Hi all,
I have a question about system lockdown.
For a small homeshoring project we want to use system lockdown on laptops so people can only start programs we allowed in the fingerprint.
So what we did:
- Install a laptop with all the applications the agents need to use to do their work.
- Use checksum.exe to create a file fingerprint from this system.
- Create a new group in SEPM, make a new policy for system lockdown with the file fingerprint, move the laptops to this group.
It all worked pretty great until today. We made exclusions so Windows Update can run. We applied a new Windows update that changed about 18000 regkeys :) After that the laptops were all bricked, totally unusable :) IE can't be started, even the SEP client didn't start.
From my perspective:
What went wrong: Windows Update changed files / file paths, the file fingerprint did not have these new locations in its list, so the executables were denied to run. So for every new Windows update: disable system lockdown, make a new file fingerprint, import it, right?
Some other questions:
Can I use the same file fingerprint / policy on different hardware, as long as the software that needs to run is the same?
Is there a way to 'unbrick' bricked devices? Will uninstalling SEP fix it? I think a new Windows install is needed because almost nothing will start and the SEP services can't be stopped or removed :)
Thanks,
Levd
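
An added example, not part of the original post and not Symantec's tooling: a Python script that compares a fingerprint list taken before an update with one taken after it on a reference machine, listing the executables the old list no longer covers. It assumes each line of the list is a hex hash followed by the full file path; the sample lists, hashes and the agentapp path are constructed.

```python
import re

# Assumed line format: "<hex hash> <full path>", one file per line.
LINE = re.compile(r"^\s*([0-9a-fA-F]{32,64})\s+(.+?)\s*$")

# Constructed sample lists (hashes are placeholders, not real file hashes).
BASELINE = r"""
11111111111111111111111111111111 c:\program files\internet explorer\iexplore.exe
22222222222222222222222222222222 c:\windows\system32\notepad.exe
33333333333333333333333333333333 c:\program files\agentapp\agent.exe
"""
CURRENT = r"""
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa c:\program files\internet explorer\iexplore.exe
22222222222222222222222222222222 c:\windows\system32\notepad.exe
33333333333333333333333333333333 c:\program files (x86)\agentapp\agent.exe
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb c:\windows\system32\newtool.exe
"""

def parse_fingerprint(text):
    """Return {lowercased path: lowercased hash}; skip blank or malformed lines."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            entries[m.group(2).lower()] = m.group(1).lower()
    return entries

def lockdown_gaps(baseline_text, current_text):
    """Classify files in the current list that differ from the baseline list."""
    baseline = parse_fingerprint(baseline_text)
    current = parse_fingerprint(current_text)
    known_hashes = set(baseline.values())
    gaps = {"changed": [], "new": [], "moved": []}
    for path, digest in sorted(current.items()):
        if digest in known_hashes:
            if path not in baseline:
                # Same content at a new location; reported separately because
                # whether it still runs depends on how the product matches entries.
                gaps["moved"].append(path)
            continue
        # Hash is absent from the baseline: replaced in place, or a new file.
        gaps["changed" if path in baseline else "new"].append(path)
    return gaps

if __name__ == "__main__":
    for kind, paths in lockdown_gaps(BASELINE, CURRENT).items():
        for p in paths:
            print(f"{kind:8} {p}")
```

Run against real lists, the output shows how much a patch changed before lockdown is switched back on with the refreshed list.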