How can I disable a laptop remotely after a terminated employee left?

Asked By CuriousWanderer95 On

I need to disable a laptop belonging to an employee who was recently let go from the company. We've been asked by HR to take care of this, but unfortunately, our current remote management software doesn't allow for direct disabling like my last job did. We don't use Intune either.

Right now, I've set up a shutdown command that runs on a loop, but it only checks hourly, which isn't practical. I also scheduled it to run at the next check-in, but that's limited to just one run on startup. I'm considering creating a PowerShell batch file to run it on all users' startup, but I'm worried it might require admin rights, which we might not be able to use.

I heard about a command, manage-bde -forcerecovery, which supposedly invalidates a BitLocker key, making the laptop unusable without the key. I'm looking for a way to either delete a user in a domain environment or remove specific registry keys that might help make the device unusable. Any advice or tested scripts for Windows 11 23h2 and 24h2 would be greatly appreciated!

3 Answers

Answered By AdminWiz On

Have you tried blocking sign-ins and revoking active sessions using PowerShell? It's a quick way to cut them off. Be sure you also revoke any Azure sessions and delete all two-factor authentication methods, especially since you're already using Office 365. It's essential to check both O365 and Azure to fully secure the account.

BizDevBrainiac -

Definitely a good call. Make sure you get both done! People overlook the Azure side, but it's crucial to lock everything down.
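The sequence AdminWiz and BizDevBrainiac describe (block sign-in, revoke sessions, strip MFA methods, cover both the Entra/Azure side and the on-prem account), written out as one added PowerShell example. This is not code from the thread or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the operator has been granted the `User.ReadWrite.All` and `UserAuthenticationMethod.ReadWrite.All` scopes, and that `$Upn` and the `-AlsoOnPremAD` switch are parameters chosen for this example. The on-prem step assumes the RSAT ActiveDirectory module and an account synced by Entra Connect.

```powershell
# Added example, not from the original thread. Assumed parameters: $Upn, -AlsoOnPremAD.
param(
    [Parameter(Mandatory)][string]$Upn,
    [switch]$AlsoOnPremAD
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','UserAuthenticationMethod.ReadWrite.All' -NoWelcome

# 1. Block sign-in first so no new tokens can be issued while the rest runs.
#    For accounts synced from on-prem AD this value is sourced on-prem and may be
#    overwritten by the next sync cycle, hence step 4.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 2. Invalidate refresh tokens and browser sessions. Already-issued access tokens
#    keep working until they expire (typically about an hour); nothing revokes those.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. Remove every registered MFA method so the account cannot be re-enabled through
#    self-service. Graph returns a generic object; the @odata.type tells us which
#    type-specific Remove-* cmdlet applies. The password method cannot be removed.
foreach ($m in Get-MgUserAuthenticationMethod -UserId $Upn) {
    switch ($m.AdditionalProperties['@odata.type']) {
        '#microsoft.graph.phoneAuthenticationMethod' {
            Remove-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneAuthenticationMethodId $m.Id }
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn -MicrosoftAuthenticatorAuthenticationMethodId $m.Id }
        '#microsoft.graph.fido2AuthenticationMethod' {
            Remove-MgUserAuthenticationFido2Method -UserId $Upn -Fido2AuthenticationMethodId $m.Id }
        '#microsoft.graph.softwareOathAuthenticationMethod' {
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $Upn -SoftwareOathAuthenticationMethodId $m.Id }
        '#microsoft.graph.emailAuthenticationMethod' {
            Remove-MgUserAuthenticationEmailMethod -UserId $Upn -EmailAuthenticationMethodId $m.Id }
    }
}

# 4. Disable the on-prem account too, otherwise Entra Connect can re-enable the cloud object.
if ($AlsoOnPremAD) {
    Import-Module ActiveDirectory
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'"
    if ($adUser) { Disable-ADAccount -Identity $adUser }
}

# 5. Read the state back and emit a record for the HR ticket / compliance trail.
$u = Get-MgUser -UserId $Upn -Property AccountEnabled,SignInSessionsValidFromDateTime
[pscustomobject]@{
    User              = $Upn
    AccountEnabled    = $u.AccountEnabled
    SessionsValidFrom = $u.SignInSessionsValidFromDateTime
    Timestamp         = (Get-Date -Format o)
}
```

The order matters: disabling the account before revoking sessions closes the window in which a still-valid refresh token could mint a fresh access token, and the final `Get-MgUser` read gives you a timestamped, verifiable record of what was done rather than relying on the absence of errors.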

Answered By TechSavvyTommy On

Using the manage-bde -forcerecovery command is a solid option. It will pretty much lock out access to the device unless they have the BitLocker key. Just set it to run, then force a reboot. They won't be able to boot it up without that key. Of course, they might just wipe Windows and reinstall it, but at least all company data will be gone, so it's a good first step. If you want to go further, you'll need something that interacts more directly with the hardware.

LockAndLoadLarry -

I implemented that practice too! I'm setting it to run on a recurring schedule followed by an immediate reboot. I’m curious if overriding the boot policy might prevent access to the recovery screen. It could be an entertaining outcome if it ends up locking them out completely!

DataDefenderDan -

If you had Intune in place, you could link the hardware ID to your account, and then even a fresh Windows install wouldn't bypass it. That's the way to go if you can manage it.
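The `manage-bde -forcerecovery` plus reboot step that TechSavvyTommy and LockAndLoadLarry describe, as an added PowerShell example rather than a script from the thread. The point it adds is the check a practitioner wants before running it: `-forcerecovery` removes the TPM protectors, so if the organization does not hold an escrowed recovery password, the company's own data on the drive becomes unrecoverable too. It assumes the script is pushed by your remote management tool and runs elevated (`manage-bde` needs admin rights, which addresses the concern in the question), that the OS volume is `C:`, and that recovery keys are escrowed either to on-prem AD DS or to Entra ID; `$EscrowTarget` is a parameter invented for this example.

```powershell
# Added example, not from the original thread. Run elevated on the device.
# $EscrowTarget is an assumed parameter: 'AD' = on-prem AD DS, 'AAD' = Entra ID.
param([ValidateSet('AD','AAD')][string]$EscrowTarget = 'AAD')

$vol = Get-BitLockerVolume -MountPoint 'C:'

# If the drive is not actually protected, forcing recovery locks nothing.
if ($vol.ProtectionStatus -ne 'On') {
    throw "BitLocker protection on C: is '$($vol.ProtectionStatus)'; -forcerecovery would have no effect."
}

# A RecoveryPassword protector must exist, and we must hold a copy, before the TPM
# protectors are thrown away. Otherwise the company loses its own data on the drive.
$rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) {
    throw 'No RecoveryPassword protector on C:; add and escrow one before forcing recovery.'
}

foreach ($p in $rp) {
    if ($EscrowTarget -eq 'AD') {
        Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $p.KeyProtectorId | Out-Null
    } else {
        BackupToAAD-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
}

# Leave an audit line for the HR/compliance record before the device goes down.
$log = Join-Path $env:ProgramData 'offboarding-bitlocker.log'
"$(Get-Date -Format o) escrowed protector(s) $($rp.KeyProtectorId -join ',') to $EscrowTarget" |
    Add-Content -Path $log

# Only now invalidate the TPM-based unlock so the next boot stops at the recovery screen.
manage-bde -forcerecovery C: | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde -forcerecovery failed with exit code $LASTEXITCODE; not rebooting."
}

Restart-Computer -Force
```

As the thread notes, this only protects the data on the disk; it does not stop someone from reinstalling Windows on the hardware, and it offers nothing if the person already has a printout of the recovery password, which is another reason to rotate or verify escrowed keys as part of offboarding.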

Answered By HRHero On

It seems like there are better options out there that some members have suggested. If HR is concerned about disabling laptops for terminated employees, it might be time to bring this up officially. They might need to consider investing in a better remote management solution. Clear documentation and confirmation of actions taken are important for compliance and security. It could lead to a more robust solution for similar issues in the future.
