LIMEHAWK - Managed IT
Emergency Remote Wipe — security
date: Dec 1, 2024
status: RESOLVED
time to wipe: 16 minutes from theft

Incident

Friday 4:47 PM. Sales rep calls from airport - laptop bag stolen while charging phone at gate. Device contained customer contracts, pricing databases, and saved CRM credentials. BitLocker enabled but device in sleep mode. RMM showed device online with different IP than airport WiFi - thief already on the move. We had minutes, not hours.

Assessment
theft confirmed: device on different network
data at risk: contracts, pricing, CRM creds
BitLocker status: enabled but device in sleep
RMM agent: online and responsive

Employee set laptop down next to seat, walked 30 feet to phone charger, came back 5 minutes later to find it gone.

Options Evaluated
Intune wipe: 8+ hours on default sync, or never
rotate creds: cached Chrome creds still work
trust BitLocker: sleep mode ≠ protection
RMM direct wipe: agent online NOW, 60 seconds

Decision made. Got verbal authorization from sales director, documented in ticket. Time from theft report to authorization: 11 minutes.

Solution

Windows 10/11 includes the MDM_RemoteWipe CIM class regardless of MDM enrollment. It performs the same factory reset Intune uses, but can be invoked locally via PowerShell through the RMM.

  ⚠ DESTRUCTIVE OPERATION
  Irreversible factory reset. All data permanently erased.
  No undo, no confirmation, no recovery.
  Last-resort for confirmed theft only.

How It Works

1. opens CIM session to local WMI

2. queries root\cimv2\mdm\dmmap for RemoteWipe

3. invokes doWipeMethod (same as Intune)

4. triggers SYSTEM-level factory reset

5. reboots into Windows RE, secure erase

Critical advantage: No cloud sync wait. RMM agent executes locally with SYSTEM privileges. If device online to RMM, wipe in seconds - not hours.
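
The five steps above as a guarded PowerShell script. This is an added example, not the script used in this incident; the parameter names (`ExpectedHostname`, `TicketId`) and the log path are assumptions, while the namespace, class and method are the ones named on this page.

```powershell
#Requires -Version 5.1
# Added example, not the script used in this incident. Parameter names and the
# log path are assumptions; adapt them to your RMM and ticketing workflow.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$ExpectedHostname,  # must match the target machine
    [Parameter(Mandatory)][string]$TicketId           # authorization reference from the ticket
)

$namespace = 'root\cimv2\mdm\dmmap'
$className = 'MDM_RemoteWipe'
$logPath   = Join-Path $env:ProgramData 'RemoteWipe-preflight.log'   # assumed location

# Guard 1: refuse to run on any machine other than the one named in the ticket.
if ($env:COMPUTERNAME -ne $ExpectedHostname) {
    throw "Hostname mismatch: running on $env:COMPUTERNAME, expected $ExpectedHostname."
}

# Guard 2: the MDM bridge WMI provider must be called as local SYSTEM (S-1-5-18).
$sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
if ($sid -ne 'S-1-5-18') {
    throw "Must run as SYSTEM (current SID: $sid)."
}

# Steps 1-2: open a local CIM session and locate the RemoteWipe instance.
$session  = New-CimSession
$instance = Get-CimInstance -CimSession $session -Namespace $namespace -ClassName $className `
    -Filter "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'" -ErrorAction Stop

# Record the authorization reference locally before anything destructive happens.
"$(Get-Date -Format o) ticket=$TicketId host=$env:COMPUTERNAME instance-found" |
    Add-Content -Path $logPath

# Step 3: doWipeMethod is called with a single string input argument named 'param'.
$params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection
$params.Add([Microsoft.Management.Infrastructure.CimMethodParameter]::Create(
    'param', '', 'String', 'In'))

# Steps 4-5 follow from this call. With -WhatIf the script stops here instead.
if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Factory reset via $className.doWipeMethod")) {
    $session.InvokeMethod($namespace, $instance, 'doWipeMethod', $params)
}
```

Running it with `-WhatIf` on a test machine rehearses the guards and the instance lookup without triggering the reset. The local log line is erased with the device, so the ticket remains the authoritative record of authorization.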

Outcome
time to wipe: 16 minutes from theft
data exposed: 0 records (confirmed)
compliance status: maintained, no notification req'd

Script executed 5:03 PM. Command received, device dropped offline 47 seconds later as Windows rebooted into recovery. Thief got freshly factory-reset laptop.

RMM agents provide immediate access vs slow MDM sync
sleep mode does not equal BitLocker protection (must be cold boot)
have wipe script tested and ready before you need it
document authorization first - you need the paper trail