Windows 10 and Windows 11 OS updates and subsequent patch management are a constant exercise. From selecting and approving patches manually to creating update lists and patch packages to testing and deploying updates, OS update management continues to be high touch and time-consuming. Windows update management causes more headaches due to the complexity of the configurations available, the knowledge and time required to troubleshoot and resolve errors, and the lack of insight into update failures and successes, to name just a few.
In the past, if there was a security risk and someone wasn’t on-network, the updates would have to wait until the computer joined the network, which could take days, weeks, or months. If something goes wrong, uninstallation is often a very manual process too. Because the reason for errors can be difficult to ascertain and obscured behind PowerShell scripts, it can be difficult to tell leadership why it’s not working, only that it isn’t working. Until recently, there was not much of an option other than asking employees to join the network and spending hours and hours troubleshooting.
Introducing Workspace ONE Updates Lifecycle
Today VMware is introducing new Workspace ONE capabilities that will make managing OS updates and patches even easier and improve the security posture of Windows devices. Workspace ONE flexibly extends to multiple content sources and unifies policy, deployment, and lifecycle management of the OS from the cloud.
The revamped update management capabilities in Workspace ONE will give admins significant flexibility in update timing and level of automation, granular controls, and vastly improved reporting and dashboards. Admins can patch OS versions at any time, regardless of whether the device is on or off the company network.
Let’s have a look at the admin experience.
With these new features, the controls for updates are no longer buried within a device profile. They have a new dedicated space where admins can configure, manage, and monitor updates.
A new Policy creation system allows admins to build their own fully custom configurations or select from pre-defined templates based on the target user experience or business need.
While standard configuration items are available, the design is more dynamic, linking specific values together based on their interdependencies. Many configuration items that were not previously available within MDM have been added to address deployment speed, reliability, and overall effectiveness to improve compliance and visibility into the overall health of an environment. Admins can target specific Windows OS products and versions to manage major Feature Update releases more granularly.
Policy sets are now easily managed from a central location, including editing, copying, and deleting, as well as additional actions, such as pause and rollback.
The Workspace ONE Update Catalog has seen significant changes as well. It is now a globally hosted catalog with full access to all published updates. The catalog is refreshed constantly as updates become available throughout the day.
This means VMware has a vastly larger system of metadata, allowing us to build and design new solutions around that additional information, such as release dates, version and revision history, applicability, and supersedence status.
Offering intrinsic flexibility to make patching accessible
Flexibility is an inherent feature of the new Workspace ONE Updates Lifecycle. Admins can roll out critical updates automatically, without having to create automations or approval workflows, while retaining control to hand-test patches that are more likely to create issues. Admins can define the timing of updates to ensure an expedient rollout with the least disruption to user experience. Simultaneously, users can choose when it’s best for them to patch, particularly during non-emergency updates. To address emergency updates and provide even further flexibility, IT teams can patch devices that are both on and off the network in real time.
Updates and patching are important to IT administrators and security operations teams. Workspace ONE Updates Lifecycle breaks down the silos between these teams and allows for seamless communication between them. IT teams can communicate and delegate appropriate actions to Sec-Ops team members via granular role-based access controls (RBAC), and Sec-Ops can get customer views to track updates as they progress. Now, Windows updates are made easier. Both expert and new employees from IT and Sec-Ops teams will be able to improve compliance and elevate the security posture of their Windows fleet.