Lost Device Security component
The Lost Device Security Suite [WIN] component for Windows devices is provided in the Systems Management ComStore. It allows users to do the following:
- Wipe the bootloader and force a bugcheck ("blue screen of death"), immediately halting any unauthorized device usage.
- Securely wipe the device by wiping the data, unused space on all local fixed disks, as well as the Recycle Bin in such a way that data cannot be recovered.
- Encrypt this data so that if the device is successfully recovered, it can be decrypted again.
- Regain access to data (if the device is successfully retrieved) by decrypting it.
The data set the component targets is:
- All local profiles and locally cached roaming profiles (Desktop and Documents folders, etc.)
- Google Chrome, Mozilla Firefox, and Microsoft Edge browser password caches
- A single additional path if defined in a variable; for example, if you have a D:\ data drive or another path on the C:\ drive
Five input variables are made available when running the component against an eligible device. Two are mandatory, one is conditional, and the remaining two are optional.
- SayTheMagicWord: due to the highly destructive nature of this component, a specific passphrase must be typed into this variable in order for it to run successfully. The passphrase is visible by hovering over the blue i next to the variable name. The passphrase is not included here for security reasons. It must be copied verbatim.
- SecurityOperation: allows you to specify which of the four operations you want the component to perform against your device:
  - Brick the device by wiping the bootloader so that the device cannot be booted, and force a "blue screen of death."
  - Wipe the device by securely erasing the data set stated above, plus free space on all local fixed disks and the Recycle Bin.
  - Encrypt the data set stated above using a randomly generated 75-character key. This key is written to the StdOut of the script run (and optionally to a UDF) so the data can be retrieved if the device in question is recovered.
  - Decrypt the data set stated above using the password string from the Encrypt operation, effectively undoing it.
- FileSyncShareDisabled: flag to confirm that there are no active file sync/share solutions on the device to avoid impacting any cloud-stored data. This must be set to TRUE if performing a Wipe or Encrypt operation; otherwise, it will instantly fail.
- DecryptPassword: if you are performing a Decrypt operation, enter the password here. You will find this in the StdOut of the Encrypt operation, as well as in the UDF if you declared it.
- AdditionalPath: if you have an additional path for data to Wipe, Encrypt or Decrypt (for example, a D:\ data drive or another folder on the C:\ drive), enter it here; otherwise leave blank. You may only add one additional path.
- UDFNum: enter a number (1-30) to populate that UDF with the encryption password when running an Encrypt operation; otherwise leave blank.
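The variable rules above form a contract that is easy to get wrong when the component is queued in a hurry. The following pre-flight check is an added example (not Datto's own code) that validates a set of inputs against those rules before the component is run; it assumes the RMM exposes input variables as environment variables of the same name, and the passphrase, which is only shown in the ComStore tooltip, is a labelled placeholder.

```powershell
# Added example: validate Lost Device Security inputs against the documented rules.
# Assumptions: variables arrive as environment variables; passphrase is a placeholder.
function Test-LostDeviceInputs {
    param(
        [hashtable]$Vars,
        [string]$ExpectedPassphrase = '<PASSPHRASE FROM COMPONENT TOOLTIP>'  # placeholder
    )
    $errors = @()
    # Mandatory: the passphrase must match verbatim (case-sensitive compare, no trimming).
    if ($Vars.SayTheMagicWord -cne $ExpectedPassphrase) {
        $errors += 'SayTheMagicWord does not match the required passphrase verbatim.'
    }
    # Mandatory: one of the four documented operations.
    $op = $Vars.SecurityOperation
    if ($op -notin @('Brick', 'Wipe', 'Encrypt', 'Decrypt')) {
        $errors += "SecurityOperation must be Brick, Wipe, Encrypt or Decrypt (got '$op')."
    }
    # Conditional: Wipe and Encrypt fail unless sync/share is confirmed disabled.
    if ($op -in @('Wipe', 'Encrypt') -and "$($Vars.FileSyncShareDisabled)" -ne 'TRUE') {
        $errors += 'FileSyncShareDisabled must be TRUE for Wipe or Encrypt operations.'
    }
    # Conditional: Decrypt needs the key captured from the Encrypt run's StdOut or UDF.
    if ($op -eq 'Decrypt' -and [string]::IsNullOrWhiteSpace($Vars.DecryptPassword)) {
        $errors += 'DecryptPassword is required for a Decrypt operation.'
    }
    # Optional: a single additional path, and it should exist on this device.
    $extra = $Vars.AdditionalPath
    if (-not [string]::IsNullOrWhiteSpace($extra)) {
        if ($extra -match '[;,]') { $errors += 'AdditionalPath accepts one path only.' }
        elseif (-not (Test-Path -LiteralPath $extra)) { $errors += "AdditionalPath '$extra' not found." }
    }
    # Optional: UDF slot 1-30, only meaningful for Encrypt; otherwise leave blank.
    $udf = $Vars.UDFNum
    if (-not [string]::IsNullOrWhiteSpace($udf)) {
        if ($udf -notmatch '^\d+$' -or [int]$udf -lt 1 -or [int]$udf -gt 30) {
            $errors += "UDFNum must be a number from 1 to 30 (got '$udf')."
        } elseif ($op -ne 'Encrypt') {
            $errors += 'UDFNum is only used by the Encrypt operation; leave it blank otherwise.'
        }
    }
    return $errors
}

# Usage: collect the variables (assumed to be exposed as environment variables) and stop on any problem.
$vars = @{}
foreach ($n in 'SayTheMagicWord', 'SecurityOperation', 'FileSyncShareDisabled', 'DecryptPassword', 'AdditionalPath', 'UDFNum') {
    $vars[$n] = [Environment]::GetEnvironmentVariable($n)
}
$problems = Test-LostDeviceInputs -Vars $vars
if ($problems) { $problems | ForEach-Object { Write-Error $_ }; exit 1 }
```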
The component bundles the following files, which antivirus products may flag:
- Eraser, renamed winlogon.exe for stealth
- BSOD subscript
- AESCrypt, renamed csrss32.exe and csrss64.exe for stealth
IMPORTANT! You may find that the component instantly fails with an "Incorrect function" message in StdErr. This happens when your Antivirus solution quarantines or deletes the entire component file before the Datto RMM Agent is able to launch it. As above, you must add csrss32.exe and csrss64.exe to the allow list or remove them from the component in order to prevent this behavior.
NOTE: Due diligence should be taken with IT Security staff to ensure they are informed about this component in order to reduce the risk of false positives.