This guide is intended for agencies moving towards a cloud-enabled infrastructure or who have people working remotely for extended periods. It focuses on managing updates for Windows machines for staff working from home. 

Context

Agencies are likely to have an increased number of people working remotely for the foreseeable future. Operating system and software updates can impose unnecessary load if these updates are channelled through agency networks.

This provides an opportunity for agencies to improve their cloud capability while addressing the immediate need for managing remote endpoints.

A cloud-enabled agency infrastructure consists of:

• cloud-based endpoint management
• cloud directory and identity federation services
• minimal customisation and restrictions on remote devices
• policy-based access controls.

Principles

• Reserve virtual private network (VPN) capacity for access to legacy applications that require it.
• Apply patches as they become available. Patch testing is unnecessary for the majority of non-critical endpoints.
• Ensure only cryptographically signed updates are permitted to run over the internet rather than through the VPN.

Similar principles apply to agencies using third party management tools or managing non-Windows endpoints.

Assumptions

This guide assumes that you already have:

• a functioning VPN capability
• secure end-user devices with a VPN client, host-based firewall and up-to-date anti-virus
• the ability to remotely manage end-user devices and push policy and configuration updates
• implemented inverse split tunnelling in line with the guide to optimising network traffic for cloud services.

See also:

Guide to optimising network traffic for cloud services

Managing Windows workstations

Microsoft products update traffic across agency networks by configuring inverse split tunnelling and Microsoft endpoint management tools.

1. Configure VPN inverse split tunnelling as described in the Guide to optimising network traffic for cloud services.
2. Make sure that the split tunnel configuration includes Microsoft’s software update and Office update servers.
   • Using Cloud Management Gateway
   • If you’re unable to deploy Cloud Management Gateway it’s possible to use on-premise Configuration Manager
3. Test that the split tunnel configuration is working using the Office 365 Network Onboarding tool
4. If you have people using unmanaged or personal devices for accessing Office 365 you can use Office Cloud Policy Service to create a more secure operating environment while working with Office 365 — Office Cloud Policy Service

See also:

• Forcing Configuration Manager VPN Clients to get patches from Microsoft Update — Mike Terrill
• Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager — Microsoft Tech Community
• Software update server URLs — Microsoft
• Configuring Office 365 ProPlus updates — Microsoft
• Network Onboarding Tool — Microsoft Office 365
• Helping businesses rapidly set up to work securely from personal PCs and mobiles — Microsoft
• How to secure your remote workers with Office Cloud Policy Service — Microsoft

Other considerations

Downloading operating system and software updates can consume a substantial amount of a household’s monthly internet traffic allowance. You’ll need to consider how you’ll ensure people working from home do not incur additional expense for this traffic.