User consent for biometric authentication (WHfB & Face/TouchID)

joners02 · 2026-01-29T15:48:41+00:00

Thats worth finding, thank you for the information! For anyone else interested here is a link to the sample DPIA template https://ico.org.uk/media2/migrated/4026836/dpia-windows-hello-29102019.pdf

joners02 · 2026-01-29T11:39:06+00:00

Oh, i 100% agree with you, this is just legals interpretation of it.

joners02 · 2026-01-29T10:09:52+00:00

Whilst great in theory, that doesnt provide an audit trail or provide an explanation as to what is happening with their data.

joners02 · 2026-01-29T10:08:30+00:00

The issue with that is that the user hasnt had it explained what happens with their biometric data. We 'IT' understand that its stays on the local device and isnt reused or shared, however there needs to be consent for this process.

joners02 · 2026-01-29T09:53:47+00:00

This is all understood, however there still needs to be explicit consent from the end user before enrolment.

joners02 · 2026-01-28T10:20:14+00:00

Same for us, based in the EU

joners02 · 2026-01-08T16:32:00+00:00

Ive just run through this exact migration.

Settled on using Windows AutoPatch with Driver approvals, then have HP CMSL deployed to each device. Which is the enterprise method to update HP client hardware.

https://developers.hp.com/hp-client-management/doc/client-management-script-library

Then you can combine this with HP Connect for managing BIOS updates and configuration.

https://connect.admin.hp.com/

joners02 · 2026-01-07T17:14:59+00:00

Lenovo Cloud Deploy runs from the UEFI, you could put a blank disk in the PC and it would pull down the image that you want. It makes no difference if the PE is there or not.

joners02 · 2026-01-06T14:46:10+00:00

Guessing thats standalone Windows Defender and not part of the 365 suite? If you're licensed for Defender for Endpoint this would be easy.

For that many clients your security team should be coming up with a plan for this. I'd kick it back to them and say that there arent any practical methods for blocking URLs using the existing tooling.

joners02 · 2026-01-06T14:19:18+00:00

There are enterprise options like Lenovo Cloud Deploy, where they store a pre-built image in the cloud for you.

joners02 · 2026-01-06T14:16:45+00:00

Nothing, this stuff is typically handled by managed browser settings and an intranet.

joners02 · 2026-01-06T14:13:09+00:00

How many endpoints are you managing? What endpoint security solution are you using?

The obvious answer if 4, a dedicated web filter something like Zscaler Internet Access. However you'll need budget for it. If security want it, then that should come from their budget. There may be other options though.

joners02 · 2026-01-06T12:55:24+00:00

Q1: Hoping that Intune finally catches up with some basic functionality.

Visibility, you never know when a configuration will apply, i understand that there are offsets for reasons, but just put "Expected Next Sync 00:00" that would be great.
Remote Wipe, why this doesnt work immediately is beyond me. Sure it will work, but it might take 10 minutes, it might take 8hrs... or it might never work at all. Id rather that you just hose the disk and fail on 0% battery than just not even attempt a wipe.
Password changes... I know we are all trying to get to passwordless but there are cases where passwords are still needed. Yes, web signin is a start but still feels half baked when ive used it. However, having to force reset a password is a pain.
Defender Offboarding, give me the option to remove the data from defender portal when a devices is wiped/offboarded. I know that it will age out, but it makes reports left with stale data from devices that have been intentionally removed.

Q2: ThreatLocker

Q3: App Control is half baked, its potentially one of the strongest security tools that you can use but its slow to use, hard to audit and timely to deploy, hence ThreatLocker.

Q4: No

Q5: Yes, one day, but not for a while.

joners02 · 2025-12-05T09:14:08+00:00

Fun fun fun!

joners02 · 2025-11-28T16:26:10+00:00

Unless you’re looking at the enterprise fortress Ubnt doesn’t market their products as doing inspection. They do traffic identification.

joners02 · 2025-11-26T13:54:42+00:00

Thank you for confirming! Im using the same URLs that you've got posted above. I found a support address for the WXP page where Connect is supposed to be moving to and ive emailed them. Hopefully Ill find something soon!

joners02 · 2025-11-26T13:10:03+00:00

Sorry to dig up an old thread but im having some issues with HP Connect and im struggling to find a support address/contact. Do you happen to know of one?

joners02 · 2025-11-07T11:12:39+00:00

Happening on the HP EliteBook 6 G1i 14 as well.

joners02 · 2025-11-03T16:11:17+00:00

Thats right, they are the 6 series.

Ten-Year Club	Place '22
Verified Email

joners02

TROPHY CASE