Skip to main content

Guide to managing updates on remote endpoints

Technical advice for agencies, IT managers and engineers managing workstations for people working remotely.

This guide is intended for agencies moving towards a cloud enabled infrastructure or who have people working remotely for extended periods. It focuses on managing updates for Windows machines for staff working from home. 

Context

Agencies are likely to have an increased number of people working remotely for the foreseeable future. Operating system and software updates can impose unnecessary load if these updates are channelled through agency networks.

This provides an opportunity for agencies to improve their cloud capability while addressing the immediate need for managing remote endpoints.

A cloud enabled agency infrastructure consists of:

  • cloud based endpoint management
  • cloud directory and identity federation services
  • minimal customisation and restrictions on remote devices
  • policy based access controls.

Principles

  • Reserve VPN capacity for access to legacy applications that require it.
  • Apply patches as they become available. Patch testing is unnecessary for the majority of non-critical endpoints.
  • Ensure only cryptographically signed updates are permitted to run over the Internet rather than through the VPN.

Similar principles apply to agencies using third party management tools or managing non-Windows endpoints.

Assumptions

This guide assumes that you already have:

  • a functioning VPN capability
  • secure end-user devices with a VPN client, host-based firewall and up-to-date anti-virus
  • the ability to remotely manage end-user devices and push policy and configuration updates
  • implemented inverse split tunnelling in line with guide to optimising network traffic for cloud services.

See also:

Guide to Optimising Network Traffic for Cloud Services

Managing Windows Workstations

Microsoft product update traffic across agency networks by configuring inverse split-tunnelling and Microsoft endpoint management tools.

  1. Configure VPN inverse split-tunneling as described in the Guide to Optimising Network Traffic for Cloud Services.
  2. Make sure that the split-tunnel configuration includes Microsoft’s software update and Office update servers.
  3. Test that the split-tunnel configuration is working using the Office 365 Network Onboarding tool
  4. If you have people using unmanaged or personal devices for accessing Office 365 you can use Office Cloud Policy Service to create a more secure operating environment while working with Office 365 — Office Cloud Policy Service

See also:

Other considerations

Downloading operating system and software updates can consume a substantial amount of a household’s monthly Internet traffic allowance. You’ll need to consider how you’ll ensure people working from home do not incur additional expense for this traffic.

Utility links and page information

Did you find what you are looking for?

Your feedback will help us improve this website.

Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Page last updated: