Whatever policies are applied to an endpoint can be easily bypassed by only rebooting in SAFEMODE. I know it was designed that way by Microsoft, and it’s not COMODO’s concern.
Additionally, CESM will also include an Internet/Browsing filter in the future.
Again, this could be bypassed by using SAFEMODE with network.
Could it be possible to add an option into ESM Server that restricts the SAFEBOOT option, so the end-user cannot boot in any of those 2 options (with and without network), just as devices such as USB, optical and Floppy can be restricted?
reason is that your standard EP (endpoint) user is
a) unlikely to reboot into Safe Mode
b) unlikely to know what SafeMode is or what it is for
and that
c) if your users are booting into SafeMode you have bigger problems than ESM can solve for you
and that
d) admins need to boot into SafeMode occasionally and those admins are likely to be the ESM admins anyway
so, while restricting rebooting into SafeMode will be a nice-to-have, in the grander scheme of things that can ruin your day, it is not that high in the list.