Remote wipe a stolen laptop

We have a customer with a laptop that’s been stolen, and is somehow still being used. I’d like to wipe it remotely. Has anybody got any ideas for how I could set up a script to do that the next time the machine is used?

If I set up a tool to run ‘queued’, isn’t that supposed to just run the next time that computer is started? I’ve tried things like deltree /y c:\users*.* and various things involving diskpart, but I can’t get them to run and I can’t get any log as to whether they’ve run or not. I’m not bothered whether it’s a secure wipe. Or is there an executable someone knows about that could do it?

The way I would do it…

  1. Transfer over to its own folder ( c:\files\ ) the program sdelete ( https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete )
  2. Read up on the command lines, but I think you would use: /s /q /p 2
  3. Jump into command line and use sdelete to wipe sensitive data (docs/pics/email/etc)
  4. Then I would let it loose on the user’s profile folder ( c:/users/laptopuser ) - This should work because the program should be running as SYSTEM
  5. Then I’d probably just wipe program files and then move onto windows folder - eventually it will fail or laptop will freeze up, but you will have all sensitive data gone

I want to test this and create a toolbox for it.
Has anyone tried something like this:

# MDM Bridge WMI Provider class that exposes the RemoteWipe CSP
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_RemoteWipe"
# Alternative method name, left commented out
#$methodName = "doWipeMethod"
$methodName = "doWipeProtectedMethod"
$session = New-CimSession
# The wipe method takes a single empty string input parameter named "param"
$params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection
$param = [Microsoft.Management.Infrastructure.CimMethodParameter]::Create("param", "", "String", "In")
$params.Add($param)
# Look up the RemoteWipe instance and invoke the chosen method on it
$instance = Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'"
$session.InvokeMethod($namespaceName, $instance, $methodName, $params)

So this whole thing took me down a heck of a rabbit hole.

I was playing with different scenarios. If the laptop is BitLocker protected you could retrieve the key for it if you don’t have it, and then clear the TPM. Essentially locking the computer and data.

Or you could do a combination of things.
Pull the needed information, like geolocation and serial number, take a picture with the webcam, then wipe or clear the TPM.

And erase all user data with sdelete, and then wipe the machine.

Or/and erase user data with sdelete, run BitLocker to encrypt the drive, then wipe it.

That would help you recover it and make sure the data is not recoverable.

I am hoping to make a toolbox if I have time for those options.
I have everything working individually, but not scripted together in sequence.

One thing I have not been able to figure out is how to inject SimpleHelp into the recovery image so that it reinstalls SimpleHelp after the PC is wiped using doWipeMethod.
It seems to use install.wim, but I am not sure and don’t know what I need to do to get SimpleHelp back on the machine so it can continue to be tracked after the wipe.
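
An added example, not code from any poster in this thread: the MDM_RemoteWipe call posted above, wrapped with the pre-flight checks and logging the original question was missing, so a queued run reports why it did or did not wipe. The parameters `$ExpectedSerial`, `$LogPath` and `$Confirmed`, the helper `Write-WipeLog`, the log location and the exit codes are assumptions made for this sketch.

```powershell
# Added example: pre-flight checks and logging around the MDM_RemoteWipe call.
# $ExpectedSerial, $LogPath, $Confirmed, Write-WipeLog and the exit codes are assumptions.
param(
    [Parameter(Mandatory)] [string] $ExpectedSerial,   # serial from your asset records
    [ValidateSet('doWipeMethod', 'doWipeProtectedMethod')]
    [string] $MethodName = 'doWipeMethod',
    [string] $LogPath = "$env:ProgramData\RemoteWipe\wipe.log",
    [switch] $Confirmed                                # without it, checks only
)

function Write-WipeLog([string] $Message) {
    $line = '{0} {1} {2}' -f (Get-Date).ToString('o'), $env:COMPUTERNAME, $Message
    # The local file survives only when the wipe did NOT start; stdout is what
    # the remote-support tool captures either way.
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

# 1. The MDM bridge provider is only usable from the LocalSystem account.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $id.IsSystem) { Write-WipeLog "ABORT: running as $($id.Name), not SYSTEM"; exit 2 }

# 2. Refuse to run on any machine other than the one reported stolen.
$serial = "$((Get-CimInstance -ClassName Win32_BIOS).SerialNumber)".Trim()
if ($serial -ne $ExpectedSerial.Trim()) { Write-WipeLog "ABORT: serial '$serial' does not match"; exit 3 }

# 3. Confirm the RemoteWipe instance exists on this Windows edition/build.
$ns = 'root\cimv2\mdm\dmmap'
$filter = "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'"
$instance = Get-CimInstance -Namespace $ns -ClassName MDM_RemoteWipe -Filter $filter -ErrorAction SilentlyContinue
if (-not $instance) { Write-WipeLog "ABORT: MDM_RemoteWipe instance not found"; exit 4 }

if (-not $Confirmed) { Write-WipeLog "DRY RUN: checks passed for $serial; add -Confirmed to wipe"; exit 0 }

# 4. Same invocation as in the thread, with the outcome logged before the reset begins.
$params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection
$params.Add([Microsoft.Management.Infrastructure.CimMethodParameter]::Create('param', '', 'String', 'In'))
try {
    Write-WipeLog "Invoking $MethodName on $serial"
    $result = (New-CimSession).InvokeMethod($ns, $instance, $MethodName, $params)
    Write-WipeLog "$MethodName returned $($result.ReturnValue.Value)"
} catch {
    Write-WipeLog "FAILED: $($_.Exception.Message)"; exit 5
}
```

Running it once without `-Confirmed` shows in the tool's captured output whether the queued job executes as SYSTEM on the right machine before anything destructive happens.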