Windows Desktop - Understanding Windows Updates with Workspace ONE

Introduction

In this article, I will try to share my own experiences and expertise with Workspace ONE UEM and Windows Update management. This point doesn't really seem clear to all the customers I meet and who want to manage Windows Update with Workspace ONE UEM.

In the traditional world, Windows desktop management is based on some on-premises solutions, but Microsoft developed Windows 10 and now 11 to be managed from anywhere with MDM/UEM solutions. We call this modern management.

Modern management set a new standard for cloud-based management, but also required a new mindset and approach to the traditional solution. The same is true for Windows Update management.

Windows Update for Business (WUfB) is a solution provided by Microsoft to keep devices always up-to-date with Windows Update services. In this article, you will see that Windows Update management is now completely different and linked to modern management.

Understanding Windows Updates

Workspace ONE UEM does not download updates directly from Windows Update Services. VMware has provided us with all the information on how Windows Update works in Workspace ONE. In a nutshell, you deploy the Windows Update profile to the devices, after which the devices will download the updates from the Windows Updates Services over the Internet. It is also possible to use an on-premises solution like WSUS servers.

For more details on how Windows Update works with Workspace ONE UEM, you can refer to this image from VMware Techzone.

Why customers often have problems with Windows Update ?

There are probably several ways to think about this, but I'll get straight to the point. In theory, Microsoft provides two CSPs to manage Windows updates with MDM solutions, Update CSP and Policy Update CSP. VMware has integrated Windows Update into the console and uses the configuration profile of both CSPs.
Microsoft has recently updated and published new online documentation about these CSPs.

You can find all the details about these CSPs in the Microsoft online documents:

Update CSP - Windows Client Management | Microsoft Docs
Policy CSP - Update - Windows Client Management | Microsoft Docs

In short, Update CSP allows the administrator to manage and control updates with features such as approved updates, installed updates, rollbacks, etc... Most of these features are limited and don't do the trick. Finally, this CSP, as you can see below, is not recommended.

Capture screen from : Update CSP documentation

As we mentioned, Microsoft recommends using the CSP policy updates but "spoiler alert", you should know that in this CSP you also have unsupported settings for Windows desktop devices.

The IT administrator wants to have control over the updates, in the CSP Update policy you have the settings "RequireUpdateApproval". This setting promises you will be able to restrict updates or approve updates by category list and seems to be supported on Windows 10 and not supported on Windows 11 yet.

Capture screen from : Policy CSP Update documentation.

On Microsoft Techcommunity you can refer to this article published Jan 19 2022 - Why you shouldn’t set these 25 Windows policies - Windows IT Pro Blog (microsoft.com) And finally this article not recommend to use this policy on other devices.

As you can see, these policies are not really clear and confusing. I am testing this policy as many customers on Windows 10 devices and as mentioned the result is often random and depends on other policy settings in the profile. I got several feedbacks from customers with Windows Update issues. When approving an update, you should be aware that the following policies will impact the scanning and downloading of the update:

• ActiveHoursStart
• ActiveHoursEnd
• ActiveHoursMaxRange
• DeferFeatureUpdatesPeriodInDays
• DeferQualityUpdatesPeriodInDays
• PauseQualityUpdates
• PauseFeatureUpdates

If you absolutely want to use this process and approve the update despite the recommendation of Microsoft. The process is described on Techzone but it is at your own risk and you will probably not get any support or assistance in case of problems.

As you can see, there are even more doubts and confusion about Windows Update and what policies to use or actually supported for Windows devices.

In fact, in my opinion, you should not use "Update CSP" as recommended and also all other policies that Microsoft does not recommend like "RequireUpdateApproval" and also approve by categories for Windows desktop devices.

Then how to configure Windows Update profile ?

Keep in mind that Windows Updates for Business were designed to protect Windows desktops and keep them always up-to-date. The following recommendations are based on my experience and preferences.

In the CSP update policy, Microsoft provides multiple settings to manage Windows updates for a good strategy, so here are our advices :

1. Change your approach and set the source of Windows Update to the cloud "Microsoft Update Service". WSUS is great but will be the best solution in some use cases, for example if you have MPLS for your entire site and one internet connection point. You will probably not have any impact on your connection between your sites and the delivery optimization will not be more efficient than a local WSUS server. You will have to create multiple policies with smart groups in Workspace ONE UEM for each use case.

2. Define the ring deployment policy. - Microsoft requires to configure Windows Update for automatic update. Define multiple update rings with different settings which I will explain below.

3. The Windows Update profile incorporates both CSPs and uses non-recommended settings. For simple Window Update management you can use the profile, I'm not really a fan of, because you can set the settings on or off, so Microsoft does not recommend using these settings on desktop devices. For me, the best way to avoid any issues is to not use the Windows Update profile in the console and create your own profile with the recommended settings. You can use the VMwarePolicyBuilder website to generate your custom SyncML.

4. Create your own dedicated profile to manage the quality update. You need a profile for each ring with different deferral periods, which allows you to control when the device should scan and install updates. If you can test these updates, refer to Microsoft's recommendations for validating them. If your IT team cannot test and validate the updates, you may want to set a longer period of days for your ring.

5. Profile Dedicated Feature Updates to set and control the Windows version. You can use the native Microsoft CSP named TargetReleaseVersion.

6. If you detect a problem with the updates, you will need to control and block these updates. Create a dedicated profile to pause the devices. Pausing will block all updates on the devices.

7. (Optional) You can configure dedicated delivery optimisation to boost the distribution of these updates to your site to limit the impact of updates on bandwidth.

Finally, how do you deploy a specific update?

As you can see, Microsoft has not provided a CSP for this or a modern solution. You will have to use a traditional solution to do this, deploying a script to install specific updates, there are several methods to install updates with a script and to install a zero day patch or force an update. In the future, VMware will roll out a new GUI with a dedicated menu to deploy such scripts on devices. This is already available on the CN137 UAT tenant for those who have access to it.

It will be the suject of a future separate article on our Blog.

So thanks for your reading and stay tuned !

Useful links for sample profile Windows Update Scripts :

• From Github Vmware EUC
• From Other Github