Managing Windows Updates Using VMware Workspace ONE UEM
In this article, I will try to share my own experiences and expertise with VMware Workspace ONE UEM and Windows Update management. This point doesn't really seem clear to all the customers who want to manage Windows Update / Feature Upgrade via Workspace ONE UEM.
In the traditional world, Windows desktop update management relied on on-premises solutions such as SCCM / WSUS, and operating system upgrades used a wipe-and-replace model. In contrast, the update-as-a-service model pushes the approval and configurations for the periodic operating system and feature updates, and the Workspace ONE UEM update service for Windows clients provides tailored functionality to address the unique constraints of managing updates in the cloud.
Windows update-as-a-service requires a new architecture, and the image below shows how updates are approved by VMware Workspace ONE UEM for Windows endpoints.
To manage updates on a device, the device must be enrolled in Workspace ONE UEM and a Windows Updates profile must be installed.
Procedure to Create the Profile
From the UEM console, navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.
Select Windows and then select Windows Desktop.
Select Device Profile.
Under General, configure the profile settings: Profile Name, Assignment Type (Auto or Optional), and the Smart Groups where the profile will be installed.
Expand to the Windows Updates section.
Click Configure, then set the Windows Updates settings as shown in the table below and keep the other parameters at their defaults. You can adjust the settings to suit your requirements.
Click Save and Publish.
Branching and Deferral
Defer Feature Updates (Days)
Defer Quality Updates (Days)
Update Installation Behavior
Install Updates Automatically but Let User Schedule the Computer Restart
Active Hours Maximum (Hours)
Active Hours (Start)
Active Hours (End)
Quality Updates Auto Restart Deadline (Days)
Feature Updates Auto Restart Deadline (Days)
Auto-Restart Notification (Minutes)
Auto-Restart Required Notification
Quality Updates Engaged Restart Deadline (Days)
Feature Updates Engaged Restart Deadline (Days)
Quality Updates Engaged Restart Snooze Schedule (Days)
Feature Updates Engaged Restart Snooze Schedule (Days)
Scheduled Auto-Restart Warning (Hours)
Scheduled Imminent Auto-Restart Warning (Minutes)
Update Scan Frequency (Hours)
Exclude Windows Update Drivers from Quality Updates
Require Update Approval
Allowed Peer-to-Peer Method
Use Peers On The Same Local Network Domain
Limit Peer Usage to Members with the Same Group ID
DO NOT LIMIT
VPN Peer Caching
Minimum Battery Required for Peer Uploads (%)
Go to Device Details > Profiles tab. Find the profile and install it on the device (if it was assigned On Demand).
It should show green as successfully installed.
You can check the values applied on the device under the registry key HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update
On the device, navigate to Windows Update >> Advanced Options >> Configured Update Policies, where you can see each policy's name and that its Type is Mobile Device Management.
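The registry check above can be scripted so a device is audited against the profile instead of being inspected by hand. This is an added example, not part of the original article or of any VMware tooling. It assumes the value names under the key match the Windows Update Policy CSP names, and the expected numbers are constructed placeholders to be replaced with the values from your own profile.

```powershell
# Added example: audit MDM-delivered Windows Update policy values on a device.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

# Constructed placeholder baseline; replace with the values set in your profile.
# Value names are assumed to match the Update Policy CSP policy names.
$Expected = [ordered]@{
    DeferFeatureUpdatesPeriodInDays = 30
    DeferQualityUpdatesPeriodInDays = 7
    ActiveHoursStart                = 8
    ActiveHoursEnd                  = 18
}

function Get-UpdatePolicyValues {
    # Read every value under the key into a hashtable (empty if the key is absent).
    param([Parameter(Mandatory)] [string] $Path)
    $values = @{}
    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        foreach ($n in $key.GetValueNames()) { $values[$n] = $key.GetValue($n) }
    }
    return $values
}

function Compare-UpdatePolicy {
    # Emit one row per expected policy with status OK, Mismatch or Missing.
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Actual
    )
    foreach ($name in $Expected.Keys) {
        if (-not $Actual.Contains($name)) { $status = 'Missing' }
        elseif ($Actual[$name] -ne $Expected[$name]) { $status = 'Mismatch' }
        else { $status = 'OK' }
        [pscustomobject]@{
            Policy   = $name
            Expected = $Expected[$name]
            Actual   = if ($Actual.Contains($name)) { $Actual[$name] } else { $null }
            Status   = $status
        }
    }
}

$actual = Get-UpdatePolicyValues -Path $KeyPath
if ($actual.Count -eq 0) {
    Write-Warning "No values under $KeyPath; the profile may not be installed."
}
$report = Compare-UpdatePolicy -Expected $Expected -Actual $actual
$report | Format-Table -AutoSize
# A non-zero exit code lets a scheduled task or compliance sensor flag drift.
if ($report.Status -contains 'Missing' -or $report.Status -contains 'Mismatch') { exit 1 }
```

Save it as a script file and run it on the enrolled device; a Missing row usually means the profile has not been installed or a setting was left unconfigured.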
I hope this will help to secure your device by applying the latest security patches.
Please stay tuned for more upcoming WS1 posts!!