Configure a Windows Updates Profile (Windows Desktop)

Create a Windows Updates profile to manage the Windows Updates settings for Windows Desktop devices. The profile ensures that all your devices are up-to-date, which improves device and network security.

Important: To use advanced settings, the Windows Update profile requires the AirWatch Protection Agent to be installed on the device.

To enforce a Windows Update profile:

  1. Navigate to Devices > Profiles > List View > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.
  3. Select Device Profile.
  4. Configure the profile General settings.

    These settings determine how the profile deploys and who receives it. For more information on General settings, see Add General Profile Settings.

  5. Select the Windows Updates profile.
  6. Configure the Windows Updates settings. The profile supports Windows 8.1 and Windows 10 devices. The settings differ based on the OS. For Windows 10 devices, configure the settings:

    Settings Descriptions
    Branching and Deferral
    Windows Update Source

    Select the source for Windows Updates:

    • Microsoft Update Service – Select to use the default Microsoft Update Server.
    • Corporate WSUS – Select to use a corporate server and enter the WSUS Server URL and WSUS Group.

      The device must contact the WSUS at least once for this setting to take effect.

    Choosing Corporate WSUS as a source allows your IT Admin to view updates installed and device status of devices in the WSUS Group.

    Update Branch

    Select the update branch to follow for updates.

    • Current Branch subscribes to the current updates from Microsoft.
    • Current Branch for Business allows organizations to defer new features and security updates.
    Defer Feature Updates Period in Days

    Select the number of days to delay feature updates before installing the updates on the device.

    Pause Feature Updates

    Enable to pause all feature updates for 60 days or until disabled. This setting overrides the Defer Feature Updates Period in Days setting.

    Use this option to delay an update that causes issues that would normally install following your deferral settings.

    Defer Quality Updates Period In Days

    Select the number of days to delay quality updates before installing the updates on the device.

    Pause Quality Updates

    Enable to pause all quality updates for 60 days or until disabled. This setting overrides the Defer Quality Updates Period in Days setting.

    Use this option to delay an update that causes issues that would normally install following your deferral settings.

    Enable Settings for Previous Windows versions

    Select to enable deferral settings for previous versions of Windows. The settings include:

    • Defer New Features (months)
    • Defer New Updates (weeks)
    • Pause Deferrals
    Update Installation Behavior
    Automatic Updates

    Set how updates from the selected Update Branch are handled:

    • Install updates automatically
    • Install Updates but let the user schedule the computer.
    • Install updates automatically and restart at specified time.
    • Install updates automatically and prevent user from modifying the control panel settings.
    • Check for updates but let user choose whether to download and install them.
    • Never check for updates (not recommended).
    Active Hours Start Time

    Enter the start time for active hours.

    Set the active hours to prevent the system from rebooting during these hours.

    Active Hours End Time

    Enter the end time for active hours.

    Set the active hours to prevent the system from rebooting during these hours.

    Update Policies
    Allow Update Service

    Allow updates from the public Windows Update service.

    Not allowing this service can cause issues with the Windows Store.

    Allow MU Updates

    Allow updates from Microsoft Update.

    Update Other Microsoft Products When Updating Windows

    Allow other Microsoft Products to update when Windows is updated.

    Install Signed Updates from 3rd Party Entities

    Allow the installation of updates from approved third parties.

    Insider Builds

    Allow the download of Windows Insider builds of Windows 10.

    Administrator Approved Updates
    Require Update Approval

    Enable to require updates to be explicitly approved by admins before downloading to the device. This approval is either through Update Groups or individual update approval.

    This option requires you to accept any required EULA on behalf of your end users before the update pushes to devices. If a EULA must be accepted, a dialog opens displaying the EULA.

    To approve updates, navigate to Lifecycle > Windows Updates. For more information, see Approve Windows Updates.

    Auto-Approved Updates

    Enable this option to set update groups that are automatically approved for download on end user devices.

    This option requires you to accept any required EULA on behalf of your end users before the update pushes to devices. If a EULA must be accepted, a dialog opens displaying the EULA.

    Application

    Set to Allowed to automatically approve all app updates for download to assigned devices.

    Displays if Auto-Approved Updates is enabled.

    Connectors

    Set to Allowed to automatically approve all Office 365 connectors updates for download to assigned devices.

    Displays if Auto-Approved Updates is enabled.

    Critical

    Set to Allowed to automatically approve all critical updates for download to assigned devices.

    Displays if Auto-Approved Updates is enabled.

    Definition

    Set to Allowed to automatically approve all Windows Defender definition updates for download to assigned devices.

    Consider setting this option to Allowed to ensure your devices remain protected by Windows Defender. This option is enabled by default.

    Displays if Auto-Approved Updates is enabled.

    Developer Kit

    Set to Allowed to automatically approve all developer kit updates for download to assigned devices.

    Displays if Auto-Approved Updates is enabled.

    Feature Pack

    Set to Allowed to automatically approve all feature pack updates for download to assigned devices.

    Displays if Auto-Approved Updates is enabled.

    Guidance

    Set to Allowed to automatically approve all guidance updates for download to assigned devices.

    Security

    Set to Allowed to automatically approve all security updates for download to assigned devices.

    Consider setting this option to Allowed to ensure your devices remain secure. This option is enabled by default.

    Service Pack

    Set to Allowed to automatically approve all service pack updates for download to assigned devices.

    Displays if Auto-Approved Updates is enabled.

    Tool Updates

    Set to Allowed to automatically approve all tool updates for download to assigned devices.

    Displays if Auto-Approved Updates is enabled.

    Update Rollups

    Set to Allowed to automatically approve all update rollups for download to assigned devices.

    Displays if Auto-Approved Updates is enabled.

    General

    Set to Allowed to automatically approve all general updates for download to assigned devices.

    Displays if Auto-Approved Updates is enabled.

    Delivery Optimization

    Peer-to-Peer Updates

    Allow the use of peer-to-peer downloading of updates.

    Allowed Peer-to-Peer Method

    Select the method of peer-to-peer connection you want to allow.

    Limit Peer Usage to Member with the Same Group ID

    Limit peer-to-peer downloading to devices within the same organization group.

    Maximum time each file is held in the delivery optimization cache (seconds)

    Set the number of seconds a file is held in the delivery optimization cache before being pushed to devices.

    The optimization cache keeps updates available on other peers that the device can reach for quicker downloading of updates.

    Maximum cache size that delivery optimization can utilize (%)

    Enter the percentage of the cache that delivery optimization can use.

    Maximum upload bandwidth that a device will use across all concurrent upload activity (KB/second)

    Enter maximum upload bandwidth in KB/second that a device uses when sending updates to peers.

    For Windows 8.1 devices, configure the settings:

    Settings Descriptions
    Windows 8.1
    Updates Managed By

    Set to Administrator to configure how Windows Updates. Setting to User does not override the device settings.

    Install Important Updates Automatically

    Require all Important Automatic Updates to install automatically.

    Install Recommended Updates Automatically

    Require all Recommended Automatic Updates to install automatically.

    Protection Agent Advanced Configuration

    Configure the advanced settings for the Windows Automatic Update profile.

    Windows Update Source

    Select the source for Windows Updates:

    • Microsoft Default – Select to use the default Microsoft Update Server.
    • Corporate WSUS – Select to use a corporate server and enter the WSUS Server URL and WSUS Group.

      The device must contact the WSUS at least once for this setting to take effect.

    Choosing Corporate WSUS as a source allows your IT Admin to view updates installed and device status of devices in the WSUS Group.

    Important Updates

    Select the rules to use for Important Updates.

    Install Recommended Updates the Same Way as Important Updates

    Enable to install Recommended Updates using the same rules Important Updates use.

    Update Other Microsoft Products When Updating Windows

    Enable to allow other Microsoft Products to update when Windows is updated.

  7. Select Save & Publish to push the profile to devices.
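
Added example (not part of the AirWatch documentation or product): a small review script that applies the interactions described above to a profile before you publish it. It covers the pause-overrides-deferral rule, the "Never check for updates" option, and the Security and Definition auto-approval groups. The dictionary layout, the `max_quality_delay` threshold, and the function names are assumptions; the keys reuse the setting names from this page.

```python
# Added example: review a Windows Updates profile before Save & Publish.
# The dict layout is an assumption; keys reuse the setting names on this page.
PAUSE_DAYS = 60  # the page: a pause lasts 60 days or until disabled


def effective_delay(profile, kind):
    """Return (days, reason) for kind 'Feature' or 'Quality'.

    A pause overrides the deferral period, as the page states.
    """
    if profile.get(f"Pause {kind} Updates"):
        return PAUSE_DAYS, "paused"
    days = int(profile.get(f"Defer {kind} Updates Period in Days", 0))
    return days, "deferred"


def lint_profile(profile, max_quality_delay=14):
    """List settings that delay or block security-relevant updates.

    max_quality_delay is a hypothetical local threshold, not a product default.
    """
    findings = []
    if str(profile.get("Automatic Updates", "")).startswith("Never check"):
        findings.append("Automatic Updates: devices never check for updates")
    days, reason = effective_delay(profile, "Quality")
    if days > max_quality_delay:
        findings.append(f"Quality updates {reason} for up to {days} days")
    if profile.get("Require Update Approval"):
        # Groups the page suggests leaving Allowed; any other value means
        # those updates wait for a manual approval.
        auto = profile.get("Auto-Approved Updates") or {}
        for group in ("Security", "Definition"):
            if auto.get(group) != "Allowed":
                findings.append(f"{group} updates wait for manual approval")
    if profile.get("Allow Update Service") is False:
        findings.append("Allow Update Service is off: can cause Windows Store issues")
    return findings


SAMPLE = {  # constructed sample, not exported from a real console
    "Automatic Updates": "Install updates automatically",
    "Defer Quality Updates Period in Days": 7,
    "Pause Quality Updates": True,
    "Require Update Approval": True,
    "Auto-Approved Updates": {"Security": "Allowed", "Definition": "Blocked"},
    "Allow Update Service": False,
}

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE):
        print("-", finding)
```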