
Extreme Lockdown of Windows 8.1 Laptop?

We have a group of users who have laptops assigned to them because they are on call after hours every day.  However, they only actually get called after hours a few times per year.  They are provided with a laptop for this purpose, but since there may be many months of non-use, when they finally turn the laptops on and connect to VPN for an after-hours emergency, the laptop is now very far out of date and has missed installation deadlines for Windows Updates.  So, in the middle of using the laptop for this emergency, the laptop may reboot to finish installing the overdue updates.  Either that or we would need to block laptops missing recent updates from connecting to VPN which would also delay getting their work done.

We would like to see if it is possible to lock down a Windows 8.1 laptop to the point they are safe to use without installing Windows Updates in a timely manner.  We would turn off automatic updating deadlines on only these laptops and allow them to connect to VPN without passing updates checks. A/V will be installed that will update virus definitions from the Internet.

Basically these laptops would only be used as thin clients that remotely connect to their primary desktop PC over VPN and RDP.  All their actual work will be done via remote controlling their office desktop PC.

We are not going to use actual official "thin client" laptop hardware because of the expense of implementing a server VDI infrastructure that thin clients must connect to.  We can use our existing laptops for no extra expense and also get new, low-end Windows 8.1 consumer grade laptops (such as HP Stream) for under $400 including the cost of upgrading Windows 8.1 to 8.1 Professional.

Our other option is to deploy Chromebooks instead of Windows laptops, but we would then also need to set up clientless VPN connections since Chromebooks can't run the VPN software application we use for Windows.

This is all these laptop users need to do:

1.  Log into Windows.

2.  Join a wireless network so they can get an Internet connection that will allow the VPN client to work.   They may also need browser access to join wireless networks that have captive web portal logins.  No other browser access is required.

3.  Launch VPN client and connect  (VPN network access will be locked down to only allow RDP connections to their workstations VLAN from these laptops).

4.  Launch RDP client (TBD whether it will be the desktop RDP client or Microsoft App Store RDP client).

5.  Turn the laptop on and off.

The users should not have access to do anything else and will not have admin rights. 


Can Windows 8.1 be configured in this manner?


