Managing Updates for Windows Devices: Workspace ONE Operational Tutorial
Overview
Workspace ONE® UEM (Unified Endpoint Management) and its lifecycle approach for Windows Updates enables reduced administration and maximized efficiencies for propagating updates to Windows devices, including the means to selectively deploy Windows Updates to all or a subset of devices.
This operational tutorial walks you through the administrative options and deployment steps to maximize your Workspace ONE environment. Whether administering Windows 10, Windows 11, or planning for Windows 12, this tutorial helps you understand:
- Options for deploying and managing Windows updates.
- How to create distribution rings using smart groups, set up a patching policy, and build a Windows Updates profile.
- Where and how to assess the status of Windows Update patches in the Workspace ONE admin portal and on client devices.
- Troubleshooting steps that address how to remedy overall and intermittent Windows Update issues.
Audience
This operational tutorial is intended for IT professionals and Workspace ONE administrators with the following knowledge proficiencies:
- Windows desktop operating systems (Windows 10, Windows 11, and/or Windows 12 early planning).
- Active Directory, and/or Azure Active Directory.
- Basic technical understanding of Workspace ONE UEM.
Windows Updates Overview
The Workspace ONE UEM update service for Windows desktops provides tailored functionality to address the complex constraints of managing updates for your enterprise. The Workspace ONE UEM update-as-a-service model not only automates and propagates all types of Windows Updates, but it also enables administrators to pause, resume, or roll back updates. In addition to managing and maintaining a successful Windows Update strategy, Workspace ONE UEM provides detailed reports and metrics to indicate success and identify issues.
Workspace ONE UEM Windows Update Process Flow
Managing Windows Updates with Workspace ONE UEM is based on the following process flow:
Figure 1: Windows Update process flow
- Workspace ONE UEM managed Windows desktop devices reach out to Microsoft Update source to query available updates.
- A list of KBs/Updates is sent back to the device in the form of metadata.
- Devices report available updates to Workspace ONE UEM on the next Windows Update sample interval.
- If Workspace ONE Intelligence is integrated, updates data is also sent to Workspace ONE Intelligence.
- Following the next update scan by the device or manual scan by the user, the device will fetch the authorized updates from either a peer device or Windows Update source, depending on configuration within the Workspace ONE UEM console.
As a best practice, Windows Update for Business and peer-to-peer sharing (Delivery Optimization) are recommended because they save system, network, and administrative resources.
Key Considerations for Successful Windows Update Creation
When configuring Windows Update via Workspace ONE UEM, several key considerations and settings should be understood. Each of these items is detailed within this document.
- Windows Update Source and Types: Differentiation between Windows Update for Business or Windows Server Update Service, as well as deployment considerations associated with specific types of Windows Updates.
- Windows Update Configuration: Profile settings and configuration options, including deployment rings and related impact.
- Reporting and Troubleshooting: Check the status of Windows Updates and determine whether subsequent action is necessary, as well as steps to remedy Windows Update issues.
Windows Update Source and Types
The source for Windows Updates can be Windows Update for Business or Windows Server Update Services (WSUS). Workspace ONE functions equally well via either mechanism; however, Windows Update for Business is recommended for Workspace ONE UEM due to cloud-based functionality and minimal administration.
Figure 2: Windows Update source comparison
Several types of Windows Updates are applicable for Windows devices. This document will focus on Feature and Quality Updates. For a complete description of Windows Update types, see Microsoft learning documentation.
Feature and quality updates may be directly controlled by administrators within Workspace ONE UEM, and this document will thus focus on the configuration of these types of updates:
- Feature Updates are released annually and contain new features and functionality. For example, the final feature update for Windows 10 was version 22H2.
- Quality Updates are typically released on the monthly "Patch Tuesday" but may be released at any time. Quality updates are cumulative and address both security and non-security issues. A Quality Update policy may be configured to include Windows drivers and/or Microsoft application updates.
Windows Update Configuration
Before delving into how to configure Windows Updates, below is an overview of the activity flow when a new Windows Update becomes available:
Figure 3: Windows Update activity flow
As shown in Figure 3, several key settings impact the behavior of Windows Updates after fetching, namely:
- Windows Update Policies, including numerous configurations such as scheduling, deployment based on update type, and reboot requirements.
- Deployment Rings, including the manual creation of subsets of devices based on Smart Group designation.
- Pause/Resume/Rollback, whether for specific devices or the entire profile.
Windows Update Policies
Windows Update policy options are designated based on the following steps as defined for a new profile configuration:
Figure 4: Creating Device Profile for Windows Update
Where an existing profile needs to be modified, the administrator would instead select the existing profile and change specific settings accordingly. The designated Windows Update source cannot be subsequently changed after profile creation; it is necessary to create a new profile if the Windows Update source is later modified. For example, if your enterprise currently uses WSUS as the source and then transitions to Windows Update for Business, it is necessary to create a new Windows device profile.
Windows Update Policy Options
Within Workspace ONE UEM, available options and recommended selections vary slightly based on the Windows Update source. For example, WSUS includes configuration options within the Definition section that are not applicable to Microsoft Update Service.
The following chart compares the Windows Update policy options and their default settings when the source is Microsoft Update Service (Windows Update for Business) vs. WSUS. Rows that name a section (Device Scheduling, Update Behavior, and so on) give the default state of that section of the profile:
| Item | Microsoft Update Service Default Setting | WSUS Default Setting |
|---|---|---|
| Definition | | |
| Windows Update Source | [default] | |
| WSUS Server URL | n/a | |
| Proxy Behavior | n/a | Allow system proxy only for HTTP scans |
| Telemetry | n/a | 0 - Security |
| Update Branch | General Availability Channel (Targeted) | General Availability Channel (Targeted) |
| Manage Preview Builds | Disable Preview Builds | Disable Preview Builds |
| Device Scheduling | Disabled | Disabled |
| Enable Device Scheduling | Enable | Enable |
| Configure Automatic Update Behavior | Updates automatically download and install at an optimal time determined by the device | Updates automatically download and install at an optimal time determined by the device |
| Configuration Deadline Daily Reboot | Disabled | Disabled |
| Feature Update (Days) | 7 | 7 |
| Quality Update (Days) | 7 | 7 |
| Grace Period (Days) | 2 | 2 |
| Update Behavior | Disabled | Disabled |
| Disable Dual Scan | n/a | Yes |
| Allow Windows Update Service | n/a | No |
| Allow Microsoft Application Updates | No | No |
| Feature Update Uninstall Period (Days) | 10 | 10 |
| Defer Feature Updates (Days) | 365 | 365 |
| Defer Quality Updates (Days) | 7 | 7 |
| Exclude Windows Drivers from Quality Updates | No | No |
| Disable Safe Guard | No | No |
| Allow Non-Microsoft Signed Update | n/a | No |
| Device Behavior | Disabled | Disabled |
| Allow Auto Windows Update Download Over Metered Network | No | No |
| Ignore Cellular Data Download Limit for Application Updates | Yes | Yes |
| Ignore Cellular Data Download Limit for System Updates | Yes | Yes |
| Delivery Optimization | Disabled | Disabled |
| Caching Source | Peer mode | Peer mode |
| Hosted Mode Cache Host Source | DHCP Option ID | DHCP Option ID |
| Hosted Mode Cache Host | | |
| Download Mode | HTTP Blended with Peering Behind the Same NAT | HTTP Blended with Peering Behind the Same NAT |
| Max Cache Age (Days) | 0 | 0 |
| Cache Drive | | |
| Absolute Max Cache Size (GB) | 20 | 20 |
| Allow VPN Peer Caching | No | No |
| Minimum Size to Cache (MB) | 50 | 50 |
| Non-Peer Download Delay: Foreground download delay (seconds) | 60 | 60 |
| Non-Peer Download Delay: Background download delay (seconds) | 60 | 60 |
| Network | Disable | Disable |
| Foreground Download Bandwidth (KB/s) | 0 | 0 |
| Background Download Bandwidth (KB/s) | 0 | 0 |
| Minimum Background QoS (KB/s) | 200 | 200 |
| Monthly Upload Data Limit (GB) | 0 | 0 |
| Restrict Peer Selection by Subnet | No | No |
| Device Requirements for Caching | Disable | Disable |
| Minimum Battery Limit (Percent) | 40 | 40 |
| Minimum Available Storage (GB) | 32 | 32 |
| Minimum Available Memory (GB) | 4 | 4 |
| Network Bandwidth Limitation | Disabled | Disabled |
| Time Period (Start) | 6:00 AM | 6:00 AM |
| Time Period (End) | 6:00 AM | 6:00 AM |
| Background Download Limit During Time Period (Percent) | 20 | 20 |
| Background Download Limit Outside of Time Period (Percent) | 20 | 20 |
| Foreground Download Limit During Time Period (Percent) | 20 | 20 |
| Foreground Download Limit Outside of Time Period (Percent) | 20 | 20 |
| OS Version | Disabled | Disabled |
| Target Release Version | | |
| Target Product Version | Windows 10 | Windows 10 |
When configuring profiles, ensure that Windows Active Directory GPOs do not have any Windows Update settings configured to avoid conflicts. As a best practice, Workspace ONE UEM should be the single source for Windows Update settings.
Although the maximum deferral period for Quality Updates is 30 days, deferring that long is not recommended, because a specific update may be superseded before it is ever deployed. For example, if an update released on Patch Tuesday is superseded 20 days later without having been deployed, the original update is no longer offered. A long deferral also lengthens the window in which devices remain exposed to the vulnerabilities the update fixes. For these reasons, Windows Updates should not be configured at the maximum deferral but deployed as soon as reasonably practicable, optimally within 14 days.
Deployment Rings
The concept of Deployment Rings is a proven and effective methodology for applying Windows Updates. By propagating an update to rings of devices over a period of time rather than to every device at once, a problem update surfaces in a small population first and can be paused or rolled back before it reaches the rest of the fleet. The following is an example of a Deployment Ring:
Figure 5: Sample Windows Update Deployment Ring
Smart Groups
Within Workspace ONE UEM, profiles based on Smart Groups are used to deploy Windows Updates to devices. When creating or modifying a Windows profile, a subset of devices may be determined by Smart Group membership. Carefully consider Smart Group membership applicability for deployment rings and ensure that no Windows devices are inadvertently omitted.
Figure 6: Windows Profile sample Smart Group membership
Smart Groups that are designated within the Profile(s) that address Windows Updates should be based only on Windows devices. At a minimum, the Platform and Operating System criteria should be designated as Windows. Optionally, specific versions could be selected.
To modify or create a Smart Group, go to Groups & Settings > Groups > Assignment Groups.
For example, if an administrator wishes to create a Smart Group that includes all versions of Windows 11 devices, the following could be configured:
Figure 7: Configuring a Smart Group based on all Windows 11 devices
Additional criteria such as tags may be applied as part of the Smart Group configuration.
Sensors
When determining eligibility for Windows Updates deployment rings, Sensors may be a useful tool. In addition to the built-in sensors, administrators may create new sensors to query devices.
For example, if a minimum of 10 GB is required to install a Feature Update, first querying all Windows devices for available disk space would enable administrators to know which devices can and cannot accept the update. Devices that can accept the Feature Update could be placed into a deployment ring for immediate installation, whereas the other devices could be deferred. In this example, reviewing and assigning the built-in os_disk_free_space sensor would be useful:
Figure 8: Sensor: os_disk_free_space
Sensors must be subsequently assigned to a Smart Group.
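As an added example (not part of the original tutorial, and not the built-in os_disk_free_space sensor), the following PowerShell script is a custom Workspace ONE UEM sensor that implements the free-space check described above. It returns TRUE when the OS drive has at least 10 GB free, the tutorial's example figure; the threshold and a Boolean sensor type are assumptions.

```powershell
# Added example, not from the original tutorial: a custom Workspace ONE UEM
# sensor that reports whether the OS drive has enough free space for a
# Feature Update. A Windows sensor returns whatever the script writes to
# stdout; this one returns TRUE/FALSE for a sensor of type Boolean.
# The 10 GB threshold is the tutorial's example figure (an assumption, not a
# Microsoft-published minimum); adjust it to the update being staged.

$RequiredFreeGB = 10

# The OS drive is whichever drive hosts %SystemRoot% (normally C:).
$osDrive = (Get-Item -Path $env:SystemRoot).PSDrive.Name

# Win32_LogicalDisk reports FreeSpace in bytes for the mounted volume.
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='${osDrive}:'"

if (-not $disk) {
    # Fail closed: a device whose disk cannot be measured should not be
    # placed in the immediate-install ring.
    Write-Output 'FALSE'
    exit
}

$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)

if ($freeGB -ge $RequiredFreeGB) {
    Write-Output 'TRUE'
} else {
    Write-Output 'FALSE'
}
```

Deploy the sensor to the all-Windows Smart Group and use the reported value to decide ring membership. If more than one threshold is needed (for example, different Feature Updates of different sizes), have the sensor return the raw free gigabytes as an Integer instead and apply the threshold when evaluating the results.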
Pause, Resume, Rollback
After Windows Updates have started to deploy, it may be necessary to pause, resume, or roll back. For example, if a specific update causes an issue, rolling it back or pausing it may be necessary. Once the issue is resolved, deployment can be resumed.
Pause, resume, and rollback may now be executed directly within the Workspace ONE UEM console; it is no longer necessary to execute scripts to enable this functionality.
Figure 9: Pause, Resume, and Rollback within the console
Pause, Resume, and Rollback may be based on the entire profile or individual devices. When quality updates are paused or rolled back, a warning screen is presented:
Figure 10: Rollback warning
Pause and rollback should be used with caution because both prevent new quality updates from installing for 35 days.
Reporting and Troubleshooting
This section addresses some questions about reporting and troubleshooting Windows Update management.
What are the best initial steps to take when investigating an issue related to Windows Update?
When you’re in detective mode, start with options within the Workspace ONE UEM console. If you are unable to find the needed answers, you may need to access the Windows device.
The sources outlined below should be the first steps taken to address Windows Updates issues:
Figure 11: Windows Update issue resolution options
Note that the Update Sample Query and Troubleshooting options are reached from the Devices tab. After locating the device in the Dashboard or List View, open the device record: Update Sample Query is under More Actions in the upper-right corner, and Troubleshooting is an option in the More drop-down.
In addition, Workspace ONE Intelligence is a useful source of Windows Update status data. Reports such as Daily Risk Scoring may be useful.
How do I check the status of a specific Windows update? – I want to see whether a specific security update has been applied to certain devices.
To see the status of Windows Updates within your environment, go to Resources > Devices Updates > Update Overview.
Figure 12: Administrative view of Windows Updates
The administrator can drill down on the specific KB number to learn more about the status, as well as to view the Microsoft KB.
Note that if a specific update was superseded before devices installed it, it may never have been installed and therefore not appear in this list.
I need to see the complete status of all Windows Updates. In the past, Workspace ONE UEM Windows Update reports could be inaccurate because only one type of data point was consulted. With three data sources, the UEM console now gives administrators a full and accurate view of the status of all updates in the environment.
An administrator can select a device and view its Updates tab for a holistic view of all updates installed on that device. Update status is now queried through the Windows Update Agent (WUA), DISM, and WMI. Because the three sources are cross-checked, a device's update status is far less likely to be misreported because of a blind spot in any single source.
Figure 13: Device report showing Windows Updates by source
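To see on the device itself why the three sources can disagree, here is an added PowerShell example (not part of the original tutorial or of the Workspace ONE agent) that checks a single KB against WUA, DISM, and WMI. The default KB number is a placeholder and an assumption; pass the KB under investigation.

```powershell
# Added example, not from the original tutorial: check one KB on a device
# through the same three sources the UEM Updates tab draws on (WUA, DISM,
# WMI). Run elevated; Get-WindowsPackage needs it. The default KB number is a
# placeholder (an assumption); pass the KB you are investigating.
param([string]$Kb = 'KB5034122')

$report = [ordered]@{ KB = $Kb }

# 1. Windows Update Agent (WUA) COM API: the agent's own install history.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$wuaHit   = $null
if ($count -gt 0) {
    # OperationResultCode: 2 = Succeeded, 3 = Succeeded with errors.
    $wuaHit = $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Title -like "*$Kb*" -and $_.ResultCode -in 2, 3 } |
        Sort-Object Date -Descending | Select-Object -First 1
}
$report.WUA = if ($wuaHit) { "installed $($wuaHit.Date)" } else { 'not in WUA history' }

# 2. DISM servicing stack: package state in the component store. This source
#    also sees updates applied offline or by tooling other than the agent.
$dismHit = Get-WindowsPackage -Online | Where-Object { $_.PackageName -like "*$Kb*" }
$report.DISM = if ($dismHit) { ($dismHit.PackageState | Sort-Object -Unique) -join ', ' } else { 'no package' }

# 3. WMI Win32_QuickFixEngineering (what Get-HotFix reads). It lists only
#    some update types, so a miss here alone is not proof of absence.
$wmiHit = Get-CimInstance -ClassName Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq $Kb }
$report.WMI = if ($wmiHit) { "installed $($wmiHit.InstalledOn)" } else { 'not listed' }

[pscustomobject]$report
```

A KB that shows as Installed in DISM but is absent from WUA history was typically applied outside the agent (for example, by an image or a manual .msu install), and one that WUA reports as succeeded but DISM does not list may have been superseded by a later cumulative package. Reading all three before escalating avoids chasing a "missing" update that is actually present.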
I have encountered issues transitioning from the Windows Update (Legacy) profile to the Windows Update profile. Suppose that a Windows Update (Legacy) profile had been in use for WSUS. After moving to Windows Update for Business, a new Windows Update profile was created and configured because the Windows Update source cannot be modified within a profile. Now most devices are functioning properly, but some devices are not installing Windows Updates.
The first step is to ensure that the Windows Update (Legacy) profile has been properly unlinked/disabled and the new Windows Update policy has been configured and applied correctly. In particular, examine the Smart Group designation.
Secondarily, it is possible that some residual impact of the old policy remains on the Windows device, and this can be validated by checking registry keys on the Windows device.
Figure 14: Main Windows registry keys impacted by legacy and new Windows Update policies
The next step is to determine which source the device is using for Windows Updates by checking the following registry value:
HKLM\Software\Microsoft\PolicyManager\current\device\Update\UpdateServiceUrl
If this value still points to the previous Windows Update source, the new Windows Update policy has not been applied properly and/or stale settings from the old policy have not been replaced.
It may be necessary to remove the Windows Update registry keys from the following location:
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
Of course, the registry should be backed up before making any changes.
If the Windows device still does not properly apply Windows Updates, it may be necessary to reset Windows Update components.
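The following PowerShell script is an added example (not part of the original tutorial) that performs the device-side checks described in this answer and in the GPO-conflict note under Windows Update Policy Options: it reads the MDM-delivered Update policy from the PolicyManager key, looks for legacy WSUS settings under the Policies key, flags a quality deferral longer than the tutorial's 14-day recommendation, and, only on request, backs up and removes the legacy key or resets the Windows Update components. The two key paths are the ones named above; the value names (UpdateServiceUrl, DeferQualityUpdatesPeriodInDays, DeferFeatureUpdatesPeriodInDays, WUServer, UseWUServer) are the standard ones stored under those keys, and the backup file location is an assumption.

```powershell
# Added example, not from the original tutorial: audit which update source a
# device is really using and whether legacy GPO/WSUS settings survive next to
# the MDM policy that Workspace ONE wrote. The two key paths are the ones the
# tutorial names; the value names are the standard ones stored under them.
# Run elevated. Nothing is changed unless -RemoveLegacy or -ResetComponents
# is passed, and the legacy key is exported to a .reg backup before removal.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$RemoveLegacy,
    [switch]$ResetComponents,
    # Backup location is an assumption; change to suit your environment.
    [string]$BackupPath = "$env:ProgramData\WindowsUpdatePolicy_$(Get-Date -Format yyyyMMdd_HHmmss).reg"
)

$mdmKey    = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$legacyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null rather than throwing when the key or value is absent.
    if (Test-Path -Path $Path) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
}

# What the UEM profile delivered through the Update CSP.
$mdmUrl    = Get-RegValue $mdmKey 'UpdateServiceUrl'
$mdmDeferQ = Get-RegValue $mdmKey 'DeferQualityUpdatesPeriodInDays'
$mdmDeferF = Get-RegValue $mdmKey 'DeferFeatureUpdatesPeriodInDays'

# What a domain GPO or the old Windows Update (Legacy) profile would have left.
$wuServer    = Get-RegValue $legacyKey 'WUServer'
$useWUServer = Get-RegValue "$legacyKey\AU" 'UseWUServer'

if ($mdmUrl) {
    "MDM policy: UpdateServiceUrl = $mdmUrl (device scans WSUS)"
} else {
    "MDM policy: no UpdateServiceUrl (device scans Microsoft Update / Windows Update for Business)"
}
"MDM policy: defer quality $mdmDeferQ day(s), defer feature $mdmDeferF day(s)"

if ($null -ne $mdmDeferQ -and [int]$mdmDeferQ -gt 14) {
    Write-Warning "Quality deferral of $mdmDeferQ days exceeds the 14-day recommendation; devices stay unpatched longer."
}

if ($wuServer -or $useWUServer -eq 1) {
    Write-Warning "Legacy WSUS settings present: WUServer='$wuServer', UseWUServer=$useWUServer. These conflict with the UEM profile."
    if ($RemoveLegacy -and $PSCmdlet.ShouldProcess($legacyKey, 'export backup and remove')) {
        # reg.exe wants the hive path without the PowerShell provider prefix.
        & reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' $BackupPath /y | Out-Null
        Remove-Item -Path $legacyKey -Recurse -Force
        "Removed $legacyKey; backup at $BackupPath"
    }
} else {
    'No legacy WSUS settings found.'
}

if ($ResetComponents -and $PSCmdlet.ShouldProcess('Windows Update components', 'reset')) {
    # Last resort: stop the agent, set aside its download/datastore cache,
    # and let it rebuild on the next scan.
    Stop-Service -Name wuauserv, bits -Force
    $sd = "$env:SystemRoot\SoftwareDistribution"
    if (Test-Path -Path $sd) {
        Rename-Item -Path $sd -NewName "SoftwareDistribution.old_$(Get-Date -Format yyyyMMddHHmmss)"
    }
    Start-Service -Name bits, wuauserv
    'Windows Update components reset; trigger a scan or a device sync.'
}
```

Run it first with no switches to get the report; add -RemoveLegacy -WhatIf to see what would be removed, then -RemoveLegacy to do it. Because the Update CSP also mirrors some of its settings into the Policies key, force a device sync (or wait for the next one) after removing that key so the UEM profile is reapplied, then rescan for updates before reaching for -ResetComponents.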
Summary and Additional Resources
This document provided a comprehensive guide to managing Windows updates with Workspace ONE UEM, covering key concepts such as deployment rings, smart groups, sensors, and troubleshooting steps.
Additional Resources
For more information about Windows Modern Management with Workspace ONE, you can explore the following resources:
Getting Started with Windows Modern Management
Windows Onboarding
Windows Security and Policy Management
Deploying VMware Workspace ONE Tunnel: Workspace ONE Operational Tutorial
Windows Application Management
Windows Troubleshooting
Changelog
The following updates were made to this guide:
| Date | Description of Changes |
|---|---|
| 2024/02/27 | Complete rewrite of this guide published. |
About the Author and Contributors
This tutorial was written by Jo Harder, Senior Technical Marketing Architect, EUC Division, Broadcom and reviewed by:
- Saurabh Jhunjhunwala, EUC Customer Success Architect, EUC Division, Broadcom
- Grischa Ernst, EUC Product Manager, EUC Division, Broadcom
Feedback
Your feedback is valuable.
To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.