SCCM Download Whitepaper on Top 10 Best Practices Windows 10 OSD

Let’s discuss the SCCM Download Whitepaper on Top 10 Best Practices Windows 10 OSD.

ConfigMgr/SCCM Operating System Deployment (OSD) is a huge topic. Because it is so complex, there is a lot to consider, especially in environments where security matters most. Things to consider:

Restrict access to the ConfigMgr Console and Media. Grant access only to the users who genuinely need it.

If someone gained unauthorized access to your environment, they could deploy Task Sequences to your computers, resulting in accidental data loss, system outages, and the disclosure of sensitive information such as account credentials and volume licensing keys used by ConfigMgr/SCCM for OSD tasks.

SCCM Download Whitepaper on Top 10 Best Practices Windows 10 OSD - Fig.1

Top 10 Best Practices on Windows 10 OSD with Configuration Manager (ConfigMgr)

Use the built-in ConfigMgr Security Roles, such as Operating System Deployment Manager, and, if necessary, custom security roles to ensure that only the intended OSD users have access and that they can deploy only to specific collections.

The last thing we want is people who should not have OSD access causing problems, whether on purpose or because they are using features they do not understand. If they deploy to a Collection like All Systems, or to any other wrongly targeted Collection, the impact is severe.

Collection Variables

Be careful with the use of collection variables. Administrators who can view them could read any sensitive information stored in them.

State Migration Points

There is no way to limit the amount of data a machine stores on a state migration point (SMP). An attacker-controlled machine could therefore consume all of the disk space on the SMP, causing a denial of service.

Block the Client Certificate If Compromised

If you discover that the client certificate (which is required to deploy an OS) has been compromised, revoke it if it is a PKI certificate, and also block it in ConfigMgr. If it is not blocked, attackers could impersonate a ConfigMgr Client and download Policies, which can contain sensitive information.

Don’t Enable Command Support on your Production Boot Images

With Command Support enabled, you can press F8 to start a Command Prompt if a machine build fails, so you can troubleshoot and look at smsts.log. However, it is a security risk: an attacker with physical access to the machine potentially has access to your network, and access to the variables in the Task Sequence environment, which can hold sensitive data.
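As an added audit example (not code from the whitepaper or this post), the following PowerShell lists every boot image in the site and flags those with Command Support enabled; it assumes the ConfigMgr console is installed locally, that the site code is PS1, and that the SMS Provider runs on the local site server.

```powershell
# Added example: audit boot images for Command Support (the F8 shell).
# Assumptions: ConfigMgr console installed (module under $env:SMS_ADMIN_UI_PATH),
# site code 'PS1', SMS Provider on the local server. EnableLabShell is the
# SMS_BootImagePackage property behind "Enable command support (testing only)".

$SiteCode = 'PS1'   # assumption: replace with your site code

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $env:COMPUTERNAME | Out-Null
}
Set-Location "$($SiteCode):"

# One row per boot image, with the command-support flag normalised to a boolean
$findings = foreach ($img in Get-CMBootImage) {
    [pscustomobject]@{
        PackageID      = $img.PackageID
        Name           = $img.Name
        CommandSupport = [bool]$img.EnableLabShell
    }
}

$findings | Sort-Object CommandSupport -Descending | Format-Table -AutoSize

# Warn on every image where the F8 shell is available to whoever is at the keyboard
$risky = @($findings | Where-Object CommandSupport)
if ($risky.Count -gt 0) {
    Write-Warning ("{0} boot image(s) have Command Support enabled; review and disable it on production images:" -f $risky.Count)
    $risky | ForEach-Object { Write-Warning ("  {0}  {1}" -f $_.PackageID, $_.Name) }
    # Remediation after review, run deliberately per image:
    # Set-CMBootImage -Id <PackageID> -EnableCommandSupport $false
}
```

Run it from a console account with read access to boot images; the remediation line is left commented so that production images are only changed after review.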

Protect the Client Authentication Certificate during its Capture

If attackers obtained the Client Authentication Certificate, they could impersonate a valid Client on your network, because they would hold the Private Key belonging to the certificate.

Do Not Grant the Network Access Account (NAA) Excessive Rights

The NAA needs the "Access this computer from the network" user right on any Distribution Points or other servers that hold package content the machine needs to access; it should be granted nothing beyond that.

Do Not Re-use the Account Configured as the NAA

Ideally, Client computers use the NAA only when they cannot use their own computer account to access content on DPs. Do not configure the account used for the NAA as any of these:

Do not re-use the account configured as the NAA for:
Capture Operating System Image Account
Task Sequence Editor Domain Joining Account
Task Sequence Run As Account
SCCM Download Whitepaper on Top 10 Best Practices Windows 10 OSD – Table 1

Configure a unique account for each of those instead.

Download

Download the Whitepaper on Top 10 Best Practices on Windows 10 OSD with SCCM ConfigMgr from Adaptiva here.


Author

Anoop C Nair is a Microsoft MVP. He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
