03/14/2018 620 views
I'm wondering how people manage patching on laptops that are often out of the office. We've got KACE patching our desktops and laptops, and it's working well. We've got a Group Policy to disable Windows Updates, but when laptops are out of the office, they're not getting updates from KACE or Microsoft. We'd like laptops to be able to detect when there's no connection to KACE to use Windows Updates instead, but we're not sure how to do this (or if it's reasonably possible). 

I tried setting up a Group Policy to disable Windows Updates if the KACE server can be pinged (using a WMI filter), and another one to enable Windows Updates if KACE can't be pinged. I found out with a bit of testing outside the network that Group Policies don't get updated when a Domain Controller can't be contacted (no surprise there, but it was worth testing).

Right now I'm thinking of exporting the registry setting for on-network and off-network computers from
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Then creating an Offline KScript which will import the correct settings based on whether KACE can be pinged or not. This seems like a bad hack, but I'm not sure how else to manage this.

What are other businesses doing to handle this issue?

(Side question: do Offline KScripts run later if the computer is off at the scheduled time? I don't see that explicit option for Offline KScripts.)
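
The reachability-based toggle described in the question could look like the sketch below. This is an added example, not part of the original post and not KACE's own script. It assumes the on-network Group Policy disables updates through the `NoAutoUpdate` value under the AU key, and `kace.example.internal` is a placeholder hostname.

```powershell
# Added example. Run elevated (e.g. as SYSTEM from a scheduled script).
# Assumptions: $KaceHost is a placeholder; the GPO disables updates via NoAutoUpdate = 1.
param(
    [string]$KaceHost  = 'kace.example.internal',   # hypothetical hostname
    [int]   $PingCount = 2
)

$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-DesiredNoAutoUpdate {
    param([bool]$KaceReachable)
    # 1 = Automatic Updates disabled (KACE does the patching)
    # 0 = Automatic Updates enabled (Windows Update does the patching)
    if ($KaceReachable) { 1 } else { 0 }
}

# -Quiet returns $true/$false instead of ping result objects
$reachable = Test-Connection -ComputerName $KaceHost -Count $PingCount -Quiet
$desired   = Get-DesiredNoAutoUpdate -KaceReachable $reachable

# The policy key may not exist on a machine that never received the GPO
if (-not (Test-Path $auKey)) {
    New-Item -Path $auKey -Force | Out-Null
}

$current = (Get-ItemProperty -Path $auKey -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate

if ($current -ne $desired) {
    Set-ItemProperty -Path $auKey -Name NoAutoUpdate -Value $desired -Type DWord
    # Restart the Windows Update service so it re-reads the policy value
    Restart-Service -Name wuauserv -Force -ErrorAction SilentlyContinue
    Write-Output "KACE reachable: $reachable. NoAutoUpdate changed from '$current' to $desired."
}
else {
    Write-Output "KACE reachable: $reachable. NoAutoUpdate already $desired; no change."
}

# If the policy also sets UseWUServer (an internal update server), that value
# needs the same treatment or off-network clients will not reach Microsoft.
```

A successful ping only shows that some host answered for that name, so a stricter check (for example, reaching the appliance over HTTPS and validating its certificate) is a more reliable signal of being on the office network. The next Group Policy refresh on the domain network rewrites the key to the on-network setting.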


Comments

  • Just a suggestion: does this laptop have a VPN connection back to the office? If not, is there another secure way to always have the laptops connect to Kace while in the office or out?

    I think somehow having Kace available even while not on site, in a secure way would be useful. What do others do in such a case?
    • I would be careful with this, but check:

      https://support.quest.com/kace-systems-management-appliance/kb/118540/how-to-make-your-k1000-publicly-facing-k1000-integrity-test

      and

      https://support.quest.com/kace-systems-management-appliance/kb/114132/how-to-setup-external-dmz-connectivity-for-the-kace-sma
      • We briefly discussed allowing access to the K1000 over the Internet, but none of us on the team liked the idea.
    • Some of the laptops have VPN access, but not all of them need it, so we don't have the client installed on all of them. We don't want to give VPN access to people who don't have a need.
  • We have agent communication enabled from the Internet. We also allow access to the User Portal from the Internet (we use the Service Desk). However, we require VPN connection for the admin login. We have not had any serious problems with this configuration.

There are no answers at this time