Skip to main content

Cornell University

Workstation Configuration (Endpoint Management Tools - Windows)

This article applies to: Endpoint Management Tools

On This Page

This page is intended for IT support professionals. End users should contact local IT support.

This page provides configuration information regarding hardware, software, and security standards for the Endpoint Management Tools service.


Endpoint Management Tools is designed to work best with certain standard hardware. We provide drivers for this hardware, and are able to test extensively using this hardware.

Other hardware MAY work, but, particularly with regard to operating system deployment, results may vary. No guarantees are made if you use non-standard hardware. See our Technical Requirements article for a list of standard hardware.


Operating systems and software are loaded in a "layered" configuration, with a small OS image with Office pre-installed, and then other software is automatically installed following the initial imaging. This allows a flexible, efficient environment where the same software is maintained both for initial installs and later deployments. "Task Sequences" are used to manage the order in which software is installed. There is a standard task sequence for Endpoint Management Tools. Customers can either use the Managed images, packages and task sequences, or create their own custom sequences, which allow units to install additional software packages.

Endpoint Management Tools Windows Software Library PDF: 
Endpoint Management Tools Windows Software Library
(For the most up-to-date list of packages please contact the Desktop Engineering team.)

Security Configuration

The Endpoint Management Tools standard OS image includes security features recommended by Cornell's IT Security Office. These include:

  • Firewall is on and configured for communication with management servers.
  • Administrator account is renamed and disabled.
  • Guest account is renamed and disabled.
  • Do not allow anonymous enumeration of SAM accounts and shares is enabled.
  • Send unencrypted password to third-party SMB servers is undefined (as opposed to disabled).
  • LAN Manager authentication level is set to Send NTLMv2 response only.
  • Deny log on locally is set to Guests and Cornell\AD Administrators.
  • Maximum Log Size is set to 20480 KB for event logs.
  • Audit logon events is set to Success,Failure.
  • Audit account logon events is set to Success,Failure.
  • Audit privilege use is set to Success,Failure.
  • Audit system events is set to Success,Failure.
  • Audit process tracking is set to Success,Failure.

Security (Firewall) Configuration Details


Endpoint Management Tools service includes System Center Endpoint Protection (SCEP). SCEP is the campus standard antivirus solution for Windows (following the retirement of SEP). See our Deploy SCEP article for the procedure units should follow. After deployment, a unit can run a number of reports via the Configuration Manager console.


Endpoint Management Tools works with many common peripherals. Currently there are no specific standards for peripherals. Peripheral management is done by local IT support at this time.


To share feedback about this page or request support, log in with your NetID

At Cornell we value your privacy. To view
our university's privacy practices, including
information use and third parties, visit University Privacy.