cancel
Showing results for 
Search instead for 
Did you mean: 

Run Task At Every Enforcement Inrerval ?

Hi,

Do many/any here use the facility to run the Deployment task at every policy enforcement interval ?


What's the real overhead in doing this ? - especially on clinets that have sucessfully deployed already ? - will the installation package be downloaded every time ? or is this a "one off" if the package has been attempted before ?


Thanks,

Jim
11 Replies
tonyb99
Level 13
Report Inappropriate Content
Message 2 of 12

RE: Run Task At Every Enforcement Inrerval ?

I do use this

there is an overhead in client resource usage (but its not much on a decent spec) of some more memory and cpu usage. Negligable network overhead as it doesnt redo the installer

RE: Run Task At Every Enforcement Inrerval ?

Thanks Tony - good to know - might even start using it now Smiley Wink

Jim

RE: Run Task At Every Enforcement Inrerval ?

Why would you want to do this? So every 5 minutes you have msiexec kick in and then quit?

Personally, I use this under special circumstances (ie for new deployments to make sure everything gets installed quickly) but once installed it's disabled. I'd hate to be an end user that had this option enabled!

RE: Run Task At Every Enforcement Inrerval ?

I have this enabled as well... Though I increased the policy enforcement from the default 5 minutes to 20.

RE: Run Task At Every Enforcement Inrerval ?



It's more to do with "catching" systems that are either turned off when the deployment is enabled or who's initial deployment fails for some reason - e.g. lack of resources or locked files etc.

I agree that it would normally be disabled onec systems were up to date.

Jim

RE: Run Task At Every Enforcement Inrerval ?

I used to do this as well but it is definitely not a recommended best practice.

Increasing the policy enforement interval would not be a best practice either...that means that a machine could potentially have services turned off for longer periods of time, thus allowing for more opportunity for security breaches.

RE: Run Task At Every Enforcement Inrerval ?

Granted Jeff - but like most security matters it's a trade-off between using PC resources and enhanced security - you could argue the same about the ASCI interval setting as well....

Jim

RE: Run Task At Every Enforcement Inrerval ?

True...I guess this will be different in every organization. It's not just a cut and dry "yes" or "no" answer...it will depend on what level of risk you are trying to mitigate and what level of impact you are willing to accept.

There are pros and cons for either method but ultimately you need to decide amongst your decision makers which is the best route to follow.
tonyb99
Level 13
Report Inappropriate Content
Message 10 of 12

RE: Run Task At Every Enforcement Inrerval ?

We go through around 50 new machines on that network every day, never mind old VSE 8.0 machines being dug out of cupboards and mothballed training rooms reactivated after 12 months non use. In our case its pretty necc.

Of course I also have the policy enforcement set to 20 minutes, and normal users cant disable VSE at all.