Recently I’ve ran into the situation where an SCCM (MECM) device needed to be migrated to Intune and the rule was that for AutoPilot to work the device must have:
- Bios Password Wiped
- Secure Boot enabled
- Recovery Partition enabled
- Factory reset to OOBE
The Out of The Box Experience then guides you to the standard process of registering your device and by logging in with your azure account the AutoPilot enrollment is then started.
However, i only knew about the systemreset.exe utility in Windows. This utility can use the following command:
systemreset -factoryreset
However, the utility always show a GUI to the user and there is no possibility to hide that. Apart from that the utility does not work from the NT Authority\System account, meaning the user must have admin rights in order to perform this action.
Digging a bit, I found that you can use the MDM_RemoteWipe class in the WMI to achieve this. Basically, in the root\cimv2\mdm\dmmap you have the MDM_RemoteWipe class which has 4 methods:
I didn’t want any data to be preserved during the operation so the choice was between doWipeMethod and doWipeProtectedMethod. However, when reading about the doWipeProtectedMethod, Microsoft states that “In some device configurations, this command might leave the device unable to boot”.
I didn’t want to have this scenario so I opted for the doWipeMethod. The script to achieve this is:
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_RemoteWipe"
$methodName = "doWipeMethod"
$session = New-CimSession
$params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection
$param = [Microsoft.Management.Infrastructure.CimMethodParameter]::Create("param", "", "String", "In")
$params.Add($param)
$instance = Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'"
$session.InvokeMethod($namespaceName, $instance, $methodName, $params)
For this script to run you must:
- Have the recovery partition enabled
- Run the script from the NT Authority\System account (meaning you need to test it with PSexec)
You can download the script from here:
