Forum Discussion
How to configure Intune to not allow remote wiping of personal devices
Intune is an MDM (Mobile Device Manager); it is meant to have as much capability over a device as possible so you can manage them remotely. All devices that are in Intune need to be enrolled, manually or automatically using Autopilot. It is not as easy as just putting your device on the network and it's on Intune.
To your first question: when a device is enrolled into Intune, the wipe permission is set up by default; however, Stryker forgot to configure multi-admin approval for that command. Any feature in Intune, such as wiping, retiring, sending scripts, etc., can be configured so that a specific admin (whomever the approval is configured for) has to allow it. This forces two admin accounts to be compromised, which is far less likely. This was not an Intune issue; this was a misconfiguration and a not-reading-through-Microsoft's-documentation issue.
BYOD devices do not get enrolled into Intune unless it is misconfigured. There is a setting called MDM auto-discovery; this needs to be disabled, or else if it's a brand new laptop and a user signs in with their work email, it will pick up the Intune enrollment via auto-enrollment and the laptop will be put into Intune. Most experienced administrators turn this off because users sometimes sign into their work email on their new personal laptops.
On Android and iOS it is basically impossible to accidentally get your BYOD device into Intune without an administrator. An iOS device either needs to be bought from the company's Apple Business Manager, or a custom "Company Portal" app gets put on the phone manually and then you sign into your work email and it is enrolled.
The "ditch Intune" advice is ridiculous for Windows PCs. Yes, ditch Intune when it comes to macOS and iOS, but Intune is a very powerful tool that needs proper configuration; when set up correctly it is one of the best MDMs on the market. As I said before, this was not an Intune problem with Stryker; this was a misconfiguration on Stryker's side. Multi-admin approval has been a Microsoft standard for Intune for a while, but it has only started getting recognition after Stryker.
Intune has several features beyond just doing a sandbox; the sandbox idea tells me your friend doesn't work with Intune much.
All of these features I mentioned, such as disabling MDM auto-discovery, enabling multi-admin approval, the Company Portal app for mobile devices, restricting BYOD, etc., are all very easy to do, but the main issue is people take the stance of "Let's make this work" rather than "What's the most secure way to make this work?"
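The post names two controls that decide whether a personal Windows laptop ends up under Intune and whether a single admin can wipe it: automatic MDM enrollment and multi-admin approval. The script below is an added, read-only audit example written for this thread; it is not the poster's code and not a Microsoft tool. It assumes the registry value `AutoEnrollMDM` under the Windows MDM policy key (written by the "Enable automatic MDM enrollment using default Azure AD credentials" group policy), the `MdmUrl` and `AzureAdJoined` labels printed by `dsregcmd /status`, and, for the optional tenant check, the Microsoft Graph beta endpoint `deviceManagement/operationApprovalPolicies`; all three are assumptions to verify against current Microsoft documentation.

```powershell
# Added example (not from the forum post): audit a Windows device for the
# auto-enrollment policy and its current MDM enrollment state, and optionally
# list multi-admin approval policies in the tenant. Nothing here changes state.

function Get-MdmAutoEnrollPolicy {
    # ASSUMPTION: the auto-enrollment GPO writes AutoEnrollMDM=1 under this key.
    # Absent or 0 means group policy is not pushing the device to auto-enroll.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $value = Get-ItemProperty -Path $key -Name AutoEnrollMDM -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        PolicyKeyPresent = (Test-Path -Path $key)
        AutoEnrollMDM    = if ($null -ne $value) { [int]$value.AutoEnrollMDM } else { 0 }
    }
}

function Get-MdmEnrollmentState {
    # ASSUMPTION: dsregcmd /status prints "AzureAdJoined : YES/NO" and, once the
    # device is MDM-enrolled, an "MdmUrl : https://..." line. Parse defensively.
    $status  = & dsregcmd.exe /status 2>$null
    $joined  = $status | Where-Object { $_ -match '^\s*AzureAdJoined\s*:' } | Select-Object -First 1
    $mdmLine = $status | Where-Object { $_ -match '^\s*MdmUrl\s*:' }        | Select-Object -First 1
    $mdmUrl  = if ($mdmLine) { ($mdmLine -replace '^\s*MdmUrl\s*:\s*', '').Trim() } else { $null }
    [PSCustomObject]@{
        AzureAdJoined = ($joined -match ':\s*YES\s*$')
        MdmEnrolled   = -not [string]::IsNullOrWhiteSpace($mdmUrl)
        MdmUrl        = $mdmUrl
    }
}

function Get-IntuneApprovalPolicies {
    # ASSUMPTION: Graph beta exposes multi-admin approval policies at this URI.
    # Requires the Microsoft.Graph module and a read-only scope; no write access.
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome
    $resp = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement/operationApprovalPolicies'
    foreach ($p in $resp.value) {
        [PSCustomObject]@{
            DisplayName = $p.displayName
            PolicyType  = $p.policyType   # e.g. a device action such as wipe
            Approvers   = ($p.approverGroupIds -join ',')
        }
    }
}

# Local device report: flags the exact condition the post warns about, a
# personal laptop that is Entra-joined and already enrolled via auto-enrollment.
$policy = Get-MdmAutoEnrollPolicy
$state  = Get-MdmEnrollmentState
Write-Output ("Auto-enroll GPO present: {0}, AutoEnrollMDM={1}" -f $policy.PolicyKeyPresent, $policy.AutoEnrollMDM)
Write-Output ("AzureAdJoined: {0}, MdmEnrolled: {1}, MdmUrl: {2}" -f $state.AzureAdJoined, $state.MdmEnrolled, $state.MdmUrl)
if ($state.MdmEnrolled -and $policy.AutoEnrollMDM -eq 1) {
    Write-Warning 'Device was auto-enrolled by policy; confirm it is corporate-owned, not BYOD.'
}

# Tenant-side check (run from an admin workstation, not the audited laptop):
# an empty result means no wipe/retire/script action requires a second approver.
# Get-IntuneApprovalPolicies | Format-Table -AutoSize
```

Run the local part elevated on the laptop in question; the tenant part is commented out because it needs an Intune administrator sign-in and the Graph beta endpoint, and its output is what you compare against the wipe, retire and script actions the post says should require a second approver.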