Wipe and lock devices

On a recent project I needed to be able to lock and wipe devices. I used Microsoft Graph, Power Automate and HTTP requests to get this done. This post covers the details.

Big Warning

This post should have a big “Don’t try this at home (or work)” warning as you wouldn’t want to wipe a device that someone is actually using for the wrong reasons.


In my case we are managing 1000s of laptops for an organization that should get its laptops back, and as a last resort the devices that aren’t returned will be wiped.

The Graph API

If you are new to the Graph API then please have a look at my series about the Graph API and the Power Platform.

I’m going to make use of the Managed Devices endpoints in this post. These endpoints can be used to do things to devices that are managed within Intune.

There are many operations possible


On Microsoft Learn you can find the following overview of the operations.

| Method | Return Type | Description |
| --- | --- | --- |
| List managedDevices | managedDevice collection | List properties and relationships of the managedDevice objects. |
| Get managedDevice | managedDevice | Read properties and relationships of the managedDevice object. |
| Create managedDevice | managedDevice | Create a new managedDevice object. |
| Delete managedDevice | None | Deletes a managedDevice. |
| Update managedDevice | managedDevice | Update the properties of a managedDevice object. |
| retire action | None | Retire a device |
| wipe action | None | Wipe a device |
| resetPasscode action | None | Reset passcode |
| remoteLock action | None | Remote lock |
| requestRemoteAssistance action | None | Request remote assistance |
| disableLostMode action | None | Disable lost mode |
| locateDevice action | None | Locate a device |
| bypassActivationLock action | None | Bypass activation lock |
| rebootNow action | None | Reboot device |
| shutDown action | None | Shut down device |
| recoverPasscode action | None | Recover passcode |
| cleanWindowsDevice action | None | Clean Windows device |
| logoutSharedAppleDeviceActiveUser action | None | Logout shared Apple device active user |
| deleteUserFromSharedAppleDevice action | None | Delete user from shared Apple device |
| syncDevice action | None | Not yet documented |
| windowsDefenderScan action | None | Not yet documented |
| windowsDefenderUpdateSignatures action | None | Not yet documented |
| updateWindowsDeviceAccount action | None | Not yet documented |

So how do we use this in Power Automate?

List managed devices

In my examples, I will skip the authentication part. But please do remember to set up the App Registration in Azure. This App Registration will require the DeviceManagementManagedDevices.PrivilegedOperations.All permission.

Now we can look at listing all devices using the GET method with the following endpoint


However, if you have more than 1000 devices you will need to enable paging on this HTTP action, as you can only collect 1000 items at a time.

In my case I’m after just one device that I want to lock and I have the serialNumber of the device in question available to me. As shown below I can query the devices using a simple filter query.


Now that I’ve got the device I can collect the id of the device.

Get Device

Although the above will give me the device details, I could also query the device using the id of the device.


Once again it is all quite easy to configure.

Wipe and Lock devices

Depending on whether you want to wipe a device or lock a device, I’ve created a switch. You will find that for the remote lock there is no need to supply any parameters in the body, but for a wipe you can control what is removed from the device and what isn’t.

Notice that if you call the wipe method without any body, all parameters are assumed false. So once again be very careful, as you might want to keep your Autopilot image to reuse your laptop at some point.


I’ve noticed that the remote lock often returns the following error. However, the wipe is very effective.


{
  "error": {
    "code": "BadRequest",
    "message": "{\r\n  \"_version\": 3,\r\n  \"Message\": \"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 6010c011-c21e-4724-b937-c87626fc1215 - Url: https://fef.amsub0202.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices('e83b9c69-f34c-404c-bc34-2af1dc84f645')/microsoft.management.services.api.remoteLock?api-version=5023-03-10\",\r\n  \"CustomApiErrorPhrase\": \"\",\r\n  \"RetryAfter\": null,\r\n  \"ErrorSourceService\": \"\",\r\n  \"HttpHeaders\": \"{}\"\r\n}",
    "innerError": {
      "date": "2023-04-25T13:23:04",
      "request-id": " 6010c011-c21e-4724-b937-c87626fc1215",
      "client-request-id": " 6010c011-c21e-4724-b937-c87626fc1215"
    }
  }
}



The above error is quite annoying as it isn’t locking the device. If you come across this error and do find the cause of it then please let me know. The wipe operation however is very effective!


Ok, so we’ve got a bit of an issue with the locking of the devices. I found out that remoteLock is supported on Android devices but not on Windows. Hmm, that is a pain.

The best solution I have found so far is the /rebootNow endpoint. It works in a similar way to the other operations, but it will reboot the device instead of locking it.
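
The lookup-then-act flow described in this post, as an added Python example that is not the author's Power Automate flow: it builds the serialNumber filter URL with OData quote escaping, refuses to act unless exactly one matching device comes back, and always sends the wipe flags explicitly. The v1.0 base URL, the function names, the keepEnrollmentData default of true and the sample response are assumptions of this example.

```python
from urllib.parse import quote

# Assumption: Graph v1.0 base URL; the post does not show which version it calls.
BASE = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
ACTIONS = {"wipe", "remoteLock", "rebootNow"}


def lookup_url(serial):
    """GET URL that filters managed devices on serialNumber."""
    literal = serial.replace("'", "''")  # OData escapes ' by doubling it
    return BASE + "?$filter=" + quote(f"serialNumber eq '{literal}'", safe="")


def plan_action(lookup_response, serial, action,
                keep_enrollment_data=True, keep_user_data=False):
    """Return (method, url, body) for one device action, or raise ValueError."""
    if action not in ACTIONS:
        raise ValueError(f"unsupported action: {action}")
    devices = lookup_response.get("value", [])
    # Refuse to act unless the filter matched exactly one device.
    if len(devices) != 1:
        raise ValueError(f"expected 1 device for {serial!r}, got {len(devices)}")
    device = devices[0]
    # Re-check the serial so a wrong or stale lookup result is never acted on.
    if device.get("serialNumber", "").lower() != serial.lower():
        raise ValueError("serialNumber in response does not match request")
    # Per the post, remoteLock fails on Windows; rebootNow is the fallback used.
    if action == "remoteLock" and device.get("operatingSystem") == "Windows":
        raise ValueError("remoteLock not supported on Windows; use rebootNow")
    url = f"{BASE}/{quote(device['id'], safe='')}/{action}"
    body = None
    if action == "wipe":
        # Always send the flags explicitly; an empty body means all false.
        body = {"keepEnrollmentData": keep_enrollment_data,
                "keepUserData": keep_user_data}
    return "POST", url, body


# Constructed sample of a lookup response (not real tenant data).
SAMPLE = {"value": [{"id": "00000000-0000-0000-0000-000000000001",
                     "serialNumber": "EXAMPLE123",
                     "operatingSystem": "Windows"}]}

if __name__ == "__main__":
    print(lookup_url("EXAMPLE123"))
    print(plan_action(SAMPLE, "EXAMPLE123", "wipe"))
```

The returned method, URL and body map directly onto the fields of a Power Automate HTTP action.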


By Pieter Veenstra

Business Applications Microsoft MVP working as a Principal Architect at HybrIT Services Ltd. You can contact me using contact@sharepains.com
