Create a Windows Updates profile to manage the Windows Updates settings for Windows Desktop devices. The profile ensures that all your devices are up-to-date, which improves device and network security.

Prerequisites

To use advanced settings, the Windows Update profile requires the Workspace ONE Intelligent Hub to be installed on the device.

Important: To see the OS version each update branch supports, see Microsoft's documentation on Windows 10 release information: https://technet.microsoft.com/en-us/windows/release-info.aspx.

To enforce a Windows Update profile:

Procedure

  1. Navigate to Devices > Profiles > List View and select Add Profile.
  2. Select Windows and then select Windows Desktop.
  3. Select Device Profile.
  4. Configure the profile General settings.
  5. Select the Windows Updates profile.
  6. Configure the Windows Updates settings:
    Settings Descriptions
    Windows Update Source

    Select the source for Windows Updates:

    • Microsoft Update Service – Select to use the default Microsoft Update Server.
    • Corporate WSUS – Select to use a corporate server and enter the WSUS Server URL and WSUS Group.

      The device must contact the WSUS at least once for this setting to take effect.

    Selecting Corporate WSUS as a source allows your IT Admin to view updates installed and device status of devices in the WSUS Group.

    Update Branch

    Select the update branch to follow for updates.

    • Semi-Annual Channel
    • Windows Insider Branch - Slow
    • Windows Insider Branch - Fast
    • Release Windows Insider Build

    Insider Builds

    Allow the download of Windows Insider builds of Windows 10.

    Defer Feature Updates Period in Days

    Select the number of days to delay feature updates before installing the updates on the device.

    The maximum number of days you can defer an update changed in Windows 10 version 1703. Devices running a version before 1703 can only defer for 180 days. Devices running a version after 1703 can defer up to 365 days.

    If you defer an update for longer than 180 days and push the profile to a device running Windows 10 before the 1703 update, the profile fails to install on the device.

    Pause Feature Updates

    Enable to pause all feature updates for 60 days or until disabled. This setting overrides the Defer Feature Updates Period in Days setting.

    Use this option to delay an update that causes issues and that would otherwise install according to your deferral settings.

    Defer Quality Updates Period In Days

    Select the number of days to delay quality updates before installing the updates on the device.

    Pause Quality Updates

    Enable to pause all quality updates for 60 days or until disabled. This setting overrides the Defer Quality Updates Period in Days setting.

    Use this option to delay an update that causes issues and that would otherwise install according to your deferral settings.

    Enable Settings for Previous Windows versions

    Select to enable deferral settings for previous versions of Windows. The settings include:

    • Defer New Features (months)
    • Defer New Updates (weeks)
    • Pause Deferrals

    Automatic Updates

    Set how updates from the selected Update Branch are handled:

    • Install updates automatically.
    • Install Updates but let the user schedule the computer.
    • Install updates automatically and restart at specified time.
    • Install updates automatically and prevent user from modifying the control panel settings.
    • Check for updates but let the user choose whether to download and install them.
    • Never check for updates.

    Active Hours Maximum (Hours)

    Enter the maximum number of active hours that prevent the system from rebooting due to updates.

    Active Hours Start Time

    Enter the start time for active hours.

    Set the active hours to prevent the system from rebooting during these hours.

    Active Hours End Time

    Displays the end time for active hours.

    This time is determined by the Active Hours Start Time and the Active Hours Maximum.

    Auto Restart Deadlines

    Set the maximum number of days that can pass after installing a Quality or Feature Update before a system reboot is mandatory.

    Auto-Restart Notification (Minutes)

    Set the number of minutes before an auto-restart that a warning displays.

    Auto-Restart Required Notification

    Set how an auto-restart notification must be dismissed.

    • Auto Dismissal - Automatically dismissed.
    • User Dismissal - Requires the user to close the notification.

    Engaged Restart Deadline

    Engaged Restarts let you manage when the device reboots after installing a Quality or Feature update during Active Hours. Use this option to set the number of days a user can engage a reboot before a reboot is automatically scheduled outside of active hours.

    Engaged Restart Snooze Schedule

    Enter the number of days a user can snooze an Engaged Restart. After the snooze period passes, a reboot time is scheduled outside active hours.

    Scheduled Auto-Restart Warning (Hours)

    Set the number of hours before a scheduled auto-restart to warn users.

    Scheduled Auto-Restart Warning (Minutes)

    Set the number of minutes before a scheduled auto-restart to warn users.

    Allow Public Updates

    Allow updates from the public Windows Update service.

    Not allowing this service can cause issues with the Microsoft Store.

    Allow Microsoft Updates

    Allow updates from Microsoft Update.

    Update Scan Frequency (Hours)

    Set the number of hours between scans for updates.

    Dual Scan

    Enable to use Windows Update as your primary update source while using Windows Server Update Services to provide all other content.

    Exclude Windows Update Drivers from Quality Updates

    Enable to prevent driver updates from automatically installing on devices during Quality Updates.

    Install Signed Updates from 3rd Party Entities

    Allow the installation of updates from approved third parties.

    Mobile Operator App Download Limit

    Select whether to ignore any Mobile Operator download limits for downloading apps and their updates over a cellular network.

    Mobile Operator Update Download Limit

    Select whether to ignore any Mobile Operator download limits for downloading OS updates over a cellular network.

    Require Update Approval

    Enable to require updates to have approval before downloading to the device.

    Enable to require admins to explicitly approve updates before downloading to the device. This approval is either through Update Groups or individual update approval.

    This option requires you to accept any required EULA on behalf of your end users before the update pushes to devices. If a EULA must be accepted, a dialog box opens displaying the EULA.

    To approve updates, navigate to Lifecycle > Windows Updates. For more information, see Approve Windows Updates.

    Auto-Approved Updates

    Enable this option to set update groups that are automatically approved for download on end-user devices.

    This option requires you to accept any required EULA on behalf of your end users before the update pushes to devices. If a EULA must be accepted, a dialog box opens displaying the EULA.

    When you enable this option, the update groups display so you can set which groups automatically update. Set these groups to Allowed to approve the updates for download to assigned devices automatically.
    • Feature Updates
    • Application
    • Connectors
    • Critical
    • Definition
    • Developer Kit
    • Drivers
    • Feature Pack
    • Guidance
    • Security
    • Service Pack
    • Tool Updates
    • Update Rollups
    • General

    Peer-to-Peer Updates

    Allow the use of peer-to-peer downloading of updates.

    Allowed Peer-to-Peer Method

    Select the method of peer-to-peer connection you want to allow.

    Limit Peer Usage to Member with the Same Group ID

    Limit peer-to-peer downloading to devices within the same organization group.

    VPN Peer Caching

    Enable to allow devices to participate in Peer Caching while connected to a VPN.

    Minimum Battery Required for Peer Uploads (%)

    Select the minimum battery charge percentage that a device must have before it can participate in peer-to-peer uploading.

    Maximum Allowed Cache Size

    Enter the maximum cache size that delivery optimization can use. This value is a percentage of disk size.

    Maximum cache size that delivery optimization can utilize (%)

    Enter the percentage of the cache that delivery optimization can use.

    Maximum time each file is held in the delivery optimization cache (seconds)

    Set the number of seconds a file is held in the delivery optimization cache before being pushed to devices.

    The optimization cache keeps updates available on other peers that the device can reach for quicker downloading of updates.

    Minimum Disk Size for Device to Use Peer Caching

    Enter the minimum disk size (in GB) that the device must have to use Peer Caching.

    Minimum RAM for Device to Use Peer Caching

    Enter the minimum RAM size (in GB) that the device must have to use Peer Caching.

    Minimum Content File Size That Can Use Peer Caching

    Enter the minimum file size that content must have to use Peer Caching.

    Drive Location Used for Peer Caching

    Enter the file location to use for Peer Caching.

    Maximum upload bandwidth that a device will use across all concurrent upload activity (KB/second)

    Enter the maximum upload bandwidth in KB/second that a device uses when sending updates to peers.

    Maximum Download Bandwidth that a Device Will Use (KB/second)

    Enter the maximum download bandwidth in KB/second that a device uses when downloading updates from peers.

    Maximum Download Bandwidth as a Percentage of Total Available (%)

    Enter the maximum download bandwidth percentage (of the total bandwidth available) used for downloading updates from Peer Caching.

    Minimum QoS for Background Downloads (KB/second)

    Enter the minimum quality of service (or speed) in KB/second for background downloads.

    Monthly Upload Data Cap (GB)

    Enter the maximum amount of data (in GB) that a device can upload per month.
  7. Select Save & Publish to push the profile to devices.
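
The feature-update deferral limits and the active-hours relationship from step 6, as a pre-flight check to run before publishing. This is example code added here, not part of the Workspace ONE product or its documentation. The UpdateProfile class, the function names and the device inventory are hypothetical, and the code assumes that version 1703 itself already has the 365-day limit and that the end time is the start time plus the maximum.

```python
from dataclasses import dataclass

LEGACY_MAX_DEFER = 180   # Windows 10 versions before 1703
CURRENT_MAX_DEFER = 365  # assumption: 1703 itself already has the higher limit

@dataclass
class UpdateProfile:          # hypothetical model of the settings in step 6
    defer_feature_days: int
    pause_feature_updates: bool
    active_hours_start: int   # hour of day, 0-23
    active_hours_max: int     # Active Hours Maximum (Hours)

def max_defer_days(version: str) -> int:
    """Deferral ceiling for a Windows 10 version string such as '1607'."""
    # Every release older than 1703 has a purely numeric name; labels such as
    # '20H2' only exist for later releases, so they get the higher limit.
    if version.isdigit() and int(version) < 1703:
        return LEGACY_MAX_DEFER
    return CURRENT_MAX_DEFER

def active_hours_end(profile: UpdateProfile) -> int:
    """End hour, assumed to be start + maximum, wrapping past midnight."""
    return (profile.active_hours_start + profile.active_hours_max) % 24

def preflight(profile: UpdateProfile, inventory: dict) -> tuple:
    """Return (devices whose limit the deferral exceeds, warnings)."""
    over_limit = sorted(
        name for name, version in inventory.items()
        if profile.defer_feature_days > max_defer_days(version)
    )
    warnings = []
    if profile.pause_feature_updates and profile.defer_feature_days > 0:
        warnings.append("Pause Feature Updates overrides the deferral period")
    return over_limit, warnings

# Constructed sample data, not taken from a real tenant.
SAMPLE_PROFILE = UpdateProfile(defer_feature_days=240, pause_feature_updates=True,
                               active_hours_start=18, active_hours_max=10)
SAMPLE_INVENTORY = {"LAB-01": "1607", "HR-07": "1703",
                    "ENG-12": "20H2", "KIOSK-3": "1511"}

if __name__ == "__main__":
    failing, notes = preflight(SAMPLE_PROFILE, SAMPLE_INVENTORY)
    print("Deferral exceeds the limit on:", failing)
    print("Active hours end at hour:", active_hours_end(SAMPLE_PROFILE))
    for note in notes:
        print("warning:", note)
```

Devices listed by the check are the ones on which a deferral longer than 180 days makes the profile fail to install, so assign them a separate profile or lower the deferral before publishing.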