Do many/any here use the facility to run the Deployment task at every policy enforcement interval ?
What's the real overhead in doing this ? - especially on clinets that have sucessfully deployed already ? - will the installation package be downloaded every time ? or is this a "one off" if the package has been attempted before ?
Why would you want to do this? So every 5 minutes you have msiexec kick in and then quit?
Personally, I use this under special circumstances (ie for new deployments to make sure everything gets installed quickly) but once installed it's disabled. I'd hate to be an end user that had this option enabled!
I used to do this as well but it is definitely not a recommended best practice.
Increasing the policy enforement interval would not be a best practice either...that means that a machine could potentially have services turned off for longer periods of time, thus allowing for more opportunity for security breaches.
True...I guess this will be different in every organization. It's not just a cut and dry "yes" or "no" answer...it will depend on what level of risk you are trying to mitigate and what level of impact you are willing to accept.
There are pros and cons for either method but ultimately you need to decide amongst your decision makers which is the best route to follow.
We go through around 50 new machines on that network every day, never mind old VSE 8.0 machines being dug out of cupboards and mothballed training rooms reactivated after 12 months non use. In our case its pretty necc.
Of course I also have the policy enforcement set to 20 minutes, and normal users cant disable VSE at all.