cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Mysterious DEP Device Wipe

Stuart King
Iron Contributor

‎May 15 2020 03:11 AM

‎May 15 2020 03:11 AM

Mysterious DEP Device Wipe

Hi All

 

I am investigating the unexplained wipe of a DEP enrolled device. This is the 3rd case of this.

 

From the logs, I can see nothing obvious except for an AD password change synced via AADC.

 

So, if the password was changed in AD and synced to AA, surely the Intune Company Portal would recognize the password change and prompt for the new password?

 

And what if the user entered the old / wrong password multiple times? Would the DEP device wipe?

 

Info greatly appreciated.

2,299 Views
0 Likes
6 Replies
Reply
6 Replies
eglockling

‎May 15 2020 09:54 AM

‎May 15 2020 09:54 AM

Re: Mysterious DEP Device Wipe

@Stuart King  Do you have the "Number of sign-in failures before wiping device" setting configured in the iOS restrictions profile? I suspect that the end-user entered the device passcode incorrectly too many times, especially if there's no log of it in Endpoint Manager. Failed authentication attempts against the AAD account would not cause the device to wipe.

0 Likes
Reply
Stuart King

‎May 15 2020 02:14 PM

‎May 15 2020 02:14 PM

Re: Mysterious DEP Device Wipe

@eglockling 

 

"Failed authentication attempts against the AAD account would not cause the device to wipe." - Even on the Intune Company Portal app? Do you have a reference to that info?

 

I have loads of Sign-in failures against the Intune Company Portal app around the same time as the password change, then the device re-enrolling.

 

Regards

 

 

0 Likes
Reply
eglockling

‎May 18 2020 02:45 PM

‎May 18 2020 02:45 PM

Re: Mysterious DEP Device Wipe

@Stuart King  Yes, the Microsoft Intune and Intune Company Portal apps do not define this, it is a configuration that can be deployed to managed devices that leverages the existing built-in OS feature. Once the config is deployed, it is the device itself that evaluates the failed device password (passcode) attempts, not the MDM agent. Failed sign-in attempts to the Company Portal would only affect the user account (eg. lock the account, block additional sign-ins from this device, whatever your organization has defined...). Do you have any compliance actions set that would be contributing to this behaviour?

0 Likes
Reply
Stuart King

‎May 19 2020 05:49 AM

‎May 19 2020 05:49 AM

Re: Mysterious DEP Device Wipe

@eglockling 

 

Hi There

 

Many thanks for your reply.

 

I can't see anything in Device Compliance that would cause this.

 

There is  Device Config setting, wipe after 6 incorrect PIN attempts.

 

Apart from that, I can see no obvious reason why this DEP device, the 3rd separate one has suddenly wiped.

 

Regards

0 Likes
Reply
Stuart King

‎May 19 2020 08:30 PM

‎May 19 2020 08:30 PM

Re: Mysterious DEP Device Wipe

@eglockling 

 

Hey buddy

 

On further investigation of the iOS Device Compliance and Configuration policies, I have noticed the following setting:

 

Password expiration (days): = 90

 

As roll-out was approx mid-February, 90 days would take it to mid-May, when the reset occurred.

 

Could this be the culprit?

1 Like
Reply
eglockling

‎May 25 2020 05:47 AM

‎May 25 2020 05:47 AM

Re: Mysterious DEP Device Wipe

@Stuart King  This would definitely make sense. The end-user probably updated the passcode when prompted, then attempted to use the old one incorrectly too many times.

0 Likes
Reply