Desktop maintenance is one part of automation that is simple to set up but often overlooked. Automating desktop maintenance will help reduce the number of tickets you get by proactively ensuring settings are correctly configured, local accounts are present, the device is secure (by re-enabling User Account Control, aka UAC), and more.
In the past few months, I’ve had the chance to build a desktop maintenance automation policy with two great partners—NetEffect in Las Vegas, U.S., and Aztech IT in Milton Keynes, U.K. I thought I’d share what the maintenance policy does, what our recommendations are, and some other things you could add to it if you want.
Here is a list of what the desktop policy does, and why we added each item. The policy is available for free in the Automation Cookbook at www.solarwindsmsp.com/cookbook. If you choose to download and use it, you can easily add, modify, or remove anything from the default policy.
| Maintenance Item | Purpose / Need |
|---|---|
| Enable UAC | UAC is often disabled by end users because it's seen as annoying, but it is used to prevent unapproved processes from running with elevated privileges. |
| Flush DNS | Clearing the DNS cache helps with network access, and it's good practice to do this on a regular basis. |
| Set PowerShell execution policy to RemoteSigned | PowerShell execution policy is recommended to be RemoteSigned by default. It often gets changed to Unrestricted for convenience, but that's a security risk, as any script can be run without any validation. |
| Disable RDP | RDP on a desktop is not usually necessary, so it should not be enabled unless it is required. |
| Disable Autorun | Autorun of USB storage devices and CD/DVD/Blu-ray discs should not be enabled, as this is a security risk if a virus or other malware is present on that media. |
| Disable Sleeping when computer is on AC power | Sleep is usually not required when the device is plugged in, and disabling it helps patches install outside work hours. |
| Disable Hibernation when computer is on AC power | As with sleep, hibernation is usually not required when the device is plugged in, and disabling it helps patches install outside work hours. |
| Ensure Windows Update Service is running | The Windows Update service will sometimes stop and needs to be restarted for updates to install when scheduled. This restarts it if it is stopped. |
| Enable Windows SmartScreen | Windows SmartScreen is a security check put in place by Microsoft to warn about unknown executables. Users often disable it, or in some cases it is never enabled. |
| Disable Windows Fast Start/Quickboot | Fast Start/Quickboot is a Windows feature that allows the computer to boot faster. However, when restarting, the computer does not do a full reboot but rather a partial one, which causes issues with some apps. We recommend you disable it, since boot time is not as much of an issue as it used to be now that most users are switching to SSDs. |
| Delete Temporary Files | Temporary files can be cleaned up periodically to reduce the use of unnecessary disk space. |
| Ensure Windows Time is started | The Windows Time service should always be started; this ensures it is running. |
| Set time sync to DC or local NTP server | The time should always be synced to a time server to avoid clock drift. |
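
For readers who want to see what several of the security-related rows look like as a script, here is an added PowerShell example; it is not the Automation Cookbook policy or code from the author. The registry paths and service names are the standard Windows ones rather than values taken from this page, and the `-Remediate` switch is a name chosen for this example.

```powershell
# Added example: audit (and optionally fix) some of the items from the table above.
# Run elevated. Default is report-only; pass -Remediate to write the desired state.
param([switch]$Remediate)

# Desired state for registry-backed items (standard Windows value names, assumed here).
$checks = @(
    @{ Item = 'Enable UAC';         Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableLUA';          Want = 1 }
    @{ Item = 'Disable RDP';        Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';            Name = 'fDenyTSConnections'; Want = 1 }
    @{ Item = 'Disable Autorun';    Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Want = 255 }
    @{ Item = 'Disable Fast Start'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power';      Name = 'HiberbootEnabled';   Want = 0 }
)

$report = foreach ($c in $checks) {
    # A missing value comes back as $null and is reported as non-compliant.
    $have = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $fixed = $false
    if ($have -ne $c.Want -and $Remediate) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
        $fixed = $true
    }
    [pscustomobject]@{ Item = $c.Item; Found = $have; Wanted = $c.Want; Compliant = ($have -eq $c.Want); Fixed = $fixed }
}

# Execution policy: only the looser settings are treated as drift, so a machine
# already on a stricter policy (AllSigned, Restricted) is never loosened.
$policy = Get-ExecutionPolicy -Scope LocalMachine
$loose  = $policy -in 'Unrestricted', 'Bypass'
if ($loose -and $Remediate) {
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
}
$report += [pscustomobject]@{ Item = 'Execution policy'; Found = $policy; Wanted = 'RemoteSigned'; Compliant = (-not $loose); Fixed = ($loose -and $Remediate) }

# Services that must be running for scheduled patching and time sync.
foreach ($svc in 'wuauserv', 'W32Time') {
    $s = Get-Service -Name $svc
    $wasRunning = $s.Status -eq 'Running'
    if (-not $wasRunning -and $Remediate) { Start-Service -Name $svc }
    $report += [pscustomobject]@{ Item = "Service $svc"; Found = $s.Status; Wanted = 'Running'; Compliant = $wasRunning; Fixed = ($Remediate -and -not $wasRunning) }
}

$report | Format-Table -AutoSize
```

Running it report-only first shows how far each device has drifted before anything is changed, and the `Found` column gives you a record of what users had altered.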
Now the question everyone will ask: How often should I run this? I’ve seen partners use it daily, some weekly, and some every few weeks. My personal recommendation would be at least weekly.
If you have suggestions for other things to add to this, please reach out to me directly at [email protected] or on Twitter at @automation_nerd.
If you have created an automation policy and would like to share it with the community, please feel free to email me at [email protected].
As always, don’t forget to go look in the Automation Cookbook at www.solarwindsmsp.com/cookbook if you are interested in other automation policies, script checks, and custom services.
Marc-Andre Tanguay is head automation nerd. You can follow him on Twitter at @automation_nerd.