I'm trying to figure out how to prove that a device was remotely wiped using Intune. Our internal Audit team is asking for actual proof that this wipe happened. They want to know not just that a wipe command was sent, but that it actually went through successfully. Has anyone else encountered this? How do you provide evidence that a wipe occurred without physically accessing the device?
5 Answers
It's tough because proving the wipe happened is nearly impossible without having the device on hand. I get the need for accountability, but it’s just not reasonable to expect absolute proof of a remote wipe if someone isn’t cooperating. At least you're dealing with an internal team instead of a third-party audit, which makes the conversation easier.
I'd recommend asking the audit team what specific proof they’re looking for. Spending time digging through logs might be a wild goose chase if you aren’t sure what’s acceptable. If you ask upfront, you won’t waste time guessing and potentially coming up short.
Exactly! I used to guess what auditors wanted, and it always backfired. Just go straight to them and ask for specifics.
I wiped over a thousand Windows laptops last year, and this question came up a lot. Unfortunately, there isn't a surefire way to prove it aside from physically having the device.
The only way to really prove a device was wiped is to get the device back and check it physically. There's really no other proof since once wiped, your other tools and services won’t be accessible on it. If the device was disconnected from the internet, it wouldn’t receive the wipe command either, so that complicates things further.
To clarify, the best you could do is see if the device sent back an acknowledgement that it got the wipe command, but that's not proof that the wipe actually took place.
Really, physically getting the device is the best form of proof. There's no law demanding compliance for this kind of verification, so it's an internal policy issue. If they want that level of assurance, consider restricting data on remote devices completely. Use tools like MFA for access every time, and think about implementing VDI for better control.
Even if you had a confirmation that the wipe command was issued, there's no way to verify that the device followed through with it. People really need to understand that.
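The answers above separate three things: a wipe command being sent, the device acknowledging it, and the wipe actually happening. The following is an added example, not part of the original thread, that labels each record with the strongest claim the management data can support for an audit. The sample records are constructed; the field names are modeled on Microsoft Graph's deviceActionResult and managedDevice.lastSyncDateTime, and the flat export layout, the "wipe" action name and the post-completion check-in heuristic are assumptions.

```python
import json
from datetime import datetime

# Constructed sample export, not real Intune output. Field names are modeled on
# Microsoft Graph's deviceActionResult and managedDevice.lastSyncDateTime; the
# "wipe" action name and this flat layout are assumptions.
SAMPLE = json.loads("""[
 {"device": "LAPTOP-A", "actionName": "wipe", "actionState": "done",
  "lastUpdatedDateTime": "2024-03-01T09:20:00Z", "lastSyncDateTime": "2024-03-01T09:05:00Z"},
 {"device": "LAPTOP-B", "actionName": "wipe", "actionState": "pending",
  "lastUpdatedDateTime": "2024-03-01T09:00:00Z", "lastSyncDateTime": "2024-02-20T14:00:00Z"},
 {"device": "LAPTOP-C", "actionName": "wipe", "actionState": "done",
  "lastUpdatedDateTime": "2024-03-01T09:20:00Z", "lastSyncDateTime": "2024-03-04T08:00:00Z"},
 {"device": "LAPTOP-D", "actionName": "wipe", "actionState": "failed",
  "lastUpdatedDateTime": "2024-03-01T09:10:00Z", "lastSyncDateTime": "2024-03-01T09:10:00Z"}
]""")

CLAIMS = {
    "COMMAND_SENT_ONLY": "Wipe was issued; no acknowledgement from the device on record.",
    "ACKNOWLEDGED": "Device reported the wipe action as done; this is not proof of erasure.",
    "CONTRADICTED": "Device checked in after the reported completion; treat as not wiped.",
    "NOT_EXECUTED": "Service recorded the wipe as failed, canceled or unsupported.",
}

def _ts(value):
    # Accept the trailing "Z" on Python versions older than 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def classify(rec):
    """Return the strongest claim the MDM record supports. There is no
    'VERIFIED' tier: per the thread, that needs the physical device."""
    state = rec["actionState"]
    if state in ("failed", "canceled", "notSupported"):
        return "NOT_EXECUTED"
    if state != "done":  # none / pending / active: device may be offline
        return "COMMAND_SENT_ONLY"
    # Assumed heuristic: a sync on the same record after completion contradicts the ack.
    if _ts(rec["lastSyncDateTime"]) > _ts(rec["lastUpdatedDateTime"]):
        return "CONTRADICTED"
    return "ACKNOWLEDGED"

def evidence_report(records):
    wipes = [r for r in records if r["actionName"] == "wipe"]
    return [{"device": r["device"], "tier": classify(r), "claim": CLAIMS[classify(r)]}
            for r in wipes]

if __name__ == "__main__":
    for row in evidence_report(SAMPLE):
        print(f'{row["device"]}: {row["tier"]} - {row["claim"]}')
```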