We have a big environment (40,000+ machines) with some unencrypted PCs we cannot find. A few machines will not “take” the encryption package, but still report to BigFix… They seem to be on autologon, so they could be in a basement closet with no screen for all I know… We have popped BigFix messages, forced reboots, built a little exe that BigFix deploys and does both a scheduled reboot and an annoying top-most “call us” message all day. Nothing doing… Some machines just cannot be located and are not compliant, or their user is ignoring us. What would you recommend to a) disable them temporarily until they contact the help desk or b) worst case, actually break them to force a reimage? Delete a specific OS file and reboot, I imagine? Not your typical request, well intentioned, but I understand if there’s some hesitancy to respond. Still, we can’t be alone in this; it could apply to stolen PCs too…
Well, I suggest not breaking the computers in such a way that forces a reimage; that seems like asking for trouble and a call to the CIO’s office.
You could disable autologon, and then change permissions such that users cannot log on to them. If they are in use, that should prompt a call to the HD without doing anything too severe or irreversible.
Can you trace the MAC address on your network? Ask the network admins to pull ARP tables from the switches and see where the MAC address is… this of course only works if you have network admins that have control of managed switches…
Disabling the network interface, or turning on the firewall and dropping all traffic except for BigFix, would work too and is reversible.
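The firewall variant of that suggestion, as an added example that is not part of the original thread: it uses the built-in Windows Firewall (NetSecurity cmdlets, Windows 8/Server 2012 and later) to drop all outbound traffic except what the BigFix client sends to its relay, and includes the reversal. The relay address, the BESClient.exe install path and the rule group name are assumptions; 52311 is the default BigFix port. Run it elevated or as SYSTEM from a BigFix action.

```powershell
# Added example (not from the original thread): quarantine a non-compliant host
# so only the BigFix client can reach its relay, and undo it later.
$RelayHost = '10.0.0.5'                                                   # assumed relay address
$RelayPort = 52311                                                        # BigFix default port
$BesClient = 'C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe'  # assumed path
$RuleGroup = 'Quarantine-NonCompliant'                                    # assumed group name

function Enable-Quarantine {
    # Allow the client binary to talk to the relay, keep DNS so relay names resolve,
    # then make every profile drop any other outbound traffic by default.
    New-NetFirewallRule -DisplayName 'Quarantine: BESClient to relay' -Group $RuleGroup `
        -Direction Outbound -Program $BesClient -RemoteAddress $RelayHost `
        -Protocol TCP -RemotePort $RelayPort -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName 'Quarantine: DNS' -Group $RuleGroup `
        -Direction Outbound -Protocol UDP -RemotePort 53 -Action Allow | Out-Null
    Set-NetFirewallProfile -All -Enabled True -DefaultOutboundAction Block -DefaultInboundAction Block
}

function Disable-Quarantine {
    # Restore the normal outbound default and remove only the rules we added.
    Set-NetFirewallProfile -All -DefaultOutboundAction Allow
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

function Test-Quarantine {
    # $true when every profile blocks outbound by default and our relay rule exists;
    # useful as the relevance check for a BigFix analysis.
    $profiles = Get-NetFirewallProfile
    $blocked  = ($profiles | Where-Object { $_.DefaultOutboundAction -ne 'Block' }).Count -eq 0
    $hasRule  = [bool](Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue)
    return ($blocked -and $hasRule)
}

# Usage: Enable-Quarantine ; Test-Quarantine   # later: Disable-Quarantine
```

Two things to check before sending this as an action: a domain firewall GPO will reapply its own default actions and rules at the next refresh, so the quarantine either has to be carried by the GPO or the machine has to be in an OU the GPO does not touch; and the predefined "Core Networking" allow rules stay enabled, so in a default configuration the DHCP lease still renews.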
One option would be to change the User Rights Assignments such that their autologon account cannot log on (using secedit.exe for example). You could create a new account with a password known only to your admins, and leave it as the only account that can log on, then reboot it.
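The secedit.exe approach from the post above, worked through as an added example that is not the poster's own code: it turns off autologon, creates a local recovery account, and rewrites the "Allow log on locally" right so that only BUILTIN\Administrators (and therefore the recovery account) can sign in; the autologon account, which normally gets that right through BUILTIN\Users, is refused at the next boot. The account name and the working directory are assumptions, and the password is prompted for rather than embedded. Run it elevated.

```powershell
# Added example (not from the original thread): disable autologon and restrict
# interactive logon to Administrators plus a help-desk recovery account.
$Winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$RescueUser = 'hd-rescue'                               # assumed account name
$Work       = Join-Path $env:SystemRoot 'Temp\lockout'  # assumed scratch directory

function Disable-AutoLogon {
    # Winlogon reads these values at boot; clearing them ends the unattended logon
    # and removes the clear-text DefaultPassword from the registry as well.
    Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon -Value '0'
    foreach ($v in 'DefaultPassword', 'AutoLogonCount') {
        Remove-ItemProperty -Path $Winlogon -Name $v -ErrorAction SilentlyContinue
    }
}

function New-RescueAccount([securestring]$Password) {
    # Create the recovery account once and make it a local admin; return its SID.
    if (-not (Get-LocalUser -Name $RescueUser -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $RescueUser -Password $Password -PasswordNeverExpires `
            -Description 'Help desk recovery account' | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member $RescueUser
    }
    return (Get-LocalUser -Name $RescueUser).SID.Value
}

function Set-InteractiveLogonRight([string[]]$Sids) {
    # secedit applies User Rights Assignments from a Unicode .inf template.
    # SeInteractiveLogonRight is "Allow log on locally"; listing only these SIDs
    # replaces the default set, which includes BUILTIN\Users (S-1-5-32-545).
    New-Item -ItemType Directory -Path $Work -Force | Out-Null
    $inf  = Join-Path $Work 'logon.inf'
    $db   = Join-Path $Work 'logon.sdb'
    $list = ($Sids | ForEach-Object { "*$_" }) -join ','
    @(
        '[Unicode]'
        'Unicode=yes'
        '[Version]'
        'signature="$CHICAGO$"'
        'Revision=1'
        '[Privilege Rights]'
        "SeInteractiveLogonRight = $list"
    ) | Set-Content -Path $inf -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }
    Remove-Item $inf, $db -Force -ErrorAction SilentlyContinue
}

# Usage: S-1-5-32-544 is BUILTIN\Administrators; the rescue account is a member.
$pw  = Read-Host -AsSecureString "Password for $RescueUser"
$sid = New-RescueAccount -Password $pw
Disable-AutoLogon
Set-InteractiveLogonRight -Sids 'S-1-5-32-544', $sid
# Restart-Computer -Force   # the autologon account is refused at the next boot
```

On a domain-joined PC, a GPO that defines "Allow log on locally" will overwrite this right at the next policy refresh, so either set the restriction through Group Policy for those computer objects or confirm no such GPO applies before relying on it.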
If you want to get more firm, you could send an action to use diskpart.exe to set all of the disk partitions to “Not Active”. That doesn’t destroy the drive, but does prevent it from booting until someone boots from a WinPE disk and sets the partition back to Active (bootable) again.
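The diskpart.exe step described above, as an added example rather than code from the poster: it finds the partition that currently carries the active flag on the boot disk and writes a diskpart script that clears it. The caveat a practitioner needs is that the active flag exists only on BIOS/MBR disks; on UEFI/GPT systems diskpart has no "inactive" command to run, so the function refuses instead of doing something else. The scratch directory is an assumption. Run it elevated or as SYSTEM.

```powershell
# Added example (not from the original thread): clear the active flag on the
# boot partition so the PC stops booting until a technician restores it from WinPE.
$Work = Join-Path $env:SystemRoot 'Temp'   # assumed scratch directory

function Get-ActiveBootPartition {
    # Locate the boot disk and the MBR partition that currently carries the active flag.
    $disk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1
    if (-not $disk) { throw 'No boot disk found.' }
    if ($disk.PartitionStyle -ne 'MBR') {
        throw "Boot disk $($disk.Number) is $($disk.PartitionStyle); there is no active flag to clear."
    }
    $part = Get-Partition -DiskNumber $disk.Number | Where-Object { $_.IsActive } | Select-Object -First 1
    if (-not $part) { throw "No active partition on disk $($disk.Number)." }
    return [pscustomobject]@{ Disk = $disk.Number; Partition = $part.PartitionNumber }
}

function Set-BootPartitionFlag {
    # $Flag is 'inactive' to stop booting, 'active' to restore it. The same script
    # is what the technician runs from WinPE, with the numbers supplied by hand.
    param(
        [ValidateSet('active', 'inactive')][string]$Flag,
        [int]$Disk,
        [int]$Partition
    )
    $script = Join-Path $Work "diskpart-$Flag.txt"
    @(
        "select disk $Disk"
        "select partition $Partition"
        $Flag
        'exit'
    ) | Set-Content -Path $script -Encoding ASCII
    $out = & diskpart.exe /s $script
    Remove-Item $script -Force
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed: $out" }
    return $out
}

# Usage: record the numbers in the ticket first, then clear the flag and reboot.
$target = Get-ActiveBootPartition
Write-Host "Boot disk $($target.Disk), partition $($target.Partition) (keep this for recovery)"
Set-BootPartitionFlag -Flag inactive -Disk $target.Disk -Partition $target.Partition
# Restart-Computer -Force
```

Keep the disk and partition numbers with the incident record: once the flag is cleared, nothing on the disk marks which partition to reactivate, and the WinPE recovery is simply the same three diskpart lines with `active` in place of `inactive`.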
If you have a license for OS Deployment and Bare Metal Imaging (comes with the BigFix Lifecycle Management license), you could reimage the machines with a new OS.
You could maybe create an IPsec policy file that blocks internet access and use BigFix to import it to those systems that are non-compliant with company requirements (it’s amazing how quickly people contact IT when they can’t access social networking). I can’t offer any advice on how to create the IPsec policy files (a quick Google, however, gave an MS TechNet article that may help, https://technet.microsoft.com/en-us/library/cc730656(v=ws.11).aspx), but if you have the file, you could enable/disable policies via the actions below.
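Since the post above leaves the policy file itself as an exercise, here is an added example (not the poster's, and not the BigFix actions they refer to) of building one with the legacy `netsh ipsec static` context: a catch-all block filter plus a more specific permit filter for the BigFix relay, exported to a file that can be distributed and then imported and assigned on each target. IPsec chooses the most specific matching filter, which is why the relay permit wins over the block. The relay address, the policy and file names are assumptions; 52311 is the default BigFix port. Run it elevated.

```powershell
# Added example (not from the original thread): build, export, assign and
# unassign a local IPsec policy that blocks everything except the BigFix relay.
$Relay      = '10.0.0.5'                                   # assumed relay address
$RelayPort  = 52311                                        # BigFix default port
$PolicyName = 'BlockExceptBigFix'                          # assumed policy name
$PolicyFile = 'C:\Windows\Temp\BlockExceptBigFix.ipsec'    # assumed export path

function New-BlockPolicy {
    # Filter lists: "AllTraffic" (blocked) and "BigFixRelay" (permitted).
    & netsh ipsec static add policy "name=$PolicyName" "description=Quarantine"
    & netsh ipsec static add filterlist "name=AllTraffic"
    & netsh ipsec static add filter "filterlist=AllTraffic" "srcaddr=me" "dstaddr=any" "protocol=ANY" "mirrored=yes"
    & netsh ipsec static add filterlist "name=BigFixRelay"
    & netsh ipsec static add filter "filterlist=BigFixRelay" "srcaddr=me" "dstaddr=$Relay" `
        "protocol=TCP" "srcport=0" "dstport=$RelayPort" "mirrored=yes"
    & netsh ipsec static add filteraction "name=BlockAction"  "action=block"
    & netsh ipsec static add filteraction "name=PermitAction" "action=permit"
    & netsh ipsec static add rule "name=BlockAll"   "policy=$PolicyName" "filterlist=AllTraffic"  "filteraction=BlockAction"
    & netsh ipsec static add rule "name=AllowRelay" "policy=$PolicyName" "filterlist=BigFixRelay" "filteraction=PermitAction"
    # The exported file is what you hand to BigFix to push to the non-compliant machines.
    & netsh ipsec static exportpolicy "file=$PolicyFile"
}

function Enable-BlockPolicy {
    # On a target: load the policy from the distributed file and assign it (takes effect at once).
    & netsh ipsec static importpolicy "file=$PolicyFile"
    & netsh ipsec static set policy "name=$PolicyName" "assign=y"
    if ($LASTEXITCODE -ne 0) { throw "Assigning $PolicyName failed" }
}

function Disable-BlockPolicy {
    # Unassign to restore connectivity; the policy stays on the machine for reuse.
    & netsh ipsec static set policy "name=$PolicyName" "assign=n"
}

function Get-AssignedPolicy {
    # Shows which local IPsec policy, if any, is currently assigned.
    return (& netsh ipsec static show policy "name=$PolicyName" "level=verbose")
}

# Usage on the authoring machine: New-BlockPolicy ; on a target: Enable-BlockPolicy
# To release: Disable-BlockPolicy
```

Because the policy has no exemptions beyond the relay, DNS and DHCP renewal are also blocked; if the relay is addressed by name, add a permit filter for UDP 53 to your resolvers, and on DHCP networks add one for UDP 67/68 or accept that the lease will not renew while the machine is quarantined. Only one local IPsec policy can be assigned at a time, and a domain IPsec policy takes precedence over the local one.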