. Try this.

 

$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_RemoteWipe"
$methodName = "doWipeMethod"
$session = New-CimSession
$params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection
$param = [Microsoft.Management.Infrastructure.CimMethodParameter]::Create("param", "", "String", "In")
$params.Add($param)
$instance = Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'"
$session.InvokeMethod($namespaceName, $instance, $methodName, $params)
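
An added example, not part of the original posts: a pre-deployment check for the quote problem described in this thread. It replaces typographic quotes in pasted script text with ASCII quotes and then only parses the result, never executes it; the function names Repair-PastedQuotes and Test-ScriptText and the sample line are constructed for illustration.

```powershell
# Added example. The script text is only parsed here, never executed.
function Repair-PastedQuotes {
    param([Parameter(Mandatory)][string]$Text)
    # Typographic double quotes (U+201C, U+201D, U+201E) become "
    $Text = $Text -replace '[\u201C\u201D\u201E]', '"'
    # Typographic single quotes (U+2018 to U+201B) become '
    $Text -replace '[\u2018-\u201B]', "'"
}

function Test-ScriptText {
    param([Parameter(Mandatory)][string]$Text)
    $tokens = $null
    $errors = $null
    # ParseInput builds the syntax tree and collects errors without running anything
    [void][System.Management.Automation.Language.Parser]::ParseInput($Text, [ref]$tokens, [ref]$errors)
    [pscustomobject]@{
        NonAsciiCount = [regex]::Matches($Text, '[^\x00-\x7F]').Count
        ParseErrors   = @($errors | ForEach-Object { $_.Message })
    }
}

# Constructed sample: one line as it looks after being copied from a rendered web page
$lq = [char]0x201C
$rq = [char]0x201D
$pasted = '$className = ' + $lq + 'MDM_RemoteWipe' + $rq

$fixed  = Repair-PastedQuotes -Text $pasted
$before = Test-ScriptText -Text $pasted
$after  = Test-ScriptText -Text $fixed

"Non-ASCII characters before: $($before.NonAsciiCount), after: $($after.NonAsciiCount)"
if ($after.NonAsciiCount -gt 0 -or $after.ParseErrors.Count -gt 0) {
    $after.ParseErrors
    throw 'Script text still has non-ASCII characters or parse errors; do not deploy it.'
}
$fixed
```

Keeping the deployed text pure ASCII means the result does not depend on how the agent or Windows PowerShell decodes the file.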

 


No luck getting either of these scripts to work. Got the same error as @srheins above. I found somewhere that powershell needs to be run as “system” (running as admin isn’t enough). Has anyone had any luck with this? 


No luck getting either of these scripts to work. Got the same error as @srheins above. I found somewhere that powershell needs to be run as “system” (running as admin isn’t enough). Has anyone had any luck with this? 

 

The block above your post worked for me. There was a formatting error with the ‘
