
Lock and wipe devices using Microsoft Graph in Power Automate

On a recent project I needed to be able to lock and wipe devices. I used Microsoft Graph, Power Automate and HTTP requests to get this done. This post covers the details.

Big Warning

This post should carry a big "Don't try this at home (or work)" warning: you do not want to wipe a device that someone is actually using, and you do not want this capability in the hands of someone with the wrong motives.

In my case we are managing thousands of laptops for an organization that needs its laptops returned; as a last resort, the devices that aren't returned will be wiped.

The Graph API

If you are new to the Graph API then please have a look at my series about the Graph API and the Power Platform.

I’m going to make use of the Managed Devices endpoints in this post. These endpoints can be used to do things to devices that are managed within Intune.

There are many operations possible on this endpoint:

https://graph.microsoft.com/v1.0/deviceManagement/managedDevices

On Microsoft Learn you can find the following overview of the operations.

Method | Return type | Description
List managedDevices | managedDevice collection | List properties and relationships of the managedDevice objects.
Get managedDevice | managedDevice | Read properties and relationships of the managedDevice object.
Create managedDevice | managedDevice | Create a new managedDevice object.
Delete managedDevice | None | Deletes a managedDevice.
Update managedDevice | managedDevice | Update the properties of a managedDevice object.
retire action | None | Retire a device
wipe action | None | Wipe a device
resetPasscode action | None | Reset passcode
remoteLock action | None | Remote lock
requestRemoteAssistance action | None | Request remote assistance
disableLostMode action | None | Disable lost mode
locateDevice action | None | Locate a device
bypassActivationLock action | None | Bypass activation lock
rebootNow action | None | Reboot device
shutDown action | None | Shut down device
recoverPasscode action | None | Recover passcode
cleanWindowsDevice action | None | Clean Windows device
logoutSharedAppleDeviceActiveUser action | None | Logout shared Apple device active user
deleteUserFromSharedAppleDevice action | None | Delete user from shared Apple device
syncDevice action | None | Not yet documented
windowsDefenderScan action | None | Not yet documented
windowsDefenderUpdateSignatures action | None | Not yet documented
updateWindowsDeviceAccount action | None | Not yet documented

So how do we use this in Power Automate?

List managed devices

In my examples, I will skip the authentication part. But please do remember to set up the App Registration in Azure. This App Registration will require the DeviceManagementManagedDevices.PrivilegedOperations.All permission.

Now we can look at listing all devices using the GET method with the following endpoint:

https://graph.microsoft.com/v1.0/deviceManagement/managedDevices

However, if you have more than 1000 devices you will need to enable paging on this HTTP action, as you can only collect 1000 items at a time.

In my case I'm after just one device that I want to lock, and I have the serialNumber of the device in question available to me. I can query the devices using a simple filter query on serialNumber.

Now that I’ve got the device I can collect the id of the device.
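The listing, paging and serialNumber filter described above, as an added example in Python rather than a Power Automate flow (this is not code from the post). It assumes a bearer token obtained elsewhere from the App Registration; the `send` hook, the `FAKE_PAGES` responses and the device ids and serial numbers in them are constructed so the logic runs offline.

```python
"""Query Intune managed devices through Microsoft Graph with paging and a serialNumber filter.

Added example, not code from the original post. The token is assumed to come from the
App Registration the post refers to. `send` is a transport hook so the paging and
filtering logic can be exercised offline against constructed responses.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
MANAGED_DEVICES = f"{GRAPH_BASE}/deviceManagement/managedDevices"


def build_filter_url(serial_number: str) -> str:
    """Build the filtered GET URL that finds one device by serialNumber.

    A single quote inside the value is doubled (OData's escape) and the expression
    is URL-encoded, so a serial number taken from user input cannot alter the filter.
    """
    escaped = serial_number.replace("'", "''")
    expr = "serialNumber eq '" + escaped + "'"
    return MANAGED_DEVICES + "?$filter=" + urllib.parse.quote(expr, safe="")


def http_get_json(url: str, token: str) -> Dict:
    """Real transport: one GET against Graph, returning the decoded JSON body."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def iter_managed_devices(
    url: str, token: str, send: Callable[[str, str], Dict] = http_get_json
) -> Iterator[Dict]:
    """Yield devices across all pages by following @odata.nextLink until it is absent.

    A page holds at most 1000 managedDevice objects; without this loop a listing of a
    larger estate silently stops after the first page.
    """
    next_url: Optional[str] = url
    while next_url:
        page = send(next_url, token)
        yield from page.get("value", [])
        next_url = page.get("@odata.nextLink")


def find_device_id(
    serial_number: str, token: str, send: Callable[[str, str], Dict] = http_get_json
) -> Optional[str]:
    """Return the managedDevice id for a serial number, or None when nothing matched.

    Raises if the filter matches more than one device: the id is about to be used for
    a lock or wipe, so an ambiguous match must never be resolved by picking the first.
    """
    matches: List[Dict] = list(iter_managed_devices(build_filter_url(serial_number), token, send))
    if not matches:
        return None
    if len(matches) > 1:
        raise ValueError(f"{len(matches)} devices share serialNumber {serial_number!r}")
    return matches[0]["id"]


# Constructed sample responses standing in for Graph: two pages for the unfiltered
# listing and one page for the filtered query. Ids and serial numbers are made up.
FAKE_PAGES = {
    MANAGED_DEVICES: {
        "value": [{"id": "11111111-1111-1111-1111-111111111111",
                   "serialNumber": "SN-0001", "operatingSystem": "Windows"}],
        "@odata.nextLink": MANAGED_DEVICES + "?$skiptoken=page2",
    },
    MANAGED_DEVICES + "?$skiptoken=page2": {
        "value": [{"id": "22222222-2222-2222-2222-222222222222",
                   "serialNumber": "SN-0002", "operatingSystem": "Android"}],
    },
    build_filter_url("SN-0002"): {
        "value": [{"id": "22222222-2222-2222-2222-222222222222",
                   "serialNumber": "SN-0002", "operatingSystem": "Android"}],
    },
}


def fake_send(url: str, token: str) -> Dict:
    """Offline transport used instead of http_get_json for the demo."""
    return FAKE_PAGES.get(url, {"value": []})


if __name__ == "__main__":
    devices = list(iter_managed_devices(MANAGED_DEVICES, "demo-token", fake_send))
    print(f"{len(devices)} devices across all pages")
    print("device id for SN-0002:", find_device_id("SN-0002", "demo-token", fake_send))
```

In a real run, swap `fake_send` for `http_get_json` (or leave the default) and pass the token from your App Registration; `find_device_id` is deliberately strict about a single match before its result is handed to any action.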

Get Device

Although the above will give me the device details, I could also query the device using the id of the device.

Once again it is all quite easy to configure.

Wipe and Lock devices

Depending on whether you want to wipe a device or lock it, I've created a switch. You will find that for the remote lock there is no need to supply any parameters in the body, but for a wipe you can control what is removed from the device and what isn't.

Note that if you call the wipe method without any body, all parameters are assumed false. So once again be very careful, as you might want to keep your Autopilot image to reuse the laptop at some point.

Errors

I've noticed that the remote lock often returns the following error. The wipe, however, is very effective.

{
  "error": {
    "code": "BadRequest",
    "message": "{\r\n  \"_version\": 3,\r\n  \"Message\": \"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 6010c011-c21e-4724-b937-c87626fc1215 - Url: https://fef.amsub0202.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices('e83b9c69-f34c-404c-bc34-2af1dc84f645')/microsoft.management.services.api.remoteLock?api-version=5023-03-10\",\r\n  \"CustomApiErrorPhrase\": \"\",\r\n  \"RetryAfter\": null,\r\n  \"ErrorSourceService\": \"\",\r\n  \"HttpHeaders\": \"{}\"\r\n}",
    "innerError": {
      "date": "2023-04-25T13:23:04",
      "request-id": " 6010c011-c21e-4724-b937-c87626fc1215",
      "client-request-id": " 6010c011-c21e-4724-b937-c87626fc1215"
    }
  }
}

The above error is quite annoying as the device isn't locked. If you come across this error and find its cause, please let me know. The wipe operation, however, is very effective!
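One thing worth noticing in that response is that the Intune service's own error is a JSON document serialised into the `message` string, so the Operation ID and Activity ID that Microsoft support asks for, and the `RetryAfter` hint, only appear after decoding it twice. The parser below is an added example (not from the post) that pulls those fields out of a Graph error body; `SAMPLE_BODY` is constructed in the shape of the error above, with the zeroed Operation ID from the post and a placeholder service URL.

```python
"""Extract the support identifiers from a nested Intune/Graph error body.

Added example, not code from the original post. Graph wraps the Intune service's error
as a JSON-encoded string inside error.message, so it is decoded a second time here.
"""
import json
import re
from typing import Dict, Optional

# Labels used in the service message, followed by a GUID.
ID_PATTERN = re.compile(
    r"(Operation ID \(for customer support\)|Activity ID): ([0-9a-fA-F-]{36})"
)


def parse_intune_error(body: str) -> Dict[str, Optional[str]]:
    """Flatten a Graph error response into the fields you would hand to support or a log."""
    outer = json.loads(body)
    err = outer.get("error", {})
    inner_err = err.get("innerError", {})
    result: Dict[str, Optional[str]] = {
        "code": err.get("code"),
        "date": inner_err.get("date"),
        # The post's sample shows a stray leading space in these ids; strip it.
        "request_id": (inner_err.get("request-id") or "").strip() or None,
        "operation_id": None,
        "activity_id": None,
        "retry_after": None,
        "message": None,
    }
    raw = err.get("message", "")
    try:
        inner = json.loads(raw)  # the message field is itself a JSON document
    except ValueError:
        result["message"] = raw  # plain-text message: nothing more to unwrap
        return result
    result["message"] = inner.get("Message")
    result["retry_after"] = inner.get("RetryAfter")
    for label, guid in ID_PATTERN.findall(inner.get("Message", "")):
        key = "operation_id" if label.startswith("Operation") else "activity_id"
        result[key] = guid
    return result


def support_summary(parsed: Dict[str, Optional[str]]) -> str:
    """One line suitable for a flow's failure notification or a ticket."""
    return (f"{parsed['code']} at {parsed['date']}: operation {parsed['operation_id']}, "
            f"activity {parsed['activity_id']}, retry-after {parsed['retry_after']}")


# Constructed sample modelled on the remoteLock error shown in the post. The service
# URL is a placeholder; the Activity ID is the one printed in the post.
_INNER = {
    "_version": 3,
    "Message": ("An error has occurred - Operation ID (for customer support): "
                "00000000-0000-0000-0000-000000000000 - Activity ID: "
                "6010c011-c21e-4724-b937-c87626fc1215 - Url: "
                "https://<intune-service-host>/deviceManagement/managedDevices('<device-id>')"
                "/microsoft.management.services.api.remoteLock?api-version=5023-03-10"),
    "CustomApiErrorPhrase": "",
    "RetryAfter": None,
    "ErrorSourceService": "",
    "HttpHeaders": "{}",
}
SAMPLE_BODY = json.dumps({
    "error": {
        "code": "BadRequest",
        "message": json.dumps(_INNER, indent=2).replace("\n", "\r\n"),
        "innerError": {
            "date": "2023-04-25T13:23:04",
            "request-id": " 6010c011-c21e-4724-b937-c87626fc1215",
            "client-request-id": " 6010c011-c21e-4724-b937-c87626fc1215",
        },
    }
})

if __name__ == "__main__":
    print(support_summary(parse_intune_error(SAMPLE_BODY)))
```

In a flow, feed the body of the failed HTTP action to this parser in a "run after: has failed" branch and log the summary; a non-null `retry_after` is the signal that a retry makes sense, whereas the BadRequest above does not carry one.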

RebootNow

Ok, so we've got a bit of an issue with locking the devices. I found out that remoteLock is supported on Android devices but not on Windows. Hmm, that is a pain.

The best solution I have found so far is the /rebootNow endpoint. It works in the same way as the other operations, but it reboots the device instead of locking it.
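Pulling the remoteLock, wipe and rebootNow actions together: the request builder below is an added example (not code from the post) that constructs the POST for each action, refuses to issue a wipe unless every flag has been decided explicitly (since Graph treats an omitted flag as false), and picks the action per operating system the way the post settled on: remoteLock for Android, rebootNow for Windows. The parameter names are those of the Graph wipe action; the `send` hook, the recording transport and the device id are constructed so the demo sends nothing.

```python
"""Build and send the managedDevice action POSTs: remoteLock, wipe, rebootNow.

Added example, not code from the original post. Assumes a bearer token from the App
Registration the post describes. post_json is the real transport; the demo uses a
recording transport so nothing leaves the machine.
"""
import json
import urllib.request
from dataclasses import asdict, dataclass
from typing import Callable, Dict, List, Optional, Tuple

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


@dataclass(frozen=True)
class WipeOptions:
    """Flags of the Graph wipe action. Graph treats any omitted flag as false, so the
    two that decide whether enrollment and user data survive have no default here."""
    keepEnrollmentData: bool
    keepUserData: bool
    persistEsimDataPlan: bool = False
    useProtectedWipe: bool = False


def action_url(device_id: str, action: str) -> str:
    return f"{GRAPH_BASE}/deviceManagement/managedDevices/{device_id}/{action}"


def build_action(device_id: str, action: str,
                 wipe: Optional[WipeOptions] = None) -> Tuple[str, Dict]:
    """Return (url, body). remoteLock and rebootNow take an empty body; wipe needs WipeOptions."""
    if action == "wipe":
        if wipe is None:
            raise ValueError("wipe requires explicit WipeOptions: an empty body wipes everything")
        return action_url(device_id, "wipe"), asdict(wipe)
    if action in ("remoteLock", "rebootNow"):
        return action_url(device_id, action), {}
    raise ValueError(f"unsupported action {action!r}")


def lock_action_for(operating_system: str) -> str:
    """Choose the 'lock' action per OS as the post found: remoteLock works on Android,
    not on Windows, where rebootNow is the fallback. Other platforms are not covered."""
    os_name = operating_system.strip().lower()
    if os_name == "android":
        return "remoteLock"
    if os_name == "windows":
        return "rebootNow"
    raise ValueError(f"no lock action chosen for {operating_system!r}")


def post_json(url: str, body: Dict, token: str) -> int:
    """Real transport: POST the body to Graph and return the HTTP status."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


def run_action(device_id: str, action: str, token: str, wipe: Optional[WipeOptions] = None,
               send: Callable[[str, Dict, str], int] = post_json) -> int:
    url, body = build_action(device_id, action, wipe)
    return send(url, body, token)


# Recording transport for the demo: captures what would have been sent.
SENT: List[Tuple[str, Dict]] = []


def recording_send(url: str, body: Dict, token: str) -> int:
    SENT.append((url, body))
    return 204  # what Graph answers when an action is accepted


if __name__ == "__main__":
    device = "00000000-0000-0000-0000-000000000000"  # placeholder device id
    run_action(device, lock_action_for("Windows"), "demo-token", send=recording_send)
    keep_image = WipeOptions(keepEnrollmentData=True, keepUserData=False)
    run_action(device, "wipe", "demo-token", wipe=keep_image, send=recording_send)
    for url, body in SENT:
        print(url, json.dumps(body))
```

The `keepEnrollmentData=True, keepUserData=False` combination is the one to reach for when the laptop is meant to come back and be re-provisioned, which is the concern raised earlier about the Autopilot image; a Power Automate switch can map to exactly these two bodies.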

Pieter Veenstra

Business Applications Microsoft MVP working as a Principal Architect at HybrIT Services Ltd. You can contact me using contact@sharepains.com
