We have about 100 devices that mostly reside in the field, and they don't consistently connect back to the mothership via VPN, which means many of them fall far out of compliance on patches / updates. I can dictate that they plug in, but it's not really workable, as they are routed electronically to visit specific customers. What ends up happening is that when there is a bi-annual division meeting, we have them put their laptops on a table with a switch so they can check in with the server and get their updates.
Does anybody have a working strategy for a situation like this?
I've considered removing the policy for WSUS / PM so they can get Microsoft patches directly from the source, but we would lose a lot of control in that case.