May I suggest developing a "installlocker" feature, to allow signed certificate based applications to download and install updates? pushing out updates via gpo is mundane, to allow specific software vendors to be installed on the user level would be very beneficial in school environments with 1 to 1 laptop programs, or school managed byod laptop programs, e.g. printer software installs, adobe flash updates, acrobate reader, etc.
↧