Senior Solutions Architect, End User Computing, VMware.
Brooks Peppin is a Senior Solution Architect at VMware. He is focused on helping customers adopt modern management with Windows 10 and deliver great technology experiences for their end users. Previously he worked in VMware IT and led their journey from legacy to modern management of Windows 10. He has been working in the End User Computing space for 8 years and is passionate about all things EUC. He holds a Bachelor’s of Science Degree in Information Systems from the University of Colorado. He blogs about Windows 10 and Workspace ONE at www.brookspeppin.com.

Maintain Workspace ONE Enrollment with SCCM Configuration Baselines

July 26, 2019

Brooks Peppin, a well-respected member of the technical community, addresses some gnarly questions: How do you make sure devices always stay enrolled? What happens if enrollment doesn't get associated to the correct end user? What if it gets associated to a staging user, or to no user at all? These questions don't come up often, but if they do, this blog post has the answers. Brooks describes exactly how to use an SCCM compliance baseline to check for valid enrollment. And if that fails, how to run a script to remove the old agent, repair WMI, and re-enroll automatically.

Enabling co-existence with VMware Workspace ONE is a simple process. VMware Workspace ONE AirLift is a great tool to create and deploy the Workspace ONE Enrollment application to any collection in your environment. You can also do it yourself by using our standard command line enrollment. However, we have had questions from customers on how to ensure devices always stay enrolled. They ask, “What happens if the Workspace ONE application (agent) is installed but enrollment is not associated to the correct end user?” Or “What happens if the device is stuck enrolled to a staging user or no user at all?” While this is very infrequent, it can still happen. Sometimes clients have WMI issues, or an old version of the agent isn’t auto-upgrading. In this blog, I’ll show you how to use an SCCM compliance baseline to check for a valid enrollment and, if the check fails, run a script that removes the old agent, repairs WMI, and re-enrolls the device automatically.

If you’d like to skip the steps and simply import the baseline, jump down to the end. If you want to go through the steps manually, start at the top.

Create SCCM Baseline and Package Manually

Follow these basic steps to manually create an SCCM baseline and package.

1. Create Compliance Item

First, let’s create an SCCM Compliance item to do the actual checking of a valid enrollment.

  1. In SCCM, select Assets and Compliance and then drill into Compliance Settings > Configuration Items.
  2. Right-click and click Create configuration item.
  3. Name it and select Windows 10 under the Settings for devices managed with Configuration Manager client. Click Next.
  4. Select Windows 10 under Supported Platforms. Click Next.
  5. Leave the Device Settings and Platform Applicability pages default. Save the configuration item.
  6. Once saved, right-click your new configuration item and click Properties.
  7. Click the Settings tab, then click New at the bottom to create a new condition.
  8. Specify the following details:
    • Name: Enter a name such as Enrollment Check.
    • Setting Type: Script.
    • Data Type: String.
  9. Under Discovery Script, click Add Script.
  10. For Script Language, select Windows PowerShell, and copy and paste the latest script from here.
  11. Ensure you update the first $val2 -eq StagingWin10@staging.com to be the email address of the staging account you are using in your console. You can go to Settings > Devices & Users > Windows > Windows Desktop > Staging & Provisioning and look at the UPN.
  12. Click OK.
  13. Click Apply to save it.
  14. Go to the Compliance Rules tab and click New to create a new rule.
  15. Fill in the word “Compliant” in the This setting must comply with the following rule section.
  16. Click OK to save.
  17. Click OK to save the Configuration Item.
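As an added illustration of what the discovery script in steps 10 and 11 has to do (this is example code, not the script linked from the post), the following PowerShell returns the string "Compliant" only when the device holds a Workspace ONE MDM enrollment tied to a real user rather than the staging account. It assumes Windows records MDM enrollments under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> with UPN and ProviderID values and that Workspace ONE enrollments carry ProviderID "AirWatchMDM".

```powershell
# Added example (not the script linked from the post): an SCCM discovery script that
# outputs "Compliant" only when the device holds a Workspace ONE MDM enrollment that
# belongs to a real user rather than the staging account.
# Assumption: Windows records MDM enrollments under
# HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> with UPN and ProviderID values, and
# Workspace ONE enrollments carry ProviderID "AirWatchMDM".
# Replace the staging UPN with the one shown under Staging & Provisioning in your console.
$StagingUpn     = 'StagingWin10@staging.com'
$EnrollmentRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'

function Get-Ws1Enrollment {
    # Return the first enrollment key that belongs to Workspace ONE, or nothing.
    # Subkeys without a ProviderID value (Status, Ownership, ...) are filtered out.
    Get-ChildItem -Path $EnrollmentRoot -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'AirWatchMDM' } |
        Select-Object -First 1
}

function Test-Ws1Enrollment {
    param([string]$Staging)
    $e = Get-Ws1Enrollment
    if ($null -eq $e) {
        return 'Non-Compliant: no Workspace ONE enrollment found'
    }
    if ([string]::IsNullOrWhiteSpace($e.UPN)) {
        return 'Non-Compliant: enrollment has no user'
    }
    # -eq is case-insensitive in PowerShell, so UPN casing differences do not matter
    if ($e.UPN -eq $Staging) {
        return 'Non-Compliant: enrolled to the staging account'
    }
    return 'Compliant'
}

# The compliance rule from step 15 matches the exact string "Compliant"; any other
# output marks the device non-compliant and the reason is visible in View Report.
Test-Ws1Enrollment -Staging $StagingUpn
```

If the script reports no enrollment on a device you know is enrolled, enable the 64-bit scripting host option on the script setting so it reads the 64-bit registry view.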

2. Add to Baseline and Deploy

Now we need to create a baseline in order to deploy this to devices.

  1. Go to the Configuration Baselines section.
  2. Right-click and click Create Configuration Baseline.
  3. Fill in a name, and click Add > Configuration Items.
  4. Select the configuration item you just created and click OK.
  5. Ensure you tick the box next to Always Apply this baseline even for co-managed clients.
    Now we are ready to deploy this to our collections.
  6. Right-click the baseline and click Deploy.
  7. Click the Browse button and select the collection.
  8. Change the schedule to run on the frequency you desire. I tend to put this at Every Day.
  9. Click OK to deploy the baseline.

This will go out to the collection and clients will pick up the baseline per the frequency of your SCCM Agent polling settings. Once the client gets the policy, it will then run on the schedule you set above.

3. Create Collections based on compliance

I recommend deploying this to your Windows 10 clients so that you can track your overall enrollment numbers and then make a new collection based on the failures.

On the Deployment tab of the baseline you deployed, you will see the collection it was deployed to and the compliance percentage. To create collections automatically based on compliance results, right-click the collection and click Create New Collection. You can create collections based on Compliant, Non-Compliant, Error, or Unknown statuses.

Let’s go ahead and create one for Non-compliant.

  1. Click Create New Collection > Non-Compliant.
  2. On the next screen, you can either leave the Name default or rename it. I’ve renamed mine to be: WS1 Enrollment | Non-Compliant. Click Next.
  3. Under membership rules, I recommend changing this to Use Incremental updates for this collection. If not, then schedule a full update on this collection at least once a day.
  4. Click Next and then Close. Your new device collection will show up in the list and automatically update as clients report back compliance status.

Keep in mind that this is by no means real-time, as it takes time for devices to run the baseline, send the results to SCCM to process, and then update the collection. You can also see the results of the Baseline by going to Monitoring > Workspace ONE Enrollment (or whatever you named it).

You can right-click it and then select Run Summarization to get the most up-to-date results.

Give it a couple of minutes to process.

4. Create and Deploy Re-Enrollment Package

Now that you have your collection based on non-compliant clients (meaning not enrolled), we can deploy a remediation script to fix them. I use a package because it is the simplest way to configure and deploy the re-enrollment script and Workspace ONE Hub. This script does a number of things (lines 449-461 show each of the functions):

  • Checks for a valid enrollment just like the compliance baseline does, to ensure that nothing changed since the client was added to the collection.
  • Checks WMI and, if errors are found, does a WMI repair.
  • Uninstalls any versions of the Workspace ONE Intelligent Hub (AirWatch Agent). Uninstalling the Hub initiates an MDM un-enrollment.
  • Silently enrolls the Workspace ONE Intelligent Hub.
  • Initiates a full SCCM agent cycle refresh (machine policy, hardware inventory, software inventory). Note that this is optional.
  • Invokes baseline evaluation. This re-runs the baseline evaluation so that the client shows compliant (hopefully) and then updates the baseline and thus the collection. This just updates the baseline results quicker than waiting for the schedule.
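To make the sequence above concrete, here is an added example of a minimal remediation script (example code, not the Re-Enroll-WS1.ps1 from the post) that performs the enrollment check, WMI repair, Hub removal, silent re-enrollment and SCCM policy refresh, taking the same -Server, -LGName, -UPN and -Password parameters as the package command line. It assumes the HKLM:\SOFTWARE\Microsoft\Enrollments layout with ProviderID "AirWatchMDM", and that AirwatchAgent.msi accepts the ENROLL, IMAGE, SERVER, LGNAME, USERNAME and PASSWORD properties; the "AirWatch Agent|Workspace ONE Intelligent Hub" display-name match is an assumption as well.

```powershell
# Added example, not the Re-Enroll-WS1.ps1 from the post: a minimal remediation script that
# follows the same sequence (enrollment check, WMI repair, Hub removal, silent re-enrollment,
# SCCM policy refresh) and takes the same parameters as the package command line.
# Assumptions: the HKLM:\SOFTWARE\Microsoft\Enrollments layout with ProviderID "AirWatchMDM",
# and the AirwatchAgent.msi properties ENROLL, IMAGE, SERVER, LGNAME, USERNAME and PASSWORD.
param(
    [Parameter(Mandatory)][string]$Server,
    [Parameter(Mandatory)][string]$LGName,
    [Parameter(Mandatory)][string]$UPN,       # staging account UPN
    [Parameter(Mandatory)][string]$Password   # staging account password
)
$Log = 'C:\ProgramData\Airwatch\UnifiedAgent\Logs\Re-Enroll-WS1.log'
New-Item -ItemType Directory -Force -Path (Split-Path $Log) | Out-Null
function Write-Log([string]$Msg) { "$(Get-Date -Format s) $Msg" | Out-File -FilePath $Log -Append }

# 1. Exit 0 if a valid (non-staging) enrollment already exists, so that the
#    "Always rerun program" setting is harmless on healthy devices.
$valid = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.ProviderID -eq 'AirWatchMDM' -and $_.UPN -and $_.UPN -ne $UPN }
if ($valid) { Write-Log 'Valid enrollment present, nothing to do'; exit 0 }

# 2. Repair the WMI repository only when winmgmt reports it as inconsistent.
$verify = & winmgmt /verifyrepository 2>&1
if (-not ($verify -match 'consistent')) {
    Write-Log "WMI repository check failed: $verify"
    & winmgmt /salvagerepository | Out-Null
}

# 3. Remove any installed Hub/agent via its MSI product code; this triggers the MDM un-enrollment.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem $uninstallKeys -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.DisplayName -match 'AirWatch Agent|Workspace ONE Intelligent Hub' -and $_.PSChildName -like '{*}' } |
    ForEach-Object {
        Write-Log "Uninstalling $($_.DisplayName) $($_.PSChildName)"
        Start-Process msiexec.exe -ArgumentList "/x $($_.PSChildName) /qn /norestart" -Wait
    }

# 4. Silent enrollment with the staging account; the MSI is in the package folder next to this script.
$msi = Join-Path $PSScriptRoot 'AirwatchAgent.msi'
$msiArgs = "/i `"$msi`" /qn ENROLL=Y IMAGE=N SERVER=$Server LGNAME=$LGName USERNAME=$UPN PASSWORD=$Password"
$proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
Write-Log "Enrollment msiexec exit code: $($proc.ExitCode)"

# 5. Trigger a machine policy retrieval so the client picks up new policy and the baseline re-evaluates sooner.
Invoke-WmiMethod -Namespace root\ccm -Class SMS_Client -Name TriggerSchedule -ArgumentList '{00000000-0000-0000-0000-000000000021}' | Out-Null
exit $proc.ExitCode
```

Because the staging password travels on the program command line, it is visible in the package program definition and in client execution logs such as execmgr.log; the script above deliberately never writes it to its own log.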

Let’s create a quick SCCM package to be able to deploy this.

  1. Create a folder where you store application/package content. I’ve named mine Re-Enroll WS1.
  2. Download Airwatchagent.msi from https://getwsone.com and Re-Enroll-WS1.ps1.
  3. Under Software Library, right-click Package and click Create Package.
  4. Name it accordingly and then paste in the source folder. Click OK. Click Next.
  5. Select Standard Program and then click Next.
  6. On Specify Information about this standard program, fill in the following information, changing the command line to be unique to your organization:
    • Name: Production
    • Command Line: %WINDIR%\Sysnative\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -file .\Re-enroll-ws1.ps1 -Server company.awmdm.com -LGName Prod -UPN staging@prod.com -Password 123456
      **Note: We call %WINDIR%\Sysnative\WindowsPowerShell\v1.0\powershell.exe in order to launch 64-bit PowerShell. SCCM Packages run in a 32-bit context by default.
    • Startup folder: leave blank
    • Run: Hidden
    • Program Can Run: Only when user is logged in.
    • Run mode: Run with administrative rights.
    • Leave the rest default.
  7. Click Next.
  8. Select All Windows 10 on the Requirement window, and then click Next.
  9. Click Next again and then Finish. Close out the wizard.
  10. Right-click the package and click Distribute Content.
  11. Select applicable distribution points and finish out the wizard.
    Now we need to deploy the package to our non-compliant collection.
  12. Right-click the package and click Deploy.
  13. Select your non-compliant collection. Click Next.
  14. On the Content window, it should show the distribution point you have already distributed this content to. If not, add your distribution point(s) there. Click Next.
  15. On Deployment Settings, leave it set as Required. Click Next.
  16. For Scheduling, select today’s date and then set a once-a-day schedule. I like to do every day at noon.
  17. For Re-run behavior, select Always rerun program. You do this because if this program succeeds and then later on, enrollment gets removed, the program still shows as installed, even if the compliance baseline is non-compliant. The script in this package does an enrollment check, as well. So if it re-runs while there is a valid enrollment, it will exit with code 0 (success) and not do any actions.
  18. On the User Experience page, check Allow users to run the program independently of assignments to show this program in Software Center.
  19. Complete the remaining screens according to your organization’s specific requirements.

On the Client

Let’s see how this looks on the client.

  1. If we open up the Configuration Manager control panel applet and then go to the Configurations tab, we can see that our baseline was deployed to our client and evaluated as non-compliant.
  2. You can re-evaluate by clicking the Evaluate button. You can also select View Report to get a detailed report.
  3. If we go into Software Center (since I enabled it to show up there on the deployment), it will show the new program, Re-Enroll WS1 - Production.
  4. In this case, the Re-Enrollment package ran and succeeded. But if it failed, you can view the detailed log here: C:\ProgramData\Airwatch\UnifiedAgent\Logs\Re-Enroll-WS1.log
  5. If I go back to my compliance item and re-evaluate it, I can see that it now shows compliant.
  6. My client also shows compliant on the WS1 Enrollment Baseline report.
  7. If I manually update the membership of my Non-compliant collection, I can observe my collection is now at zero members (was 1 with my device). And if I manually run the Machine Policy Retrieval & Evaluation Cycle on my client, I no longer have the package assigned.

Import Baseline and Package

Here's how to import the baseline and the package.

Baseline

To import the baseline, you start with Github.

  1. Select Download WS1 Enrollment Baseline.cab from Github.
  2. Copy to your SCCM Server.
  3. Right-click Configuration Baselines and click Import Configuration Data.
  4. Click Add and browse to the file.
  5. Click OK when prompted that the publisher cannot be verified.
  6. Click Next and then complete the wizard.

Package

Like you did with the baseline, you start with Github to import the package.

  1. Download the Re-Enroll WS1 Package.zip from Github.
  2. Copy to the SCCM server and place it on the UNC share of your Application content repository.
  3. Under Packages, click Import.
  4. Browse to the zip file.
  5. Select Create New. Click Next, Next, Close.
  6. Right-click the package and click Properties.
  7. Click the Data Source tab and ensure you update the content source path with your own package path. You will still need to download and copy the AirwatchAgent.msi and the Re-Enroll-WS1.ps1 files into your package folder.
  8. Verify that the source path now points to your package folder.
  9. Don’t forget to deploy the package program to your non-compliant collection.

For more blogs like this, visit www.brookspeppin.com.

 
