In case you missed our announcement last month, we are thrilled to expand VMware AirWatch unified endpoint management (UEM) with new innovations across all major operating system (OS) platforms, including Windows 10.
A big theme of our Windows platform updates is OS compliance and security. The new capabilities make desktop management easy for IT by eliminating the many silos in endpoint management that you see today, while ensuring the OS, apps and your company IP are constantly protected against modern security threats.
These UEM enhancements now enable your organization to:
- Simplify OS patching and maintain compliance with the latest software patches.
- Protect data at rest by rendering it unreadable to unauthorized users.
- Provide next-gen threat detection and automated remediation in real-time.
- Distribute apps directly from a custom company catalog or silently upon device enrollment.
Let’s look at what these enhancements mean to your business, IT and end users.
Granular Windows 10 Update Management
Patching is critical for maintaining overall OS security and health. However, the traditional Windows update management model that relies on on-premises servers is broken and painful for IT.
The Challenges of Windows Update Management
- The Mobile Workforce: One challenge we hear from customers is keeping all endpoints up to date with patches, particularly when users today are constantly moving in and out of the company premises. Admins struggle to deploy patches to off-network and off-domain users. As a result, a very low percentage of devices get patched, even weeks after critical updates are available and pushed down by IT.
- Windows Server Update Services: Speaking of on-premises management servers, the challenges of setting up WSUS (Windows Server Update Services) are well documented. WSUS problems are amplified further with Windows 10. Given the variations in Windows 10 SKUs, platform types and branching models, it becomes increasingly difficult to sift through the large number of updates and to identify and test what’s relevant to your deployments.
- Installed Updates Visibility: Another concern we hear from customers is getting any sort of on-demand visibility into installed updates. Often, admins are writing massive SQL queries to get even a simple report on installed updates and updates status.
With Windows 10, Microsoft recommends the new Windows as a service update model, where cumulative OS updates are pushed over the air (OTA). Updates that have gone through a broad testing cycle are now directly shipped as a business-ready servicing branch.
Although there are advantages to this cloud delivery and servicing model, IT is still fearful of losing control over which patches are distributed as part of these rollups and of potentially breaking the OS without having fully tested them internally. Adding to the challenges are the large size of these cumulative update rollups, which are released every few weeks, and the major upgrades that Microsoft pushes out approximately every six months. Clearly, companies will now have to deal with network and bandwidth constraints while delivering these over their WAN networks.
New OS Patch Management Capabilities in AirWatch
To help address these specific challenges, we continue to invest and strengthen the OS patch management capabilities in AirWatch. I touch upon this in today’s video, and in the coming weeks we will have a dedicated episode on OS patch management.
These enhancements enable IT to get more granular control over updates management and distribution. Key patch management features identified below now enable IT admins to:
- Overcome the challenges associated with off-network patching with instant push-based management.
- Subscribe to OS branches and deploy and/or defer updates based on device priority and desired maintenance windows.
- In addition to the branch model, give control back to IT by allowing admins to override forced upgrades from Windows Update for Business.
- Auto-approve or disallow certain update groups based on a targeted group’s sensitivity to feature and security updates.
- Manage patches even at individual patch/KB-level and distribute these to a specific device or in bulk based on targeted smart group assignments.
- Leverage peer-to-peer caching for delivery optimization of updates and avoid potential network congestion resulting from large cumulative updates.
- Receive detailed inventory of required, pending or installed Windows updates and perform compliance auditing at an individual KB, device or organization level.
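The branch subscription, deferral and KB-level inventory capabilities listed above map onto Windows 10’s built-in Windows Update for Business policies and the Windows Update Agent. The following PowerShell is an added illustration written for this post, not AirWatch code or an AirWatch API: it sets the same policy values a UEM profile would push (the registry path and value names are Microsoft’s documented Windows Update for Business policy keys; the deferral day counts, the download mode and the required-KB list are sample values chosen here), then builds a KB-level compliance report from the local machine. It assumes an elevated PowerShell session on Windows 10.

```powershell
# Added example (not AirWatch code): Windows Update for Business deferrals plus
# a KB-level patch inventory and compliance check on a single Windows 10 device.
# Requires an elevated PowerShell session.

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$doPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
foreach ($p in @($wuPolicy, $doPolicy)) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
}

# Subscribe to the business-ready branch (BranchReadinessLevel 32 = CBB / Semi-Annual
# Channel; 16 = CB / Targeted) and defer feature (upgrade) updates by 60 days and
# quality (cumulative) updates by 7 days. Day counts are sample values.
$wuSettings = @{
    BranchReadinessLevel            = 32
    DeferFeatureUpdates             = 1
    DeferFeatureUpdatesPeriodInDays = 60   # allowed range 0-365
    DeferQualityUpdates             = 1
    DeferQualityUpdatesPeriodInDays = 7    # allowed range 0-30
}
foreach ($name in $wuSettings.Keys) {
    New-ItemProperty -Path $wuPolicy -Name $name -PropertyType DWord `
        -Value $wuSettings[$name] -Force | Out-Null
}

# Delivery Optimization download mode 1 = peer-to-peer with devices on the same LAN,
# which is what keeps large cumulative rollups from saturating the WAN link.
New-ItemProperty -Path $doPolicy -Name 'DODownloadMode' -PropertyType DWord -Value 1 -Force | Out-Null

# Inventory 1: updates already installed, at KB level.
$installed = Get-HotFix | Select-Object HotFixID, Description, InstalledOn

# Inventory 2: applicable updates not yet installed, via the Windows Update Agent COM API.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
$pending  = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Title    = $u.Title
        Severity = $u.MsrcSeverity          # Critical / Important / Moderate / Low or empty
        SizeMB   = [math]::Round($u.MaxDownloadSize / 1MB, 1)
    }
}

# Compliance check: which KBs from a required list are missing on this device.
# The KB identifiers below are placeholders, not real update numbers.
$requiredKBs = @('KB1234567', 'KB7654321')
$missing     = $requiredKBs | Where-Object { $_ -notin $installed.HotFixID }

[pscustomobject]@{
    Device        = $env:COMPUTERNAME
    InstalledCount = $installed.Count
    PendingCount  = @($pending).Count
    MissingKBs    = $missing -join ','
    Compliant     = ($missing.Count -eq 0)
} | Format-List

$pending | Sort-Object Severity | Format-Table -AutoSize
```

Two practical notes. The deferral values only take effect if the device actually talks to Windows Update; a device still pointed at a WSUS server via `WUServer` ignores them, which is one reason the off-network patching problem described above is so common. And `Get-HotFix` only lists updates recorded by the servicing stack, so pairing it with the WUA search for pending updates is what gives the required/pending/installed picture rather than just the installed one.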
Advanced BitLocker Management
The next major addition to this release is advanced BitLocker deployment and administration capabilities for your Windows 10 endpoints—without requiring any additional encryption management tools from Microsoft (e.g. MBAM) or third parties.
BitLocker is a native OS encryption feature of Windows 10 and provides hands-free data protection at rest by rendering the data unreadable to unauthorized users. This is useful in scenarios where a device is lost, stolen or retired, leaving the data on the hard disk at risk of theft or unintended exposure.
The new BitLocker management profile in AirWatch now includes the ability to:
- Flexibly encrypt the entire hard disk or just the system partition. An additional option now enables admins to quickly encrypt only the used space on the disks.
- Enable use of the device’s built-in Trusted Platform Module (TPM) for secure authentication. This offers a low total cost of ownership (TCO) deployment without the need to provision USB flash drives with startup keys, and it also ensures pre-startup OS integrity by validating that the system hasn’t been tampered with.
- Enforce a second factor login PIN in conjunction with TPM. The multifactor authentication ensures added security and prevents OS startup and auto-resume from a suspend or hibernate state until the user enters the correct PIN.
- Set recovery password rotation. The 48-digit BitLocker recovery password used to unlock an encrypted volume is static until a new one is generated. With AirWatch, admins now have the ability to set a periodic recovery key rotation policy. This ensures adherence to compliance requirements and better data protection in scenarios where the key falls into the wrong hands.
- Display a configurable BitLocker recovery password URL (e.g. the AirWatch Self-Service Portal URL, which escrows the BitLocker recovery password). This allows end users to recover the encryption password on their own without having to raise a help desk ticket.
- Suspend BitLocker temporarily during scheduled maintenance windows (e.g. Windows updates, BIOS updates, software installs) so that the user is not constantly prompted for a password/PIN each time the OS restarts.
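Each of the profile options above corresponds to an operation in Windows 10’s built-in BitLocker PowerShell module. The script below is an added example written for this post, not AirWatch code: it performs the same steps by hand on one device so the profile settings can be checked or understood (used-space-only encryption, TPM+PIN, recovery password escrow and rotation, suspend for a maintenance window, and a status report). It assumes an elevated session on a Windows 10 device with a TPM, that the “Require additional authentication at startup” policy permits TPM+PIN, and that recovery passwords are escrowed to Active Directory (an AirWatch deployment escrows them to its own store instead; the `Backup-BitLockerKeyProtector` call is the AD DS stand-in for that).

```powershell
# Added example (not AirWatch code): manual BitLocker management on a Windows 10 device
# using the built-in BitLocker module. Requires elevation and a TPM.

$vol = 'C:'

# 1. Encrypt only the used space on the OS volume, protected by TPM + PIN so the OS
#    will not start, or resume from hibernate, until the correct PIN is entered.
$pin = Read-Host -Prompt 'Enter BitLocker PIN' -AsSecureString
Enable-BitLocker -MountPoint $vol -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -TpmAndPinProtector -Pin $pin -SkipHardwareTest

# 2. Add a 48-digit recovery password protector and escrow it (AD DS here; a UEM
#    escrows it to its own self-service store).
Add-BitLockerKeyProtector -MountPoint $vol -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $vol).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $vol -KeyProtectorId $rp.KeyProtectorId

# 3. Recovery password rotation: create a new protector, escrow it, and only then
#    remove the old one, so there is never a moment without an escrowed password.
function Invoke-RecoveryPasswordRotation {
    param([Parameter(Mandatory)][string]$MountPoint)

    $old = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
           Where-Object KeyProtectorType -eq 'RecoveryPassword'

    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $new = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
           Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                          $_.KeyProtectorId -notin @($old.KeyProtectorId) }

    # Escrow first; a failure here throws and leaves the old protector in place.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId -ErrorAction Stop

    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    return $new.KeyProtectorId
}
Invoke-RecoveryPasswordRotation -MountPoint $vol

# 4. Maintenance window: suspend protection for exactly one reboot (e.g. a BIOS update
#    or a cumulative update that changes boot components). Protection re-arms after
#    that reboot; Resume-BitLocker re-arms it immediately if the window ends early.
Suspend-BitLocker -MountPoint $vol -RebootCount 1
# ... install the update and reboot here ...
Resume-BitLocker -MountPoint $vol

# 5. Status for compliance reporting: volume state, protection state, progress and
#    which protector types are present (expect Tpm/TpmPin plus RecoveryPassword).
Get-BitLockerVolume -MountPoint $vol |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
                  @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
```

The ordering in step 3 is the part worth copying into any rotation policy: escrow the new password before removing the old protector, otherwise a failed escrow leaves a device whose only recovery password is one nobody has stored. Step 4 uses `-RebootCount 1` rather than an open-ended suspend for the same reason the profile offers scheduled windows: a suspended volume is readable without the PIN, so the suspension should end on its own even if the follow-up `Resume-BitLocker` never runs.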
Accelerated Compliance and Threat Containment
The latest release of AirWatch integrates with VMware TrustPoint to take your Windows 10 endpoint security and hygiene to the next level. The integration provides accelerated compliance and faster threat containment across Windows 10 endpoints.
TrustPoint brings in the unique ability to detect threats across millions of endpoints in seconds and report back compliance status and the gradient risk level (low to high) for devices that are compromised. For example, devices that may be running older versions of app dependencies, apps with bad MD5 hashes, or a combination of both will be flagged as out of compliance by TrustPoint, and AirWatch will be notified immediately.
Admins can now define compliance policies within AirWatch that take automated remediation actions based on the threat level assessment. For example, for a threat that’s categorized as low level, the admin may choose to simply revoke work email, but for a higher risk level, access to the company network may be revoked and a remote enterprise wipe command may be enforced to safeguard company data.
Expanded Support for Windows Store for Business
The Windows Store for Business delivers a place for developers, IT decision makers and administrators to submit, find, acquire, manage and distribute Windows 10 apps for organizations.
Last year, we added AirWatch integration with the Business Store Portal (BSP) to make it easier for organizations to buy, assign, revoke and manage licenses for any Windows store app. The AirWatch 9.1 release adds support for the online licensing model, so IT can now distribute online or offline licensed apps directly from a custom company catalog or silently upon device enrollment.
This means that end users will no longer require a Microsoft Account (MSA) and a credit card each time an app is downloaded and installed from the store. IT departments can perform bulk actions (such as import, assign, revoke) on these app licenses, and get complete visibility on license assignments and use.
We hope that you are just as excited as we are with these latest innovations in Windows 10 management with AirWatch 9.1. Over the next couple of episodes, we will take a deeper look at these capabilities and what they mean for your IT organization. Tune in to these episodes to see our very own Jason Roszak demo these new features.