How to secure your Windows devices with BitLocker and remote command execution tools

Question:

How to remotely lock Windows devices without using Intune remediation scripts?

I am a Linux system administrator who has been out of touch with the Windows ecosystem for over a decade. I am looking for an MDM solution for Windows 10 and 11 laptops that can support Autopilot and device locking features. Intune seems to be the best option, but it requires Microsoft 365 licenses to use remediation scripts, which I don’t have or need. Remediation scripts are also not reliable for instant execution, as they may take hours to run on the device. I need a way to lock a device in case it is stolen or the employee leaves the company, to prevent unauthorized access to the device and the data on it.

I have found a script that can trigger the BitLocker recovery screen on the device, but I need a tool that can run it remotely and quickly. I have considered other MDM solutions like Scalefusion, Fleet, and Opsi, but they either don’t support this feature or require another MDM layer on top of Intune, which is not feasible. I am open to any suggestions or alternatives that can help me achieve this goal.

Answer:

If you are a system administrator who needs to manage Windows 10 and 11 devices remotely, you may have encountered the challenge of locking them in case of theft or termination of employment. You may have also considered using Intune, Microsoft’s cloud-based MDM solution, but found out that it requires expensive Microsoft 365 licenses to use remediation scripts, which are also not very reliable for instant execution. So, what are your options?

One possible solution is to use a script that triggers the BitLocker recovery screen on the device, so that nobody can access the data on it without the recovery password or recovery key. BitLocker is the full-volume encryption feature built into Windows, and it protects data at rest from unauthorized access. Note that the recovery screen only appears at the next boot: a device that stays powered on and logged in is not locked until it restarts, and a device that is offline cannot receive the command at all. To run the script remotely and quickly, you need a tool that can execute commands on the device without delay.

There are several tools that can do this, but they may have different features, costs, and compatibility issues. Here are some examples:

  • PowerShell Remoting: PowerShell is a scripting language and command-line shell used to automate tasks and manage systems. PowerShell Remoting (WinRM) lets you run PowerShell commands or scripts on remote computers. You can use it to trigger the BitLocker recovery screen by running the `manage-bde` command with the `-forcerecovery` parameter on the remote device, for example:

    ```powershell
    manage-bde -forcerecovery C:
    ```

    This deletes the TPM-related key protectors from the OS volume, so the device stops at the BitLocker recovery screen the next time it restarts. Until that restart the running session remains usable, so follow the command with a forced reboot if you want the lock to take effect immediately. Make sure the volume's recovery password is escrowed (in Active Directory, Entra ID, or your own vault) before running it, because afterwards only a recovery password or recovery key will unlock the drive. To use PowerShell Remoting you need to enable it on the remote computer (`Enable-PSRemoting`), allow WinRM through its firewall, and hold administrative privileges on the target. It works best in a domain environment, where Group Policy can configure the listener and Kerberos handles authentication. For devices that are not domain-joined you must either add them to the client's `TrustedHosts` list and authenticate with local credentials, or configure an HTTPS listener with a certificate, which takes more setup.

  • PsExec: PsExec is a free tool from Sysinternals that runs programs or commands on remote computers. You can use it to trigger the BitLocker recovery screen with the same `manage-bde` command, adding the `-s` parameter so it runs as the System account. For example, run this on the local computer:

    ```cmd
    psexec \\remotecomputer -s manage-bde -forcerecovery C:
    ```

    As with the Remoting approach, this forces the device into BitLocker recovery mode at the next restart, and the same `-forcerecovery` caveats apply (TPM protectors are deleted; escrow the recovery password first; reboot to lock immediately). To use PsExec you need administrative privileges on the remote computer and access to its ADMIN$ share over SMB (TCP 445). You do not need to copy anything to the target beforehand: PsExec installs its own PSEXESVC service there for the duration of the command and removes it afterwards. On computers that are not domain-joined, UAC remote restrictions prevent local administrator accounts other than the built-in Administrator from using the admin share, so you must either use the built-in Administrator, use a domain account, or set the `LocalAccountTokenFilterPolicy` registry value to 1 on the target. The `-h` parameter runs the process with the account's elevated token on the remote computer. PsExec works with workgroup devices, but you will usually need to pass the remote credentials with `-u` and `-p` (or be prompted for them).

  • Scalefusion: Scalefusion is a cloud-based MDM solution for managing and securing Windows devices. It supports Autopilot and device locking, as well as device location, app management, remote control, and more. You can use its Remote Shell feature to run the same `manage-bde -forcerecovery C:` command on the device from the Scalefusion dashboard; there is no need to wrap it in PsExec or add `-s`, because the Scalefusion agent already runs it as the System account. To use Scalefusion you need to enroll your devices, which may require a subscription fee depending on the number of devices and the features you need, and install the Scalefusion agent on them, which may require user consent or administrative privileges.

These are just some of the tools that can help you remotely lock your Windows devices without using Intune remediation scripts. There may be other tools that do the same or better, but you need to evaluate them against your needs, budget, and environment, and test them before deployment to make sure they work as expected without causing problems for your devices or data. Every option above requires the device to be powered on and reachable over the network at the moment you issue the command; a stolen laptop that never reconnects cannot be locked this way, which is why pre-boot BitLocker protection (TPM plus PIN) and recovery-key escrow matter as much as the remote trigger. Locking devices is only one aspect of securing them; you should also implement encryption, backups, antivirus, a firewall, and similar measures.
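The following PowerShell function is an added example, not code from the original page or from any of the vendors named above. It wraps the PowerShell Remoting approach with the checks a practitioner wants before running `-forcerecovery`: it confirms BitLocker protection is on, refuses to proceed unless a recovery password protector exists (since `-forcerecovery` deletes the TPM protector and that password is the only way back in), returns the recovery password so it can be escrowed, honours `-WhatIf`, checks the exit code of `manage-bde`, and optionally reboots the device so the lock takes effect immediately rather than at some future restart. It assumes WinRM is reachable on the target, the caller is a local administrator there, and the OS volume is `C:`. The computer name `LAPTOP-042` in the usage comment is a placeholder.

```powershell
# Added example (not from the original page): lock a remote BitLocker-protected Windows device
# over PowerShell Remoting with the safety checks that manage-bde -forcerecovery needs.
# Assumptions: WinRM reachable on the target, caller is a local admin there, OS volume is C:
# with a TPM protector and a RecoveryPassword protector. 'LAPTOP-042' below is a placeholder.

function Invoke-RemoteBitLockerLock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [pscredential] $Credential,          # omit when Kerberos (domain) authentication applies
        [string] $MountPoint = 'C:',
        [switch] $Restart                    # reboot now so the lock takes effect immediately
    )

    $sessionArgs = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $sessionArgs.Credential = $Credential }
    $session = New-PSSession @sessionArgs

    try {
        # 1. Inspect the volume first: -forcerecovery deletes the TPM protector, so refuse
        #    to run unless protection is on and a recovery password exists to get back in.
        $vol = Invoke-Command -Session $session -ArgumentList $MountPoint -ScriptBlock {
            param($mp) Get-BitLockerVolume -MountPoint $mp
        }
        if ($vol.ProtectionStatus -ne 'On') {
            throw "BitLocker protection is '$($vol.ProtectionStatus)' on $ComputerName $MountPoint; nothing to lock."
        }
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) {
            throw "No RecoveryPassword protector on $ComputerName $MountPoint; add and escrow one before forcing recovery."
        }

        # 2. Emit the recovery password(s) so the caller can escrow them (AD, Entra ID, a vault)
        #    before the device is locked. Treat this output as a secret. -WhatIf stops after this.
        $rp | ForEach-Object {
            [pscustomobject]@{
                ComputerName     = $ComputerName
                KeyProtectorId   = $_.KeyProtectorId
                RecoveryPassword = $_.RecoveryPassword
            }
        }
        if (-not $PSCmdlet.ShouldProcess($ComputerName, "manage-bde -forcerecovery $MountPoint")) { return }

        # 3. Force recovery. manage-bde is a native exe, so capture its text and exit code together.
        $result = Invoke-Command -Session $session -ArgumentList $MountPoint -ScriptBlock {
            param($mp)
            $text = & manage-bde.exe -forcerecovery $mp 2>&1 | Out-String
            [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $text }
        }
        if ($result.ExitCode -ne 0) {
            throw "manage-bde failed on $ComputerName (exit $($result.ExitCode)): $($result.Output)"
        }
        Write-Verbose $result.Output

        # 4. Optionally reboot now; otherwise the logged-on user keeps working until the next
        #    restart, which may be hours or days away.
        if ($Restart) {
            Invoke-Command -Session $session -ScriptBlock { shutdown.exe /r /t 0 /f }
        }
    }
    finally {
        # The session is gone after a forced reboot; ignore errors while cleaning it up.
        Remove-PSSession $session -ErrorAction SilentlyContinue
    }
}

# Usage: dry-run first to see the recovery password, escrow it, then run for real.
# Invoke-RemoteBitLockerLock -ComputerName 'LAPTOP-042' -Credential (Get-Credential) -WhatIf
# Invoke-RemoteBitLockerLock -ComputerName 'LAPTOP-042' -Credential (Get-Credential) -Restart -Verbose
```

The function deliberately fails closed: if it cannot prove a recovery password exists it does nothing, because forcing recovery on a volume without one would lock out the organisation as well as the thief. The same sequence of checks applies if you drive `manage-bde` through PsExec or an MDM remote shell instead of WinRM; only the transport changes.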
