Let’s discuss the Adaptiva whitepaper on the top 10 best practices for Windows 10 OSD with SCCM.
ConfigMgr/SCCM Operating System Deployment (OSD) is a huge topic. Because it is so complex, there is a lot to consider, especially in environments where security matters more than usual. The points below are the ones to think about.
Restrict access to the ConfigMgr console and to OSD media. Only the people who need them should have access.
If someone gained unauthorized access to your environment, they could deploy task sequences to your computers, causing accidental data loss and system outages, and they could discover sensitive information such as the account credentials and volume licensing keys that ConfigMgr/SCCM uses for OSD tasks.
Top 10 Best Practices on Windows 10 OSD with Configuration Manager (ConfigMgr/SCCM)
Use the built-in ConfigMgr security roles, such as Operating System Deployment Manager, and create custom security roles where necessary, so that only designated OSD users have access and can deploy only to specific collections.
The last thing we want is someone who shouldn’t have OSD access causing problems, whether on purpose or because they use features they don’t understand. Deploying a task sequence to a collection such as All Systems is a big deal if it is targeted wrongly.
Collection Variables
Be careful with collection variables. Any administrator who can read them may be able to see sensitive information stored there.
State Migration Points
There is no way to limit how much data a machine stores on a state migration point (SMP). An attacker’s machine could therefore consume all of the disk space on the SMP and cause a denial of service.
Block the Client Certificate If Compromised
If you discover that a client certificate (which is required to deploy an OS) has been compromised, revoke it if it is a PKI certificate, and also block it in the ConfigMgr console. If you do not block it, attackers could impersonate a ConfigMgr client and download policies, which can contain sensitive information.
Don’t Enable Command Support on your Production Boot Images
With Command Support enabled, you can press F8 to open a Command Prompt if a machine build fails, so you can troubleshoot and read smsts.log. It is a security risk: an attacker at the keyboard potentially gains access to your network, and the variables in the task sequence environment can contain sensitive data.
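To make the collection-variable and Command Support points above actionable, here is an added audit script (not from the whitepaper or the HTMD post). It assumes the ConfigMgr console’s PowerShell module is loaded and the current location is the site drive (the site code is a placeholder), and it uses the EnableLabShell boot image property and the Name/IsMasked properties of collection variables, which are assumptions taken from the SMS_BootImagePackage and SMS_CollectionVariable classes.

```powershell
# Added example: audit boot images for Command Support and flag collection
# variables that look like credentials. Run from the site drive, e.g.
#   Set-Location "PS1:"   # "PS1" is a placeholder site code

function Get-BootImageWithCommandSupport {
    # EnableLabShell (assumed name) is the property behind the console's
    # "Enable command support (testing only)" checkbox.
    Get-CMBootImage | Where-Object { $_.EnableLabShell -eq $true } |
        Select-Object Name, PackageID, Version
}

function Disable-BootImageCommandSupport {
    param([Parameter(Mandatory)][string[]]$PackageId)
    foreach ($id in $PackageId) {
        # Changing the flag regenerates the boot image, so target only
        # production images after reviewing the report.
        Set-CMBootImage -Id $id -EnableCommandSupport $false
    }
}

function Find-SuspectCollectionVariable {
    param([string]$Pattern = 'pass|pwd|secret|key|token|licen')
    # Collection variables are readable by anyone with rights on the collection,
    # so an unmasked variable whose name suggests a secret deserves review.
    Get-CMDeviceCollection | ForEach-Object {
        $coll = $_
        Get-CMDeviceCollectionVariable -CollectionName $coll.Name -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $Pattern -and -not $_.IsMasked } |
            ForEach-Object {
                [pscustomobject]@{ Collection = $coll.Name; Variable = $_.Name }
            }
    }
}

# Report only. Uncomment the last line to remediate once the list has been reviewed.
Get-BootImageWithCommandSupport | Format-Table -AutoSize
Find-SuspectCollectionVariable | Format-Table -AutoSize
# Get-BootImageWithCommandSupport | ForEach-Object { Disable-BootImageCommandSupport -PackageId $_.PackageID }
```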
Protect the Client Authentication Certificate during its Capture
If attackers obtained the client authentication certificate, they could impersonate a valid client on your network, because they would hold the certificate’s private key.
Do Not Grant the Network Access Account (NAA) Excessive Rights
The NAA only needs the “Access this computer from the network” right on the distribution points or other servers that hold package content the machine needs to access.
Do Not Re-use the Account Configured as the NAA
Ideally, client computers use the NAA only when they cannot use the local computer account to access content on DPs. Do not configure the account used for the NAA as any of the following:
- Capture Operating System Image Account
- Task Sequence Editor Domain Joining Account
- Task Sequence Run As Account
Configure a unique account for each of those instead!
Whitepaper on Top 10 Best Practices on Windows 10 OSD with SCCM ConfigMgr from Adaptiva – here
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Anoop
I am interested in Windows deployment automation options for Windows 7, Windows 8 and Windows 10.
We need to configure the IP and hostname remotely for Windows 7/8.1/10 preloaded on new PC/laptop installations.