Introduction
In this article I will share my own experience with VMware Workspace ONE UEM and Windows Update management, since this topic is not clear to every customer who wants to manage Windows Update and feature upgrades through Workspace ONE UEM.
Traditionally, Windows desktop update management relied on on-premises solutions such as SCCM / WSUS, and operating system upgrades used a wipe-and-replace model. The Workspace ONE UEM update service for Windows clients instead provides functionality tailored to the constraints of managing updates from the cloud: in the update-as-a-service model, the approvals and configurations for the periodic operating system and feature updates are pushed to the devices.
Windows update-as-a-service requires a new architecture; the image below shows how updates approved in VMware Workspace ONE UEM reach Windows endpoints.
To manage updates on a device, the device must be enrolled in Workspace ONE UEM and the Windows Update profile must be installed.
Procedure to Create the Profile
From the UEM console, navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.
Select Windows and then select Windows Desktop.
Select Device Profile.
Under General, configure the profile name, the Assignment Type (Auto or Optional) and the Smart Groups on which the profile will be installed.
Expand the Windows Updates section.
Click Configure and set the Windows Updates settings as shown in the table below, leaving the other parameters at their defaults. You can adjust the settings to your requirements.
Click Save and Publish.
| Setting | Value |
|---|---|
| Branching and Deferral | |
| Insider Builds | NOT ALLOWED |
| Defer Feature Updates (Days) | *90 |
| Defer Quality Updates (Days) | *7 |
| Update Installation Behavior | |
| Automatic Updates | Install Updates Automatically but Let User Schedule the Computer Restart |
| Active Hours Maximum (Hours) | 16 |
| Active Hours (Start) | 7 AM |
| Active Hours (End) | 11 PM |
| Quality Updates Auto Restart Deadline (Days) | 5 |
| Feature Updates Auto Restart Deadline (Days) | 5 |
| Auto-Restart Notification (Minutes) | 60 |
| Auto-Restart Required Notification | User Dismissal |
| Quality Updates Engaged Restart Deadline (Days) | 3 |
| Feature Updates Engaged Restart Deadline (Days) | 3 |
| Quality Updates Engaged Restart Snooze Schedule (Days) | 3 |
| Feature Updates Engaged Restart Snooze Schedule (Days) | 3 |
| Scheduled Auto-Restart Warning (Hours) | 4 |
| Scheduled Imminent Auto-Restart Warning (Minutes) | 60 |
| Update Policies | |
| Update Scan Frequency (Hours) | 12 |
| Dual Scan | ENABLE |
| Exclude Windows Update Drivers from Quality Updates | ENABLE |
| Administrator-Approved Updates | |
| Require Update Approval | ENABLE |
| Auto-Approved Updates | ALLOWED |
| Critical | ALLOWED |
| Definition | ALLOWED |
| Feature Pack | ALLOWED |
| Security | ALLOWED |
| Delivery Optimization | |
| Peer-to-Peer Updates | ALLOWED |
| Allowed Peer-to-Peer Method | Use Peers On The Same Local Network Domain |
| Limit Peer Usage to Members with the Same Group ID | DO NOT LIMIT |
| VPN Peer Caching | NOT ALLOWED |
| Minimum Battery Required for Peer Uploads (%) | 40 |
| Memory | All Default |
| Network | All Default |
Validation
Go to the device details > Profiles tab, find the profile and install it on the device (if it was On Demand).
It should show green as successfully installed.
You can check the values applied on the device in the registry under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update.
In Settings, navigate to Windows Update > Advanced Options > Configured Update Policies, where the policy names are listed with the type Mobile Device Management.
I hope this helps you secure your devices by applying the latest security patches.
Please stay tuned for more upcoming WS1 posts!
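As an added example (not part of the original post or of Workspace ONE UEM itself), the following PowerShell script automates the registry check above: it reads the PolicyManager key the MDM client writes to and compares it with the values from the profile table. The registry value names are the Windows Update CSP policy names; the mapping from the console labels in the table to those names is my assumption and should be confirmed on a reference device.

```powershell
# Added example: verify that the Workspace ONE UEM Windows Update profile values
# were actually applied by the MDM client. Run in an elevated PowerShell on an
# enrolled device. Value names follow the Update CSP; the label-to-name mapping
# from the profile table is an assumption.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

# Expected values taken from the profile table in this post
$Expected = [ordered]@{
    DeferFeatureUpdatesPeriodInDays = 90   # Defer Feature Updates (Days)
    DeferQualityUpdatesPeriodInDays = 7    # Defer Quality Updates (Days)
    ActiveHoursStart                = 7    # Active Hours (Start): 7 AM
    ActiveHoursEnd                  = 23   # Active Hours (End): 11 PM
    ActiveHoursMaxRange             = 16   # Active Hours Maximum (Hours)
    DetectionFrequency              = 12   # Update Scan Frequency (Hours)
    ExcludeWUDriversInQualityUpdate = 1    # Exclude WU drivers from quality updates
}

function Test-WindowsUpdatePolicy {
    param(
        [string]$Key = $PolicyKey,
        [System.Collections.IDictionary]$Expect = $Expected
    )
    if (-not (Test-Path $Key)) {
        throw "Policy key '$Key' not found: the device is probably not enrolled or the profile has not been installed yet."
    }
    $actual = Get-ItemProperty -Path $Key
    foreach ($name in $Expect.Keys) {
        # A missing property means the MDM client never wrote that policy
        $prop  = $actual.PSObject.Properties[$name]
        $value = if ($prop) { $prop.Value } else { $null }
        [pscustomobject]@{
            Policy   = $name
            Expected = $Expect[$name]
            Actual   = if ($null -eq $value) { '<not set>' } else { $value }
            Status   = if ($value -eq $Expect[$name]) { 'OK' } else { 'MISMATCH' }
        }
    }
}

$results = Test-WindowsUpdatePolicy
$results | Format-Table -AutoSize
# Non-zero exit code lets a scheduled task or compliance script flag drift
if ($results.Status -contains 'MISMATCH') { exit 1 }
```

A device that reports every policy as OK here and lists the same policies under Configured Update Policies has received the profile; a MISMATCH usually means the profile has not synced yet or a conflicting Group Policy is still in place.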