Completely lock down a laptop

JrFD2121 1 Reputation point
2022-11-09T17:18:22.41+00:00

I'm tasked with figuring out a way to completely lock down a laptop in the event that an employee goes rogue, or the device cannot be recovered. What this should accomplish is preventing any access to the BIOS and removing login capabilities, but the machine should maintain internet connectivity. The laptop will essentially be bricked. Although, this should be reversible in case the laptop can be retrieved. Are there any resources I can look over to learn how to do this? These laptops are registered in Intune and have Azure tenant accounts connected to them. Each device has Windows 10, but the model varies. I'm not too well versed with PowerShell but I'm willing to learn. Are there any books on PowerShell that can point me in the right direction? Any Microsoft learning pathways on Azure/Intune that can point me in the right direction? I have a couple of weeks to figure out a solution, so time isn't of the essence. Any help is greatly appreciated, thank you.

Tags: Windows 10 Security, Microsoft Intune Configuration

2 answers

  1. Jason Sandys 31,311 Reputation points Microsoft Employee
    2022-11-09T18:58:47.12+00:00

    There are no supported paths to do the above in the OS and many of your requirements are ultimately contradictory. If an organizational device is subject to compromise in any way, the proper and recommended path from the OS perspective is to wipe the device. Anything else is not feasible and/or does not meet what you've proposed above.

    1 person found this answer helpful.

  2. Pavel yannara Mirochnitchenko 12,621 Reputation points MVP
    2022-11-09T22:04:24.023+00:00

    A few things which you should consider or be aware of:

    • If your Encryption report looks good, you should feel safe that there will be no access to the data on the disk.
    • When you delete the device account, slowly everything becomes unresponsive for that user account and it will end up at the local admin account login screen. Wipe is surely better; it will factory reset the device.
    • By utilizing your vendor BIOS utilities, you could push down the BIOS configuration using a Win32 app, which would set an admin password and remove the option to boot from USB and optical media. That will turn the laptop into a brick unless they can override and clean the BIOS physically, which is much harder nowadays.
    1 person found this answer helpful.
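The first bullet above depends on the encryption report being trustworthy for the specific device. As an added example (not code from either answer or from Microsoft), the following PowerShell detection script checks on the endpoint itself what that report summarizes: the OS volume is fully encrypted with protection on, a TPM-backed key protector and a recovery password exist, Secure Boot is enabled, and fixed data volumes are also protected. It assumes Windows 10 with the built-in `BitLocker` and `SecureBoot` modules on a UEFI machine, run as SYSTEM the way Intune runs scripts; the exit-code convention (0 compliant, 1 not) is the one Intune detection scripts use.

```powershell
# Added example, not from the original answers: endpoint-side check of the
# protections the "Encryption report" summarizes. Exit 0 = compliant, 1 = not.
# Assumes Windows 10, UEFI firmware, BitLocker and SecureBoot modules present,
# and execution as SYSTEM (as Intune runs detection/remediation scripts).

$findings = [System.Collections.Generic.List[string]]::new()

# 1. OS volume must be fully encrypted and protection must be switched on
#    (a suspended volume reports FullyEncrypted but ProtectionStatus Off).
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
if ($os.VolumeStatus -ne 'FullyEncrypted') {
    $findings.Add("OS volume status is '$($os.VolumeStatus)', expected FullyEncrypted")
}
if ($os.ProtectionStatus -ne 'On') {
    $findings.Add("BitLocker protection is '$($os.ProtectionStatus)' (suspended or off)")
}

# 2. A TPM-based protector (Tpm, TpmPin, TpmStartupKey, ...) ties the key to
#    this hardware; a RecoveryPassword protector is what gets escrowed to Azure AD.
$types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
if (-not ($types -match '^Tpm')) {
    $findings.Add("No TPM-based key protector; found: $($types -join ', ')")
}
if ($types -notcontains 'RecoveryPassword') {
    $findings.Add("No recovery password protector (nothing to escrow to Azure AD)")
}

# 3. Secure Boot must be on. Confirm-SecureBootUEFI throws on legacy BIOS
#    or unsupported firmware, which is itself a finding.
try {
    if (-not (Confirm-SecureBootUEFI)) { $findings.Add("Secure Boot is disabled") }
} catch {
    $findings.Add("Secure Boot state unavailable (legacy BIOS or not supported)")
}

# 4. Fixed data volumes should be protected too, not only the OS drive.
Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'Data' -and $_.MountPoint -ne $env:SystemDrive } |
    ForEach-Object {
        if ($_.ProtectionStatus -ne 'On') {
            $findings.Add("Data volume $($_.MountPoint) is not protected")
        }
    }

if ($findings.Count -eq 0) {
    Write-Output "Compliant: OS drive encrypted, TPM protector present, Secure Boot on"
    exit 0
}
Write-Output ("Non-compliant: " + ($findings -join '; '))
exit 1
```

Run it locally from an elevated prompt to read the findings, or deploy it as the detection half of an Intune script package so non-compliant devices surface before any "lock down" decision is made. The third bullet (BIOS admin password and boot-device restrictions) is deliberately not in this example: each vendor ships its own configuration utility and the settings are not exposed through a common Windows cmdlet.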
