Completely lock down a laptop

I'm tasked with figuring out a way to completely lock down a laptop in the event that an employee goes rogue, or the device cannot be recovered. What this should accomplish is preventing any access to the BIOS and removing login capabilities, but the machine should maintain internet connectivity. The laptop will essentially be bricked. Although, this should be reversible in case the laptop can be retrieved. Are there any resources I can look over to learn how to do this? These laptops are registered in Intune and have Azure tenant accounts connected to them. Each device has Windows 10, but the model varies. I'm not too well versed with PowerShell but I'm willing to learn. Are there any books on PowerShell that can point me in the right direction? Any Microsoft learning pathways on Azure/Intune that can point me in the right direction? I have a couple of weeks to figure out a solution, so time isn't of the essence. Any help is greatly appreciated, thank you.

2 answers

Jason Sandys, Microsoft Employee, 2022-11-09T18:58:47.12+00:00

There are no supported paths to do the above in the OS and many of your requirements are ultimately contradictory. If an organizational device is subject to compromise in any way, the proper and recommended path from the OS perspective is to wipe the device. Anything else is not feasible and/or does not meet what you've proposed above.
Pavel yannara Mirochnitchenko, MVP, 2022-11-09T22:04:24.023+00:00

A few things which you should consider or be aware of:
- If your Encryption report looks good, you should feel safe that there will be no access to the data on the disk.
- When you delete the device account, slowly everything becomes unresponsive for that user account and it will end up at the local admin account login screen. A wipe is surely better; it will factory reset the device.
- By utilizing your vendor BIOS utilities, you could push down the BIOS configuration using a Win32 app, which would set an admin password and remove the option to boot from USB and optical media. That will turn the laptop into a brick unless they can override and clean the BIOS physically, which is much harder nowadays.
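The first bullet above relies on the encryption state actually being what the Intune report says it is. As an added example (not code from either answer or from Microsoft), here is a detection script in the style of an Intune remediation package that verifies that state on the endpoint itself, using the built-in BitLocker PowerShell module; it assumes it runs elevated (for example as SYSTEM) on Windows 10, and the exit-code convention (0 = compliant, 1 = non-compliant) is the one Intune detection scripts use.

```powershell
# Added example (not from the thread): verify the BitLocker state that the
# "Encryption report" bullet relies on. Assumes elevated execution on Windows 10
# with the BitLocker module present. Exit 0 = compliant, 1 = non-compliant.

$findings = @()

# Only fixed volumes matter here; removable media is out of scope.
$volumes = Get-BitLockerVolume |
    Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' }

foreach ($v in $volumes) {
    # ProtectionStatus 'On' means the key protectors are active. A volume that is
    # fully encrypted but has protection suspended still exposes its data.
    if ($v.ProtectionStatus -ne 'On') {
        $findings += "$($v.MountPoint): protection is $($v.ProtectionStatus)"
    }

    # Anything short of FullyEncrypted leaves plaintext sectors on the disk.
    if ($v.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "$($v.MountPoint): volume status is $($v.VolumeStatus) " +
                     "($($v.EncryptionPercentage)% encrypted)"
    }

    # A RecoveryPassword protector is what makes the lockdown reversible later,
    # provided it has been escrowed to Azure AD / Intune.
    $hasRecovery = $v.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $hasRecovery) {
        $findings += "$($v.MountPoint): no RecoveryPassword protector"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'Compliant: all fixed volumes fully encrypted with active protection'
    exit 0
}
else {
    # Intune surfaces this line as the detection output for the device.
    Write-Output ($findings -join '; ')
    exit 1
}
```

Run it locally in an elevated PowerShell session first to confirm the output before packaging it for Intune.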