Automating Patch Remediation with Workspace ONE Intelligence: VMware Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 9.6 and later



VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you create a dashboard in VMware Workspace ONE® Intelligence™ that shows all devices currently missing a critical KB, create an automation that notifies users to update their devices, and learn how to monitor patch remediation.


This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM, is also helpful.

Automating Patch Remediation with Workspace ONE Intelligence


Identifying security risks across all Windows devices is a challenge particularly when those devices are not managed. However, combining device management capabilities with Workspace ONE UEM allows IT administrators to report and approve patch deployment using Workspace ONE UEM.

In an environment with thousands of devices, patches being released on a weekly basis, and distributed responsibility between IT and InfoSec teams, it is crucial to provide unified visibility and real-time data to drive accurate decisions and minimize any security risk to the business.

Workspace ONE Intelligence integrates with Workspace ONE UEM to provide that unified visibility and real-time data. In addition, Intelligence brings automation workflows which allows IT to automate the patch approval process and continue monitoring the environment.

In this exercise, you identify the multiple Windows OS Versions and patches deployed across your environment, identify Windows devices that are missing critical OS patches, use automation to push the correct patches to the corresponding devices, and then monitor the remediation process.


Before you can perform the procedures in this exercise, you must meet the following requirements:

Logging In to the Workspace ONE Intelligence Console

To perform most of the steps in this exercise, you must log in to the Workspace ONE Intelligence Console. You launch the Workspace ONE Intelligence Console from within the Workspace ONE UEM Console.

1. Launch the Workspace ONE Intelligence Console

In the Workspace ONE UEM Console:

  1. Click Monitor.
  2. Click Intelligence.
  3. Click Launch.

2. Confirm the Workspace ONE Intelligence Console is Opened

Confirm that you are now logged into the Workspace ONE Intelligence Console.

3. Return to the Workspace ONE UEM Console (If Required)

If you need to return to the Workspace ONE UEM Console:

  1. Click the menu icon on the right.
  2. Select Workspace ONE UEM.

Identifying Windows Devices Missing Critical OS Patches

In this activity, use the OS Updates dashboard to view details about OS versions deployed and patch status across all managed Windows 10 devices.

1. Access the OS Updates Dashboard

  1. Click Dashboards.
  2. Click OS Updates.

2. Select WinRT Card

The OS Updates dashboard shows how heterogeneous the environment is based on the number of OS versions available on your environment per platform.

The dashboard only shows the cards based on the current devices managed in your environment. For this exercise, if you only enroll a Windows 10 device, it only shows one card.

Click the WinRT card.

3. Explore Devices by OS Version

The OS Versions dashboard includes the Number of Devices by OS Version chart, which allows you to understand number of OS versions across the Windows 10 managed devices in your organization.

  1. Scroll down to see the Active Devices by OS Version chart. This represent the active devices reporting OS version changes on the last 30 days.
  2. Click Patches.

4. Review Patch Status Across the Environment

Under Patches, you can find the Number of Patches by Update Status chart. This chart helps you to focus and prioritize which available and failed patches must be installed as soon as possible.

Click the Available bar to see a list of OS updates available to install per device.

5. Review Available Patches

This list includes all the devices and related available OS updates. The column Windows Patch Update Classification can help you to prioritize which patches must be installed first to improve device security and minimize risk for the organization.

Click WinRT to return.

6. Filter for Specific Windows Patch (KB)

  1. Click Edit.
  2. Enter Windows Patch KB Number.
  3. Enter 4497934.
  4. Click Apply.

Using Automation to Remediate Patches

After identifying the devices at risk, create an automated process that pushes the correct patches to the devices.

1. Open Automation Settings

  1. Click Automations.
  2. Click Add Automation.

2. Select a Template

  1. Navigate to Category > Workspace ONE UEM > OS Updates.
  2. In OS Updates: Create Your Own, click Get Started to base the new automation on an empty template.

3. Define Automation Settings

  1. Enter a name for the automation. For example, Windows Patch Remediation (Spectre/Meltdown).
  2. Under Filter (If), select Windows Patch KB Number.
  3. Select Equals.
  4. Enter the KB Number 4497934.
  5. Click + to add a second filter.
  6. Select Windows Patch Update Status.
  7. Select Includes.
  8. Select Available.

4. Review Impacted Devices

Based on the filter conditions, Intelligence reports the number of devices where patch 4497934 is not installed.

Click View to see the filter results.

5. Add an Action

  1. Scroll down to the Action (Then) section, and click the + icon.
  2. Select Workspace ONE UEM from the available connections.
  3. Scroll down and select the Approve Patch action.

6. Define Action Settings

  1. For Revision ID, enter ${winpatch_revision_id}. This will automatically assume the KB number from the filter condition.
  2. Click the toggle to enable automation.
  3. Click Save.

7. Enable Automation

Click Save & Enable.

8. Confirm Automation is Created

Confirm that your new automation has been created and has a status of Enabled.

Monitoring Patch Remediation

After you have enabled an action, you can monitor its execution in the Workspace ONE Intelligence console. In this activity, you walk-through monitoring the patch remediation action you just created.

1. Open Patch Remediation Action Logs

  1. To review the logs, click View on the Windows Patch Remediation (Spectre/Meltdown) action.
  2. Select the Activity tab. The log data for automation actions is displayed in this section.

2. Review the Activity Logs

The activity list shows the log data of automation actions taken per OS update. You can click each Target Identifier link to obtain the device details on each action.

Summary and Additional Resources


This operational tutorial provided steps to automate patch remediation for Windows devices using Workspace ONE Intelligence.

Procedures included:

  • Identifying devices missing a critical OS patch
  • Creating automated remediation
  • Monitoring patch remediation

For more details, see Workspace ONE Intelligence Dashboards, Automation, and Reports.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
catalog A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud Asset of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.
identity provider (IdP) A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile device management
(MDM) agent
Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP) A host that offers resources, tools, and applications to users and devices.
virtual desktop The user interface of a virtual machine that is made available to an end user.
virtual machine A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

About the Author

This tutorial was written by:

  • Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.


The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at