Managing Updates for Windows Devices: Workspace ONE Operational Tutorial

Overview

Workspace ONE® UEM (Unified Endpoint Management) and its lifecycle approach for Windows Updates reduce administrative effort and streamline the propagation of updates to Windows devices, including the means to selectively deploy Windows Updates to all devices or to a subset of them.

This operational tutorial walks you through the administrative options and deployment steps to maximize your Workspace ONE environment. Whether administering Windows 10, Windows 11, or planning for Windows 12, this tutorial helps you understand:

  • Options for deploying and managing Windows updates.
  • How to create distribution rings using smart groups, set up a patching policy, and build a Windows Updates profile.
  • Where and how to assess the status of Windows Update patches in the Workspace ONE admin portal and on client devices.
  • Troubleshooting steps that address how to remedy overall and intermittent Windows Update issues.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators with the following knowledge proficiencies:

  • Windows desktop operating systems (Windows 10, Windows 11, and/or Windows 12 early planning).
  • Active Directory, and/or Azure Active Directory.
  • Basic technical understanding of Workspace ONE UEM.

Windows Updates Overview

The Workspace ONE UEM update service for Windows desktops provides tailored functionality to address the complex constraints of managing updates for your enterprise. The Workspace ONE UEM update-as-a-service model not only automates and propagates all types of Windows Updates, but it also enables administrators to pause, resume, or roll back updates. In addition to managing and maintaining a successful Windows Update strategy, Workspace ONE UEM provides detailed reports and metrics to indicate success and identify issues.

Workspace ONE UEM Windows Update Process Flow

Managing Windows Updates with Workspace ONE UEM is based on the following process flow:


Figure 1: Windows Update process flow

  1. Workspace ONE UEM managed Windows desktop devices reach out to Microsoft Update source to query available updates.
  2. A list of KBs/Updates is sent back to the device in the form of metadata.
  3. Devices report available updates to Workspace ONE UEM on the next Windows Update sample interval.
  4. If Workspace ONE Intelligence is integrated, updates data is also sent to Workspace ONE Intelligence.
  5. Following the next update scan by the device or manual scan by the user, the device will fetch the authorized updates from either a peer device or Windows Update source, depending on configuration within the Workspace ONE UEM console.

As a best practice, Windows Update for Business and peer-to-peer sharing are recommended because these options save system, network, and administrative resources.

Key Considerations for Successful Windows Update Creation

When configuring Windows Update via Workspace ONE UEM, several key considerations and settings should be understood. Each of these items is detailed within this document.

  • Windows Update Source and Types: Differentiation between Windows Update for Business or Windows Server Update Service, as well as deployment considerations associated with specific types of Windows Updates.
  • Windows Update Configuration: Profile settings and configuration options, including deployment rings and related impact. 
  • Reporting and Troubleshooting: Check the status of Windows Updates and determine whether subsequent action is necessary, as well as steps to remedy Windows Update issues.

Windows Update Source and Types

The source for Windows Updates can be Windows Update for Business or Windows Server Update Services (WSUS). Workspace ONE functions equally well via either mechanism; however, Windows Update for Business is recommended for Workspace ONE UEM due to its cloud-based functionality and minimal administration.


Figure 2: Windows Update source comparison

Several types of Windows Updates are applicable for Windows devices. This document focuses on Feature and Quality Updates. For a complete description of Windows Update types, see the Microsoft Learn documentation.

Feature and quality updates may be directly controlled by administrators within Workspace ONE UEM, and this document will thus focus on the configuration of these types of updates:

  • Feature Updates are released annually and contain new features and functionality. For example, the final feature release for Windows 10 was 2H22.
  • Quality Updates are typically released as part of monthly “Patch Tuesday” but may be released at any time. Quality updates are cumulative and address both security and non-security issues. Quality updates may be configured to include Windows drivers and/or Microsoft application updates.

Windows Update Configuration

Before delving into how to configure Windows Updates, below is an overview of the activity flow when a new Windows Update becomes available:


Figure 3: Windows Update activity flow

As shown in Figure 3, several key settings impact the behavior of Windows Updates after fetching, namely:

  • Windows Update Policies, including numerous configurations such as scheduling, deployment based on update type, and reboot requirements.
  • Deployment Rings, including the manual creation of subsets of devices based on Smart Group designation.
  • Pause/Resume/Rollback, whether for specific devices or the entire profile.

Windows Update Policies

Windows Update policy options are designated based on the following steps as defined for a new profile configuration:


Figure 4: Creating Device Profile for Windows Update

Where an existing profile needs to be modified, the administrator would instead select the existing profile and change specific settings accordingly. The designated Windows Update source cannot be subsequently changed after profile creation; it is necessary to create a new profile if the Windows Update source is later modified. For example, if your enterprise currently uses WSUS as the source and then transitions to Windows Update for Business, it is necessary to create a new Windows device profile.

Windows Update Policy Options

Within Workspace ONE UEM, available options and recommended selections vary slightly based on the Windows Update source. For example, WSUS includes configuration options within the Definition section that are not applicable to Microsoft Update Service.

The following chart compares the Windows Update policy options and respective default settings based on selecting the source as Windows Update Services vs. WSUS:

 

Section headings (Definition, Device Scheduling, Update Behavior, Device Behavior, Delivery Optimization, OS Version) appear as their own rows; where a section row carries a value, that value is the default state of the section as a whole. An empty cell means the setting has no preset default (for example, the WSUS Server URL is entered by the administrator).

Item | Microsoft Update Service Default Setting | WSUS Default Setting
--- | --- | ---
Definition | |
Windows Update Source | [default] |
WSUS Server URL | n/a |
Proxy Behavior | n/a | Allow system proxy only for HTTP scans
Telemetry | n/a | 0 - Security
Update Branch | General Availability Channel (Targeted) | General Availability Channel (Targeted)
Manage Preview Builds | Disable Preview Builds | Disable Preview Builds
Device Scheduling | Disabled | Disabled
Enable Device Scheduling | Enable | Enable
Configure Automatic Update Behavior | Updates automatically download and install at an optimal time determined by the device | Updates automatically download and install at an optimal time determined by the device
Configuration Deadline Daily Reboot | Disabled | Disabled
Feature Update (Days) | 7 | 7
Quality Update (Days) | 7 | 7
Grace Period (Days) | 2 | 2
Update Behavior | Disabled | Disabled
Disable Dual Scan | n/a | Yes
Allow Windows Update Service | n/a | No
Allow Microsoft Application Updates | No | No
Feature Update Uninstall Period (Days) | 10 | 10
Defer Feature Updates (Days) | 365 | 365
Defer Quality Updates (Days) | 7 | 7
Exclude Windows Drivers from Quality Updates | No | No
Disable Safe Guard | No | No
Allow Non-Microsoft Signed Update | n/a | No
Device Behavior | Disabled | Disabled
Allow Auto Windows Update Download Over Metered Network | No | No
Ignore Cellular Data Download Limit for Application Updates | Yes | Yes
Ignore Cellular Data Download Limit for System Updates | Yes | Yes
Delivery Optimization | Disabled | Disabled
Caching Source | Peer mode | Peer mode
Hosted Mode Cache Host Source | DHCP Option ID | DHCP Option ID
Hosted Mode Cache Host | |
Download Mode | HTTP Blended with Peering Behind the Same NAT | HTTP Blended with Peering Behind the Same NAT
Max Cache Age (Days) | 0 | 0
Cache Drive | |
Absolute Max Cache Size (GB) | 20 | 20
Allow VPN Peer Caching | No | No
Minimum Size to Cache (MB) | 50 | 50
Non-Peer Download Delay: Foreground download delay (in seconds) | 60 | 60
Non-Peer Download Delay: Background download delay (in seconds) | 60 | 60
Network | Disable | Disable
Foreground Download Bandwidth (KB/s) | 0 | 0
Background Download Bandwidth (KB/s) | 0 | 0
Minimum Background QoS (KB/s) | 200 | 200
Monthly Upload Data Limit (GB) | 0 | 0
Restrict Peer Selection by Subnet | No | No
Device Requirements for Caching | Disable | Disable
Minimum Battery Limit (Percent) | 40 | 40
Minimum Available Storage (GB) | 32 | 32
Minimum Available Memory (GB) | 4 | 4
Network Bandwidth Limitation | Disabled | Disabled
Time Period (Start) | 6:00 AM | 6:00 AM
Time Period (End) | 6:00 AM | 6:00 AM
Background Download Limit During Time Period (Percent) | 20 | 20
Background Download Limit Outside of Time Period (Percent) | 20 | 20
Foreground Download Limit During Time Period (Percent) | 20 | 20
Foreground Download Limit Outside of Time Period (Percent) | 20 | 20
OS Version | Disabled | Disabled
Target Release Version | |
Target Product Version | Windows 10 | Windows 10

When configuring profiles, ensure that Active Directory GPOs do not have any Windows Update settings configured, because conflicting settings from two sources produce unpredictable results on the device. As a best practice, Workspace ONE UEM should be the single source of Windows Update settings.

Although the maximum deferral period for Quality Updates is 30 days, this lengthy timeframe is not recommended because specific updates may be superseded before they propagate. For example, if an update is released on “Patch Tuesday” and then superseded 20 days later without having been deployed, the original update would no longer be available, and devices deferring it would have missed that month's fixes until the superseding update clears the deferral. For this reason, Windows Updates should not be configured at the maximum deferral period but instead for deployment as soon as reasonably practicable, optimally within 14 days.

Deployment Rings

The concept of Deployment Rings is a proven and effective methodology for applying Windows Updates. By systematically propagating Windows Updates to devices over a period of time rather than all at once, users are ensured a better experience. The following is an example of a Deployment Ring:


Figure 5: Sample Windows Update Deployment Ring

Smart Groups

Within Workspace ONE UEM, profiles based on Smart Groups are used to deploy Windows Updates to devices. When creating or modifying a Windows profile, a subset of devices may be determined by Smart Group membership. Carefully consider Smart Group membership applicability for deployment rings and ensure that no Windows devices are inadvertently omitted.


Figure 6: Windows Profile sample Smart Group membership

Smart Groups that are designated within the profile(s) that address Windows Updates should include only Windows devices. At a minimum, the Platform and Operating System criteria should be set to Windows. Optionally, specific versions can be selected.

To modify or create a Smart Group, go to Groups & Settings > Groups > Assignment Groups.

For example, if an administrator wishes to create a Smart Group that includes all versions of Windows 11 devices, the following could be configured:


Figure 7: Configuring a Smart Group based on all Windows 11 devices

Additional criteria such as tags may be applied as part of the Smart Group configuration.

Sensors

When determining eligibility for Windows Updates deployment rings, Sensors may be a useful tool. In addition to the built-in sensors, administrators may create new sensors to query devices.

For example, if a minimum of 10 GB is required to install a Feature Update, first querying all Windows devices for available disk space would enable administrators to know which devices can and cannot accept the update. Devices that can accept the Feature Update could be placed into a deployment ring for immediate installation, whereas the other devices could be deferred. In this example, reviewing and assigning the built-in os_disk_free_space sensor would be useful:


Figure 8: Sensor: os_disk_free_space

Sensors must be subsequently assigned to a Smart Group.
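The disk-space scenario above, as an added example of a custom sensor script written for this tutorial (it is not the code of the built-in os_disk_free_space sensor, whose implementation is not shown here). It assumes the sensor is created in Workspace ONE UEM as a PowerShell sensor running in the System context with an Integer response type, and that the 10 GB threshold of the Feature Update example is the value the administrator wants to filter on.

```powershell
# Added example: custom Workspace ONE UEM sensor returning free space on the OS drive, in whole GB.
# Assumptions: PowerShell sensor, System context, Integer response type.
# A sensor's value is whatever the script writes to standard output, so exactly one value is emitted.

$osDrive = $env:SystemDrive   # e.g. "C:"; the OS drive is what a Feature Update needs space on
$volume  = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$osDrive'"

if ($null -eq $volume) {
    # Report -1 rather than nothing, so a device that cannot be queried is visible in the sensor data
    # instead of silently dropping out of the deployment ring filter.
    Write-Output -1
    return
}

$freeGB = [math]::Floor($volume.FreeSpace / 1GB)
Write-Output $freeGB
```

With the value collected, a Smart Group for the "install now" ring can filter on this sensor being at or above 10 (the constructed threshold), and a second ring can take the remainder; returning -1 on failure keeps unreachable devices from being mistaken for devices with ample space.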

Pause, Resume, Rollback

After Windows Updates have started to deploy, it may be necessary to pause, resume, or roll back. For example, if a specific update causes an issue, rolling it back or pausing it may be necessary. Once the issue is resolved, deployment can be resumed.

Pause, resume, and rollback may now be executed directly within the Workspace ONE UEM console; it is no longer necessary to execute scripts to enable this functionality.


Figure 9: Pause, Resume, and Rollback within the console

Pause, Resume, and Rollback may be based on the entire profile or individual devices. When quality updates are paused or rolled back, a warning screen is presented:


Figure 10: Rollback warning

Pause and rollback should be used with caution because both will prevent new quality updates from installing for 35 days.

Reporting and Troubleshooting

This section addresses some questions about reporting and troubleshooting Windows Update management.

What are the best initial steps to take when investigating an issue related to Windows Update?

When you’re in detective mode, start with options within the Workspace ONE UEM console. If you are unable to find the needed answers, you may need to access the Windows device.

The sources outlined below should be the first steps taken to address Windows Updates issues:


Figure 11: Windows Update issue resolution options

Note that the Update Sample Query and Troubleshooting tabs are accessed under the Devices tab. After locating the device within the Dashboard or List View, the administrator can elect either of these actions. More Actions is located in the upper-right corner, whereas the Troubleshooting tab is a drop-down option from the More button.

In addition, Workspace ONE Intelligence is a useful tool for Windows Update status data. Reports such as Daily Risk Scoring may be useful.

How do I check the status of a specific Windows update? – I want to see whether a specific security update has been applied to certain devices.

To see the status of Windows Updates within your environment, go to Resources > Devices Updates > Update Overview.


Figure 12: Administrative view of Windows Updates

The administrator can drill down on the specific KB number to learn more about the status, as well as to view the Microsoft KB.

Note that if a specific update was quickly superseded, it may not have been installed and thus not appear on this list.

I need to see the complete status of all Windows Updates. In the past, Workspace ONE UEM Windows Update reports may sometimes have reflected inaccuracies because only one type of data point was accessed. With three data sources, the UEM Console now enables administrators to get a full and accurate view of the status of all updates within the environment.

After locating a device, an administrator can select it and view the Updates tab for a holistic view of all updates that have been installed on the device. The update sources now include queries based on the Windows Update Agent (WUA), DISM, and WMI. Because these three sources are combined, the accuracy and validity of the Windows Update status is improved: an update missing from one inventory (for example, a cumulative update that the servicing stack records under a package name rather than a KB number) is still reported by the others.


Figure 13: Device report showing Windows Updates by source
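The three inventories named above, queried side by side, as an added example written for this tutorial (not Workspace ONE UEM's own collection code). It assumes an elevated Windows PowerShell 5.1 session on the device under investigation and uses only built-in interfaces: the WUA COM API, the DISM cmdlets, and the Win32_QuickFixEngineering WMI class. The KB number assigned to $target is a placeholder to be replaced with the update being checked.

```powershell
# Added example: build a per-KB presence table from the WUA, DISM, and WMI inventories.
# Assumption: run elevated (Get-WindowsPackage -Online requires it) in Windows PowerShell 5.1.

$kbPattern = 'KB\d{6,7}'

# 1. Windows Update Agent: installation history via the COM API.
#    Operation 1 = installation, ResultCode 2 = succeeded.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$wuaKBs   = @()
if ($count -gt 0) {
    $wuaKBs = $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 } |
        ForEach-Object { [regex]::Matches($_.Title, $kbPattern) | ForEach-Object { $_.Value } } |
        Sort-Object -Unique
}

# 2. DISM: the servicing stack's list of installed packages.
#    Cumulative updates are often named Package_for_RollupFix without a KB, so this view is expected to
#    be incomplete on its own; that is precisely why the console does not rely on a single source.
$dismKBs = Get-WindowsPackage -Online |
    Where-Object { $_.PackageState -eq 'Installed' } |
    ForEach-Object { [regex]::Matches($_.PackageName, $kbPattern) | ForEach-Object { $_.Value } } |
    Sort-Object -Unique

# 3. WMI: Win32_QuickFixEngineering, the class behind Get-HotFix.
$wmiKBs = Get-CimInstance -ClassName Win32_QuickFixEngineering |
    Select-Object -ExpandProperty HotFixID |
    Sort-Object -Unique

# Union of all three, with one column per source.
$allKBs = @($wuaKBs) + @($dismKBs) + @($wmiKBs) | Sort-Object -Unique
$report = foreach ($kb in $allKBs) {
    [pscustomobject]@{
        KB   = $kb
        WUA  = ($wuaKBs  -contains $kb)
        DISM = ($dismKBs -contains $kb)
        WMI  = ($wmiKBs  -contains $kb)
    }
}
$report | Format-Table -AutoSize

# Check one specific update, as in the question above.
$target = 'KB0000000'   # placeholder; replace with the KB number being verified
$hit = $report | Where-Object { $_.KB -eq $target }
if ($hit) { $hit } else { "$target not found in any of the three inventories" }
```

Rows where only one or two columns are True are the cases the single-source reports used to get wrong; when a security update shows as absent everywhere on a device that should have it, the next stop is the Update Sample Query and Troubleshooting tabs described earlier.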

I have encountered issues transitioning from the Windows Update (Legacy) profile to the Windows Update profile. Suppose that a Windows Update (Legacy) profile had been in use for WSUS. After moving to Windows Update for Business, a new Windows Update profile was created and configured because the Windows Update source cannot be modified within a profile. Now, most devices are functioning properly, but some devices are not installing Windows Updates.

The first step is to ensure that the Windows Update (Legacy) profile has been properly unlinked/disabled and the new Windows Update policy has been configured and applied correctly. In particular, examine the Smart Group designation.

Second, it is possible that some residual effect of the old policy remains on the Windows device, and this can be validated by checking registry keys on the Windows device.


Figure 14: Main Windows registry keys impacted by legacy and new Windows Update policies

The next step is to ascertain which resource is being accessed for Windows Updates by checking the following registry key:

HKLM\Software\Microsoft\PolicyManager\current\device\Update\UpdateServiceUrl

If this value points to the previous Windows Update resource (for example, the old WSUS server URL), the new Windows Update policy has not been applied properly, and/or the outdated settings have not been correctly replaced.

It may be necessary to remove the Windows Update registry keys from the following location:

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

The affected registry key should be exported as a backup before making any changes, so that the previous state can be restored if removal does not resolve the issue.
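The registry checks and the backup described in the steps above, as an added example written for this tutorial (not a script from the Workspace ONE product). It assumes an elevated Windows PowerShell session on the affected device; it reads the two locations named above, exports the policy key with reg.exe before anything is changed, and leaves the removal step in -WhatIf mode so it only reports what would be deleted until the administrator has verified the backup.

```powershell
# Added example: inspect the Windows Update policy registry locations and back them up before cleanup.
# Assumption: elevated Windows PowerShell on the device that is not installing updates.

$mdmKey    = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policyKeyRegExe = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'   # reg.exe syntax, no PSDrive prefix

# 1. Which update source is the MDM-delivered (Workspace ONE UEM) policy pointing at?
$url = (Get-ItemProperty -Path $mdmKey -Name 'UpdateServiceUrl' -ErrorAction SilentlyContinue).UpdateServiceUrl
if ($url) {
    "MDM UpdateServiceUrl: $url   (a WSUS address here means the legacy source is still in effect)"
} else {
    "MDM UpdateServiceUrl is not set (expected when the source is Windows Update for Business)"
}

# 2. Are there leftover legacy-profile or GPO values under the Policies hive?
if (Test-Path $policyKey) {
    "Values present under $policyKey :"
    Get-ItemProperty -Path $policyKey | Select-Object * -ExcludeProperty PS* | Format-List
    $auKey = Join-Path $policyKey 'AU'
    if (Test-Path $auKey) {
        "Values present under $auKey :"
        Get-ItemProperty -Path $auKey | Select-Object * -ExcludeProperty PS* | Format-List
    }

    # 3. Back up the key before any change.
    $backup = Join-Path $env:TEMP ('WindowsUpdatePolicy-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export $policyKeyRegExe $backup /y | Out-Null
    if (Test-Path $backup) { "Backup written to $backup" } else { throw "Backup failed; not continuing" }

    # 4. Removal, shown with -WhatIf so nothing is deleted until the backup has been verified.
    #    Remove -WhatIf to perform the deletion; the exported .reg file restores the key if needed.
    Remove-Item -Path $policyKey -Recurse -WhatIf
} else {
    "No legacy policy key present at $policyKey; residual GPO settings are not the cause here"
}
```

After the key is removed, the device needs a fresh policy sync from Workspace ONE UEM and a Windows Update scan before the outcome can be judged; if updates still do not apply, the reset of the Windows Update components mentioned below is the next step.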

If the Windows device still does not properly apply Windows Updates, it may be necessary to reset Windows Update components.

Summary and Additional Resources

This document provided a comprehensive guide to managing Windows updates with Workspace ONE UEM, covering key concepts such as deployment rings, smart groups, sensors, and troubleshooting steps.

Additional Resources

For more information about Windows Modern Management with Workspace ONE, you can explore the following resources:

Getting Started with Windows Modern Management

Windows Onboarding

Windows Security and Policy Management

Deploying VMware Workspace ONE Tunnel: Workspace ONE Operational Tutorial

Windows Application Management

Windows Troubleshooting

Changelog

The following updates were made to this guide:

Date | Description of Changes
--- | ---
2024/02/27 | Complete rewrite of this guide published.

About the Author and Contributors

This tutorial was written by Jo Harder, Senior Technical Marketing Architect, EUC Division, Broadcom and reviewed by:

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
