Remote Workforce, Policy for being on?
Posted by Normal-Difference230@reddit | sysadmin | 8 comments
Anyone on Internal IT, what is your policy if any for remote users having laptops and making sure they are...
1) Powered on weekly for 6-8 hours
2) Being Rebooted weekly
I feel like I am always chasing patches: is this fully patched, is that over there. Is it that the patches are failing, or is it that the user never turns on this laptop? How can I run meaningful patch reports for management if machines can be left off for days/weeks at a time?
Zablo100@reddit
I'm using Action1 for this. I schedule updates to run on some day of the week every x days. If the PC isn't online at that time, the update will run when it comes back online. After updating, users can choose whether they want to reboot now or delay it (max 9 hours). If a PC hasn't been online for the last 7 and 30 days, it will show up in my dashboard.
disposeable1200@reddit
I don't care
My policies force updates within two weeks of release
If the machine is offline it's not vulnerable
I provide two figures - total patched percentage and offline in 7 days and 30 days percentage
And we only report on this once a month and it goes into a managers report
Easy
Recent_Carpenter8644@reddit
Do you find that causes issues for the users when they finally turn them on? Some users will start forcing reboots if their computer is slow or doing a Windows update during startup.
Hot_Dragonfruit4039@reddit
Not our problem. Normally you should schedule update installation at the end of the shift: if 9 to 5, then patch installation should start at 4:30 and reboot by 5, else it will be automatically rebooted the next morning by the user when they turn it on.
Funny-Comment-7296@reddit
Combination of things. Apps are packaged so it pushes out updates in real time. Users can postpone them to an extent, depending on severity. Some things get flagged by vulnerability scans, which end up in someone's dashboard for mitigation. Probably the most challenging is less-technical users with JIT that install their own apps. The packaged version doesn't always include a full cleanup for versions it didn't install. Then we have to send someone in remotely to clean up the trash.
Buddhas_Warrior@reddit
Are you using an RMM or MD tool?
Normal-Difference230@reddit (OP)
RMM
Buddhas_Warrior@reddit
Which one? Do you have configuration policies set? We are using Intune with Conditional Access and set the device to grace period if they don't check in and are up to date.