
I am looking for a way to make domain-joined Windows 7 laptops brick themselves after 90 days of no-contact with a domain controller. I do not want the laptop to wipe itself or anything severe like that. Ideally, I would just like it to display an error message and refuse logons until the computer is brought back on campus and has a chance to do updates, SCCM pushes, GPO refresh, etc.

A solution that requires help desk intervention is fine, as long as it only affects computers that have been offline (I don't want the help desk having to touch every laptop every 90 days if they're here on-site).

The reason is that we have a significant problem with disappearing laptops around here. It's not that they are missing; employees are simply checking them out and then never bringing them back. We have a few dozen computers that we can't find, many of which have not been seen on the network for more than a year. Several people have multiple laptops checked out in their name.

I would also prefer a solution that has a pretense of plausible deniability built into it so that we can make the argument that it's a standard security best practice and resist pressure to exempt people from the policy.

We already make employees sign an appropriate use policy that requires them to notify IT if a laptop gets lost or stolen. It also mandates disciplinary action if an employee fails to turn over equipment when requested by IT. The problem is that upper management folks are the biggest abusers, and they're mostly above the law. The absence of enforcement from our executive team has created a corporate culture wherein managers and directors act like a "free" computer -- with built-in "free" tech support -- is part of their benefits package.

A computer was recently brought into the help desk because it basically exploded after the user powered it up in their office and it downloaded two years' worth of missing updates and SCCM packages.

Since we can't go the low-tech route of spanking people for not following the rules, we're stuck with using technology to force the issue. We just need laptops to check in on a semi-regular basis so we can track them.

Wes Sayeed
  • Sounds like this is much more of an inventory tracking and HR problem than it is a technical problem. – EEAA Dec 08 '15 at 23:02
  • We already have an asset management system and all the laptops have property tags with a standard Win7 image. I can't fix the culture problem from where I sit. – Wes Sayeed Dec 08 '15 at 23:09
  • Disable cached credentials and force users to connect to your VPN in order to log in and use the machines. – EEAA Dec 08 '15 at 23:13
  • "I would also prefer a solution that has a pretense of plausible deniability built into it so that we can make the argument that it's a standard security best practice and resist pressure to exempt people from the policy." You can pretend that asset management via some time-bomb scheme is best practice, but it's not even close. – Jim B Dec 08 '15 at 23:17
  • @EEAA: I was thinking the same thing, but I think that would ultimately be untenable. I can think of many cases where a user would need to log on and work without being connected. I can't think of any other way, though. – joeqwerty Dec 08 '15 at 23:35
  • @joeqwerty Yah, I know. This needs to be solved by HR and management. If they're enabling this behavior, they can pay the price for X number of "lost" laptops every year. Eventually they'll figure it out. – EEAA Dec 08 '15 at 23:36
  • Agreed. It really is a people problem. – joeqwerty Dec 08 '15 at 23:40
  • Our organization uses Computrace (or whatever they call themselves now). Pretty sure that if you initiate anything with them (or with anyone, if all you have is an IP address), it will result in being treated as a criminal action, especially with a big institution. – Eddie Dunn Dec 08 '15 at 23:54
  • Not an answer to the question, but this shop sounds like it is in dire need of a chargeback system to account for all of this abuse of IT resources. – blaughw Dec 09 '15 at 04:12
  • In addition to what EEAA said, get notebooks with a TPM chip, encrypt them, and lock the BIOS with a password. That will make it harder to use the hardware, too, at least for most people. – Daniel Dec 09 '15 at 06:25
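As an added example that is not part of the question or any of the comments, the following PowerShell report lists domain computer accounts that have not contacted a domain controller within the 90-day window the question describes, which gives the inventory view the asker wants without a time-bomb on the client. It assumes the RSAT ActiveDirectory module is installed, the caller can read the domain, and the laptops sit under an OU whose distinguished name is a placeholder below.

```powershell
# Added example, not from the question or its comments: report computer accounts
# whose last DC contact is older than a threshold, via the ActiveDirectory module.
param(
    [int]$StaleDays = 90,
    [string]$SearchBase = 'OU=Laptops,DC=example,DC=com'   # placeholder DN, adjust
)

Import-Module ActiveDirectory

# lastLogonTimestamp is replicated between DCs but is only refreshed when the old
# value is roughly 14 days old (msDS-LogonTimeSyncInterval), so treat the result
# as "silent for at least N days", not as an exact last-contact time.
$now    = Get-Date
$cutoff = $now.AddDays(-$StaleDays)

$computers = Get-ADComputer -Filter { Enabled -eq $true } `
    -SearchBase $SearchBase `
    -Properties lastLogonTimestamp, pwdLastSet, operatingSystem, managedBy

$stale = foreach ($c in $computers) {
    # Both attributes are Windows FILETIME values; accounts that never logged on
    # carry 0 or $null, which the report treats as "never seen".
    $lastLogon = if ($c.lastLogonTimestamp) { [DateTime]::FromFileTime($c.lastLogonTimestamp) } else { $null }
    $pwdSet    = if ($c.pwdLastSet)         { [DateTime]::FromFileTime($c.pwdLastSet) }         else { $null }

    # The machine account password rotates (30 days by default) only while the
    # machine can reach a DC, so a stale pwdLastSet corroborates a stale logon stamp.
    if (-not $lastLogon -or $lastLogon -lt $cutoff) {
        [pscustomobject]@{
            Name            = $c.Name
            OperatingSystem = $c.operatingSystem
            LastDcContact   = $lastLogon
            PasswordLastSet = $pwdSet
            DaysSilent      = if ($lastLogon) { [int]($now - $lastLogon).TotalDays } else { $null }
            ManagedBy       = $c.managedBy
        }
    }
}

$stale | Sort-Object DaysSilent -Descending | Format-Table -AutoSize
```

Run it from a management host on a schedule and hand the output to the help desk; it only names machines that have actually been off the network, so on-site laptops never need to be touched.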
