Ask them to list the specific things that "might" occur to cause the problem 
they speak of.

And ask them to list the average probability of each one occurring.

If you are a hospital or government agency where something so negligible could 
be catastrophic in terms of liability if it occurred, you are better off 
implementing a configuration verification and audit platform because there are 
a lot more problems to be worried about with configuration (such as web facing 
servers) than certain desktop GPOs applying or not.

That kind of platform, meaning a configuration verification and audit platform, 
can solve all those problems.

Why is the consultant fixated only on the minor GPO issue and not the larger 
realm of issues that can occur?

Sincerely,
Jim Aloye

From: [email protected] [mailto:[email protected]] On 
Behalf Of Ramirez, Christopher
Sent: Thursday, February 11, 2016 5:12 PM
To: [email protected]
Subject: [MDT-OSD] RE: Adding GPO to reference image

They are concerned there will be a problem with applying GPO and there might be 
an instance where a device goes through the imaging process but fails to apply 
the appropriate GPO restrictions.

I tried to explain to them the improbability of that scenario. This is a 
consultant firm (Protiviti) pushing for these changes.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Aloye, Jim
Sent: Thursday, February 11, 2016 3:29 PM
To: [email protected]<mailto:[email protected]>
Subject: [MDT-OSD] RE: Adding GPO to reference image

Are they concerned a stand-alone machine might be imaged up and exit the 
building without ever being connected to the domain? What is driving their 
question exactly? We image up stand-alone machines for a number of different 
off-site tasks so we lock those down very tightly as part of the OS build/image 
using a number of different methods since those machines will never connect to 
or operate as domain workstations. Local Policy (local version of group policy) 
is one of the ways we control the security of those machines in addition to some 
others.

Sincerely,
Jim Aloye

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Ramirez, Christopher
Sent: Thursday, February 11, 2016 3:59 PM
To: [email protected]<mailto:[email protected]>
Subject: [MDT-OSD] Adding GPO to reference image

Security has asked me about hardening our base image by adding our AD GPO 
settings to the reference WIM file.

I think this is unnecessary as GPO comes down as soon as the device is joined 
to the domain during the SCCM TS.

I was unable to find any articles discussing this approach.

Anyone have thoughts on why adding the same GPOs applied by AD locally to the 
reference image is a good or bad idea?


Christopher Ramirez
CHRISTUS Health
AI Client Device
Engineer II - Team Lead
(210) 703 - 2981


CONFIDENTIALITY NOTICE:  Confidential information, such as identifiable patient 
health information or business information, is subject to protection under 
state and federal law.  If you are not the intended recipient of this message, 
you may not disclose, print, copy or disseminate this information.  If you have 
received this in error, please reply and notify the sender (only) and delete 
the message.  Unauthorized interception of this e-mail is a violation of 
federal criminal law.
