Guide to managing updates on remote endpoints
Technical advice for agencies, IT managers and engineers managing workstations for people working remotely.
This guide is intended for agencies moving towards a cloud enabled infrastructure or who have people working remotely for extended periods. It focuses on managing updates for Windows machines for staff working from home.
Agencies are likely to have an increased number of people working remotely for the foreseeable future. Operating system and software updates can impose unnecessary load if these updates are channelled through agency networks.
This provides an opportunity for agencies to improve their cloud capability while addressing the immediate need for managing remote endpoints.
A cloud enabled agency infrastructure consists of:
- cloud based endpoint management
- cloud directory and identity federation services
- minimal customisation and restrictions on remote devices
- policy based access controls
To manage updates in that environment:
- Reserve VPN capacity for access to legacy applications that require it.
- Apply patches as they become available. Patch testing is unnecessary for the majority of non-critical endpoints.
- Let endpoints download updates directly over the Internet rather than through the VPN, and ensure only cryptographically signed updates are accepted.
Similar principles apply to agencies using third party management tools or managing non-Windows endpoints.
This guide assumes that you already have:
- a functioning VPN capability
- secure end-user devices with a VPN client, host-based firewall and up-to-date anti-virus
- the ability to remotely manage end-user devices and push policy and configuration updates
- implemented inverse split tunnelling in line with the Guide to Optimising Network Traffic for Cloud Services.
Managing Windows Workstations
Reduce Microsoft product update traffic across agency networks by configuring inverse split-tunnelling and using Microsoft endpoint management tools.
- Configure VPN inverse split-tunneling as described in the Guide to Optimising Network Traffic for Cloud Services.
- Make sure that the split-tunnel configuration includes Microsoft’s software update and Office update servers.
- Test that the split-tunnel configuration is working using the Office 365 Network Onboarding tool.
- If you have people using unmanaged or personal devices to access Office 365, you can use Office Cloud Policy Service to create a more secure operating environment for Office 365.
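As an added check for the steps above (example code, not from this guide or from Microsoft), the following PowerShell, run on a managed Windows endpoint while the VPN is connected, reports which interface each update host is routed over and whether Windows Update policy pins the client to an on-premises WSUS server or blocks Microsoft Update. The host names and the VPN adapter name 'Agency VPN' are assumptions; take the authoritative host list from Microsoft's software update server URLs page.

```powershell
# Added example, not part of this guide. Run in an elevated PowerShell session on a
# Windows 10/11 endpoint while the VPN is connected. Uses the DnsClient and NetTCPIP
# modules that ship with Windows.
# Illustrative update hosts (assumption): use Microsoft's published update server list.
$UpdateHosts = @(
    'windowsupdate.microsoft.com',
    'download.windowsupdate.com',
    'officecdn.microsoft.com'
)

function Test-UpdateTrafficPath {
    # Reports, per resolved address, which interface the host is routed over.
    # With inverse split tunnelling in place the Interface column should show the
    # physical adapter, not the VPN adapter, for every update host.
    param(
        [string[]]$Hosts = $UpdateHosts,
        [string]$VpnInterfaceAlias = 'Agency VPN'   # assumed VPN adapter name
    )
    foreach ($h in $Hosts) {
        $ips = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress
        if (-not $ips) {
            [pscustomobject]@{ Host = $h; Address = $null; Interface = 'unresolved'; ViaVpn = $null }
            continue
        }
        foreach ($ip in $ips) {
            # Find-NetRoute returns the source address and route Windows would use
            $alias = Find-NetRoute -RemoteIPAddress $ip |
                Select-Object -First 1 -ExpandProperty InterfaceAlias
            [pscustomobject]@{
                Host = $h; Address = $ip; Interface = $alias
                ViaVpn = ($alias -eq $VpnInterfaceAlias)
            }
        }
    }
}

function Test-UpdateSourcePolicy {
    # Reads the Windows Update policy values that would pin the client to a WSUS
    # server or block Microsoft Update; either defeats patching directly over the Internet.
    $wu  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $pol = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WsusServer               = $pol.WUServer
        UsesWsusOnly             = ($au.UseWUServer -eq 1)
        InternetLocationsBlocked = ($pol.DoNotConnectToWindowsUpdateInternetLocations -eq 1)
    }
}

Test-UpdateTrafficPath | Format-Table -AutoSize
Test-UpdateSourcePolicy
```

A row with ViaVpn set to True, or a policy result with UsesWsusOnly or InternetLocationsBlocked set to True, means that endpoint is still pulling updates through the agency network.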
Further reading
- Mike Terrill, Forcing Configuration Manager VPN Clients to get patches from Microsoft Update
- Microsoft Tech Community — Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager
- Microsoft — Software update server URLs
- Microsoft — Configuring Office 365 ProPlus updates
- Microsoft Office 365 — Network Onboarding Tool
- Microsoft — Helping businesses rapidly set up to work securely from personal PCs and mobiles
- Microsoft — How to secure your remote workers with Office Cloud Policy Service
Downloading operating system and software updates can consume a substantial amount of a household’s monthly Internet traffic allowance. You’ll need to consider how you’ll ensure people working from home do not incur additional expense for this traffic.