Whatever policies are applied to an endpoint can be easily bypassed just by rebooting in SAFEMODE. I know it was designed that way by Microsoft, and it’s not COMODO’s concern.
Additionally, CESM will also include an Internet/Browsing filter in the future.
Again, this could be bypassed by using SAFEMODE with network.
Could it be possible to add an option into ESM Server that restricts the SAFEBOOT option, so the end-user cannot boot in any of those 2 options (with and without network), just as devices such as USB, optical and Floppy can be restricted?
You’re making a good point here, but let me note that you have to be a local administrator to do some serious harm even in SAFEMODE.
We will add your suggestion to the customer wishlist pool.
Thank you! I will be tracking this post to see when it would be applied.
What would be the status of this?
The status is still pending…
The reason is that your standard EP (endpoint) user is
a) unlikely to reboot into Safe Mode
b) unlikely to know what SafeMode is or what it is for
c) if your users are booting into SafeMode you have bigger problems than ESM can solve for you
d) admins need to boot into SafeMode occasionally and those admins are likely to be the ESM admins anyway
So, while restricting rebooting into SafeMode will be a nice-to-have, in the grander scheme of things that can ruin your day, it is not that high on the list.