Problem solve Get help with specific problems with your technologies, process and projects.

Configure Windows Mobile devices to local wipe after failed logons

Learn how to configure security policies on a Windows Mobile device to local wipe Exchange Server data after several failed logon attempts have occurred.

Excessive failed logon attempts may signal that a wireless device has been lost or stolen -- a serious security risk. Find out how to configure your Windows Mobile 5 and 6 devices for local wiping, so they automatically destroy their data after a specified number of failed logons.

Most security policies for Windows Mobile devices are what I call "scorched-earth" policies. Essentially, an Exchange administrator remote wipes a mobile device to mitigate a specific security risk, such as a lost or stolen device. All Exchange Server data is completely erased when a wireless device is "wiped clean."

You can trigger a remote wipe of a mobile device through Exchange Server 2007 and Outlook Web Access (OWA) 2007, but that presumes the wireless device will contact the Exchange server at some point.

It makes sense to allow mobile devices to wipe themselves when certain prerequisite conditions are met,

More information on securing Exchange mobile devices:

The Exchange Server ActiveSync Web Administration Tool

Mobile messaging enhancements in Exchange 2003 SP2

Exchange ActiveSync tips and tutorials

Exchange Mobile Device Management Learning Guide

How to secure mobile devices in Exchange Server 2007

Mobile Device Management Reference Center
such as a specified number of failed personal identification number (PIN) entries or incorrect password attempts. This mobile security feature is called a local wipe.

Windows Mobile 5 and 6 devices have provisions for performing local wipes. However, this setting is not enabled by default, and for good reason. Discovering that your Windows Mobile device has committed digital suicide after you messed up your fifth attempt to punch in your PIN can be aggravating -- especially if you didn't know such a policy was in place to begin with.

But if your organization wants to implement this additional layer of security around Windows Mobile devices, it can be done -- with a little work.

  • First, the Password Required Policy (security policy ID 4131), a Windows Mobile security policy setting, must be enabled for the device in question.
  • Next, a registry entry has to be set on the mobile device to enable this feature. In HKLM\Comm\Security\Policy\LASSD, create the decimal key DeviceWipeThreshold and set it to any positive number. This number will be the number of incorrect password logon attempts to allow before the device's memory is wiped. This setting is also available in the Device Security Settings dialog box in the Exchange Management Console.

NOTE: In Windows Mobile 4, this function did not erase any external memory on the device, such as an SD card or other plug-in memory device. However, Windows Mobile 6 devices will erase external memory cards as well.

About the author: Serdar Yegulalp is editor of Windows Insight, a newsletter devoted to hints, tips, tricks, news and goodies for all flavors of Windows users.

Do you have comments on this tip? Let us know.

Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for

Dig Deeper on Outlook management