Figure: New Windows Policies available in Workspace ONE UEM
Today’s challenges with Windows policy management
The hybrid world of management that the Windows operating system has been in since Windows 10 poses some challenges for admins. There are old management capabilities, such as Active Directory GPOs (AD GPOs) and client-based management, and new capabilities, such as the built-in OMA-DM client.
How can admins decide which way to manage Windows? You may wonder whether to use Active Directory GPO or modern policies, and whether to join devices to Azure AD, hybrid or on-prem domain, etc.
Modern Windows policies aren’t on feature parity with AD GPOs
Each major release of Windows 10 and Windows 11 introduced new modern policies in the form of Microsoft CSPs that UEM vendors can use to manage machines. This meant development overhead for UEM/MDM vendors, including Intune, to build each policy into the product. Even then, the modern MDM Windows policies weren’t on feature parity with AD GPOs, causing more frustration and confusion for admins juggling multiple management tools.
We captured legacy policy management with Workspace ONE Baselines
It was clear that Windows would have a modern and a legacy approach to management, and we didn’t want that to be an overhead or a blocker for admins deciding how to manage their devices. Knowing this, we worked hard to build Workspace ONE Baselines, a catalog of AD GPOs you can apply to your Windows machines. This allows endpoint administrators to use Workspace ONE Baselines to apply policies to devices that are domain-joined, Azure-joined, or workgroup devices, removing the need to use VPNs or run commands like gpupdate /force to apply policies. Admins can also view and manage the policy compliance of their devices over the air in a single admin console with role-based access.
We worked on modernizing the profiles framework
So, now that we had covered the “legacy” component of policy management, what about the new modern management approach?
We have now built a framework to import the Windows modern policies into the console, without the need to hand-code them one by one. This delivers new policies to you faster as Microsoft releases them. Microsoft releases new OMA-DM configuration service provider (CSP) policies with each Windows version. A CSP is an interface to read, set, modify, or delete configuration settings on the device. These modern policies, or CSPs, are released for different versions of Windows, including, for example, Windows Desktop, Windows HoloLens, and Surface Hub.
When Microsoft releases new policies or CSPs, they are rolled up into Device Description Framework (DDF) files. These DDF files contain various CSPs and include data about the OS versions supported. If you want to learn more about how DDF works, see Microsoft Docs: Configuration service provider DDF files.
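To make the DDF description above concrete, here is an added example (not Workspace ONE or Microsoft code) that walks a DDF-style XML tree, builds each setting's OMA-URI, and filters settings by the OS build recorded for them. The XML fragment is constructed and simplified; the node names ExampleArea, SettingA and SettingB and the build numbers are illustrative assumptions.

```python
import xml.etree.ElementTree as ET
NS = {"MSFT": "http://schemas.microsoft.com/MobileDevice/DM"}
# Constructed, simplified DDF fragment (node names and build numbers are illustrative).
SAMPLE_DDF = """<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
 <Node><NodeName>Policy</NodeName><Path>./Device/Vendor/MSFT</Path>
  <DFProperties><AccessType><Get/></AccessType><DFFormat><node/></DFFormat></DFProperties>
  <Node><NodeName>ExampleArea</NodeName>
   <DFProperties><AccessType><Get/></AccessType><DFFormat><node/></DFFormat></DFProperties>
   <Node><NodeName>SettingA</NodeName>
    <DFProperties><AccessType><Get/><Replace/></AccessType><DFFormat><int/></DFFormat>
     <MSFT:Applicability><MSFT:OsBuildVersion>10.0.19041</MSFT:OsBuildVersion></MSFT:Applicability>
    </DFProperties></Node>
   <Node><NodeName>SettingB</NodeName>
    <DFProperties><AccessType><Get/></AccessType><DFFormat><chr/></DFFormat>
     <MSFT:Applicability><MSFT:OsBuildVersion>10.0.22621</MSFT:OsBuildVersion></MSFT:Applicability>
    </DFProperties></Node>
  </Node>
 </Node>
</MgmtTree>"""

def _ver(text):
    return tuple(int(p) for p in text.split("."))

def parse_ddf(xml_text):
    """Return one dict per leaf setting: OMA-URI, format, access verbs, minimum OS build."""
    settings = []
    def walk(node, parent):
        # Only the top-level node carries <Path>; children inherit the parent's URI.
        path = f"{node.findtext('Path') or parent}/{node.findtext('NodeName')}"
        props = node.find("DFProperties")
        fmt = props.find("DFFormat")[0].tag if props is not None else "node"
        if fmt != "node":  # interior nodes only group settings
            build = props.findtext("MSFT:Applicability/MSFT:OsBuildVersion", namespaces=NS)
            settings.append({"uri": path, "format": fmt,
                             "access": [a.tag for a in props.find("AccessType")],
                             "min_build": _ver(build) if build else None})
        for child in node.findall("Node"):
            walk(child, path)
    for top in ET.fromstring(xml_text).findall("Node"):
        walk(top, "")
    return settings

def applicable(settings, device_build):
    """URIs a device on device_build supports; settings with no build data are kept."""
    dev = _ver(device_build)
    return [s["uri"] for s in settings if s["min_build"] is None or s["min_build"] <= dev]

def writable(settings):
    """Settings the MDM channel can set, not just read (Add or Replace access)."""
    return [s["uri"] for s in settings if {"Add", "Replace"} & set(s["access"])]
```

Comparing builds as integer tuples rather than strings avoids mis-ordering versions whose components differ in digit count.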
Benefits of the new Windows profiles
With Workspace ONE UEM 2306, we couldn’t wait to show you what we have been working on. For now, we’ve tagged the new Windows policies as beta. Over time, we’ll make some enhancements to the new Windows policy framework, and keep you updated once these have been made.
The new Windows policy framework builds on our Data-Driven User Interface or DDUI – we love an acronym! DDUI has been rolling out for other platforms within Workspace ONE.
Instead of coding, we update the new DDUI to add any Windows DDF files. This changes the definition file that helps render the profile UI. What once required days of development effort can now be completed in hours, and customers can take advantage of new functionality without custom settings.
Some other advantages of the modern DDUI policy approach are:
- Search profile configurations with ease
- Easy to configure, no need to go to Microsoft documentation due to integrated help text
- Add any Policies in Workspace ONE Freestyle Workflows
- Policies include the latest Windows Configurations
- Modern policy design aligned with other platforms
- No need for complex custom payload configurations
- Contents of a payload can now be viewed before adding the payload to the profile
- Separate screens for profile configuration and deployment simplify role-based access use cases
How to see the new Windows Profiles Beta
The profile user experience has been updated with a new look and UX framework. This can be accessed by logging into the Workspace ONE UEM admin console and navigating to Resources > Profiles and Baselines > Profiles and clicking Add new profile.
To use the New Windows Profile Beta, select Windows (Beta).
Give the profile a name. Then you can add a payload by searching or scrolling through all the new payload configurations and selecting Add. Selecting Add allows you to make the configuration changes.
Review the summary on the right-hand side and click Next to walk through the wizard to assign these policies to a Workspace ONE smart group and select the deployment options.
Summary
We’re excited to share with you the new Windows Profiles Beta in Workspace ONE UEM 2306. With the new Data-Driven User Interface, we have added hundreds of new modern Windows profiles (CSPs) for ease of management with Workspace ONE. Workspace ONE can now easily configure and deploy thousands of Windows policies over the air. Whether you start with Workspace ONE Baselines or use the new Windows modern policies, Workspace ONE can help you manage your Windows fleet in a single management console.
We recommend using the new profiles where required. Over time, we will migrate the old profiles to the new ones.
For more information on policy management with Workspace ONE, visit