Managing Updates for Windows 10: VMware Workspace ONE ... · Deploying Windows 10 fixes, patches,...

GUIDE – APRIL 2019 PRINTED 20 AUGUST 2019 MANAGING UPDATES FOR WINDOWS 10: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Table of Contents

Overview

– Introduction

– Audience

Configuring Update Management for Windows 10

– Introduction

– Prerequisites

– Understanding Patch Management

– Logging In to the Workspace ONE UEM Console

– Syncing Active Directory Organization Units to Workspace ONE UEM

– Creating Distribution Rings Using Smart Groups

– Creating an Updates Profile

– Using Workspace ONE UEM to Manage Windows 10 Updates

Summary and Additional Resources

– Conclusion

– Terminology Used in This Tutorial

– Additional Resources

– About the Authors

– Feedback

VMware Workspace ONE UEM Operational Tutorial: Managing Windows 10 Updates

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. This tutorial helps you to manage Windows 10 updates with VMware Workspace ONE® UEM (unified endpoint management). Procedures include syncing Active Directory Organization Units to Workspace ONE UEM, creating distribution rings using smart groups, and creating an Updates profile.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Workspace ONE® Access (formerly VMware Identity Manager) and VMware Workspace ONE® UEM is also helpful.

Configuring Update Management for Windows 10

Introduction

This exercise introduces you to managing Windows 10 updates in Workspace ONE. The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

Prerequisites

Before you can perform the procedures in this exercise, you must satisfy the following requirements:

– Workspace ONE UEM Console version 9.3 and later, with admin credentials
  Important: Do not access the Workspace ONE UEM Console from the same machine you are managing.
– Active Directory integrated with Workspace ONE
– Enrolled virtual machine or spare Windows 10 Pro+ Device v1703+
– Administrative rights to the virtual machine or spare Windows device
– Telemetry Data enabled — verify Active Directory GPO or other local policies are not blocking this feature
– Active Directory set up with the following test Organization Units (or User Groups): Accounting, Consulting, Early Adopters, HR, IT, R&D, Sales, Technical Field Engineers

Understanding Patch Management

The Workspace ONE UEM update service for Windows 10 provides tailored functionality to address the unique constraints of mobility and the cloud. Traditional operating system upgrades use a wipe-and-replace model. In contrast, the update-as-a-service model pushes periodic operating system and feature updates. Windows 10 updates occur on a frequent and dynamic basis to ensure that end users always have access to up-to-date operating system features.

Windows 10 Patch Management Options

Deploying Windows 10 fixes, patches, and updates on a variety of client servicing plans creates overhead. By using branches, you can create a customized deployment schedule based on preference and update sensitivity.

Figure: Windows 10 Patch Management Options

Review the following descriptions to understand the available patch management options.

Update Branch | Description | Feature Updates | Quality Updates | Use Case
Windows Insider Build - Fast | Among the first to receive development builds from Microsoft; ability to provide direct feedback to Microsoft | Not supported | Not supported | Used to provide feedback to Microsoft before builds are moved to slow ring
Windows Insider Build - Slow | More stable than fast ring and includes fixes reported during fast ring | Not supported | Not supported | Used to provide feedback to Microsoft before builds are moved to release ring
Release Windows Insider Build | Close to public release but still early access, not on the development branch | Not supported | Not supported | Used to provide feedback to Microsoft before builds are moved to public builds; IT pros and other interested employees
Semi-Annual Channel (Targeted) | Semi-Annual Channel | Not supported | Not supported | Pilot deployments used for testing feature updates and for users such as developers. Use various teams for a wide sample set.
Semi-Annual Channel | Semi-Annual Channel | 0-180 days | 0-30 days | Broad deployment of features, you can choose from the ranges to build your distribution rings across organization

Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

2. Navigate to the VMware Workspace ONE UEM Console

For example, navigate to https://<WorkspaceONEUEMHostname> where WorkspaceONEUEMHostname is the host name of the Workspace ONE UEM console.

3. Authenticate In to the Workspace ONE UEM Console

   1. Enter your Username, for example, administrator.
   2. Click Next. After you click Next, the Password text box is displayed.

   1. Enter your Password, for example, VMware1!
   2. Click Login.

Note: If you see a Captcha, be aware that it is case sensitive.

Syncing Active Directory Organization Units to Workspace ONE UEM

Leverage existing Active Directory Organization Units (OUs) or User Groups to create distribution rings in Workspace ONE UEM.

Note: Organizations that used Active Directory to create distribution rings can skip this step.

1. Navigate to the User Group List View

   1. In the Workspace ONE UEM Console, select Accounts.
   2. Select User Groups.
   3. Select List View.

2. Open User Group Settings

   1. Select Add.
   2. Select Add User Group.

3. Add a User Group

   1. Select Directory as the Type.
   2. Select Organizational Unit for External Type.
   3. Enter R&D into the Search Text field.
   4. Click Search.
   5. Click Save.

4. Add the Remaining Organization Units

Repeat step 3 for the remaining Organization Units (or User Groups). When complete, your User Group List View should resemble the screenshot shown.

Creating Distribution Rings Using Smart Groups

1. Navigate to Assignment Groups

   1. In the Workspace ONE UEM Console, click Groups & Settings.
   2. Click Groups.
   3. Click Assignment Groups.

2. Add a Smart Group

Click the Add Smart Group tab.

3. Configure Smart Group Settings

   1. Enter Production (Broad) Distribution Ring as the Name.
   2. Expand the User Group drop-down menu.
   3. Click Selected.
   4. Deselect Early Adopters and IT, who will be added to the other rings.
   5. Click Save.

Note: Previously enrolled devices that match the criteria will appear in a list on the right.

4. Configure Remaining Smart Groups

Repeat steps 2 and 3 to create the remaining distribution ring Smart Groups. When complete, your Smart Groups List View should resemble the screenshot above.

After creating Smart Groups for your distribution rings, you are ready to create a Windows Update profile.

Creating an Updates Profile

1. Navigate to Profile Settings

In the upper-right corner of Workspace ONE UEM Console:

   1. Select Add.
   2. Select Profile.

1.1. Select the Platform

Select the Windows icon.

Note: Make sure that you select Windows and not Windows Rugged.

1.2. Select the Device Type

Select Windows Desktop.

1.3. Select Profile Context

Select Device Profile.

2. Define the General Settings

   1. Select General if it is not already selected.
   2. Enter a profile name such as Windows Update Production Ring in the Name text box.
   3. Copy the profile name into the Description field.
   4. Switch Allow Removal to Never to keep users from removing this profile in the self-service portal.
   5. If necessary, scroll down to Assigned Groups. Click the field and select Production (Broad) Ring from the list of Assignment Groups that populate.

Note: Do not click Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.

3. Configure the Updates Payload

3.1. Open the Update Payload

   1. Select the Windows Updates payload in the Payload section on the left.
   2. Click the Configure button to continue setting the Windows Updates payload.

Note: When initially setting a payload, a Configure button will show to reduce the risk of accidentally setting a payload configuration.

3.2. Configure Branching and Deferral Settings

Configure Branching and Deferral settings to determine the timeline for applying updates.

   1. Select Microsoft Update Service as the Windows Update Source.
   2. Select Semi-Annual Channel as the Update Branch.
   3. Enter 120 into the Defer Feature Updates Period in Days text box. Feature Updates add new functionality two to three times per year.
   4. Leave Pause Feature Updates Disabled.
   5. Enter 14 into the Defer Quality Updates Period in Days text box. Quality Updates provide security and reliability fixes at least once a month.
   6. Leave Pause Quality Updates Disabled.
   7. For 1511 or earlier versions only, select Enable Settings for Previous Windows versions and configure the following settings:
      – Defer New Features: 6 Months
      – Defer New Updates: 2 Weeks
   8. Keep Pause Deferrals Disabled.

Note: Deferment Periods are only available for the Semi-Annual Channel branch.

3.3. Configure Update Behavior

   1. Scroll down to the Update Installation Behavior section.

Review the Windows recommended settings, which populate by default. Edit these settings to reflect corporate policies and preferences, or leave them as-is to align with the steps in this exercise.

   1. Automatic Updates — Use Install Updates Automatically, which reboots devices and applies updates as soon as they become available.
   2. Active Hours Max Range In Hours — Block out an 18 hour range during which the device cannot reboot or restart to apply updates. Then, specify the start time and end time. Paired with automatic updates, this prevents random reboots from hindering end-user productivity.
   3. Auto Restart Deadline Period In Days — Reboot for updates becomes mandatory after 7 days.
   4. Auto Restart Notification Schedule in Minutes — Issue a notification 15 minutes prior to an auto-restart.
   5. Auto Restart Required for Notification Dismissal — Dismiss notifications using auto-dismissal.
   6. Engaged Restart Deadline in Days — Automatically schedule and execute a restart outside of active hours after 2 days.
   7. Engaged Restart Snooze Schedule In Days — Allow users 3 days to snooze engaged restart reminders.
   8. Schedule Restart Warning In Hours — Issue a warning 4 hours before an auto-restart.

   9. Schedule Imminent Restart Warning In Minutes — Issue a final warning 15 minutes before an auto-restart.

3.4. Configure Update Policies

   1. Scroll down to the Update Policies section and configure more granular update settings as dictated by corporate policies and preferences.
   2. Enter 22 as the Update Scan Frequency In Hours.
   3. Disable the Dual Scan For Deferral Policies to prevent dual scans and allow users to configure as many deferral policies as necessary.
   4. Set the Mobile Operator App Download Limit to DoNotIgnore to disable unlimited downloading over a cellular network for apps and their updates.
   5. Set the Mobile Operator Update Download Limit to DoNotIgnore to disable unlimited downloading over a cellular network for OS updates.
   6. Because this profile applies to standard users, allowing insider builds is likely inappropriate; set Insider Builds to Not Allowed. However, for the profile that applies to the internal IT department user group, set Insider Builds to Allowed, as these users likely require access to the Windows Insiders Program.

3.5. Configure Admin Approved Updates

   1. Scroll down to Administrator Approved Updates and configure which updates can install on end-user devices.
   2. Select Enable for Require Update Approval to configure approval for update groups.
   3. Select Allowed for Auto-Approved Updates to display the list of available update groups and configure automatic approval on a group by group basis.
   4. Review the recommended configurations which auto-populate in the Workspace ONE UEM Console.
      – Allowed — Install automatically after the deferment period during approved hours.
      – Not Allowed — Requires manual approval in the Workspace ONE UEM Console on a KB by KB basis.

3.6. Configure Delivery Optimization

   1. Scroll down to the Delivery Optimization section, and configure settings to mitigate potential bandwidth issues.
   2. Select Allowed for Peer-to-Peer Updates to create an internal device network that enables devices to share updates with each other.
   3. Select Use Peers on the Same NAT Only as the Allowed Peer-to-Peer Method for downloads of Windows updates, apps and app updates.
   4. Do Not Limit peer usage to members with the same group ID.
   5. Select Not Allowed for VPN Peer Caching to prevent devices connected to the domain network via VPN from peer caching.
   6. Enter 40 as the Minimum Battery Required For Peer Uploads (%). Uploads will automatically pause when the battery level drops below the specified minimum.

Note: Consider limiting peer usage by Group ID when using geographically based distribution groups. This establishes a NYC peer network for the New York City user group, and a Los Angeles peer network for the LA user group.

3.7. Configure Memory

   1. Scroll down to the Memory settings.
   2. Allow up to 10 GB as the Maximum Allowed Cache Size for delivery optimization.
   3. Specify 32 GB as the Minimum disk size for devices to use peer caching.
   4. Require 4 GB RAM as the Minimum RAM for devices to use peer caching.
   5. Require 4 MB as the Minimum Content File Size That Can Use Peer Caching.
   6. Enter %SystemDrive% as the Drive location used for peer cache by delivery optimization.

3.8. Configure Network

   1. Scroll down to Network settings.
   2. Enter KiloBytes/second as the Maximum download bandwidth that a device will use.
   3. Enter 500 KiloBytes/sec as the Minimum QoS (Quality of Service or speed) for background downloads.
   4. Enter 20 GB as the maximum Monthly upload data cap (GB).

3.9. Publish the Profile

Click Publish.

4. Verify the Profile Published Successfully

4.1. Navigate to Profiles List View

   1. Select Devices.
   2. Select Profiles & Resources.
   3. Select Profiles.

4.2. Find the Profile in the List View

You should now see the Updates Profile within the List View of the Devices Profiles window.

Note: If you need to edit the profile, this is where you would do so. To edit, click the profile name, then select Add Version. Update the profile and click Save & Publish to push the new settings to the assigned devices.
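
The console view confirms that the profile was published, not that a device applied it. The following added example (not part of the VMware tutorial) compares the Update policies an enrolled test device received with the values entered in section 3. It assumes the Windows Updates payload is delivered through the Windows Policy CSP "Update" area and stored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update; the mapping from console fields to CSP value names, the script parameters, and the sample values are assumptions made for this example.

```powershell
# Added example (not from the VMware tutorial): compare the Windows Update
# policies a device received over MDM with the values chosen in section 3.
[CmdletBinding()]
param(
    # Policy store written by the Windows MDM client (assumed delivery path).
    [string]$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update',
    # Evaluate the constructed sample below instead of reading the registry.
    [switch]$UseSample
)

# Tutorial value per Policy CSP "Update" setting. Which console field drives
# which CSP value is an assumption; adjust to match your own profile.
$expected = [ordered]@{
    BranchReadinessLevel            = 32   # Semi-Annual Channel
    DeferFeatureUpdatesPeriodInDays = 120
    PauseFeatureUpdates             = 0    # Disabled
    DeferQualityUpdatesPeriodInDays = 14
    PauseQualityUpdates             = 0    # Disabled
    ActiveHoursMaxRange             = 18
    AutoRestartDeadlinePeriodInDays = 7
    AutoRestartNotificationSchedule = 15
    EngagedRestartDeadline          = 2
    EngagedRestartSnoozeSchedule    = 3
    ScheduleRestartWarning          = 4
    ScheduleImminentRestartWarning  = 15
    DetectionFrequency              = 22   # Update Scan Frequency In Hours
}

# Constructed sample: quality updates paused and deferred longer than the
# ring allows, and the scan frequency setting never arrived on the device.
$sample = @{
    BranchReadinessLevel = 32; DeferFeatureUpdatesPeriodInDays = 120
    PauseFeatureUpdates = 0; DeferQualityUpdatesPeriodInDays = 30
    PauseQualityUpdates = 1; ActiveHoursMaxRange = 18
    AutoRestartDeadlinePeriodInDays = 7; AutoRestartNotificationSchedule = 15
    EngagedRestartDeadline = 2; EngagedRestartSnoozeSchedule = 3
    ScheduleRestartWarning = 4; ScheduleImminentRestartWarning = 15
}

function Get-UpdatePolicy {
    # Returns the registry values under $Key as a hashtable, or $null when
    # the key does not exist (device not enrolled or profile not installed).
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $skip  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $table = @{}
    foreach ($p in (Get-ItemProperty -LiteralPath $Key).PSObject.Properties) {
        if ($p.Name -notin $skip) { $table[$p.Name] = $p.Value }
    }
    return $table
}

function Compare-UpdatePolicy {
    # Emits one row per expected setting: Match, Drift (different value)
    # or Missing (setting not present on the device).
    param([hashtable]$Actual, [System.Collections.IDictionary]$Expected)
    foreach ($name in $Expected.Keys) {
        $value = $null
        if (-not $Actual.ContainsKey($name)) {
            $state = 'Missing'
        }
        else {
            $value = $Actual[$name]
            if ($value -eq $Expected[$name]) { $state = 'Match' } else { $state = 'Drift' }
        }
        [pscustomobject]@{
            Policy   = $name
            Expected = $Expected[$name]
            Actual   = $value
            State    = $state
        }
    }
}

if ($UseSample) {
    $actual = $sample
}
else {
    $actual = Get-UpdatePolicy -Key $PolicyKey
    if ($null -eq $actual) {
        Write-Warning "No MDM Update policies at $PolicyKey. Check enrollment and profile assignment."
        return
    }
}

$report = Compare-UpdatePolicy -Actual $actual -Expected $expected
$report | Format-Table -AutoSize

# Paused or over-deferred quality updates lengthen the time a device stays
# unpatched, so every row that is not a Match is surfaced as a warning.
foreach ($row in ($report | Where-Object { $_.State -ne 'Match' })) {
    Write-Warning ("{0}: expected {1}, device has {2} ({3})" -f `
        $row.Policy, $row.Expected, $row.Actual, $row.State)
}
```

Run the script with -UseSample to see the report format without touching the registry; run it without parameters on the enrolled test device after the profile installs.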

Using Workspace ONE UEM to Manage Windows 10 Updates

After configuring the updates profiles, you can manage distribution rings from the Workspace ONE UEM Console.

1. Navigate to the Windows Updates List View

   1. From the left-hand menu in the Workspace ONE UEM Console, select Devices.
   2. Select Lifecycle.
   3. Select Updates to view and manage the device fleet’s discovered updates in the KB list view.

2. Manage Updates

Leverage this centralized view of all updates to:

   1. Discover all available updates.
   2. Link directly to Microsoft reference articles for each KB.
   3. Select and assign a KB or group of KBs to assignment groups.
   4. Find the installation or deployment status of an update.

Summary and Additional Resources

Conclusion

This tutorial shows you how to use Workspace ONE UEM to manage Windows 10 updates through a series of exercises.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

Term | Description
adaptive access | The ability to control access and authentication methods to sensitive apps based on a device’s managed status.
additive | Includes only changes developed after the latest version of the application or the last additive patch.
app dependencies | Applications required by the environment and devices to run the Win32 application.
app patches | Files that apply additive or cumulative fixes, updates, or new features to applications.
app transforms | Files that control application installation and can add or prevent components, configurations, and processes during the process.
app uninstall process | Scripts that instruct the system to uninstall an application under specific circumstances.
application store | A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment | Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
BitLocker | Full disk encryption available for Windows, focused on addressing data leakage or data theft scenarios from stolen, lost, or incorrectly decommissioned devices.
bring your own device (BYOD) | The process of providing secure access to corporate data, apps, and content on an employee-owned device without invading employee privacy to their personal data, apps, or content.
business mobility | The concept of being able to provide secure access to your business services, infrastructure, and content to enable your workforce to work remotely.
catalog | A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud | A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
conditional access | To provision access to a resource or service, based on user entitlements or roles.
container | The separation of corporate and personal data on employee-owned devices, allowing IT administrators to manage corporate applications and profiles without invading employee privacy or personal apps and content.
cumulative | Includes the entire application, including any changes since the latest version of the application, or the last patches.
data leakage protection | Software-controlled policies that determine how and where data can be transferred or shared to.
device enrollment | The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Workspace ONE Access (formerly VMware Identity Manager).
Device Health Attestation | Module that gathers device health measurements and reports these measurements to the Health Attestation Service for evaluation.
enrollment | The process of allowing your device to be managed by the software-defined policies of the chosen enterprise mobility management provider.
enterprise mobility management | The concept of using software and policies to both secure and provide access controls for mobile devices.
files and actions | The combination of the files delivered to a device and the actions that file performs on the device. Files and actions cannot be assigned directly to a device. Instead, assign files and actions to a product, which then provisions to devices.
Health Attestation Services | Cloud service that evaluates health measurements from the device to determine the health state.
identity-as-a-service | Identity and access management services through the cloud to provide SSO identity federation and user-access provisioning.
identity provider (IdP) | A mechanism used in a single-sign-on (SSO) framework to automatically grant the user access to a resource based on their authentication to a different resource.
mobile application management | The concept of managing access, deployment, and restrictions of mobile applications using software and services.
mobile device management (MDM) agent | The concept of managing mobile devices using software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
multi-factor authentication | Access control process that requires users to authenticate using more than one method of authentication by providing something the user knows (a password) and something the user has, such as a hardware token, smartcard, or phone, or something the user is, such as a fingerprint or retina.
one-touch login | A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
per-app VPN | Policies that allow individual apps to access VPN configurations without granting device-wide access to the VPN connection.
public app stores | Portals where users can access and obtain publicly published applications, such as the iOS App Store and Google Play Store.
service provider (SP) | A host that offers resources, tools, and applications to users and devices.
smart groups | Groups that control which devices get which product, based on how the group is created.
step-up authentication | Restricting applications or services to require a stronger authentication method, depending on the sensitivity or severity of the resource.
unified endpoint management | A single platform that allows organizations to manage and secure every endpoint, any app, and content across deployment use cases.
virtual desktop | The user interface of a virtual machine that is made available to an end user.
virtual machine | A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.
Windows Information Protection | Formerly Enterprise Data Protection (EDP), a Windows solution to assist in preventing data leakage without impeding the user experience.

For more information, see the VMware My Workspace ONE Glossary or the VMware Technical Publications Glossary.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.

About the Authors

This tutorial was written by Josué Negrón, Sr. Solutions Architect, End-User-Computing Technical Marketing, VMware, and Hannah Jernigan, Technical Writer, End-User-Computing Technical Marketing, VMware, with appreciation and acknowledgment for considerable contributions from the following subject matter experts:

– Pedro Bravo, Deployments Subject Matter Expert, VMware AirWatch
– Ajay Padmakumar, T3 Support Subject Matter Expert, VMware AirWatch
– Varun Murthy, Product Line Manager, VMware AirWatch
– Nigitha Alugubelli, Sr. Product Manager, VMware AirWatch
– Jason Roszak, Director Product Management, VMware AirWatch
– Darren Weatherly, Sales Engineer, VMware AirWatch
– Robert Terakedis, Sr. Solutions Architect, EUC Technical Marketing, VMware
– Aditya Kunduri, Product Marketing Manager, EUC Mobile Marketing, VMware

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at [email protected].

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001

www.vmware.com

Copyright © 2019 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.