Introduction
The Workspace ONE UEM update service for Windows 10 provides tailored functionality to address the unique constraints of managing updates in the cloud. Traditional operating system upgrades use a wipe-and-replace model. In contrast, the update-as-a-service model pushes the approval and configurations for the periodic operating system and feature updates. Windows 10 updates occur on a frequent and dynamic basis to ensure that end-users always have access to up-to-date operating system features.
The Windows update-as-a-service model requires a new architecture. The above image shows how updates are approved by Workspace ONE UEM and Workspace ONE Intelligence.
- Workspace ONE UEM managed Windows 10 devices reach out to Microsoft Update Servers to query available updates.
- A list of KBs/updates is sent back to the device in the form of metadata.
- Devices report available updates to Workspace ONE UEM on the next Windows Update sample interval.
- Workspace ONE UEM pulls in additional information from Microsoft about each available update.
- If Workspace ONE Intelligence is integrated, update data is also sent to Workspace ONE Intelligence.
- If Workspace ONE Intelligence is integrated, a CVE feed is ingested into Workspace ONE Intelligence daily.
- If Workspace ONE Intelligence is integrated, Workspace ONE Intelligence correlates CVEs and KBs.
- If Workspace ONE Intelligence is integrated, updates are approved through configurable automation.
- Based on approvals via the Workspace ONE UEM console or automation in Workspace ONE Intelligence, authorized approved updates (metadata) are sent to the devices.
- On the next update scan by the device, or manual scan by the user, the device will fetch the authorized updates.
- If Delivery Optimization is configured, devices will leverage Peer-to-Peer delivery when downloading updates.
- Lastly, the update results are sent to the Workspace ONE UEM console on the next Windows Update sample interval.
TASKS
In this task we will configure Diagnostics and Usage Telemetry.
Microsoft collects Windows diagnostic data to solve problems and to keep Windows up to date, secure, and operating properly. Workspace ONE uses this data to receive information about updates on the device.
Important: When using Workspace ONE UEM to manage Windows Updates, the minimum required diagnostic data setting is Basic or Required. No Windows Update information is collected when diagnostic data is set to Security or Off; therefore, Workspace ONE UEM doesn't receive information about updates.
- From the Workspace ONE UEM console main menu, expand the Organization Group dropdown menu and select your top-level OG, [your-last-name]
- Navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile.
- Select Windows > Windows Desktop
- Click Device Profile
- On the General page, name the profile Windows Diagnostic Data Restriction
- Set the Smart Groups field to Windows 10 Devices
- In the Payloads pane, click Restrictions
- Click Configure
- In the Administration section, locate the "Send Diagnostic and Usage Telemetry Data" setting
- Click the drop-down and set the value to Basic
- Click Save and Publish
- If prompted, Click Publish to publish the Profiles to your assigned Windows Desktops
In this task, you demonstrate the Windows Update management capability.
- From the Workspace ONE UEM console main menu, expand the Organization Group dropdown menu and select your top-level OG, [your-last-name]
- Navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile.
- Select Windows > Windows Desktop
- Click Device Profile
- On the General page, name the profile Windows Update Profile
- Set the Smart Groups field to Windows 10 Devices (Your_Lastname)
- In the Payloads pane, click Windows Updates
- Click Configure
- Review the Windows Updates settings for:
  - Branching and Deferral
  - Update Installation Behavior
  - Update Policies
- Enable Require Update Approval
- Click Save and Publish
- If prompted, click Publish to publish the Profiles to your assigned Windows Desktops
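One way to confirm on an enrolled device that the diagnostic data profile and the update approval profile from the two tasks above took effect. This is an added example, not part of the original lab or of Workspace ONE; it assumes the profiles are delivered as the Windows Policy CSP settings System/AllowTelemetry and Update/RequireUpdateApproval, which Windows stores under the PolicyManager registry hive.

```powershell
# Added example: read the policies the two profiles above are assumed to set.
# Assumption: they arrive as Policy CSP values System/AllowTelemetry and
# Update/RequireUpdateApproval, stored under the MDM PolicyManager hive.
$MdmRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
$GpoKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$Levels  = @{ 0 = 'Security/Off'; 1 = 'Basic/Required'; 2 = 'Enhanced'; 3 = 'Full/Optional' }

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not delivered).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# A Group Policy value can coexist with the MDM one, so report both sources.
$sources = [ordered]@{
    'MDM'         = Get-PolicyValue -Path "$MdmRoot\System" -Name 'AllowTelemetry'
    'GroupPolicy' = Get-PolicyValue -Path $GpoKey -Name 'AllowTelemetry'
}

$report = foreach ($name in $sources.Keys) {
    $value = $sources[$name]
    # Level 1 (Basic/Required) is the minimum the page requires for update reporting.
    if ($null -eq $value)      { $level = $null; $status = 'NotConfigured' }
    elseif ([int]$value -ge 1) { $level = $Levels[[int]$value]; $status = 'OK' }
    else                       { $level = $Levels[0]; $status = 'TooLow: no update data reaches UEM' }
    [pscustomobject]@{
        Policy = 'AllowTelemetry'; Source = $name; Value = $value
        Meaning = $level; Status = $status
    }
}

# RequireUpdateApproval = 1 restricts installation to approved updates.
$approval = Get-PolicyValue -Path "$MdmRoot\Update" -Name 'RequireUpdateApproval'
$approvalStatus = if ($null -eq $approval) { 'NotConfigured' }
                  elseif ([int]$approval -eq 1) { 'OK' }
                  else { 'ApprovalNotEnforced' }
$report = @($report) + [pscustomobject]@{
    Policy = 'RequireUpdateApproval'; Source = 'MDM'; Value = $approval
    Meaning = 'Only approved updates install when 1'; Status = $approvalStatus
}

$report | Format-Table -AutoSize
```

Run it after the device's next sync; a NotConfigured status on the MDM rows suggests the profile has not reached the device yet.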
Task 3 - Review and Approve updates
In this task you'll approve an available Windows update for your enrolled Windows device.
NOTE: If your Windows system is running the most recent updates, you will not see any available updates for the device.
Updates can be approved or unapproved at a device level (per-device) from within the console by selecting that device. Available updates are marked with a gray circle with a hyphen and, once selected, can be approved. Upon approval, that update installs at the next sync. Updates that are Approved can be Unapproved in the same way. Unapproving an Approved update stops the update from installing on devices where it was previously approved, as long as the installation of that update has not started.
- Navigate to Devices > List View in the Workspace ONE UEM Console, then select a Windows 10 device.
- Click the Updates tab.
- Select an available update to approve.
- Click the Approve button, which appears above the listed updates
- If prompted to confirm your selection, Click OK
As an alternative to approving updates per device as shown above, updates can be approved from the assigned Smart Group(s). This, however, can only be done from the Customer OG type.
From the Devices > Device Updates > Windows screen, all updates reported by all devices in the deployment are shown, and from here, it is possible to assign the updates to Smart Groups. When assigning an update to a Smart Group, the update is approved for each device in the Smart Group. In cases where an update is assigned to an ineligible device, that update is still shown as approved for the device but is never downloaded. Using the same method, it is possible to unassign updates from Smart Groups, which stops the update from installing on devices where it was previously approved.