I am managing content displays for a company and over the last few weeks a problem has arisen where the devices have been going to sleep one by one during the night shift. The displays are powered by mini PCs running Windows 10.

All update services were disabled on the devices (Microsoft Edge Update, Windows Update, etc.). The only service running in the background is an endpoint manager. Upon checking the devices, there are no recent events in the Event Viewer. The devices are not fully turned off; they are simply in "sleep" mode (the PCs normally boot to a UEFI Interactive Shell, however checking these 'downed' devices, they are at the login screen, meaning they never shut down. When I sign back into the machines, there are no error messages). No blue screens or black screens, no error codes.

I need to verify whether something is being done to the machines remotely (e.g. cyber security team mistakenly targeting the devices) or whether this is being done by hand (e.g. disgruntled night-shift worker). The evidence is leaning towards the latter (for example, one machine that repeatedly went down mysteriously stopped having problems after I took it back to my office to observe it; in another case both the TV and the mini PC were turned off, and the PC was hanging as though it had been pulled down; also, the only sign that is directly in front of a security camera has never turned off, although it also happens to be the only device that was not fully imaged as a company machine and therefore can't be accessed by a remote connection). I'd like to exhaust my own troubleshooting options before getting site security involved to go through the security cameras.

Is there a way for me to check the remote-connection history of a Windows 10 machine (i.e. when a connection was initiated, what was done during the connection, and so on)? Or is there some kind of "sleep" log that I can go through to see if the machines were in fact put to sleep? The endpoint manager is Cortex XDR, but Cortex has not provided any clues either; the problem has occurred on all devices whether Cortex was running or not.

  • Have you properly turned off power settings so that they do not suspend or hibernate?
    – anon
    Commented Jun 19, 2023 at 11:24
  • That does not appear to be the issue - as I mentioned, the device that I relocated to my room magically stopped having problems, and the device that has not been imaged (and is in front of a camera) also does not have problems. Additionally, three or four devices in the same area will go off one night, and then the next night three or four different devices in the vicinity of one another will turn off. It's as though someone is going through them methodically - either working through a list or walking around to each one.
    – 001121100
    Commented Jun 19, 2023 at 11:48
  • How are we supposed to know if someone is walking to each machine and doing something to it? That's a job for monitoring or anything alike. Anyways, voting to close this as it has 2 different kinds of questions (logs of remote connections, logs of sleep). Questions here should focus on one specific topic.
    – Destroy666
    Commented Jun 19, 2023 at 12:22
  • Both questions are likely to have answers here also, e.g. superuser.com/questions/1258473/…
    – Destroy666
    Commented Jun 19, 2023 at 12:25
  • I agree. Systems are not magic (100.0%). Set properly, they will run forever until they break.
    – anon
    Commented Jun 19, 2023 at 12:35
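
For the two logs the question asks about (sleep history and remote-connection history), here is an added example that is not part of the original thread: a PowerShell sketch that merges Windows power events and Remote Desktop session events into one timeline and lists any remote session seen shortly before each sleep. The 14-day look-back and the 15-minute correlation window are assumptions, and it only sees remote access made over Remote Desktop.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on an affected mini PC.
$since  = (Get-Date).AddDays(-14)      # assumed look-back window
$window = New-TimeSpan -Minutes 15     # assumed correlation window

# Log name, provider filter (or $null), and the event IDs of interest.
$sources = @(
    # 41 = rebooted without clean shutdown, 42 = entering sleep, 107 = resumed
    @{ Log = 'System'; Provider = 'Microsoft-Windows-Kernel-Power'; Ids = 41, 42, 107 },
    # 1 = returned from a low-power state (message names the wake source)
    @{ Log = 'System'; Provider = 'Microsoft-Windows-Power-Troubleshooter'; Ids = 1 },
    # 21 = session logon, 24 = disconnected, 25 = reconnected
    # (a console logon also raises 21, with source address LOCAL)
    @{ Log = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Provider = $null; Ids = 21, 24, 25 },
    # 1149 = Remote Desktop user authentication succeeded
    @{ Log = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; Provider = $null; Ids = 1149 }
)

$timeline = foreach ($s in $sources) {
    $filter = @{ LogName = $s.Log; Id = $s.Ids; StartTime = $since }
    if ($s.Provider) { $filter.ProviderName = $s.Provider }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Source  = $_.ProviderName
                Id      = $_.Id
                # Collapse the multi-line message so the sleep reason or
                # source address stays on the same row.
                Message = ("$($_.Message)" -replace '\s+', ' ').Trim()
            }
        }
}
$timeline = @($timeline | Sort-Object Time)
$timeline | Format-Table Time, Source, Id, Message -AutoSize -Wrap

# For every "entering sleep" event, show remote-session activity just before it.
$remote = @($timeline | Where-Object { $_.Source -like '*TerminalServices*' })
foreach ($sleep in ($timeline | Where-Object { $_.Id -eq 42 })) {
    $near = @($remote | Where-Object {
        $_.Time -le $sleep.Time -and ($sleep.Time - $_.Time) -le $window })
    "{0:u}  sleep  remote events in prior window: {1}" -f $sleep.Time, $near.Count
    $near | ForEach-Object { "    {0:u}  Id {1}  {2}" -f $_.Time, $_.Id, $_.Message }
}
```

The message of event 42 includes the sleep reason, which helps separate a button press from an idle timeout or an application request. Actions pushed through a management agent or a scheduled task do not appear in the Remote Desktop logs, so an empty remote column does not rule those out.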
