I am managing content displays for a company and over the last few weeks a problem has arisen where the devices have been going to sleep one-by-one during the night shift. The displays are powered by mini PCs running Windows 10.
All update services were disabled on the devices (Microsoft Edge Update, Windows Update, etc). The only service running in the background is an endpoint manager. Upon checking the devices, there are no recent events in the Event Viewer. The devices are not fully turned off, they are simply in "sleep" mode (the PCs normally boot to a UEFI Interactive Shell, however checking these 'downed' devices, they are at the login screen, meaning they never shutdown. When I sign back into the machines, there are no error messages). No blue screens or black screens, no error codes.
I need to verify whether something is being done to the machines remotely (e.g. cyber security team mistakenly targeting the devices) or whether this is being done by hand (e.g. disgruntled nightshift worker). The evidence is leaning towards the latter (for example, one machine that repeatedly went down mysteriously stopped having problems after I took it back to my office to observe it; in another case both the TV and the mini PC were turned off, and the PC was hanging as though it had been pulled down; also, the only sign that is directly in front of a security camera has never turned off - although it also happens to be the only device that was not fully imaged as a company machine and therefore can't be accessed by a remote connection). I'd like to exhaust my own troubleshooting options before getting site security involved to go through the security cameras.
Is there a way for me to check the remote-connection history of a Windows 10 machine (i.e. when a connection was initiated, what was done during the connection, and so on)? Or is there some kind of "sleep" log that I can go through to see if the machines were in fact put to sleep? The endpoint manager is Cortex XDR, but Cortex has not provided any clues either; the problem has occurred on all devices whether Cortex was running or not.