Hacking News


When Microsoft Turns Against You: Hackers Wipe Thousands of Devices

Microsoft Intune is used by many organisations as a security/admin tool to manage endpoints: to ensure they have the correct security controls, the right patch level, only authorised applications, and so on.
It also lets the company, or an admin, remotely wipe a device that has been lost or stolen, for security reasons.

So what could go wrong?
In March 2026, Stryker Corporation learned a hard lesson: attackers don't always need malware.
By compromising admin credentials, the threat actors leveraged Microsoft Intune to remotely wipe tens of thousands of devices across the organization: laptops, servers, and mobile endpoints.

The attack caused widespread disruption to operations, from order processing to shipping.

Who would ever need to mass-wipe every endpoint in an organisation, besides a hacker?
It looks like Microsoft never asked themselves that question...
Not only is that option there by default, but you cannot fully disable Intune's wipe feature.

That makes securing access and monitoring activity critical.

What can you do to mitigate this risk:

  • Limit admin access with least-privilege principles.
  • Enforce phishing-resistant multi-factor authentication for all admin accounts.
  • Monitor and audit Intune logs for unusual wipe commands.
  • Apply conditional access and segmentation to restrict admin actions.
  • Implement Privileged Identity Management (PIM) for Microsoft roles, providing Just-in-Time (JIT) elevation of Global Admin or Intune Admin rights.
  • Deploy Privileged Access Management (PAM) broadly across critical systems to control and audit all sensitive accounts, including servers and third-party platforms.
  • Integrate with SIEM/SOAR tools for real-time alerts and automated response.
  • Keep offline backups or device images for rapid recovery.
  • Practice regular credential hygiene: rotate passwords and remove inactive accounts.
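The "monitor and audit Intune logs for unusual wipe commands" item can be turned into a concrete check: a burst of wipe operations from a single identity in a short window is the signature of the Stryker-style mass wipe, as opposed to a one-off wipe of a lost laptop. The following is an added example (not code from the original post or from Microsoft); the record layout with `TimeGenerated`, `OperationName` and `Identity` fields is an assumption modelled on audit-log exports, and the sample events are constructed.

```python
"""Flag bursts of remote-wipe operations in exported Intune audit events.

Added example, not part of the original post. The field names
(TimeGenerated, OperationName, Identity) are an assumption; map your own
export's schema onto them before running this against real data.
"""
from datetime import datetime, timedelta

# Constructed sample: one routine wipe of a lost laptop by the helpdesk,
# one unrelated update, then one admin identity issuing six wipes in
# under two minutes late in the evening.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-03-10T08:15:00Z", "OperationName": "wipe ManagedDevice", "Identity": "helpdesk@example.com"},
    {"TimeGenerated": "2026-03-10T09:00:00Z", "OperationName": "update ManagedDevice", "Identity": "admin@example.com"},
] + [
    {"TimeGenerated": f"2026-03-10T21:{m:02d}:{s:02d}Z", "OperationName": "wipe ManagedDevice", "Identity": "admin@example.com"}
    for m, s in ((3, 10), (3, 25), (3, 40), (4, 5), (4, 30), (5, 0))
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_wipe(event: dict) -> bool:
    """True for any operation whose name mentions a wipe (case-insensitive)."""
    return "wipe" in event.get("OperationName", "").lower()


def find_wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return {identity: peak_count} for every actor that issued at least
    `threshold` wipe operations inside any `window`-long span.

    Uses a sliding window per actor, so a steady trickle of wipes spread
    over a day does not alert, but a tight cluster does."""
    per_actor: dict[str, list[datetime]] = {}
    for event in events:
        if is_wipe(event):
            per_actor.setdefault(event["Identity"], []).append(parse_ts(event["TimeGenerated"]))

    alerts: dict[str, int] = {}
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end, current in enumerate(times):
            # Advance the window start until it fits inside `window`.
            while current - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[actor] = max(alerts.get(actor, 0), count)
    return alerts


if __name__ == "__main__":
    for actor, peak in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} issued {peak} wipes within 10 minutes")
```

In practice the threshold should be tuned to the size of the device fleet and the normal rate of lost-device wipes, and an alert on this condition is worth routing to the SIEM/SOAR integration mentioned above.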

Stryker's experience is a reminder that administrative tools can be double-edged swords.

Organizations must treat Intune and other endpoint management platforms as critical attack surfaces, securing access, auditing activity, and planning recovery.
Because once a wipe command is issued, there's no undo button.
