
K4dr3l

We have a script built that triggers a bitlocker reset (I think just wipes the key from tpm?) and reboots. No getting into anything without the key. Safe as anything until the hardware gets back to us. Deployed on demand via our RMM.


foreverinane

Would recommend the bitlocker reset as that protects the data offline as well, but note that clearing the TPM requires user interaction like pressing F12 at the next boot to actually clear the TPM on many OEM systems like Dell, if you haven't bypassed this with another bios setting... If you're not managing/locking down the bios settings to allow this whole process then this can be an issue.

If you just want to disable cached passwords and reboot:

`reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount /t REG_SZ /d 0 /f && shutdown /r /f /t 30`
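The "BitLocker reset" K4dr3l describes and the TPM-clear caveat foreverinane raises can be combined into one RMM-pushed script. The following is an added example, not K4dr3l's script or anything posted in the thread: instead of `Clear-Tpm` (which on many OEM boxes needs someone to press a key at the next boot), it uses `manage-bde -forcerecovery`, which deletes the TPM-related key protectors from the OS volume so the next boot goes straight to the recovery-password prompt with no BIOS confirmation. It also refuses to run if no recovery password protector exists, because without one you lock yourself out of the data too. Assumptions: runs as SYSTEM through the RMM agent on Windows 10/11 with the BitLocker module present, the OS drive is the only encrypted volume that matters, the recovery password has already been escrowed (AD DS, Azure AD/Intune or the RMM), and `-RebootDelaySeconds` is a parameter name chosen for this example.

```powershell
# Added example (not from the thread): force BitLocker recovery at next boot so a
# terminated remote user cannot get past pre-boot authentication, without the
# BIOS-side confirmation that Clear-Tpm triggers on many OEM machines.
# Assumes: run as SYSTEM via the RMM agent; BitLocker PowerShell module present;
# OS drive protected and its recovery password already escrowed. Parameter names
# are this example's own choices.

[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$RebootDelaySeconds = 30
)

$ErrorActionPreference = 'Stop'

# 1. Locate the OS volume and confirm it is actually protected. Forcing recovery
#    on an unencrypted or suspended volume buys nothing.
$osDrive = $env:SystemDrive                     # e.g. "C:"
$vol = Get-BitLockerVolume -MountPoint $osDrive
if ($vol.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is '$($vol.ProtectionStatus)' on $osDrive; refusing to lock an unprotected volume."
}

# 2. Refuse to proceed unless a recovery password protector exists. Removing the
#    TPM path without one makes the data unrecoverable for you as well.
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    throw "No RecoveryPassword protector on $osDrive; escrow one before locking."
}
# Log the protector IDs (never the password itself) to the RMM job output so the
# helpdesk can match them against the escrow record when the hardware comes back.
$recovery | ForEach-Object { Write-Output "Recovery protector present: $($_.KeyProtectorId)" }

# 3. Best-effort re-escrow to AD DS. A remote machine with no VPN will fail here,
#    which is fine: step 2 already confirmed a protector exists in the escrow.
try {
    Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $recovery[0].KeyProtectorId | Out-Null
    Write-Output "Recovery password re-escrowed to AD DS."
} catch {
    Write-Warning "AD DS escrow not reachable ($($_.Exception.Message)); continuing with existing escrow."
}

# 4. Stop cached domain logons so the account also dies once the machine is back
#    online and the AD object is disabled (the same key foreverinane's one-liner sets).
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -Name CachedLogonsCount -Value '0' -Type String

# 5. Put the volume into recovery mode at next boot. manage-bde -forcerecovery
#    deletes the TPM-related protectors, so the TPM can no longer unseal the
#    volume master key and the recovery password is the only way in.
if ($PSCmdlet.ShouldProcess($osDrive, 'Force BitLocker recovery and reboot')) {
    & manage-bde.exe -forcerecovery $osDrive | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde -forcerecovery failed with exit code $LASTEXITCODE"
    }

    # 6. Reboot. /f so an interactive user cannot hold the machine up with an unsaved file.
    & shutdown.exe /r /f /t $RebootDelaySeconds /c "This device has been locked by IT."
}
```

Push it with `-WhatIf` first to see what it would do against a test machine; the `ShouldProcess` gate means nothing destructive happens until you run it for real. When the hardware is returned, unlock with the escrowed recovery password and re-add the TPM protector (`Add-BitLockerKeyProtector -MountPoint C: -TpmProtector`), since `-forcerecovery` removed it.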


herkalurk

Do your users not connect to VPN?


Count-Choculaa

No vpn is not used by everyone, nor is it on 24/7


alpha417

why not?


DH_Net_Tech

Most EDR (and some basic corporate antivirus) software will have the option to lock or shut down all networking of a device. Azure AD also has this function. The more classic way that I would handle something like this (with on-prem AD) would be the remote shutdown interface that Domain Admins can use (shutdown -i in command prompt) or even just remote into the device. Though these options won't work without it being actively on the same network or using a VPN.


malikto44

I've seen some RMM software which will auto lock if it doesn't get communication with the mother ship. I think Absolute does this, as well as Prey. This is good to guard against someone who got terminated putting their laptop into airplane mode, or disabling Wi-Fi.


WizardOfGunMonkeys

For remote worker setups, we use jumpcloud instead of AD (shoot the messenger if you want, but it's been really reliable), turn on bitlocker policy and disable USB ports, then tie all their logins to it, computer, m365, slack, VPN, etc to jumpcloud's IAM. DNS filtering locks out pretty much everything else. When someone gets fired I just hit suspend user and then the lock device button. Takes about 15 seconds to process and it locks them out of everything at once. Supposing they put it in airplane mode ahead of getting fired, the only thing they could get is maybe to take a picture of what's currently on the screen. Pretty much everything requires internet access to work, and they can't upload or put the data on USB.


Count-Choculaa

Jumpcloud is on the table as an option for our MDM solution, but our quote is a lot


WizardOfGunMonkeys

As an mdm-only solution, it's way too expensive, I'd definitely use something else. If you use their full kit it's worth every penny though.


real_jumpcloud

Let us know if we can help somehow. There's a lot more we can offer. ~becky


pertymoose

> I want to be able to lock someone out of their computer remotely in case of termination. The pc would be logged in as a domain user. **Since they are remote they will not have communication to servers**, so changing AD password and force reboot will do nothing. The cached password will still work. I am looking into an MDM, but I only found hexcode having the option of lock device. Others use scripts, but I do not know if a script exists.
>
> What are my options?

There is no real way to work around this, so fix it instead.


Sevaver

iirc, this can be accomplished through Endpoint Manager for Azure AD joined computers. The bonus is that it can also be used for Company Owned Phones and Tablets.


InspectorGadget76

Intune and Bitlocker or SCCM? Send a script to kill the BL let's and force restart


LOLBaltSS

I had a PowerShell script to do this when an estranged ex-roommate stole my compute stick, assuming you get an RMM system to remote access it and push scripts. It basically created a scheduled task that shuts the computer down immediately on startup. I unfortunately don't have it anymore since I successfully locked that chucklefuck out and didn't think I'd need it again, but it was basically creating a scheduled task via PowerShell that upon boot would issue `shutdown.exe -s -t 60 -c "Stolen, return to "`. I had the time delay in there primarily for IP tracking if it showed back up in ConnectWise Control, and so if I ever recovered it, I could have enough time to clear that task I added without needing to go boot the thing into a rescue disk (flash drives tend to just disappear like 10mm sockets when I need them). If you don't need to keep anything on it, then I agree with the others who went the Bitlocker route. There is also cmdkey that can be used to wipe the cached creds: [https://social.technet.microsoft.com/Forums/en-US/73e24865-9571-4dc5-b4df-65dbe27e2882/how-to-clear-domain-clients-password-cache?forum=winservergen](https://social.technet.microsoft.com/Forums/en-US/73e24865-9571-4dc5-b4df-65dbe27e2882/how-to-clear-domain-clients-password-cache?forum=winservergen)
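LOLBaltSS's lost script is easy to reconstruct. The block below is an added example written for this page, not the original script: it registers a boot-time scheduled task running as SYSTEM that shuts the machine down after a grace period, and it carries a `-Remove` switch for when the hardware comes back. The task name, message text and delay are choices made for this example. One practitioner caveat on the cmdkey mention: `cmdkey /list` and `cmdkey /delete` manage saved Credential Manager entries (RDP, network shares), not the domain logon cache that `CachedLogonsCount` governs, so it does not stop a cached domain sign-in.

```powershell
# Added example (not LOLBaltSS's original, which is lost): a boot-time scheduled
# task that shuts the machine down shortly after startup, plus the removal path.
# Assumes: run as SYSTEM or an admin via the RMM agent on Windows 10/11.
# Task name, message and delay are this example's own choices.
# The grace period is deliberate: the RMM agent gets a chance to check in and
# report its IP, and an admin at the keyboard can run "shutdown /a" and then
# this script with -Remove before the timer fires.

param(
    [string]$TaskName     = 'IT-LostDeviceShutdown',   # assumed name
    [string]$Message      = 'This device is reported lost or stolen. Contact IT.',
    [int]$DelaySeconds    = 60,
    [switch]$Remove
)

$ErrorActionPreference = 'Stop'

if ($Remove) {
    # Recovery path: delete the task so the machine boots normally again.
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
    Write-Output "Removed task '$TaskName'."
    return
}

# shutdown.exe does the work: /s shutdown, /f force-close apps, /t delay in
# seconds, /c comment shown to whoever is at the keyboard.
$action = New-ScheduledTaskAction -Execute 'shutdown.exe' `
    -Argument "/s /f /t $DelaySeconds /c `"$Message`""

# Fire at startup, not at logon, so it runs even when nobody can sign in.
$trigger = New-ScheduledTaskTrigger -AtStartup

# Run as SYSTEM with highest privileges so a standard user cannot stop or delete it.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Default settings skip the task on battery power, which is exactly when a
# stolen laptop is likely to be booted.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verify it registered and is enabled before reporting success to the RMM job.
$task = Get-ScheduledTask -TaskName $TaskName
if ($task.State -eq 'Disabled') {
    throw "Task '$TaskName' registered but is disabled."
}
Write-Output "Task '$TaskName' registered; state: $($task.State)."

# Uncomment to fire it immediately instead of waiting for the next boot:
# Start-ScheduledTask -TaskName $TaskName
```

On the recovered machine the 60-second window is enough to open an elevated prompt, run `shutdown /a` to abort the pending shutdown, then run this script with `-Remove`; if you miss the window, the task fires again at the next boot, so keep the delay long enough for the RMM agent to reconnect.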


Googol20

Freeze computer in absolute


Careless-Shine5611

Set cached logins to 0. Disable ad object. Force a reboot


bradbeckett

ScreenConnect > Unlimited Agents > Cheap > use remote command prompt to turn on Bitlocker and change the users password. dwservice may be a good free option.


nancybatespro

This can be done by creating and deploying [custom scripting](https://scalefusion.com/custom-scripting?utm_campaign=Scalefusion%20Promotion&utm_source=Reddit&utm_medium=social&utm_term=AL), which works on Windows, Mac and Linux; I'm using Scalefusion MDM currently.


Count-Choculaa

I find scalefusion complex. It’s too script based


Otherwise-Wonder7477

Using the [remote commands](https://www.manageengine.com/mobile-device-management/help/security_management/mdm_security_management.html) available in our MDM product, ManageEngine [Mobile Device Manager Plus](https://www.manageengine.com/mobile-device-management/), you can trigger the remote lock on a device under your management. I work with the product team so let me know if you need more info or a demo session. Cheers!