How to control roaming laptops using DC

My company is planning to replace all the workstations with laptops for all the employees in our company; by my assumption we need to buy more than 200 laptops. I can see it’s a very big decision by management, which is off topic to discuss here.

I have a DC in an on-site office; how can I keep all of the laptops updated?

When you say update, do you mean Windows updates, antivirus, etc?

Hello @ImranKhan
First of all, add all the laptops to the domain and, if you want to update them, you can use WSUS.
It is a service from Microsoft that updates all the Windows machines from the LAN.

By update I was referring to everything. I need to deploy software, new policies, control of Windows updates, etc.

If I understand your situation correctly your healthcare environment users only access the domain (through VPN) once a quarter or so. You keep them on the domain so that you can enforce regulatory compliance.

If I were designing your system from scratch I’d make the laptops inexpensive but encrypted devices that are not members of the domain and set up virtual machines for the users to login to through the VPN tunnel. That way all your policies are fully enforced and they still have a word processor/spreadsheet generator on hand for when they’re off the wire. The cost of the virtuals is offset by the lesser costs of the remote devices - and you can let your people use anything to access the virtuals with - including tablets or iMacs.

If you’re stuck with your existing configuration I’d start working on those ‘other things you can do’. Set up a separate container for those devices and generate a policy set that’s as small as possible. Don’t have them access the network for anything via login-script network drive mapping (UNC via shortcuts on the desktop instead), and set up split tunneling so that they only access your network for services that are on the network (particularly DNS). Provide them with as few network services as you can, and keep them off your network entirely if they aren’t fully patched and service packed (network access protection via a remediation server).
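The two pieces of advice above (join the laptops to the domain and point them at WSUS; give roaming devices their own container with a minimal policy set) can be scripted from a DC. This is an added example, not code from the thread; the domain DN, WSUS URL and computer-name pattern are constructed placeholders, and it assumes the RSAT ActiveDirectory and GroupPolicy modules and rights to create OUs and GPOs.

```powershell
# Added example (not from the thread): put roaming laptops in their own OU and link
# one small GPO that only carries the Windows Update / WSUS client settings.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Constructed placeholders: replace with your own domain DN, WSUS URL and naming pattern.
$DomainDN   = "DC=corp,DC=example"
$WsusUrl    = "https://wsus.corp.example:8531"   # 8531 is the default WSUS HTTPS port
$OuName     = "Roaming Laptops"
$GpoName    = "Roaming Laptops - Minimal Policy"
$LaptopMask = "LT-*"                             # laptop computer-account names

# 1. Separate container, so roaming devices do not inherit the heavier workstation GPOs.
$OuDN = "OU=$OuName,$DomainDN"
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$OuDN'")) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}
Get-ADComputer -Filter "Name -like '$LaptopMask'" -SearchBase $DomainDN |
    Where-Object { $_.DistinguishedName -notlike "*,$OuDN" } |
    Move-ADObject -TargetPath $OuDN

# 2. One small GPO: Windows Update client pointed at the on-site WSUS server.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment "Minimal policy set for roaming laptops" }
$wu = "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
Set-GPRegistryValue -Name $GpoName -Key $wu      -ValueName "WUServer"       -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $wu      -ValueName "WUStatusServer" -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$wu\AU" -ValueName "UseWUServer"    -Type DWord  -Value 1        | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$wu\AU" -ValueName "NoAutoUpdate"   -Type DWord  -Value 0        | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$wu\AU" -ValueName "AUOptions"      -Type DWord  -Value 4        | Out-Null  # 4 = auto download, scheduled install

# 3. Link the GPO to the OU if it is not linked yet.
$linked = @((Get-GPInheritance -Target $OuDN).GpoLinks | Where-Object DisplayName -eq $GpoName)
if ($linked.Count -eq 0) {
    New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null
}

# Show what now applies to the container.
(Get-GPInheritance -Target $OuDN).GpoLinks | Select-Object DisplayName, Enabled, Enforced
```

Because the WSUS server lives on the LAN, a laptop only picks up approved updates while it is on site or on the VPN, so the split-tunnel configuration above must still route the WSUS hostname through the tunnel.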