KB – Enterprise Reset prerequisites

The Enterprise Reset option is not always shown in the Workspace One console. The device must meet certain requirements. If one of the requirements is not met, the Enterprise Reset option will not be shown in the console – even if you are able to trigger Enterprise Reset via the API.

All of the following prerequisites must be met:

  • Windows 10 version on device should be greater than or equal to 1709.
  • Device ownership should be Corporate owned (corporate shared or corporate dedicated).
  • Publish Hub setting is enabled (on console -> All Settings -> Devices & Users -> Windows -> Windows Desktop -> Intelligent Hub Application -> Publish Workspace ONE Intelligent Hub check box enabled and also checkbox enabled for required ownership types).
  • Hub version on Device should be greater than or equal to 18.11.0.0.
  • Privacy Setting should allow Device Wipe (on console -> All Settings -> Devices & Users -> General -> Privacy -> check for Device Wipe enabled for ownership type under Commands Section)
  • Device Guard should be disabled on the Device

The last point in particular is interesting and needs more explanation.

Device Guard / Credential Guard

To get the current Device Guard configuration you need to run this PowerShell command:

Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

After running the command, you will get the following output:

AvailableSecurityProperties                  : {1, 2, 3, 4...}
CodeIntegrityPolicyEnforcementStatus         : 0
InstanceIdentifier                           : 4ff40742-2649-41b8-bdd1-e80fad1cce80
RequiredSecurityProperties                   : {0}
SecurityServicesConfigured                   : {0}
SecurityServicesRunning                      : {0}
UsermodeCodeIntegrityPolicyEnforcementStatus : 0
Version                                      : 1.0
VirtualizationBasedSecurityStatus            : 2
PSComputerName                               :

So, what do the properties and values mean?

Property: AvailableSecurityProperties
Description: This field helps to enumerate and report state on the relevant security properties for Device Guard.
Valid values:
  0. If present, no relevant properties exist on the device.
  1. If present, hypervisor support is available.
  2. If present, Secure Boot is available.
  3. If present, DMA protection is available.
  4. If present, Secure Memory Overwrite is available.
  5. If present, NX protections are available.
  6. If present, SMM mitigations are available.
  Note: 4, 5, and 6 were added as of Windows 10, version 1607.

Property: InstanceIdentifier
Description: A string that is unique to a particular device.
Valid values: Determined by WMI.

Property: RequiredSecurityProperties
Description: This field describes the required security properties to enable virtualization-based security.
Valid values:
  0. Nothing is required.
  1. If present, hypervisor support is needed.
  2. If present, Secure Boot is needed.
  3. If present, DMA protection is needed.
  4. If present, Secure Memory Overwrite is needed.
  5. If present, NX protections are needed.
  6. If present, SMM mitigations are needed.
  Note: 4, 5, and 6 were added as of Windows 10, version 1607.

Property: SecurityServicesConfigured
Description: This field indicates whether the Credential Guard or HVCI service has been configured.
Valid values:
  0. No services configured.
  1. If present, Credential Guard is configured.
  2. If present, HVCI is configured.

Property: SecurityServicesRunning
Description: This field indicates whether the Credential Guard or HVCI service is running.
Valid values:
  0. No services running.
  1. If present, Credential Guard is running.
  2. If present, HVCI is running.

Property: Version
Description: This field lists the version of this WMI class.
Valid values: The only valid value now is 1.0.

Property: VirtualizationBasedSecurityStatus
Description: This field indicates whether VBS is enabled and running.
Valid values:
  0. VBS is not enabled.
  1. VBS is enabled but not running.
  2. VBS is enabled and running.

Property: PSComputerName
Description: This field lists the computer name.
Valid values: All valid values for computer name.
Source: https://www.tenforums.com/tutorials/68926-verify-if-device-guard-enabled-disabled-windows-10-a.html

In addition, Workspace One checks the following properties to determine whether Device Guard is active:

SecurityServicesConfigured  is 1 or 2
and SecurityServicesRunning is 1 or 2
and VirtualizationBasedSecurityStatus equals 2

If all three of the above conditions are met, Device Guard is considered active and Workspace One will NOT show the Enterprise Reset option!

In conclusion, this also means that if you have Credential Guard and/or Device Guard enabled, the option will not be shown in the console.

Windows RE

If the option is shown in the console but the command fails, make sure Windows RE is enabled.

To get the current status, run the following command:

reagentc /info

The Windows RE status has to be “Enabled”; otherwise the Enterprise Reset command will fail.

To enable Windows RE run:

reagentc /enable
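The following script is an added example (not from the original article or from Workspace One) that performs the two checks described above on the device itself: it evaluates the three Win32_DeviceGuard properties exactly as the console does, and then parses the reagentc output for the Windows RE status. It assumes an elevated PowerShell session on the Windows 10 device and an English-language reagentc output line of the form "Windows RE status: Enabled".

```powershell
# Added example, not part of the original article.
# Assumes: elevated PowerShell on the target Windows 10 device.

$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

# SecurityServicesConfigured / SecurityServicesRunning are arrays of codes:
# 1 = Credential Guard, 2 = HVCI; {0} means no services.
$configured = @($dg.SecurityServicesConfigured) | Where-Object { $_ -in 1, 2 }
$running    = @($dg.SecurityServicesRunning)    | Where-Object { $_ -in 1, 2 }

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running,
# 2 = enabled and running. Only 2 counts for the console check.
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# Same three-part condition the console applies.
$deviceGuardActive = (@($configured).Count -gt 0) -and (@($running).Count -gt 0) -and $vbsRunning

if ($deviceGuardActive) {
    Write-Output ("Device Guard active (configured: {0}; running: {1}) - Enterprise Reset will NOT be offered." -f `
        (@($configured) -join ','), (@($running) -join ','))
} else {
    Write-Output "Device Guard not active - Device Guard prerequisite for Enterprise Reset is met."
}

# Windows RE check. Assumption: English reagentc output; localized builds print a different label.
$reInfo = (reagentc /info 2>&1) | Out-String
if ($reInfo -match 'Windows RE status:\s+Enabled') {
    Write-Output "Windows RE is enabled."
} else {
    Write-Output "Windows RE is not enabled - run 'reagentc /enable' before triggering Enterprise Reset."
}
```

Run it once before triggering Enterprise Reset from the console; if either line reports a blocking state, the device needs the corresponding change (Device Guard disabled, Windows RE enabled) before the command can succeed.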
