• Santosh Kumar Behera

Managing Windows Updates Using VMware Workspace ONE UEM

Introduction

In this article I will share my own experience with VMware Workspace ONE UEM and Windows Update management. This topic is not clear to every customer who wants to manage Windows Updates and Feature Upgrades via Workspace ONE UEM.


In the traditional model, Windows desktop update management relied on on-premises solutions such as SCCM or WSUS, and operating system upgrades followed a wipe-and-replace model. The Workspace ONE UEM update service for Windows clients instead provides functionality tailored to the constraints of managing updates from the cloud: in the update-as-a-service model, the console pushes the approvals and configuration for the periodic operating system and feature updates to the devices.


Windows update-as-a-service requires a new architecture, and the image below shows how updates are approved by VMware Workspace ONE UEM and delivered to Windows endpoints.


To manage updates on a device, the device must be enrolled in Workspace ONE UEM and a Windows Updates profile must be installed on it.


Procedure to Create the Profile

  1. From the UEM console, navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.

  3. Select Device Profile.

  4. Under General, configure the Profile Name, the Assignment Type (Auto or Optional) and the Smart Groups to which the profile will be deployed.

  5. Expand the Windows Updates section.

  6. Click Configure and set the Windows Updates settings as shown in the table below, keeping the other parameters at their defaults. You can adjust the settings to your own requirements.

  7. Click Save and Publish.

| Section                       | Setting                                                  | Value                                                                    |
|-------------------------------|----------------------------------------------------------|--------------------------------------------------------------------------|
| Branching and Deferral        | Insider Builds                                           | NOT ALLOWED                                                              |
| Branching and Deferral        | Defer Feature Updates (Days)                             | *90                                                                      |
| Branching and Deferral        | Defer Quality Updates (Days)                             | *7                                                                       |
| Update Installation Behavior  | Automatic Updates                                        | Install Updates Automatically but Let User Schedule the Computer Restart |
| Update Installation Behavior  | Active Hours Maximum (Hours)                             | 16                                                                       |
| Update Installation Behavior  | Active Hours (Start)                                     | 7 AM                                                                     |
| Update Installation Behavior  | Active Hours (End)                                       | 11 PM                                                                    |
| Update Installation Behavior  | Quality Updates Auto Restart Deadline (Days)             | 5                                                                        |
| Update Installation Behavior  | Feature Updates Auto Restart Deadline (Days)             | 5                                                                        |
| Update Installation Behavior  | Auto-Restart Notification (Minutes)                      | 60                                                                       |
| Update Installation Behavior  | Auto-Restart Required Notification                       | User Dismissal                                                           |
| Update Installation Behavior  | Quality Updates Engaged Restart Deadline (Days)          | 3                                                                        |
| Update Installation Behavior  | Feature Updates Engaged Restart Deadline (Days)          | 3                                                                        |
| Update Installation Behavior  | Quality Updates Engaged Restart Snooze Schedule (Days)   | 3                                                                        |
| Update Installation Behavior  | Feature Updates Engaged Restart Snooze Schedule (Days)   | 3                                                                        |
| Update Installation Behavior  | Scheduled Auto-Restart Warning (Hours)                   | 4                                                                        |
| Update Installation Behavior  | Scheduled Imminent Auto-Restart Warning (Minutes)        | 60                                                                       |
| Update Policies               | Update Scan Frequency (Hours)                            | 12                                                                       |
| Update Policies               | Dual Scan                                                | ENABLE                                                                   |
| Update Policies               | Exclude Windows Update Drivers from Quality Updates      | ENABLE                                                                   |
| Administrator-Approved Updates| Require Update Approval                                  | ENABLE                                                                   |
| Administrator-Approved Updates| Auto-Approved Updates                                    | ALLOWED                                                                  |
| Administrator-Approved Updates| Auto-Approved Updates: Critical                          | ALLOWED                                                                  |
| Administrator-Approved Updates| Auto-Approved Updates: Definition                        | ALLOWED                                                                  |
| Administrator-Approved Updates| Auto-Approved Updates: Feature Pack                      | ALLOWED                                                                  |
| Administrator-Approved Updates| Auto-Approved Updates: Security                          | ALLOWED                                                                  |
| Delivery Optimization         | Peer-to-Peer Updates                                     | ALLOWED                                                                  |
| Delivery Optimization         | Allowed Peer-to-Peer Method                              | Use Peers On The Same Local Network Domain                               |
| Delivery Optimization         | Limit Peer Usage to Members with the Same Group ID       | DO NOT LIMIT                                                             |
| Delivery Optimization         | VPN Peer Caching                                         | NOT ALLOWED                                                              |
| Delivery Optimization         | Minimum Battery Required for Peer Uploads (%)            | 40                                                                       |
| Memory                        | All settings                                             | Default                                                                  |
| Network                       | All settings                                             | Default                                                                  |

Validation

  1. Go to the device details page > Profiles tab. Find the profile and, if it was assigned as Optional (on demand), install it on the device.

  2. The profile status should show green, indicating it was installed successfully.

  3. On the device, you can verify the applied values under the registry key HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update.

  4. Navigate to Windows Update > Advanced Options > Configured Update Policies, where you can see the policy names, each with Type shown as Mobile Device Management.
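The registry check in step 3 can be scripted so it can be repeated across a fleet. The following PowerShell is an added example and not part of the original article or Workspace ONE UEM: it reads the policy values under the key named above and compares them with the values from the profile table. The registry value names are assumed to follow Microsoft's Update CSP policy names (DeferFeatureUpdatesPeriodInDays, ActiveHoursStart, and so on); verify them against the key on an enrolled device and adjust $Expected if your profile differs.

```powershell
# Added example: verify the Windows Update policy values written by the UEM profile.
# Value names are assumed from the Update CSP; the expected numbers come from the profile table.
function Test-UemUpdatePolicy {
    $KeyPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

    # Expected values from the profile table (assumed CSP name -> configured value).
    $Expected = [ordered]@{
        'DeferFeatureUpdatesPeriodInDays' = 90   # Defer Feature Updates (Days)
        'DeferQualityUpdatesPeriodInDays' = 7    # Defer Quality Updates (Days)
        'ActiveHoursStart'                = 7    # Active Hours (Start) = 7 AM
        'ActiveHoursEnd'                  = 23   # Active Hours (End)   = 11 PM
        'ActiveHoursMaxRange'             = 16   # Active Hours Maximum (Hours)
        'DetectionFrequency'              = 12   # Update Scan Frequency (Hours)
        'ExcludeWUDriversInQualityUpdate' = 1    # ENABLE
        'RequireUpdateApproval'           = 1    # ENABLE
        'ScheduleRestartWarning'          = 4    # Scheduled Auto-Restart Warning (Hours)
        'ScheduleImminentRestartWarning'  = 60   # Imminent Auto-Restart Warning (Minutes)
    }

    if (-not (Test-Path $KeyPath)) {
        Write-Warning "Policy key not found: $KeyPath. Is the device enrolled and the profile installed?"
        return $false
    }

    $Report = foreach ($name in $Expected.Keys) {
        # A missing value means the profile did not set that policy on this device.
        $value = try { Get-ItemPropertyValue -Path $KeyPath -Name $name -ErrorAction Stop } catch { $null }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = if ($null -eq $value) { '<missing>' } else { $value }
            Status   = if ($null -eq $value) { 'MISSING' }
                       elseif ([int]$value -eq [int]$Expected[$name]) { 'OK' }
                       else { 'MISMATCH' }
        }
    }

    $Report | Format-Table -AutoSize
    $bad = @($Report | Where-Object { $_.Status -ne 'OK' })
    return ($bad.Count -eq 0)   # $true only when every expected policy matches
}

# Return a non-zero exit code so the script can be scheduled and its result collected.
if (Test-UemUpdatePolicy) { exit 0 } else { exit 1 }
```

Run it in an elevated PowerShell on an enrolled device; a MISSING or MISMATCH row points at a setting the profile did not apply as intended.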

I hope this helps you secure your devices by applying the latest security patches.

Please stay tuned for more upcoming WS1 posts!
