Last week I posted my thoughts on security after reflecting on a common choice people make every day in the airport: charging your phone from a USB port versus a plain Edison plug. We make simple choices every day that affect our hardware and data security, and that got me thinking about how we in IT select hardware and software for our companies.
Let’s imagine a common IT scenario: you need to roll out new computers for your company. Choosing the right hardware is important and, as the recent chipset and Intel AMT vulnerabilities have demonstrated, a bit of a moving target. The question is not whether your hardware will ever become vulnerable, but how quickly your hardware and software vendors will respond once vulnerabilities are disclosed. To that end, it’s best to select business-class devices, whose vendors commit to publishing firmware and driver updates over a defined support period, and an Enterprise SKU of Windows, which gives you the full set of enterprise security and management features.
Security patches only help you if you actually keep your OS and software up to date, and this is one place where choosing the more secure option at deployment time is both simple and cheap: make sure the image you deploy always carries the latest security patches from every vendor involved. We recommend building your reference image in a virtual machine, because that is the simplest way to produce a single, hardware-independent image that you can keep current. As a matter of routine, run OS and software updates and re-capture the VM regularly, so that every device starts life with the latest updates when it reaches an employee. One practical caveat: take a snapshot of the VM before you run Sysprep /generalize and capture it, then revert to that snapshot for the next patch cycle instead of updating the already-generalized image, so you are always patching a clean reference rather than re-generalizing a sealed one. And remember that a current image only covers day one; the deployed machines still need to keep patching afterward through whatever update mechanism you use in production.
Major Windows 10 version updates (such as Version 1709) complicate this a bit. Installing a feature update in place leaves stale Windows Update files behind and grows the VM, so when a new version ships it is generally cleaner and more reliable to start a fresh VM from the latest OS media from Microsoft.
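As an added example (not part of the original post), here is the kind of pre-capture gate a practitioner would run on the reference VM: it uses the Windows Update Agent COM API to install everything still pending, loops because some updates only appear after others are installed, refuses to call the VM ready while a reboot is outstanding, and then cleans the component store so superseded update payloads do not bloat the captured image. The function and variable names are my own; the COM objects, registry keys and DISM switches are standard Windows ones.

```powershell
# Pre-capture gate for the reference VM (added example, not from the original post).
# Run elevated on the reference VM before you snapshot, Sysprep and capture it.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

function Get-PendingUpdates {
    # Software updates that are not yet installed and not hidden by an administrator
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    return $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
}

function Test-PendingReboot {
    # The three places Windows records an outstanding reboot
    $cbs  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wua  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $smgr = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    return (Test-Path $cbs) -or (Test-Path $wua) -or ($null -ne $smgr.PendingFileRenameOperations)
}

function Install-PendingUpdates {
    param([int]$MaxPasses = 5)   # some updates only show up after others are installed
    $session = New-Object -ComObject Microsoft.Update.Session
    for ($pass = 1; $pass -le $MaxPasses; $pass++) {
        $pending = @(Get-PendingUpdates)
        if ($pending.Count -eq 0) { return $true }
        Write-Host ("Pass {0}: {1} update(s) pending" -f $pass, $pending.Count)

        $batch = New-Object -ComObject Microsoft.Update.UpdateColl
        foreach ($u in $pending) {
            Write-Host "  $($u.Title)"
            if (-not $u.EulaAccepted) { $u.AcceptEula() }
            [void]$batch.Add($u)
        }

        $downloader = $session.CreateUpdateDownloader()
        $downloader.Updates = $batch
        [void]$downloader.Download()

        $installer = $session.CreateUpdateInstaller()
        $installer.Updates = $batch
        $result = $installer.Install()
        # OperationResultCode: 2 = succeeded, 3 = succeeded with errors
        if ($result.ResultCode -notin 2, 3) {
            throw "Update installation failed with OperationResultCode $($result.ResultCode)"
        }
        if ($result.RebootRequired) {
            # Whatever is still pending must be re-evaluated after the reboot
            return $false
        }
    }
    return (@(Get-PendingUpdates).Count -eq 0)
}

$clean = Install-PendingUpdates
if (-not $clean -or (Test-PendingReboot)) {
    Write-Warning 'Reboot the VM and run this script again; do not capture yet.'
    exit 1
}

# Nothing pending: drop superseded component-store files so stale update payloads
# do not end up in the captured image. /ResetBase makes the installed updates
# permanent (no longer uninstallable), which is what you want in a golden image.
& Dism.exe /Online /Cleanup-Image /StartComponentCleanup /ResetBase
if ($LASTEXITCODE -ne 0) { throw "DISM cleanup failed with exit code $LASTEXITCODE" }

Write-Host 'Reference VM is fully patched. Snapshot it, then Sysprep /generalize and capture.'
```

The script deliberately exits non-zero rather than rebooting or running Sysprep itself, so it can be wired into whatever build automation you use as a hard gate: a capture that starts while `Install-PendingUpdates` returns false or `Test-PendingReboot` returns true bakes a half-applied update into every machine you deploy.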
Let’s talk security software. Some antivirus and antimalware applications can be preinstalled on the reference VM and will survive capture, Sysprep, and deployment without issue. Others embed client-specific identifiers (for example a per-machine agent ID that would otherwise be cloned onto every device you deploy) or interfere with Sysprep, so test each product to find the right way to deploy and update it at deployment time. It is often possible to run a silent, unattended installation as a scripted task during deployment, or to have Group Policy run the installer automatically once the device joins your Active Directory domain. While you are in Group Policy, also enable BitLocker recovery key escrow to Active Directory, and turn BitLocker on with a deployment-time task using the manage-bde command-line utility. Be aware that escrow only happens automatically if the policy is already in effect when the recovery protector is created, so on a freshly joined machine either refresh policy first or back the recovery password up explicitly afterward, and check that it actually arrived. That way, if any of your hardware is lost or stolen, your data stands a much better chance of being inaccessible to whoever ends up with it.
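The deployment-time BitLocker task described above, written out as an added example (not the original post's code): it checks the preconditions escrow depends on, adds a TPM protector and a recovery password with manage-bde, turns BitLocker on, and then forces and verifies the Active Directory backup instead of assuming the GPO took care of it. It assumes C: is the OS drive, a ready TPM, and a domain-joined machine; the `HKLM:\SOFTWARE\Policies\Microsoft\FVE` value names are the ones the BitLocker recovery GPO writes; `Invoke-ManageBde` and `Test-AdEscrowPolicy` are helper names of my own; the BitLocker PowerShell module cmdlets are used only to read state.

```powershell
# Deployment-time BitLocker task (added example, not from the original post).
# Assumes a ready TPM, a domain-joined machine, and C: as the OS drive.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$OsDrive = 'C:'   # assumed OS drive letter

function Invoke-ManageBde {
    # manage-bde reports failures through its exit code, not a terminating error
    param([string[]]$ArgumentList)
    & manage-bde.exe @ArgumentList | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($ArgumentList -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Test-AdEscrowPolicy {
    # Values written by the GPO "Choose how BitLocker-protected operating system drives
    # can be recovered" when "Save BitLocker recovery information to AD DS" and
    # "Do not enable BitLocker until recovery information is stored to AD DS" are set.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    return ($null -ne $fve) -and ($fve.OSActiveDirectoryBackup -eq 1) -and ($fve.OSRequireActiveDirectoryBackup -eq 1)
}

# Preconditions: escrow needs a domain, sealing the key needs a usable TPM
if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    throw 'Not domain-joined; recovery key escrow to AD DS would fail.'
}
if (-not (Get-Tpm).TpmReady) {
    throw 'TPM is not ready; provision it first or use a password/startup-key protector instead.'
}

# On a freshly joined machine the policy may not have applied yet; pull it now so
# BitLocker escrows the key at creation time rather than relying only on the manual backup below.
& gpupdate.exe /target:computer /force | Out-Null
if (-not (Test-AdEscrowPolicy)) {
    Write-Warning 'AD DS escrow policy not in effect; a manual backup will be forced after enabling.'
}

$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Invoke-ManageBde @('-protectors', '-add', $OsDrive, '-tpm')
    Invoke-ManageBde @('-protectors', '-add', $OsDrive, '-recoverypassword')
    # -skiphardwaretest starts encryption now instead of after a verification reboot
    Invoke-ManageBde @('-on', $OsDrive, '-skiphardwaretest')
} elseif ($vol.ProtectionStatus -eq 'Off') {
    # Already encrypted but protectors suspended (e.g. by a firmware update task): resume them
    Invoke-ManageBde @('-protectors', '-enable', $OsDrive)
} else {
    Write-Host "$OsDrive is already protected; skipping enable."
}

# Escrow every recovery-password protector explicitly and fail loudly if it does not land in AD DS
$recovery = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) { throw 'No recovery password protector found; nothing to escrow.' }
foreach ($kp in $recovery) {
    Invoke-ManageBde @('-protectors', '-adbackup', $OsDrive, '-id', $kp.KeyProtectorId)
    Write-Host "Recovery password $($kp.KeyProtectorId) backed up to AD DS."
}

Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

The explicit `-adbackup` at the end is the part worth keeping even if you trust the GPO: it turns "the key should be in AD" into a step that fails the task when it is not, which is exactly the check you want before the laptop leaves the building.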
These are just a few of the small choices you can make at deployment time to get your computers and employees started on the most secure footing.