Windows Autopilot – Preventing Stolen Devices From Being Beused
In the event of a Windows 10 device being lost or stolen, what’s preventing someone resetting or re-imaging the device in order to have full use of the device? A managed device should be protected with all data and the company network protected. The device would be locked with a password or pin and all drives encrypted. In the event a device is lost/stolen the device can be remotely wiped or restarted and the user would have to enter the password / pin to unlock it. However without the correct security measures there would be nothing stopping someone re-imaging the device and configuring the device with an offline account.
However there are Windows 10 restrictions profiles and settings within Autopilot that can be configured to protect the device from reuse.
- Require users to connect to network during device setup
Once a device has this restriction profile applied it requires users to connect to network during device setup.
2. Hide change account options
On the autopilot profile ensure that Hide change account options is set. This will stop the user having the ability to configure the device with a local account instead.
What is interesting is that this setting is applied as a UEFI variable on a device, so even if a device is re-imaged this setting will be carried forward.
Another consideration would be to use a Device Firmware Configuration Interface restriction to lock users out of the device firmware / UEFI. This could also be used to limit the device boot options, disabling external and network boot media.
Author: Cathal Henry – Senior Solution Architect