You might want to consider enterprise management software. I’m not sure what all is currently out there, but I worked for an MSP that used AutoTask Endpoint Manager. Something to consider as scale grows, and you need a simple way to manage. The software can do a lot of things that might otherwise take a lot of powershell knowledge or some clever GPO management.
Some examples of easy things Autotask did for us:
- Software deployment (including updates), management, and standardization
- Remote access and deployment (in this case, use one endpoint to deploy the management software to new or other devices)
- Sort by site/location
- IP and networking management
- A whole plethora of other tools
Similar setup to me, though I’m at something like 50-60 remote sites with 10-20 PCs each.
We run SCCM (Microsoft System Center Configuration Manager) to deploy updates, applications and standard OS images.
It works reasonably well, allows you to control updates, do remote image deployment, PC remote control, compliance, etc. SCCM will also give you anti-malware reports, hardware/software inventory, allow you to monitor for unapproved applications, etc.
WSUS will get you part of the way there, but won’t help with application deployment, or OS re-imaging. But it is definitely step 1 and a LOT less work to configure than SCCM.
WSUS and group policy is something I’d recommend for anyone managing more than about 10 PCs. For your sort of scale though it is worth investing the time into SCCM IMHO.
SCCM includes the use of Windows Update (though SCCM kinda “takes over” control of it and does a bunch of other stuff).
If you aren’t already using WSUS though it is a fairly low-effort first step and will help your sanity a lot. Definitely set up at least 2-3 deployment groups though - I apply new updates to a pilot group first and then the following week they go out to production. Tends to give you early warning for the latest Microsoft fuck-ups rather than come into work on Monday and find half your fleet is fucked…
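One way to script the pilot-then-production approval flow described above, as an added example that is not the commenter's own code: it uses the UpdateServices PowerShell module plus the WSUS .NET API. The server name, the "Pilot" and "Production" target group names and the seven-day soak period are assumptions.

```powershell
# Added example: staged WSUS approvals (Pilot first, Production after a soak period).
# Assumed: WSUS server wsus01.corp.example on port 8530, target groups "Pilot" and "Production".
Import-Module UpdateServices

$wsus       = Get-WsusServer -Name 'wsus01.corp.example' -PortNumber 8530
$groups     = $wsus.GetComputerTargetGroups()
$pilotGroup = $groups | Where-Object Name -eq 'Pilot'
$prodGroup  = $groups | Where-Object Name -eq 'Production'
$soakDays   = 7
$install    = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

# Step 1: approve newly synced security/critical updates that machines actually need, to Pilot only.
Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Status FailedOrNeeded |
    Where-Object { $_.Update.UpdateClassificationTitle -in 'Security Updates', 'Critical Updates' } |
    Approve-WsusUpdate -Action Install -TargetGroupName $pilotGroup.Name

# Step 2: promote to Production anything approved for Pilot at least $soakDays days ago
# with no failed installs reported by pilot machines. Declined/superseded updates are skipped.
foreach ($u in $wsus.GetUpdates()) {
    if ($u.IsDeclined -or $u.IsSuperseded) { continue }

    $approvals = $u.GetUpdateApprovals()
    $pilotOk   = $approvals | Where-Object { $_.ComputerTargetGroupId -eq $pilotGroup.Id -and $_.Action -eq $install }
    $prodDone  = $approvals | Where-Object { $_.ComputerTargetGroupId -eq $prodGroup.Id }
    if (-not $pilotOk -or $prodDone) { continue }
    if ($pilotOk.CreationDate -gt (Get-Date).AddDays(-$soakDays)) { continue }

    # Early-warning check: any pilot machine reporting Failed holds the update back.
    $failed = $u.GetUpdateInstallationInfoPerComputerTarget($pilotGroup) |
        Where-Object { $_.UpdateInstallationState -eq 'Failed' }
    if ($failed) {
        Write-Warning "Holding '$($u.Title)': $($failed.Count) pilot machine(s) report Failed"
        continue
    }

    Write-Host "Promoting '$($u.Title)' to $($prodGroup.Name)"
    $u.Approve($install, $prodGroup) | Out-Null
}
```

Run it from a scheduled task on the WSUS server under an account that is a WSUS administrator; the first run only seeds Pilot, and promotions begin once the soak period has elapsed.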
Thanks guys - this is getting me started down the right path - we’re looking for a software solution - as easy as possible but something that will let us standardize and lock down all of these client PCs… all they need to be running is Windows, a couple pieces of company software, and Chrome. Want to get this stuff all figured out - I’ll report back on what I find.
I don’t manage machines anymore, but at about ~1000 machines per person, machine deaths/reinstalls/replacements are a daily occurrence, and you can’t afford to have to deal with those, and deal with outliers, and provide support, and improve the system and processes to allow for fleet growth, and manage the central machine management system.
- A machine-queryable inventory system where you can set up individual machines with particular configuration flavors and where you can manage the lifecycle of each machine. SCCM looks like that, but as a Linux person it looks weird to me - does it have an RPC API so you can integrate your own tooling or where you can hook up scripts that integrate your networking with it?
- Some documentation to allow end users to boot off the network and reimage themselves (they can fix their machine themselves or wait). How to deal with hard drives and their destruction. Document, document, document - then farm stuff out. Use a wiki-like system that allows for edits and comments.
- Machine hard drives should be fungible; you need to provide network storage and backup strategies for folks to use that are compatible with their day-to-day workflows.
- A vetting process for the types of machine hardware configurations you support; the fewer hardware configs, the easier to support / swap / manage parts, … or you can farm this out to HP/Lenovo/Dell as leased subscription hardware.
- Some monitoring so you can track machines that walk out on you or have weird stuff happening, or are out of compliance - you’ll need to know how many software licenses to provision, etc…
Also, from my experience, managing 10k servers + software on them is easier than managing 500 windows desktops. Do not underestimate the complexity that comes with variety.
SCCM can be extended and/or queried via PowerShell. SCCM is very extensible. You can even automate to the point where a user opens a web form, requests an app, their manager signs off on purchase and they’re put into the relevant SCCM collection to get the software as soon as the manager approves. If you want to go that far…
Basically with SCCM it is all controlled by collections in the SCCM database. Want someone to be able to be reimaged? Put their PC in the relevant collection, deploy an OS or package to the collection and make it either mandatory or optional. If it’s optional they get a “new software/OS available” message. If mandatory, it will be deployed during a maintenance window (or immediately if you configure that).
You can do OS re-imaging from within the running OS (e.g., upgrade from X to Y platform) or you can do PXE boot, just tell the user to press F12 and SCCM will take care of the rest.
SCCM can also do automatic user state backup/restore across OS re-imaging. Either to the same PC or from one to another.
Re: hard drives and destruction - best way to handle that is to use BitLocker (which SCCM can configure on OS deployment). No need to destroy the drive if the data is encrypted and not recoverable without the keys (though this is something I have not implemented yet).
These days you should probably be pushing Windows users towards OneDrive (if you’re an MS shop); otherwise, as above, SCCM does user-state migration from PC to PC or from PC to same PC. But yes, definitely you want them storing their data on network shares or cloud, and preferably NOT on the device, other than in the offline file cache.
Definitely, 100% agreed and this is where you want to buy “business grade” systems as they generally maintain a “single image” platform for 1+ years. i.e., the machine you buy in 6 months will be the exact same spec (or compatible with) the image you roll today.
SCCM does all this - reports on which PCs are offline, which are compliant with rules you specify, what machines are out of spec for malware definitions, etc.
Now for the bad news.
SCCM is a bit of a beast to configure. It WILL take you a long time to get everything sorted out. You want to lab that shit up until you figure it out and ideally check out the windows-noob configuration guide(s) for it (google them).
But, you don’t have to set up every component immediately.
I’d start with getting the DB and management servers set up, configure an update point, and start from there. Get comfortable with Windows update control and deploying packages, then start doing apps and OSD.
And I agree 100% on not under-estimating complexity. On the hardware side: keep that shit simple. You want to be maintaining one or two flavours of laptop/desktop if possible, i.e., pick a model that covers all your bases if possible; don’t go penny pinching on every single PC. Your PCs should be exchangeable for one another as much as possible. For example we are virtually 100% notebooks and have 3 specs: a 13" (integrated graphics), a 15" (integrated graphics) and a workstation grade 15". Maintain those 3 loose “specs” over 3 years and you’re already going to end up with 6-9 SKUs to support if you get 1-2 years out of a model run on the purchasing side and support them for 3 years.
You want to try and keep to one vendor if possible, and before selecting which one, I’d advise checking how they provide their driver packages and whether they’re in an SCCM-compatible format. Microsoft is a bitch for this (Surface Pro firmware not easily deployed via WSUS for example). HP and Lenovo are much better. I haven’t used Dell for 10 years so can’t comment there. Hardware support is changing with Windows 10 though; Microsoft is encouraging less custom imaging and better hardware support direct from Windows Update or the OS via more frequent OS revisions.
You want to be ensuring your users do not have administrator access.
Set up LAPS (Local Administrator Password Solution) in order to enable ad-hoc admin access via a one-time/short-duration admin password for them as required (e.g., the classic “I need to add a printer”).
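The collection-driven workflow this reply describes (put a PC in a collection, deploy to the collection, choose mandatory or optional, respect or override maintenance windows), as an added example using the ConfigurationManager PowerShell module that ships with the SCCM console; this is not the commenter's code. The site code, provider server, device name and the pre-existing "Google Chrome" application are assumptions.

```powershell
# Added example: drive an SCCM collection and an application deployment from PowerShell.
# Assumed: site code P01, SMS provider sccm01.corp.example, device PC-SITE12-007,
# and an application named "Google Chrome" already created in the console.
$siteCode = 'P01'
$provider = 'sccm01.corp.example'

# The module lives next to the admin console binaries and exposes the site as a PSDrive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
if (-not (Get-PSDrive -Name $siteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $siteCode -PSProvider CMSite -Root $provider | Out-Null
}
Set-Location "$($siteCode):\"

# 1. Collections are the unit of control: create one (limited to All Systems) if it is missing.
$collName = 'Chrome - Required'
$coll = Get-CMDeviceCollection -Name $collName
if (-not $coll) {
    $coll = New-CMDeviceCollection -Name $collName -LimitingCollectionName 'All Systems'
}

# 2. Put one PC into the collection with a direct membership rule.
$device = Get-CMDevice -Name 'PC-SITE12-007'
if (-not $device) { throw 'Device not found in the site database' }
Add-CMDeviceCollectionDirectMembershipRule -CollectionId $coll.CollectionID -ResourceId $device.ResourceID

# 3. Mandatory deployment: Required purpose plus a deadline. -OverrideServiceWindow $false keeps the
#    install inside maintenance windows; $true is the "immediately" option. For the optional
#    "new software available" behaviour use -DeployPurpose Available and omit the deadline.
New-CMApplicationDeployment -CollectionName $collName -Name 'Google Chrome' `
    -DeployAction Install -DeployPurpose Required `
    -AvailableDateTime (Get-Date) -DeadlineDateTime (Get-Date).AddDays(7) `
    -OverrideServiceWindow $false -UserNotification DisplaySoftwareCenterOnly | Out-Null

# 4. Quick health view of the collection: which clients are active and when they last checked in.
Get-CMDevice -CollectionId $coll.CollectionID |
    Select-Object Name, IsActive, LastActiveTime, ClientVersion |
    Format-Table -AutoSize
```

Run it in a console session on a machine with the SCCM admin console installed, under an account that has the relevant collection and deployment security roles.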