Patching laptops out of office
I'm wondering how people manage patching on laptops that are often out of the office. We've got KACE patching our desktops and laptops, and it's working well. We've got a Group Policy to disable Windows Updates, but when laptops are out of the office, they're not getting updates from KACE or Microsoft. We'd like laptops to be able to detect when there's no connection to KACE to use Windows Updates instead, but we're not sure how to do this (or if it's reasonably possible).
I tried setting up a Group Policy to disable Windows Updates if the KACE server can be pinged (using a WMI filter), and another one to enable Windows Updates if KACE can't be pinged. I found out with a bit of testing outside the network that Group Policies don't get updated when a Domain Controller can't be contacted (no surprise there, but it was worth testing).
Right now I'm thinking of exporting the registry setting for on-network and off-network computers from
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Then creating an Offline KScript which will import the correct settings based on whether KACE can be pinged or not. This seems like a bad hack, but I'm not sure how else to manage this.
What are other businesses doing to handle this issue?
(Side question: do Offline KScripts run later if the computer is off at the scheduled time? I don't see that explicit option for Offline KScripts.)
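
The registry switch described in the question, written out as an added example that is not part of the original post and is not KACE or Quest code. It assumes the Group Policy in question works through the `NoAutoUpdate` value under the AU key, and `kace.example.internal` is a placeholder hostname.

```powershell
# Added example (assumptions: placeholder host name, NoAutoUpdate is the value the GPO sets).
# Run elevated (e.g. as SYSTEM from a scheduled task or an offline script); it writes to HKLM.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$KaceHost = 'kace.example.internal',  # placeholder; use the appliance's real name
    [int]$Attempts = 3
)

$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Test-KaceReachable {
    param([string]$Name, [int]$Count)
    # Try several times so a single dropped ICMP reply does not flip the update source.
    for ($i = 0; $i -lt $Count; $i++) {
        if (Test-Connection -ComputerName $Name -Count 1 -Quiet) { return $true }
        Start-Sleep -Seconds 2
    }
    return $false
}

# NoAutoUpdate = 1: Automatic Updates off, KACE does the patching (on-network).
# NoAutoUpdate = 0: Automatic Updates on, Windows Update takes over (off-network).
$desired = if (Test-KaceReachable -Name $KaceHost -Count $Attempts) { 1 } else { 0 }

if (-not (Test-Path $AuKey)) {
    if ($PSCmdlet.ShouldProcess($AuKey, 'Create policy key')) {
        New-Item -Path $AuKey -Force | Out-Null
    }
}

# Read the current value; $null means the value has never been set.
$current = (Get-ItemProperty -Path $AuKey -Name NoAutoUpdate `
            -ErrorAction SilentlyContinue).NoAutoUpdate

if ($current -ne $desired) {
    if ($PSCmdlet.ShouldProcess($AuKey, "Set NoAutoUpdate=$desired")) {
        Set-ItemProperty -Path $AuKey -Name NoAutoUpdate -Value $desired -Type DWord
        Write-Output "NoAutoUpdate changed from '$current' to $desired"
    }
} else {
    Write-Output "NoAutoUpdate already $desired; nothing to do"
}
```

Run it with `-WhatIf` first to see the change it would make. The next Group Policy refresh on the domain rewrites this key, and a ping reply only shows that something answered at that name, so check which update source the laptop actually ends up using.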
2 Comments
I think somehow having Kace available even while not on site, in a secure way would be useful. What do others do in such a case? - itadder 6 years ago
https://support.quest.com/kace-systems-management-appliance/kb/118540/how-to-make-your-k1000-publicly-facing-k1000-integrity-test
and
https://support.quest.com/kace-systems-management-appliance/kb/114132/how-to-setup-external-dmz-connectivity-for-the-kace-sma - Channeler 6 years ago