Is anyone successfully using system lockdown? It seems like a lot of maintenance to keep it going. I would like to fully enable this feature but need to know what I'm in for once I do. From what I understand I need to perform the steps outlined below.
1.) Run checksum.exe on every computer on the network, as most have varying hardware and software; all are very similar, but not all have the exact same feature set.
2.) Take the information from each of the checksum files and import it into one file and take that file and import it into system lockdown at the group level.
3.) Log unapproved applications for a few days to verify nothing was missed; if hashes were missed, manually update the master hash file with what was discovered from the unapproved applications list.
4.) Once I go a few days without any new applications showing up on the unapproved applications list, turn on enable system lockdown.
5.) My question here is: on Patch Tuesday there will be a host of new hashes introduced, so do I need to do steps 1 through 3 all over again? This seems like a tremendous amount of work. Am I missing something here? If I get this enabled without it occupying a ton of time, this would be an excellent feature to have, since the majority of my users have laptops and I can't control what they install on them once they leave the building.
Appreciate the feedback anyone can offer.
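
A sketch of steps 2 and 3 and of the re-scan question in step 5, added here as an example and not part of the original post or of the product's own tooling: it merges per-machine checksum files into one de-duplicated master list and reports only the hashes a later scan adds. The line format (a 32-character MD5 hash, whitespace, then the full path), the function names and the sample data are all assumptions.

```python
import re

# Assumed line format (not stated in the post): "<32-hex MD5> <full path>".
LINE_RE = re.compile(r"^([0-9a-fA-F]{32})\s+(.+?)\s*$")

def parse_fingerprints(text):
    """Return ({hash: set(paths)}, [rejected lines]) for one checksum file."""
    entries, rejected = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append(raw)  # keep malformed lines for manual review
            continue
        entries.setdefault(m.group(1).lower(), set()).add(m.group(2))
    return entries, rejected

def merge(files):
    """Merge per-machine files into one master map, de-duplicated by hash."""
    master, rejected = {}, []
    for text in files:
        entries, bad = parse_fingerprints(text)
        rejected.extend(bad)
        for digest, paths in entries.items():
            master.setdefault(digest, set()).update(paths)
    return master, rejected

def delta(master, rescan):
    """Hashes in a later rescan that the master does not yet contain."""
    return {d: p for d, p in rescan.items() if d not in master}

def render(master):
    """Serialize as one 'hash path' line per hash, sorted for stable diffs."""
    return "\n".join(f"{d} {sorted(p)[0]}" for d, p in sorted(master.items()))

# Constructed sample data: hashes and paths are made up for illustration.
PC_A = "0123456789abcdef0123456789abcdef C:\\Windows\\notepad.exe\n" \
       "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA C:\\Apps\\tool.exe\n"
PC_B = "0123456789ABCDEF0123456789ABCDEF C:\\Windows\\notepad.exe\n" \
       "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb C:\\Apps\\other.exe\n" \
       "not a fingerprint line\n"
AFTER_PATCH = "cccccccccccccccccccccccccccccccc C:\\Windows\\notepad.exe\n" \
              "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb C:\\Apps\\other.exe\n"
if __name__ == "__main__":
    master, rejected = merge([PC_A, PC_B])
    print(render(master))
    print("rejected:", rejected)
    print("new after patch:", delta(master, parse_fingerprints(AFTER_PATCH)[0]))
```

Running `delta` against a scan taken from one patched reference machine gives the short list of hashes to review and append, rather than a full rebuild of the master file.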