DEV Community

Ranjit Rimal

Remote Wipe and Selective Wipe in Microsoft 365

Microsoft 365 Business Premium includes device management through Microsoft Intune, which lets IT administrators perform a Remote Wipe or a Selective Wipe on lost, stolen, or compromised devices. A Remote Wipe erases all data from a device and restores it to factory settings, which suits company-owned devices that need to be decommissioned securely. A Selective Wipe removes only corporate data (emails, apps, and documents managed by Intune) while leaving personal files intact, which suits BYOD (Bring Your Own Device) scenarios. Both actions are issued over the air, so an administrator can contain a data-exposure risk without physical access to the device.

Automating Remote Wipe with PowerShell

PowerShell lets IT teams automate wipe operations through the Microsoft Graph API. Cmdlets such as Invoke-MgGraphRequest (Microsoft Graph PowerShell SDK) or Invoke-MSGraphRequest (from the Microsoft.Graph.Intune module) send the wipe command programmatically. For example, a script can trigger a remote wipe when a device is reported stolen in an IT ticketing system. PowerShell can also poll the wipe status afterwards to confirm that the action completed. This automation shortens response time in a security incident and reduces manual IT overhead.

Performing Selective Wipe via PowerShell

Selective Wipe protects corporate data on employee-owned devices without touching personal content. From PowerShell, admins can request the targeted removal of company data by calling the Microsoft Graph API, for example:

```powershell
# Replace {deviceId} with the Intune managed device id (a GUID).
# keepUserData=true keeps the user's personal data (selective wipe);
# keepEnrollmentData=false removes the Intune enrollment as well.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{deviceId}/wipe" `
    -Body '{"keepEnrollmentData":false, "keepUserData":true}' `
    -ContentType 'application/json'
```

With keepUserData set to true, only Intune-managed apps, emails, and files are removed, while personal photos, messages, and apps remain untouched. Admins can also schedule selective wipes for off-hours to minimize user disruption.
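The two sections above describe sending a wipe command and then monitoring its status. The following function is an added example, not code from the original post: it issues either a full or a selective wipe against the Graph v1.0 wipe action shown above and then polls the device's deviceActionResults until Intune reports the action as done or failed. It assumes an existing Connect-MgGraph session holding the DeviceManagementManagedDevices.PrivilegedOperations.All and DeviceManagementManagedDevices.Read.All permissions; the function and parameter names are this example's own.

```powershell
# Added example (not from the original post). Assumes a prior
#   Connect-MgGraph -Scopes "DeviceManagementManagedDevices.PrivilegedOperations.All","DeviceManagementManagedDevices.Read.All"
# Function and parameter names are this example's own choices.

function Invoke-IntuneDeviceWipe {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $DeviceId,
        # $true  = selective wipe (corporate data only, personal data kept)
        # $false = full wipe (factory reset)
        [bool] $KeepUserData = $true,
        [int]  $TimeoutMinutes = 30
    )

    $uri    = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$DeviceId"
    $device = Invoke-MgGraphRequest -Method GET -Uri $uri
    $label  = if ($KeepUserData) { 'selective wipe' } else { 'full wipe' }

    # -WhatIf / -Confirm gate: a wipe is irreversible, so always show the target first.
    if (-not $PSCmdlet.ShouldProcess("$($device.deviceName) ($DeviceId)", $label)) { return }

    $body = @{ keepEnrollmentData = $false; keepUserData = $KeepUserData } | ConvertTo-Json
    Invoke-MgGraphRequest -Method POST -Uri "$uri/wipe" -Body $body -ContentType 'application/json'

    # Poll the device's action history until the wipe leaves the pending/active states.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $state    = $null
    do {
        Start-Sleep -Seconds 30
        $current = Invoke-MgGraphRequest -Method GET -Uri "${uri}?`$select=deviceName,deviceActionResults"
        $action  = $current.deviceActionResults |
            Where-Object { $_.actionName -eq 'wipe' } |
            Sort-Object lastUpdatedDateTime -Descending |
            Select-Object -First 1
        $state = $action.actionState
        Write-Verbose "$($device.deviceName): wipe state = $state"
    } while (($null -eq $state -or $state -in 'pending', 'active') -and (Get-Date) -lt $deadline)

    [pscustomobject]@{
        DeviceName  = $device.deviceName
        DeviceId    = $DeviceId
        WipeType    = $label
        ActionState = if ($null -eq $state) { 'timeout' } else { $state }
        LastUpdated = $action.lastUpdatedDateTime
    }
}

# Usage: preview first, then run for real and capture the result for the incident record.
# Invoke-IntuneDeviceWipe -DeviceId '<managed-device-guid>' -KeepUserData $true -WhatIf
# $result = Invoke-IntuneDeviceWipe -DeviceId '<managed-device-guid>' -KeepUserData $true -Verbose
```

Because the function is declared with ConfirmImpact = 'High', PowerShell prompts before sending the command unless -Confirm:$false is passed, which is the behaviour you want for a script wired to a ticketing system: the ticket supplies the device id, but the destructive step still passes through ShouldProcess. The returned object records the final actionState (done, failed, or timeout), which is what a monitoring job or the ticket comment should log.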

Enhancing Security with Conditional Wipe Policies

Beyond manual wipes, Microsoft 365 Business Premium supports automated wipe policies driven by conditions such as repeated failed sign-in attempts or device inactivity. PowerShell scripts can integrate with Azure AD Conditional Access to enforce these policies dynamically. For example, if a device has been offline for 30 days, a script can initiate a selective wipe to protect sensitive data. Combining Remote Wipe, Selective Wipe, and PowerShell automation lets a business keep control of corporate data while respecting user privacy, which makes Microsoft 365 Business Premium a robust option for modern device management.
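The inactivity case above (a device that has not checked in for 30 days) can be implemented as a scheduled sweep. The script below is an added example, not code from the original post: it pages through all Intune managed devices, selects personally owned devices whose lastSyncDateTime is older than the threshold, and queues a selective wipe for each, with -WhatIf support so the candidate list can be reviewed before anything is sent. It assumes an existing Connect-MgGraph session with DeviceManagementManagedDevices.Read.All and DeviceManagementManagedDevices.PrivilegedOperations.All; the function and parameter names are this example's own.

```powershell
# Added example (not from the original post). Assumes a prior Connect-MgGraph session.
# Function and parameter names are this example's own choices.

function Invoke-StaleDeviceSelectiveWipe {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [int] $InactiveDays = 30,
        # Personal (BYOD) devices by default; company devices are usually handled with a full wipe.
        [ValidateSet('personal', 'company')] [string] $OwnerType = 'personal'
    )

    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

    # Page through every managed device; Graph returns pages linked by @odata.nextLink.
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
           "?`$select=id,deviceName,lastSyncDateTime,managedDeviceOwnerType,userPrincipalName"
    $devices = @()
    do {
        $page     = Invoke-MgGraphRequest -Method GET -Uri $uri
        $devices += $page.value
        $uri      = $page.'@odata.nextLink'
    } while ($uri)

    # Candidates: right owner type, and last check-in older than the cutoff.
    # Devices with no lastSyncDateTime at all are skipped rather than wiped on missing data.
    $stale = $devices | Where-Object {
        $_.managedDeviceOwnerType -eq $OwnerType -and
        $_.lastSyncDateTime -and
        ([datetime]$_.lastSyncDateTime).ToUniversalTime() -lt $cutoff
    }

    foreach ($d in $stale) {
        $target = "$($d.deviceName) / $($d.userPrincipalName) (last sync $($d.lastSyncDateTime))"
        $sent   = $false
        if ($PSCmdlet.ShouldProcess($target, 'selective wipe')) {
            Invoke-MgGraphRequest -Method POST `
                -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.id)/wipe" `
                -Body '{"keepEnrollmentData":false,"keepUserData":true}' `
                -ContentType 'application/json'
            $sent = $true
        }
        # Emit one record per candidate so the run can be logged or exported to CSV.
        [pscustomobject]@{
            DeviceName = $d.deviceName
            User       = $d.userPrincipalName
            LastSync   = $d.lastSyncDateTime
            OwnerType  = $d.managedDeviceOwnerType
            WipeSent   = $sent
        }
    }
}

# Dry run: lists every device that would be wiped without sending a single command.
Invoke-StaleDeviceSelectiveWipe -InactiveDays 30 -WhatIf
```

Run the dry run first and review the list: a device that has simply been switched off during a long leave will look identical to a lost one, so the sweep is best paired with a user notification step before the real run, and the exported records give the audit trail for which devices were wiped and why.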
