in this case, the main (actually the only) reason to use SBL is to allow users to log on to the domain first time from a new laptop, without the cached credentials. the customer also uses folder redirection which must work during this first logon. But because the system scan does not run, the posture is uknown and they get restrictive ACL, which prevents folder redirection from working. We can't make the Non-compliant/uknown dACL more permissive to allow foder redirection as that would mean allowing access to file servers (where the folders reside). Ideally, we would check for things like registry kyes, files, AV, disc encryption before giving them more permissive dACL.
You also have to take into consideration of Mobile work force's password expiration if it applies, so SBL comes in handy without requiring them to come into the office to change the password or by some other means. However you also have to allow certain access for Drive mapping / gpo ( as was in our case ) or it takes forever for all the polices to fail before user gets authenticated and then re-exec of gpo.
Actually, the states/ levels of trust could be a good idea. The new laptops must have machine cert and have a posture module installed as part of the build so if the user is uknown it can only mean that the system scan did not run initially, most likely because of the SBL.
We could try to restrict it futher but creating an AD group for the "new laptop users" so that only these users can can have a less restrictive dACL with uknown posture, if necessary.
This would prevent a user from moving the machine cert to a diffrent non-corp laptop and trying to log in from it.
What do you think?
OK understood. Unfortunately not possible since we only run in user space and that’s where all of the other systems run as well I believe.
You can ask for an enhancement by reaching out to our product managers
You could have machine auth have some basic sort of trust, this would help some?
State 1 Machine auth + unknown
State 2 user auth + unknown
State 3 user auth + non-compliant (most restrictive?)
State 4 user auth + compliant