Forum Discussion

StuartK73's avatar
StuartK73
Iron Contributor
May 15, 2020

Mysterious DEP Device Wipe

Hi All

 

I am investigating the unexplained wipe of a DEP enrolled device. This is the 3rd case of this.

 

From the logs, I can see nothing obvious except for an AD password change synced via AADC.

 

So, if the password was changed in AD and synced to AA, surely the Intune Company Portal would recognize the password change and prompt for the new password?

 

And what if the user entered the old / wrong password multiple times? Would the DEP device wipe?

 

Info greatly appreciated.

  • eglockling's avatar
    eglockling
    Steel Contributor

    StuartK73  Do you have the "Number of sign-in failures before wiping device" setting configured in the iOS restrictions profile? I suspect that the end-user entered the device passcode incorrectly too many times, especially if there's no log of it in Endpoint Manager. Failed authentication attempts against the AAD account would not cause the device to wipe.

    • StuartK73's avatar
      StuartK73
      Iron Contributor

      eglockling 

       

      "Failed authentication attempts against the AAD account would not cause the device to wipe." - Even on the Intune Company Portal app? Do you have a reference to that info?

       

      I have loads of Sign-in failures against the Intune Company Portal app around the same time as the password change, then the device re-enrolling.

       

      Regards

       

       

      • eglockling's avatar
        eglockling
        Steel Contributor

        StuartK73  Yes, the Microsoft Intune and Intune Company Portal apps do not define this, it is a configuration that can be deployed to managed devices that leverages the existing built-in OS feature. Once the config is deployed, it is the device itself that evaluates the failed device password (passcode) attempts, not the MDM agent. Failed sign-in attempts to the Company Portal would only affect the user account (eg. lock the account, block additional sign-ins from this device, whatever your organization has defined...). Do you have any compliance actions set that would be contributing to this behaviour?

Resources