Erase stolen device fails - "The MDM user needs to log in to the device for settings to be updated"

ChemistryGP
Here to help

Erase stolen device fails - "The MDM user needs to log in to the device for settings to be updated"

Have a Win10 laptop that was fully enrolled (agent and profile).

 

It's been stolen and we are attempting to remotely wipe the device but the command is failing. It appears previous profile updates have failed to update for some time, with the Dashboard reporting "The MDM user needs to log in to the device for settings to be updated"

 

Searching online takes me to this post and response from Meraki - which states that "Agent-based actions can be executed regardless of which user is logged in, however, for MDM commands, the user account used to enrolled in MDM must be logged into the device."

 

Most of our devices are not enrolled with the actual user account (most are setup before we even know who the laptop will be issued to).

 

So is my assumption here that MDM on windows devices is essentially pointless because you can defeat security measures/updates simply by not logging in in the original user that enrolled to the organisation?

4 Replies 4
PhilipDAth
Kind of a big deal
Kind of a big deal

I can't comment to your specific case as I don't know the answer.

 

My personal opinion is Meraki MDM support for Windows 10 is weak.  I haven't had a good play for a while, because each time I tried testing different things I kept finding gotchas.

We knew it was weak compared to some other offerings, so went in somewhat with our eyes open - but took the advantage of working relatively well across a mixed Win/macOS estate....

 

However, remote MDM wipe was up there and it seems its not valid for us.

T1
Building a reputation

Is device in question even online? I doubt the thief would turn it on, connect to WiFi and leave it sitting at the Windows login screen for you to wipe remotely.

 

We occasionally use remote wipe to quickly reset returned Windows laptop, it is slightly quicker than going through Settings and it works without signing in.

Yes I'm not too concerned about losing anything - data is all encrypted etc - It's more the discovery that Windows MDM only works at all when the specific user account that enrolled the device is logged in. This seems remarkably limited - its user enrolment and management, not device.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels