Windows desktop: Understanding Windows Updates with Workspace ONE

Introduction

This article will discuss how to manage the latest Windows Update with Workspace ONE UEM.

In the traditional world, Windows desktop management is based on on-premises solutions, but Microsoft developed Windows 10 and 11 to be managed from anywhere with UEM solutions. This is called modern management.

Modern management sets a new standard for cloud-based management but also requires a new approach to the traditional solution. The same is true for Windows Update management.

Windows Update for Business (WUfB) is a solution Microsoft provides to keep devices updated. This article explores how the latest Windows Update requires a modern management approach.

Understanding Windows Updates

Workspace ONE UEM does not download updates directly from Windows Update Services. VMware has provided information on how Windows Update works in Workspace ONE.

To summarize, you can deploy the Windows Update profile to your devices, enabling them to download updates from the Windows Update Services via the Internet. It is also possible to use an on-premises solution like Windows Server Update Services (WSUS) servers.

For more details on how Windows Update works with Workspace ONE UEM, you can refer to this image from VMware TechZone.

Why are problems with Windows Update so common?

In theory, Microsoft provides two cloud service providers (CSPs) to manage Windows Updates with mobile device management solutions, Update CSP and Policy Update CSP. VMware has integrated Windows Update into the console and uses the configuration profile of both CSPs.

Microsoft has recently updated and published new online documentation about these CSPs. You can find all the details about these CSPs in the Microsoft online documents:

Update CSP - Windows Client Management | Microsoft Docs

Policy CSP - Update - Windows Client Management | Microsoft Docs

In short, Update CSP allows the administrator to manage and control updates with features such as approved updates, installed updates and rollbacks. Most of these features are limited. Finally, as you can see below, this CSP is not recommended.

As mentioned, Microsoft recommends using the Policy CSP Update. But in this CSP, you also have unsupported settings for Windows desktop devices.

If the IT administrator wants to control Windows Updates, the Policy CSP Update states that you can use the setting RequireUpdateApproval. This setting ensures you can restrict or approve the updates by category list. It is supported on Windows 10 but has yet to be supported on Windows 11.

On Microsoft Techcommunity, you can refer to published on January 19, 2022. This article does not recommend using this policy on other devices.

As you can see, these policies are not clear. The results of this policy on Windows 10 are often random and depend on other policy settings in your profile. When approving an update, the following policies will impact the update’s process for scanning and downloading:

• ActiveHoursStart
• ActiveHoursEnd
• ActiveHoursMaxRange
• DeferFeatureUpdatesPeriodInDays
• DeferQualityUpdatesPeriodInDays
• PauseQualityUpdates
• PauseFeatureUpdates

The process is described in more detail on TechZone, but implement it at your own risk, as you are unlikely to get any support if complications arise.

As you can see, there needs to be more clarity around Windows Update and what policies can be used or supported through Windows devices.

How to configure your Windows Update profile

Remember that WUfB was designed to protect Windows desktops and keep them updated. The following recommendations are based on our team’s experience and preferences.

In the Policy CSP Update, Microsoft provides multiple settings to manage Windows Updates successfully. Here’s what we suggest:

1. Change your approach and set the source of Windows Update to use the cloud-based Microsoft Update service. WUfB can be an excellent solution for specific use cases. For instance, it works well if you have Multiprotocol Label Switching (MPLS) for your entire site and only one internet connection point. Using WUfB will likely have no impact on the connection between your sites and the delivery optimization will not be more efficient than if using a local WSUS server. Regardless, for each use case you will have to create multiple policies with smart groups in Workspace ONE UEM.
2. Define the ring deployment policy. Microsoft requires you to configure Windows Update for automatic updates. Define multiple update rings with different settings, explained below.
3. Adjust your CSPs and settings. The Windows Update profile incorporates both CSPs and uses non-recommended settings. For simple Windows Update management, you can use the profile to set the settings on or off, which Microsoft does not recommend on desktop devices. To avoid issues, we recommend not using the Windows Update profile in the console and creating your profile with the recommended settings instead. You can use the VMwarePolicyBuilder website to generate your custom SyncML.
4. Create a dedicated profile to manage the quality update. To do this, you need a profile for each ring with different deferral periods, which allows you to control when the device can scan and install updates. If you can test these updates, refer to Microsoft's recommendations for validating them. If your IT team cannot test and validate the updates, you should set a longer period of days for your ring.
5. Profile dedicated Feature Updates to set and control the Windows version. You can use the native Microsoft CSP named TargetReleaseVersion.
6. Control and block the updates if you detect a problem. Create a dedicated profile to pause the devices. Pausing will block all updates on the devices.
7. (Optional)Configure dedicated delivery optimization. This will boost the distribution of these updates to your site to limit the impact of updates on bandwidth.

How to deploy a specific update

Microsoft has yet to provide a CSP for this or a modern solution, so you will have to use a traditional solution. You can do this by deploying a script to install specific updates. Several methods exist to install updates with a script, install a zero-day patch or force an update. In the future, VMware will roll out a new graphical user interface (GUI) with a dedicated menu to deploy such scripts on devices. This is already available on the CN137 UAT tenant for those with access to it.

Useful links for sample profile Windows Update scripts:

• From Github Vmware EUC
• From Other Github

Learn more about how Unisys can help you manage and secure all enterprise devices with Modern Device Management.