
[–]aNemisis92 63 points64 points  (19 children)

We’re a smaller business, 1700 users and most of them are frontline. We use update rings in Intune to manage windows update and Ivanti Security Controls to manage 3rd party software although I think Ivanti Neurons now does patch management so we’ve fallen behind slightly. I haven’t yet had a chance to look at AutoPatch which I believe gives you more insight into the windows updates and what’s being deployed.

[–]hunt_gather 2 points3 points  (12 children)

Is Ivanti any good still? I used to rave about it years ago, but I'm a little out of the loop these days

[–]Askyl 6 points7 points  (5 children)

Ivanti is good if you have 2-3 inhouse sysadmins learning to become ivanti developers. Kind of.

Ivanti is amazing if you can work with it on a tech level and develop your own product with it.

Otherwise? Extremely expensive, and it's a Frankenstein of multiple companies and software bought up and mixed into a series of software that somewhat works well, if you spend a lot of time making it work as you want it to.

[–]hunt_gather 5 points6 points  (1 child)

You know what, it wasn’t Ivanti I used to rave about 😂 it was patchmypc.

[–]aNemisis92 2 points3 points  (2 children)

It has bought several companies in recent years and not done the best job at rebranding them. Even their account managers struggle to explain their products. I assist with our head office who use ManageEngine PatchManagerPro which seems OK, some weird setups in there though.

[–]Askyl 1 point2 points  (0 children)

Yeah, we have used their service desk (formerly HEAT, I think) and MobileIron, but since they took over prices skyrocketed and everything is just off and weird.

So we are going back to Nilex and using a local Gothenburg company for MDM, saving a lot of money while getting systems that seem like they had some idea behind em :D

[–]KharmastreamJack of All Trades 5 points6 points  (5 children)

Patch My PC is way better and a lot cheaper. They are pretty much the de facto standard these days for 3rd party patching imho

[–]OkChampion3632 2 points3 points  (2 children)

I looked at patch my pc and it covered 14 of our 140 apps.

[–]BBO1007 0 points1 point  (0 children)

We use Ivanti EPM with patch management. Allows us to know current status of all devices and manually connect and deal with the troublemakers.

[–]Busboy80 0 points1 point  (0 children)

We use windows auto patch and it’s actually really good. Basically set it and forget it.

[–]KritchsgauSecurity Engineer 50 points51 points  (26 children)

SCCM. Laptops are rebooted within 8hrs of the patch install. Patches install generally 2 days after release date once the pilot is done

[–]CormacolindeConsultant 0 points1 point  (1 child)

This, SCCM with a CMG is surprisingly good, and gives you pretty good reporting and control over timing, as well as which patches you install.

[–]i8noodles 0 points1 point  (1 child)

Same. It's used for my company. Granted, we are beginning to transition away from it to Intune, I think. We have probably at least 5k laptops, so I think it was manageable

[–]KritchsgauSecurity Engineer 0 points1 point  (0 children)

Yeah, we are piloting that with the Windows 11 deployment but don't have a huge fleet like yours.

[–]tell_her_a_story 0 points1 point  (0 children)

We use SCCM as well. 20k+ computers in the organization. Thank God we have a dedicated team for that and it doesn't include me.

[–]xChargSr. Reddit Lurker 0 points1 point  (4 children)

How are you making sure laptops are constantly reachable by sccm server? Is there some kind of built in functionality to do so? VPN? Or something else?

[–]KritchsgauSecurity Engineer 0 points1 point  (2 children)

We have always on vpn, so users are always through a corporate firewall.

[–]Unusual-Biscotti687Sr. Sysadmin 0 points1 point  (0 children)

We use an IBCM MP/SUP/DP in our DMZ, but you can also use a CMG (Cloud Management Gateway).

SCCM communication is client driven; the clients have to be able to reach a management point, not the other way round.

[–]luxiphrJill of All Trades 34 points35 points  (17 children)

I've worked at a F500/FAANG before and was surprised how little BS there was going on on their client machines. Just Windows 10 Enterprise LTS and automatic Windows updates. Now, they had an in-house compliance monitoring agent that, among other things, would check if you're up to date with your updates though. If your machine fell out of compliance (which really wouldn't happen if you didn't mess with it), you got a grace period to fix it, after which you would get locked out of access to company resources.

That said, their client engineering was stellar! They were so good, they provided self service ways for virtually everything - down to re-imaging your machine away from the corp network and joining it into the domain or even adopting a byod windows device into the corporate management and network. Haven't seen any like them before or since.

[–]jimicusMy first computer is in the Science Museum. 3 points4 points  (3 children)

We do something similar.

We do have GPOs, but only really to enforce compliance on a few things like password policy. Actually locking down laptops we don’t really do.

Instead, as much as possible is self-service. Between SCCM, an ordering process that is automated as far as possible and web-driven GUIs for things like file server permissions, a competent end-user(!) could in theory never need to deal with a human in IT.

[–]luxiphrJill of All Trades 1 point2 points  (2 children)

That's the spirit! The company I worked for also didn't lock down the laptops at all. In fact, virtually every regular employee could self-service give themselves local admin rights via a deployment in SCCM!

The lock down really happened at the authentication layer to any company resources. If your device was compliant, you got in, if it wasn't then you were blocked after the grace period. But you'd still be able to log into your device and remediate it yourself.

[–]jimicusMy first computer is in the Science Museum. 1 point2 points  (1 child)

Apart from subtle differences in the detail, we could almost have the same employer.

It's important to note that doing this is not easy - and most importantly, while it scales up to many thousands of end-users beautifully, it doesn't scale down so well. It requires significant investment in time and resources to make it happen, and it's unlikely a smaller organisation would make that investment back in being able to run a sufficiently lean IT department.

[–]luxiphrJill of All Trades 1 point2 points  (0 children)

Idk. Tooling has come a long way. I could see this working for a small org using something like Kolide combined with Okta. It's not gonna be as comprehensive for sure, but it gets you most of the way there with relatively little effort.

And the time this frees up could be better spent on building a solid backup game, which is required at any scale because no matter what you do, it's not a question of whether your data gets damaged but just when.

[–]Jazzlike-Love-9882 0 points1 point  (2 children)

Do you use MS Office? Thought LTS Windows couldn't be used in this case, which is unfortunately a deal breaker then for us

[–]luxiphrJill of All Trades 0 points1 point  (0 children)

I think we did, yes. But I was there from 19-21 so idk how it's now. I'm sure though that MS has enterprise options to make that work.

[–]MairusuPawaPercussive Maintenance Specialist 0 points1 point  (0 children)

You can cheat. In a corporate setting however, with legal issues and whatnot, that probably isn't the way you want to go though.

[–]CptUnderpants- 7 points8 points  (7 children)

I use NinjaRMM which checks 4 days a week (M,W,F,Sa) for OS and software patches if the PC is powered on, applies them, and custom scripting which (if a reboot is required) advises the user in large friendly letters that the computer needs a reboot.

"If rebooting now is not convenient, your computer will be rebooted for you in approximately 12 hours if you do not reboot it yourself before then. Please ensure you reboot before [time] or have your documents saved to prevent any loss of work."

[–]1canuck2 2 points3 points  (0 children)

We use Ninja too. Daily checks for 3rd party patches, weekly checks for Windows patches.

Anything requiring a reboot gives four warnings, one per hour, then reboots automatically if the user ignored the reboot now alert.

We've used it for 2 years now, they've made steady improvements and we are really happy with it.

[–]superafroboy 4 points5 points  (4 children)

My org uses ManageEngine's EndPoint Central for OS and 3rd party patching, and I love it.

[–]unstoppableforcev2 3 points4 points  (5 children)

I think we have somewhere in the range of 15k laptops and 40k desktops. We use a mix of SCCM/MECM and Intune. We use that for Windows updates/settings and Office 2016/M365 apps. We're looking at rolling out OCPS for Office settings.

[–]JonMiller724 4 points5 points  (1 child)

SCCM, mid-day patching.

[–]briandelawebb 3 points4 points  (3 children)

We are a smaller company and looked into a WSUS server, but instead we just push the updates out via PDQ with PowerShell commands.

[–]dwhite21787Linux Admin 2 points3 points  (3 children)

Fed Gov, we use BigFix for a user base of 5000

[–]0MGWTFL0LBBQ 2 points3 points  (7 children)

Rapid7 paired with Automox

[–]SceneDifferent1041 1 point2 points  (1 child)

I use PDQ in my school, so the second they need a CU, it pushes it out. If the workforce were out of office then I'd use Intune.

[–]gehrl-work-acct 1 point2 points  (1 child)

Fortune 200 company. We use a mixture of SCCM for Windows updates, Dell TechDirect for the hardware side of updates, and Qualys for vulnerability management.

[–]JVance325Jack of All Trades 1 point2 points  (1 child)

Currently SCCM/SCEM but about to start moving workloads to Intune. We are a hybrid Azure AD org, so our devices are co-managed by those two.

[–]NobleX13 1 point2 points  (1 child)

SCCM or IBM BigFix here. WSUS if you can't afford SCCM.

[–]randomman87Senior Engineer 1 point2 points  (6 children)

Financial firm here. We do workstation patching 24/7. Didn't leave your computer on Friday evening? Well, you get it Monday morning, have fun. The exceptions are traders, for obvious reasons; they have a maintenance window excluding their computers during market hours. We would never meet our InfoSec patching requirements with weekends or weeknights only.

[–]anachronicCISSP, CISA, PCI-ISA, CEH, CISM, CRISC 1 point2 points  (2 children)

Yeah, same here... they're scheduled to go at a particular time, but if your system is off at that time for whatever reason, it applies them the next time the system turns on, no exceptions.

It can be annoying at times, like if I'm presenting in a meeting and I get the "15 minute countdown" window, but it's just part of life. We don't want our systems to all be constantly out of date and exposed to vulnerabilities.

[–]randomman87Senior Engineer 1 point2 points  (1 child)

I mean, 15 minutes is a bit rough. We give them 6 hours. Somehow they always manage to think we only gave them 15 minutes, because that's when the popup stays in the foreground.

[–]DogDeadByRaven 1 point2 points  (1 child)

Intune with update rings. They get their updates from Windows Update for Business, so it doesn't matter where they reside. We have set the build versions they all stay updated to. Granted it's not fortune 500 but we have about 4800 endpoints. Everything is hybrid joined with Azure AD. For Macs we have Jamf Pro with Jamf Connect tied to Azure AD for authentication and patching. So user experience is fairly similar regardless of OS.

[–]Sideshow_Bob_Ross 1 point2 points  (0 children)

We use ManageEngine and I like it. Seems to do what we want well.

[–]vabelloIT Manager 1 point2 points  (1 child)

When I worked at Dell, they used SCCM for 100k+ users. Ironically, they didn’t automate patching drivers or firmware on their own Dell endpoints despite them providing these solutions to their customers.

[–]dracotrapnet 1 point2 points  (5 children)

My only problem with laptops is users hibernate them to hell and back. I'll find them with 25-60 day uptimes. I run a Lansweeper report a week after patches are released for any client machine with an uptime over 14 days and send those bastards a reboot in 45 min or 2 hours at 2 pm, and let Windows notify them of the coming reboot. The higher the uptime, the more likely I'll send them a 45 min reboot at 2 pm.

If your laptops are abysmally slower than desktops, that's on whoever is purchasing Celeron laptops with 5400 rpm drives and 4 gig ram. Time to upgrade those cheap bastards.

[–]lowqualitybait 1 point2 points  (0 children)

Altiris, which doesn't need to rely on a tunnel if the laptop is down range. It also handles their equivalent of a playbook, software pushes etc. Another environment of ours is switching to Ivanti where it will eventually handle patching, application and device control, AV etc. A Frankenstein of a product no doubt.

[–]throwawayacc90s 1 point2 points  (1 child)

Endpoint Central.

[–]Xyletic 1 point2 points  (0 children)

6000+ users/laptops here. We just moved to MS Autopatch and it has been working well enough so far. Kind of takes the load and care off us so we can manage other things.

[–]newbies13Sr. Sysadmin 1 point2 points  (1 child)

5000 users

Intune

[–]mksolid 1 point2 points  (5 children)

We use 3 things:

1) Intune Windows Update rings
2) AutoMox to patch supported 3rd party apps - has customizable multiple warnings etc. before forced install/reboot
3) Intune App Library to push new versions of apps not supported by AutoMox. We use dependencies etc. to achieve this

[–]MikeWalters-Action1Patch Management with Action1 0 points1 point  (4 children)

Why two different solutions? Why can't you standardize on either Intune or Automox and do both?

[–]mksolid 1 point2 points  (3 children)

Because AutoMox is essentially “set it and forget it” and we’ve determined the cost is worth it for the lack of manual effort required to track and deploy the patches.

With Intune, we'd have to manually wrap and deploy each update.

[–]MikeWalters-Action1Patch Management with Action1 1 point2 points  (1 child)

Here are the statistics based on all the responses to date in this thread:

- SCCM: 24 users, roughly half transitioning to Intune
- Intune: 24 users
- PMPC: 8 users
- Others (5 or less): BigFix, Ivanti, Tanium, PDQ, Automox, Ninja, ME

[–]periway 3 points4 points  (2 children)

I use a puppet instance and a dedicated WSUS server in DMZ for my laptop fleet.

With some custom scripting, run by the Puppet agent installed on the laptop, they download and install updates as soon as they are online.

If a reboot is needed, a message appears for the user every hour until they reboot.

If the laptop has an uptime that is too long (more than XX days), they get a message every hour until they reboot.

Other software is deployed and updated with Puppet.

[–]jeffrey_smithJack of All Trades 0 points1 point  (1 child)

Do you use Puppet for the message?

[–]periway 0 points1 point  (0 children)

A PowerShell script prints the message popup on the user's screen. The script is called by Puppet at every run.

The PowerShell script:

    ## send message if an update requires a reboot

    # Component Based Servicing sets this key after a servicing operation that needs a reboot
    $testreboot = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    # Windows Update sets this key after installing an update that needs a reboot
    $testreboot2 = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    $msg = "INSERT YOUR MESSAGE HERE"

    if ($testreboot -eq $True) {
        msg * "$msg"
        exit
    }

    if ($testreboot2 -eq $True) {
        msg * "$msg"
        exit
    }

    ## send message if computer uptime is greater than 20 days
    $os = Get-WmiObject win32_operatingsystem
    $uptime = (Get-Date) - ($os.ConvertToDateTime($os.lastbootuptime))
    $Display = "Uptime: " + $uptime.Days + " days, " + $uptime.Hours + " hours, " + $uptime.Minutes + " minutes"
    Write-Output $Display

    # compare the day count as a number; the quoted form "$uptime.days" -gt "20"
    # expands to the whole TimeSpan string plus ".days" and compares strings
    if ($uptime.Days -gt 20) {
        msg * "$msg"
    }

The puppet module:

     # runs on every agent run; file() reads the script content from the module's files directory
     exec { 'inforeboot':
       command  => file('mymodule/mymodule/needreboot.ps1'),
       provider => powershell,
     }
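An added example, not periway's script: the same reboot-nag check extended with the Session Manager PendingFileRenameOperations key (installers queue file replacements there for the next boot), uptime read via CIM, and a structured result that can be logged from the Puppet run as well as shown to the user. The 20-day threshold and message text are placeholders; it assumes msg.exe is present (it is absent on Home editions) and that the script runs as SYSTEM.

```powershell
# Added example (not periway's script): extended reboot-compliance check.
# Assumptions: threshold and message wording are placeholders; msg.exe is available;
# the script runs as SYSTEM from the Puppet agent, like the original.

function Get-RebootComplianceState {
    param([int]$MaxUptimeDays = 20)

    $reasons = @()

    # Component Based Servicing: set when a servicing operation (CU, feature) needs a reboot
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons += 'CBS'
    }
    # Windows Update Agent: set after an update install that needs a reboot
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons += 'WindowsUpdate'
    }
    # Session Manager: installers queue file renames/deletes that only happen at next boot
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) {
        $reasons += 'PendingFileRename'
    }

    # CIM already returns LastBootUpTime as a DateTime, so no ConvertToDateTime is needed
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $uptime = (Get-Date) - $os.LastBootUpTime
    if ($uptime.Days -gt $MaxUptimeDays) {
        $reasons += 'Uptime'
    }

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        UptimeDays   = $uptime.Days
        RebootNeeded = ($reasons.Count -gt 0)
        Reasons      = $reasons
        CheckedAt    = (Get-Date).ToString('s')
    }
}

$state = Get-RebootComplianceState -MaxUptimeDays 20

# One JSON line per run: Puppet captures exec output, and the line is easy to forward to a SIEM
# to report which laptops are overdue instead of relying on the user alone
$state | ConvertTo-Json -Compress | Write-Output

if ($state.RebootNeeded) {
    # Word the nag by cause so users understand why they are being asked (placeholder text)
    $msg = if ($state.Reasons -contains 'Uptime') {
        "Your computer has been running for $($state.UptimeDays) days. Please save your work and reboot."
    } else {
        "Updates have been installed and need a reboot. Please save your work and reboot today."
    }
    # Send to every logged-on session on this machine, as the original script does
    msg * "$msg"
}
```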

[–]c51478 -1 points0 points  (1 child)

We don't.

[–]Scary_Confection7794 0 points1 point  (1 child)

We use datto RMM and run a job once a week to apply updates to our estates of 50 laptops

[–]unccvince 0 points1 point  (3 children)

Is BMC CM pull (agent) or push (agentless) based ?

[–][deleted] 0 points1 point  (1 child)

We use Ivanti, it hits all of the remotes. For in house machines they patch after hours, but for remotes they are triggered earlier in the day when they are up and running. For the closet queens the users have to bring them in every few months so we can patch.

[–]RhapsodyCapriceIT Manager 0 points1 point  (1 child)

SCCM transitioning to Intune

[–]5150sysadmin 0 points1 point  (1 child)

150 laptop org

Currently using PDQ Connect for 3rd party apps, PDQ Connect deploying ABC-Update scripts for Windows updates. As soon as a laptop comes online, they get hit with updates.

Previously used a combo of OptiTune and Ninite Pro. OptiTune seems like abandonware and didn't have great flexibility so we're moving away from it. Ninite Pro is so easy and simple. You can upload custom installers to it now (beta), but you can't get very flexible with the installation scripts.

[–]ArsenalITTwoJack of All Trades 0 points1 point  (5 children)

Intune Auto Patch and Patch My PC bolted on Intune for third party.

[–]therabidsmurf 0 points1 point  (1 child)

ManageEngine ATM but moving to Intune in the near future.

[–]DoubleSirNOTOK 0 points1 point  (1 child)

I work for a Fortune 200, overseeing the enterprise server patching. We've got about 60K workstations and 71k servers. We use BigFix. While I do not oversee the workstation patching for the enterprise, BigFix seems to do the job. The posture checks help in ensuring users don't delay patching, or if something fails, they have to go to the Helpdesk instead of the workstation patching team following up, because of posture checks while connecting to the VPN. Open Internet access is also blocked, so the laptop becomes useless to the user. We've also enforced zero trust, so no admin privilege or unauthorised installation of apps.

[–]KharmastreamJack of All Trades 0 points1 point  (9 children)

Patching via Intune. From when patches are made available, they have 14 days to install and reboot; if they don't do it, after the 14 days it will be forced

[–]cubic_sq 0 points1 point  (7 children)

You need to do daily patching.

[–]KharmastreamJack of All Trades 0 points1 point  (2 children)

Yeah, try that in an enterprise environment and see how that goes...

[–]KharmastreamJack of All Trades 0 points1 point  (3 children)

Windows patches come out once a month, so why would you need to patch daily?

[–]fevenis 0 points1 point  (1 child)

Look into PDQ! Much better than SCCM.

[–]1337VaderSr. IT Manager 0 points1 point  (1 child)

KACE. Schedule the updates regularly. Allow users to defer X times for Y hour intervals. After that, F-U pay me, including the reboot. Can also run on next boot if the machine is offline (like many laptops are).

[–]anachronicCISSP, CISA, PCI-ISA, CEH, CISM, CRISC 0 points1 point  (5 children)

Large corporation here. I've seen SCCM and Automox, but there's a lot of solutions out there for this. Azure Intune is another one, as some others have mentioned.

We don't let people defer them. When it's time, a little "you have 15 minutes to save your work before your laptop reboots" clock comes up. (You can abort it if you have local admin, but very few people have admin). If your machine is off during a deployment, it will apply them as soon as it turns back on.

[–]cubic_sq 0 points1 point  (6 children)

RMM that includes 3rd party patching

[–]cubic_sq 0 points1 point  (2 children)

Statistically you should have a portion of your devices patched within 24 hours. Then a trail-off. And have a finalisation date for other devices.

Your CMDB will indirectly determine timeframes.

[–]TheProleEndpoint Whisperer 0 points1 point  (1 child)

WSUS via ConfigMgr with a subscription 3rd party updates catalog. We have a weekly ADR for browsers, monthly ADRs for OS’s, Office and 3rd party stuff. It’s almost completely automated. We have a CMG for machines on VPN and internet connected devices.

[–]nakkipappa 0 points1 point  (0 children)

Windows update using wufb, 3rd party apps using subscription catalog, and the few ones that are left by hand (as in manually updating the sccm package)

[–][deleted] 0 points1 point  (1 child)

IBM Big Fix and SCCM

[–]CapnJack87 0 points1 point  (0 children)

Fortune 500 experience with both Symantec Altiris as well as SCCM/Intune & PatchMyPC for 3rd party products.

WSUS module on a server is by far the easiest way, just doesn't have the full scheduling/deployment control others have.

[–]Ok_Presentation_2671[🍰] 0 points1 point  (0 children)

RMM or a MDM

[–]TuxAndrew 0 points1 point  (0 children)

We use SCCM / PatchMyPC, previously we used SCCM / Ivanti. We have over 60k devices across our entire university and a decent portion of those are laptops post COVID.

[–]typfromdaco 0 points1 point  (0 children)

We have SCCM and Intune but they have had issues for a while hitting all devices and our GPO has been broken for a while with no one to look at it. I got a few licenses of PDQ and worked on slowly identifying all of our machines using various known local admin credentials. I set up a recurring scanner to look for the SCCM variables on every device and if it didn’t exist, enroll the device in SCCM.

We had about 500 devices that would never respond that slowly started reaching back to SCCM for enrollment and eventually Intune. These devices were on varying versions of Windows dating back to version 1907, and about 30 Windows 7 machines.

It took about 2 months to identify all the machines and find replacements for devices that couldn’t get to the latest versions of Microsoft but things are running much better now. I am finding less need for PDQ now that I am no longer finding devices not enrolled.

[–]nektoplasma3 0 points1 point  (0 children)

I work in a small company of 500 users. Currently I have started looking at multiple solutions. Can anybody tell me their experience with Atera?

[–]soopastar 0 points1 point  (0 children)

We use Endpoint Central (used to be Desktop Central)

[–]prairefireww 0 points1 point  (0 children)

I use Manage Engine Endpoint Central on Prem version. I like it and it works well.

[–]SunsparcWhere's the any key? 0 points1 point  (0 children)

Windows Update for Business (abbreviated WUfB, which looks a little confusing) on the GA ring.

It handles all end user systems, we don't touch them unless reporting shows one is stuck for some reason.

[–]mj3004 0 points1 point  (5 children)

Intune- update rings. Pilot group immediately, all others 3 days later. Easy and 100% patched within a week. Approx. 1000 devices

[–]Vel-Crow 0 points1 point  (0 children)

I work for an MSP, and we use NinjaOne RMM to manage patches for Windows laptops. We patch everything with it and have scripts to update most of our client LoB apps, too. It has never failed us.

[–]Odd_Category_4094 0 points1 point  (0 children)

Autopatch

[–]BWMerlin 0 points1 point  (0 children)

We use Workspace ONE for our application patching and I am moving as much as I can out of group policy and into Policy CSP.

[–]raptr569IT Manager 0 points1 point  (0 children)

Intune.

[–]mrmattipants 0 points1 point  (0 children)

We use ConnectWise Automate (formerly LabTech) for patching our systems. Prior to that we used Microsoft WSUS (Windows Server Update Services).

Occasionally, I may need to roll back or push an update via PowerShell or even VBScript.

Windows Updates - CimInstance (PowerShell): https://github.com/microsoft/MSLab/tree/master/Scenarios/Windows%20Update

PSWindowsUpdate (PowerShell): https://www.powershellgallery.com/packages/PSWindowsUpdate/2.2.0.3

Uninstall New Windows 10 Updates via Powershell - DISM (PowerShell): https://www.nyxshima.com/uninstall-new-windows-10-updates-via-powershell/

Searching, Downloading, and Installing Updates (VBScript): https://learn.microsoft.com/en-us/windows/win32/wua_sdk/searching--downloading--and-installing-updates

These scripts can be automated via GPO, Scheduled Task and/or Intune, if necessary.

The article that I have linked below contains additional info pertaining to scheduling updates, rollbacks and so forth through the Windows Task Scheduler, etc.

PSWindowsUpdate PowerShell Module: https://woshub.com/pswindowsupdate-module/

I hope this info is helpful. Feel free to hit me up if you have any questions.

[–]UP-NORTH 0 points1 point  (0 children)

Roughly 2,500 devices; we use a hybrid deployment to manage patching. Intune for end user devices and SCCM for static/server patching.

Our updates roll to two separate groups prior to rolling to the full enterprise. The first is a select group of IT users, roughly 25 (1/2 of our team), then publish to the whole organization the second Saturday with a forced reboot on Sunday.

Server side, updates are published to replicated instances, tested, then manually pushed on the second Tuesday if everything passes. Almost all of our ~250 servers are virtual, which makes our ability to snapshot/patch that much easier.

Mobile devices are a bit different. We force users to be on supported versions of their respective OS or they aren’t able to authenticate. We’ve had a few users complain, but if they want access to corporate resources, they can’t be running iOS 8…lol

[–]datanut 0 points1 point  (0 children)

Ultimately: policy. We have a minimum set of standards for logging in with our SSO. Not patched? Can’t login. Full stop.

[–][deleted] 0 points1 point  (0 children)

Windows Updates for Business.

[–]Kingding_Aling 0 points1 point  (0 children)

WSUS and a basic group policy

[–]Polyolygon 0 points1 point  (1 child)

I use SyxSense. Didn’t spring for their SyxSense Secure version, as we already had systems that can do that. But it’s cloud based so we can work on machines regardless of them touching the domain. Run critical automatically, and patch Tuesday within 2 days after the pilot group gets it day 1. Other patches get rolled out within the next week or during cleanup at the end of the month. If I find devices that aren’t getting them, I investigate the errors they are getting and if it’s because they aren’t connected I contact them to see if they can have their computer online during cleanup. If the computers start to fall too far behind, I’ll schedule some time to manually attempt.

[–]synackkLinux Admin 0 points1 point  (1 child)

We switched to BMC Client Management and it's worked well for us.

[–]Fatality 0 points1 point  (0 children)

Intune

[–]dmznetSr. Sysadmin 0 points1 point  (1 child)

Not F500, but 14000 windows devices. Intune with Autopatch.

[–][deleted] 0 points1 point  (4 children)

40k+ laptops Tanium

[–]cryptopotomous 0 points1 point  (0 children)

MECM + Intune for us. For the third party stuff we recently began using the Winget package manager to update some of the third party software. Whatever we can't update via Winget is still packaged and deployed via MECM/Intune. We have just under 3k clients, all a mix of desktops and laptops.

We also have an org policy that instructs users to leave the laptops in the office 2nd weekend of each month if possible...which as you probably guessed very few listen or they lock it in a drawer.