Forum Discussion

Eric_Logsdon
Copper Contributor
Oct 14, 2024

Locking a computer from use

Our company is going completely remote. We will be providing a hardware setup for our employees to be used at home (laptop, monitor, printer, scanner, etc.). When an employee leaves the company, we would like to render the laptop "inoperable". I don't necessarily want to remove the OS. I would just like to keep the user from logging on and remove any data.


The computer will be managed by Intune and Entra joined. Would disabling the user logon and doing a "wipe" of the computer be sufficient (the users will not have any admin privileges.)? Most of the work will be done on Azure Virtual Desktop.


Thanks,

Eric


  •
    micheleariis
    Steel Contributor

    Hi Eric_Logsdon, for your scenario, where you're transitioning to a remote work setup and want to secure company devices (especially laptops) when an employee leaves, using a combination of Microsoft Intune and Azure Active Directory (Entra ID) is an effective approach. Here's a plan that addresses your concerns about rendering the laptop inoperable, while still maintaining control over the device:


    - Disable user access so they cannot log in to the device.
    - Remove company data from the device.
    - Preserve the OS but render the device unusable or easily recoverable for future use.


    Recommended Approach


    Disabling User Logon:

    - Since the devices are Azure AD Joined and managed through Intune, you can disable the user's access remotely.
    - In Azure AD (Entra ID), disable the user account or remove their sign-in capabilities. This will prevent them from logging into their company-issued laptop.
    - You can do this by going into the user's account in Entra and either blocking sign-in or removing the device from the user's allowed devices.

    Wiping the Device:

    - Intune's "Wipe" feature is a perfect fit here. This feature can reset the device to factory settings while removing company data and applications, making the device usable again if needed for another employee.
    - You can initiate a Selective Wipe or Full Wipe based on your requirements:
      - Selective Wipe: Removes company data and policies while leaving personal data intact (if personal data is allowed).
      - Full Wipe: Resets the device to its factory default settings, effectively erasing all data, including the OS configuration.
    - To ensure the device is still managed after the wipe, use Autopilot Reset in Intune. This allows the device to be wiped and set up for another employee while keeping it enrolled in Intune for future management.

    Removing Data on Azure Virtual Desktop:

    - Since most of the work is being done on Azure Virtual Desktop (AVD), data should not be stored locally on the laptop. AVD hosts data and applications in the cloud, so removing access to AVD automatically secures the majority of your sensitive data.
    - You can revoke their access to AVD directly from Azure, and the user's sessions will be terminated. Any data they were working on in the AVD environment will no longer be accessible once their account is disabled.

    Remote Lock (Optional):

    - Another option you can explore is the Remote Lock command in Intune. This will lock the device immediately and can be used as a temporary solution while you initiate the wipe process.

    Additional Considerations:

    - No Admin Privileges: Since employees don't have administrative rights, they can't bypass these security measures. They can't uninstall Intune or modify critical system settings that could prevent you from enforcing these actions.
    - Encryption: Make sure the devices are using BitLocker encryption (this can be enforced via Intune). This ensures that even if someone tries to access the device offline or removes the drive, data can't be retrieved without proper credentials.
    - Reassigning Devices: When you want to reassign the device to a new user, the Autopilot Reset feature in Intune will help you easily reset and reconfigure it for new employees while keeping it enrolled in the management platform.


    I hope I have helped you.
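The offboarding sequence described in the answer above (block sign-in, revoke sessions, remote lock, then wipe) in scripted form, added here as an example and not part of micheleariis's answer or of Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK, an admin account holding the listed Graph scopes, and a placeholder UPN in `$Upn`; it uses the Graph wipe action's keepEnrollmentData option as the scripted counterpart of keeping the device enrolled for reassignment, which is my assumption rather than the Autopilot Reset button the answer names.

```powershell
# Added example (not from the thread): offboard an Entra-joined, Intune-managed laptop.
# Order matters: block sign-in and revoke tokens first, because Remote Lock and Wipe
# only take effect when the device next checks in to Intune.
param(
    [Parameter(Mandatory)] [string] $Upn,   # departing user's UPN (placeholder)
    [switch] $DryRun                        # report what would be done, issue nothing
)

Import-Module Microsoft.Graph.Users, Microsoft.Graph.Users.Actions,
              Microsoft.Graph.DeviceManagement, Microsoft.Graph.DeviceManagement.Actions

Connect-MgGraph -Scopes 'User.ReadWrite.All',
                        'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All' | Out-Null

# 1. Block sign-in in Entra ID (also cuts AVD access, since AVD authenticates via Entra).
# 2. Revoke refresh tokens: a blocked account can otherwise keep using tokens it already
#    holds until they expire, so this is the step that ends existing sessions promptly.
if (-not $DryRun) {
    Update-MgUser -UserId $Upn -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $Upn | Out-Null
}
Write-Host "Sign-in blocked and sessions revoked for $Upn"

# 3. Find every Intune-managed device enrolled to this user.
$devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$Upn'"
if (-not $devices) { Write-Warning "No managed devices found for $Upn"; return }

foreach ($d in $devices) {
    Write-Host ("Device {0} ({1}, id {2})" -f $d.DeviceName, $d.OperatingSystem, $d.Id)
    if ($DryRun) { continue }

    # 4. Remote Lock: stops use at next check-in while the wipe is pending.
    Invoke-MgRemoteLockDeviceManagementManagedDevice -ManagedDeviceId $d.Id

    # 5. Wipe. KeepEnrollmentData keeps the device enrolled so it can be reassigned;
    #    KeepUserData:$false removes all local data (BitLocker, enforced by policy,
    #    protects whatever is on the disk until the wipe actually lands).
    Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id `
        -KeepEnrollmentData:$true -KeepUserData:$false
}
```

Run with `-DryRun` first to confirm the filter returns only the expected laptop; the wipe is irreversible once the device checks in.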

    •
      Eric_Logsdon
      Copper Contributor

      micheleariis, Thank you. That is exactly what I had in mind. Simple, but effective. It's nice to get validation on the process I was considering.


      Thanks again.
