Automating Patch Remediation with Workspace ONE Intelligence: Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 9.6 and later



VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you create a dashboard in VMware Workspace ONE® Intelligence™ that shows all devices currently missing a critical KB, create an automation that notifies users to update their devices, and learn how to monitor patch remediation.


This operational tutorial is intended for IT professionals and Workspace ONE UEM administrators of existing production environments.

Knowledge of additional technologies such as network, VPN configuration, VMware Workspace ONE® Intelligence and VMware Workspace ONE® UEM is also helpful.

Automating Patch Remediation with Workspace ONE Intelligence


Identifying security risks across all Windows devices is a challenge, particularly when those devices are not managed. However, combining device management capabilities with Workspace ONE UEM allows IT administrators to report on and approve patch deployment using Workspace ONE UEM.

In an environment with thousands of devices, patches being released on a weekly basis, and distributed responsibility between IT and InfoSec teams, it is crucial to provide unified visibility and real-time data to drive accurate decisions and minimize any security risk to the business.

Workspace ONE Intelligence integrates with Workspace ONE UEM to provide that unified visibility and real-time data. In addition, Intelligence brings automation workflows, which allow IT to automate the patch approval process and continue monitoring the environment.

In this exercise, you identify the multiple Windows OS Versions and patches deployed across your environment, identify Windows devices that are missing critical OS patches, use automation to push the correct patches to the corresponding devices, and then monitor the remediation process.


Before you can perform the procedures in this exercise, you must meet the following requirements:

Logging In to the Workspace ONE Intelligence Console

To perform most of the steps in this exercise, you must log in to the Workspace ONE Intelligence Console. You launch the Workspace ONE Intelligence Console from within the Workspace ONE UEM Console.

1. Launch the Workspace ONE Intelligence Console


In the Workspace ONE UEM Console:

  1. Click Monitor.
  2. Click Intelligence.
  3. Click Launch.

Note: You can launch Workspace ONE Intelligence only from a Customer type Organization Group. If you select a non-customer type Organization Group in the Workspace ONE UEM Console, the Monitor menu option will not be available.

2. Confirm the Workspace ONE Intelligence Console is Opened


Confirm that you are now logged into the Workspace ONE Intelligence Console.

3. Return to the Workspace ONE UEM Console (If Required)


If you need to return to the Workspace ONE UEM Console:

  1. Click the menu icon on the right.
  2. Select Workspace ONE UEM.

Identifying Windows Devices Missing Critical OS Patches

In this activity, use the OS Updates dashboard to view details about OS versions deployed and patch status across all managed Windows 10 devices.

1. Access the OS Updates Dashboard

  1. Click Dashboards.
  2. Click OS Updates.

2. Select WinRT Card


The OS Updates dashboard shows how heterogeneous the environment is, based on the number of OS versions present in your environment per platform.

The dashboard only shows the cards based on the current devices managed in your environment. For this exercise, if you only enroll a Windows 10 device, it only shows one card.

Click the WinRT card.

3. Explore Devices by OS Version


The OS Versions dashboard includes the Number of Devices by OS Version chart, which allows you to understand the number of OS versions across the Windows 10 managed devices in your organization.

  1. Scroll down to see the Active Devices by OS Version chart. This represents the active devices reporting OS version changes in the last 30 days.
  2. Click Patches.

4. Review Patch Status Across the Environment


Under Patches, you can find the Number of Patches by Update Status chart. This chart helps you to focus and prioritize which available and failed patches must be installed as soon as possible.

Click the Available bar to see a list of OS updates available to install per device.

5. Review Available Patches


This list includes all the devices and related available OS updates. The column Windows Patch Update Classification can help you to prioritize which patches must be installed first to improve device security and minimize risk for the organization.

Click WinRT to return.

6. Filter for Specific Windows Patch (KB)


For the purpose of this exercise, you will use KB 4503308 to automate the deployment. If KB 4503308 is not present in your environment, pick another available KB and use it as the reference for this exercise.

  1. Click Edit.
  2. Enter Windows Patch KB Number.
  3. Enter 4503308.
  4. Click Apply.

Using Automation to Remediate Patches

After identifying the devices at risk, create an automated process that pushes the correct patches to the devices.

1. Open Automation Settings

  1. Click Automations.
  2. Click Add Automation.

2. Select a Template

  1. Navigate to Category > Workspace ONE UEM > OS Updates.
  2. In OS Updates: Create Your Own, click Get Started to base the new automation on an empty template.

3. Define Automation Settings

For the purpose of this exercise, you will use KB4503308 to automate the deployment.

  1. Enter a name for the automation. For example, Windows Patch Remediation.
  2. Under Filter (If), select Windows Patch KB Number.
  3. Select Equals.
  4. Enter the KB Number 4503308.
  5. Click + to add a second filter.
  6. Select Windows Patch Update Status.
  7. Select Includes.
  8. Select Available.

4. Review Impacted Devices

Based on the filter conditions, Intelligence reports the number of devices where patch 4503308 is not installed.

Click View to see the filter results.

5. Add an Action

  1. Scroll down to the Action (Then) section, and click the + icon.
  2. Select Workspace ONE UEM from the available connections.
  3. Scroll down and select the Approve Patch action.

6. Define Action Settings

  1. For Revision ID, enter ${winpatch_revision_id}. This will automatically assume the KB number from the filter condition.
  2. Click the toggle to enable automation.
  3. Click Save.

7. Enable Automation

Click Save & Enable.

8. Confirm Automation is Created

Confirm that your new automation has been created and has a status of Enabled.

Monitoring Patch Remediation

After you have enabled an action, you can monitor its execution in the Workspace ONE Intelligence console. In this activity, you walk through monitoring the patch remediation action you just created.

1. Open Patch Remediation Action Logs

  1. To review the logs, click View on the Windows Patch Remediation (Spectre/Meltdown) action.
  2. Select the Activity tab. The log data for automation actions is displayed in this section.

2. Review the Activity Logs

The activity list shows the log data of automation actions taken per OS update. You can click each Target Identifier link to obtain the device details on each action.

3. Return to Workspace ONE UEM Console

  1. Click the Square menu icon.
  2. Click Workspace ONE UEM.

4. View Device Details

In the Workspace ONE UEM Console, you can validate the patch status change triggered by the Workspace ONE Intelligence Automation.

  1. Click Devices.
  2. Click List View.
  3. Click the Device Name for your enrolled device.

5. Validate patch approval status

  1. Click Updates.
  2. Enter KB4503308 in the search box and hit Enter.
  3. Look for KB4503308; the status should have changed to Approved.


6. Open Windows Settings

From the enrolled Windows 10 machine that just got a patch approved, you can validate whether Windows Update is downloading and preparing to install the approved patch.

  1. Click the Windows Start icon.
  2. Click the Settings icon.

7. Open Windows Update

Click Update & Security.

8. Monitoring patch action on the device

Note: Click Check For Updates if you are not seeing the option.

  1. From the Windows Update window, you can follow the status (downloading, pending restart, installed) of all approved patches. Some patches may require a restart of the machine.
  2. Click on X to close the Windows Settings Window.
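
The same device-side check can be scripted instead of read from the Settings window. The following PowerShell is an added example, not part of the original tutorial or VMware's code; the function name Get-KbState is hypothetical, and it uses only Get-HotFix and the Windows Update Agent COM objects to report whether the KB is installed, still offered, downloaded, or waiting on a restart.

```powershell
# Added example (not VMware code). Get-KbState is a hypothetical helper name.
function Get-KbState {
    param([Parameter(Mandatory)][string]$KbNumber)
    $kbId = "KB$KbNumber"

    # 1. Installed packages as reported by Win32_QuickFixEngineering.
    $hotfix = Get-HotFix -Id $kbId -ErrorAction SilentlyContinue

    # 2. Windows Update Agent view: updates offered but not yet installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = @($searcher.Search('IsInstalled=0').Updates |
        Where-Object { @($_.KBArticleIDs) -contains $KbNumber })

    # 3. Most recent install attempt for this KB in the update history.
    $last  = $null
    $count = $searcher.GetTotalHistoryCount()
    if ($count -gt 0) {
        $last = $searcher.QueryHistory(0, $count) |
            Where-Object { $_.Title -match $kbId } |
            Sort-Object Date -Descending |
            Select-Object -First 1
    }

    # OperationResultCode values defined by the Windows Update Agent API.
    $resultNames = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
                      3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }
    $lastResult = 'None'
    if ($last) { $lastResult = $resultNames[[int]$last.ResultCode] }

    [pscustomobject]@{
        KB             = $kbId
        Installed      = [bool]$hotfix
        StillOffered   = ($pending.Count -gt 0)
        Downloaded     = (@($pending | Where-Object { $_.IsDownloaded }).Count -gt 0)
        LastAttempt    = if ($last) { $last.Date } else { $null }
        LastResult     = $lastResult
        RebootRequired = (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired
    }
}

# KB number used in this tutorial; replace it with the KB you approved.
Get-KbState -KbNumber '4503308'
```

The search step queries the update service the device is configured to use, so it can take some time to return. A device that shows StillOffered as true with LastResult of Failed is one to follow up on in the console.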

9. Querying Device OS Updates Data

In the Workspace ONE UEM Console:

You can force the device to check-in and query the latest OS Updates details from the device by performing the following on the Device Details page:

  1. Click More Actions.
  2. Click OS Updates under Query.

9.1. Confirming Device OS Updates Query

  1. Click More.
  2. Click Troubleshooting.
  3. You will see logs noting Available OS Update requested when the task is triggered, and Available OS Updates confirmed when the details are reported.
  4. Click Refresh if needed to check the logs again for both events.

Summary and Additional Resources


This operational tutorial provided steps to automate patch remediation for Windows devices using Workspace ONE Intelligence.

Procedures included:

  • Identifying devices missing a critical OS patch
  • Creating automated remediation
  • Monitoring patch remediation

For more details, see Workspace ONE Intelligence Dashboards, Automation, and Reports.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.

About the Authors and Contributors

This tutorial was written by:

  • Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.


The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at
