Deploying Win32 Applications: VMware Workspace ONE Operational Tutorial
The VMware Workspace ONE UEM Operational Tutorial: Managing Windows 10 Updates consists of a series of exercises that walk through managing Windows 10 updates with Workspace ONE UEM.
This operational tutorial provides you with discussions and exercises to help with your existing VMware Workspace ONE® production environment. VMware provides operational tutorials to help you with:
- Common procedures or best practices
- Complex manual procedures
Note: Before you begin any operational tutorial, you must first deploy a production environment. For information about deployment, see the VMware Workspace ONE Documentation.
This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM (unified endpoint management), powered by VMware AirWatch, is also helpful.
Deploying Win32 Applications
This exercise introduces you to managing Win32 applications with Workspace ONE.
Understanding Installation Behaviors
When deploying numerous apps to end-user devices, it can take some time to install all the device applications. After device on-boarding completes, apps queue up for the device to install per Windows operating system specifications, configured timeout values, and retry logic. Dependency files are installed prior to the main application.
Installation Behavior Variables
A few variables impact the way applications distributed from the Workspace ONE UEM Console install on devices.
- User Type - Devices can have either admin or standard users.
- Privileges - Applications may allow user privileges or require administrative privileges.
- Context - Applications can install to the device or the user context.
The following table outlines how these variables impact installation behavior.
|User Type||Privileges||Context||Install Behavior|
|Admin User||Admin||Device||Install without prompt|
|Admin User||Admin||User||Install with prompt|
|Admin User||User||Device||Install without prompt|
|Admin User||User||User||Install with prompt|
|Standard User||Admin||Device||Install without prompt|
|Standard User||User||Device||Install without prompt|
Getting the Uninstall Command
In this exercise, you use command-line options to determine the uninstall command you might use when creating an uninstall script. You can then upload the script on the Files tab when deploying an app.
- In a command-line session, enter setup.exe /?. If the EXE contains an underlying MSI, use the msiexec uninstall command: msiexec /x setup.exe.
- Install the app on a reference device.
- When installation completes, look at the HKEYs on the device’s listed registries.
Getting the Exit Code
In this exercise, you determine the exit codes you might use if you select Using Custom Script on the Deployment Options tab.
Use the environmental variable %errorlevel% to get exit codes. Use it in conjunction with built-in DOS commands like SET to preserve the existing
- In a command-line session, run the install command for the Win32 application.
- If the Win32 application requires a reboot for installation, the variable returns the reboot exit code.
Deploying a Standard MSI Application File
This workflow demonstrates the automated procedure for delivering an MSI application to remote and enterprise worker devices.
- Navigate to Apps & Books > Applications > List View > Internal > Add Application > Upload > Local File.
- Click Upload and select the AppName.msi file for any sample MSI application. When asked whether the file is a dependency file, select No. Selecting Yes associates a dependency file to Win32 applications. Dependency files are libraries and frameworks, such as Java, Silverlight, or .NET libraries.
- Click Continue.
- On the Details tab, review the automatically populated fields.
- On the Files tab, if necessary, customize the auto-populated command line for the uninstallation process:
MSIEXEC /X Product Code
If desired, you can upload an uninstall script to perform additional actions while removing the application.
- On the Deployment Options tab, review the auto-populated information.
- Upload the app’s icon for end users to see in the app catalog.
- Optionally, add a terms-of-use policy for end users to accept before installing applications.
- Select Save & Assign.
- Click Add Assignment to configure flexible deployment options.
- Select Smart Group: Type a smart group name to select the groups of devices to receive the assignment.
- Push Mode: Determine how the application deploys to the device. On Demand deploys content to a catalog or other deployment agent and lets the device user decide if and when to install the content.
- Automatic: Deploys content to a catalog or other deployment agent on a device upon enrollment. After the device enrolls, the system prompts users to install the content on their devices.
- Deployment Begins On: Specify a day of the month and a time of day for the deployment to start.
- DLP: Configure a device profile with a Restrictions profile to set data loss prevention policies for the application.
- Application Transforms: Associate transform files to the Win32 applications. This setting replaces the placeholder transform name in the Install Command option.
- Select Add and then click Save & Publish.
Adding Application Versions
You can control the versions of internal applications available to end users.
- Navigate to Apps & Books > Applications > List View and select the Internal tab.
- Select the application and then select Add Version from the actions menu.
- Upload the updated file.
- On the Details tab, select Retire Previous Versions.
- Select Save & Assign to use the flexible deployment feature.
Reviewing Additional Application Samples
In addition to the packaged apps like the zipped file we uploaded in this exercise, Workspace ONE UEM supports the upload and deployment of MSIs and EXEs. Below are additional examples of the supported application types, and their required Workspace ONE UEM configurations.
Refer to the article Software Distribution: Tips and Troubleshooting for a list of validated use cases as well as instructions on retrieving required application information.
||Use default setting|
|When to Call Install Complete||Value Type String||Use default setting|
|When to Call Install Complete||Registry path:
|PocketOE.zip1||GPO Migration Tool2|
|When to Call Install Complete||Type: App Exists
|Upload the Custom PowerShell Script File: LGPOConfirmPackageInstall.ps1
1 This example shows an MSI deployed as a zip.
2 This example shows a zip with a PowerShell script used for installation detection.
Deploying Microsoft Office 365 ProPlus
This exercise helps you configure and assign Microsoft Office 365 ProPlus with a configuration file for click-to-run delivery. The procedures are sequential and build upon one another, so make sure that you complete each section in order.
Software Distribution with Workspace ONE UEM
The VMware Workspace ONE application life cycle flow, also known as software distribution, exists for all internal applications. Use software distribution to deliver Win32 applications, track installation statuses, keep application versions current, and delete old applications.
You must also satisfy the following requirements:
- Workspace ONE UEM Console
  - 9.2 or later
  - Software Package Deployment enabled
- Windows 10 device that meets the following specifications:
  - Enrolled in Workspace ONE UEM
  - A virtual machine or spare Windows device
  - Windows 10 with the latest updates installed
  - Workspace ONE Application installed on Windows 10 device
  - Administrative rights
- Folder containing Office365 files with the logo saved as o365-logo.jpg.
Important: Do not access the Workspace ONE UEM Console from the same machine you are managing.
This exercise uses software distribution to deploy Office 365 Pro Plus, an EXE file packaged as a Zip file. This requires you to enter application information into the Workspace ONE UEM Console. To facilitate configuration, we gathered the required information in the following table.
Office 365 Pro Plus Zip
|Install Command||setup.exe /Configure Configuration.xml|
|Uninstall Command||setup.exe /uninstall ProPlus|
|When to Call Install Complete||Registry Path: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\O365ProPlusRetail; Value Name: DisplayName; Value Type: String; Value Data: Microsoft Office Professional Plus 2016|
Note: VMware software distribution supports MSI, EXE, and ZIP files. The required application details vary by application and file type. For more information, see Additional Application Samples. To address scripting needs, use product provisioning.
Preparing Office 365 ProPlus Files
Before we can upload the ProPlus app to the Workspace ONE UEM Console, we need to prepare and zip the files.
1. Download the Office Deployment Tool
- Navigate to the Microsoft website: https://www.microsoft.com/en-us/download/details.aspx?id=49117.
- Click Download to download the Office Deployment Tool executable.
- Click the .exe file.
2. Extract Files
- Accept the licensing terms.
- Click Continue.
3. Select or Create Folder to Store Files
- Select or create a folder in which to store the extracted files.
- Click OK.
4. Package the Office 365 Files as a Zip
- Navigate to the folder containing the extracted files, for example, Office365.
- Select the configuration.xml and setup.exe files (click + drag over both, or ctrl + click both files) and right-click.
- Hover over Send to.
- Select Compressed (zipped) folder.
5. Rename the Zipped Folder
Rename the zipped folder to
6. Inspect the Configuration.xml File (Optional)
- Select configuration.xml and right-click the file.
- Select Edit.
In this example, we use the default configuration.xml file that is provided with the Office 365 ProPlus deployment. If your organization has already deployed Office 365, it will have a configuration.xml file that contains organization-specific install and licensing options. The setup.exe process uses these details to configure the Office 365 installation for your users.
- Click the Close (X) button to exit Notepad.
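A scripted form of steps 4 through 6, added here as an example and not part of the VMware tutorial: it reports what configuration.xml will install, checks the Authenticode signature on setup.exe, and builds the zip under the name used in the upload step. The folder C:\Office365 and the function name New-Office365Package are assumptions.

```powershell
# Added example, not VMware's or Microsoft's code.
# Assumption: the Office Deployment Tool was extracted to C:\Office365 (hypothetical path).
function New-Office365Package {
    param(
        [string]$SourceDir = 'C:\Office365',
        [string]$ZipName   = 'Office365ProPlus.zip'
    )
    $setupExe  = Join-Path $SourceDir 'setup.exe'
    $configXml = Join-Path $SourceDir 'configuration.xml'
    $zipPath   = Join-Path $SourceDir $ZipName

    # Step 6, scripted: the file must be well-formed XML. Collect the product IDs
    # it installs and any SourcePath that setup.exe would fetch Office files from.
    $config = [xml](Get-Content -LiteralPath $configXml -Raw)
    $products = @($config.SelectNodes('/Configuration/Add/Product') |
        ForEach-Object { $_.GetAttribute('ID') })
    $sources = @($config.SelectNodes('/Configuration/Add[@SourcePath]') |
        ForEach-Object { $_.GetAttribute('SourcePath') })

    # Integrity check: only package a setup.exe with a valid Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $setupExe
    if ($sig.Status -ne 'Valid') {
        throw "setup.exe signature status is '$($sig.Status)'; not packaging."
    }

    # Steps 4-5, scripted: zip exactly the two files under the final name.
    Compress-Archive -LiteralPath $setupExe, $configXml -DestinationPath $zipPath -Force

    # Return a record to keep with the change ticket: what was packaged and by whom it was signed.
    [pscustomobject]@{
        Package     = $zipPath
        Sha256      = (Get-FileHash -LiteralPath $zipPath -Algorithm SHA256).Hash
        Signer      = $sig.SignerCertificate.Subject
        Products    = $products
        SourcePaths = $sources
    }
}

New-Office365Package | Format-List
```

Confirm that the reported signer is the publisher you expect before uploading the zip.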
Logging In to the Workspace ONE UEM Console
To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.
1. Launch Chrome Browser
On your desktop, double-click the Google Chrome icon.
3. Authenticate In to the Workspace ONE UEM Console
- Enter your Username. This is the name provided in the activation email.
- Enter your Password. This is the password provided in the activation email.
- Click the Login button.
Note: If you see a Captcha, be aware that it is case sensitive.
Uploading Microsoft Office 365 ProPlus
Now that you have zipped the setup.exe and configuration.xml files for your Office 365 deployment, the next step is to upload and deploy this application through the Workspace ONE UEM Console.
1. Add an Internal Application
In the Workspace ONE UEM Console:
- Select Apps & Books.
- Select Add Application.
2. Upload the Application File
3. Choose the File to Upload
Click Choose File.
4. Choose the Office365ProPlus.zip File
- Navigate to the folder containing Office365ProPlus.zip.
- Click to select the Office365ProPlus.zip file.
- Click Open.
5. Save the Uploaded File
6. Continue after Saving the File
- Select No for Is this a dependency app?
- Click Continue.
Note: In software distribution, dependency files are libraries and frameworks that the app requires to function, such as Java, Silverlight, or .NET libraries. Although you upload and view them like a file, they have reduced features.
To view dependency files in the Workspace ONE UEM Console, navigate to Apps & Books > Applications > Native > Internal > Filters > Platform and select Windows Desktop. Then, expand Core vs Dependency Apps, and select Dependencies.
Configuring & Deploying Microsoft Office 365 ProPlus
After uploading Office 365 ProPlus to the Workspace ONE UEM Console, set its configurations, assign it to groups, and deploy it to devices.
1. Configure the Details Tab
- Ensure the Details tab is selected.
- Enter Office 365 Pro Plus for the Name.
- Select 64-bit for the Supported Processor Architecture. Verify which processor architecture is relevant for your device.
Note: When you upload MSI files, all possible fields are automatically pre-populated with the metadata. For ZIP packages, however, you must enter a Name as well as some of the Deployment Options.
2. Configure the Files Tab
Select the Files tab.
2.1. Review Application File Settings
Familiarize yourself with the following settings, which enable you to configure additional application details and requirements:
- App Dependencies: Enable the system to apply dependency files.
- App Transforms: Apply MSI Transform (MST) files.
- App Patches: Apply MSI Patch (MSP) files.
2.2. Configure the App Uninstall Process
- Scroll down to find the App Uninstall Process section.
- Select Input for the Custom Script Type.
- Enter setup.exe /uninstall ProPlus as the Uninstall Command.
3. Configure Deployment Options
Select the Deployment Options tab.
3.1. Define When to Install
Configure details about what requirements must be met in order to install the application.
- Enter 3 for the Disk Space Required, which specifies the amount of disk space the device must have available to install the application.
- Select GB for the Units of the Disk Space Required.
- Enter 50 for the Device Power Required, which specifies the battery power, in percentage, that the device must have to install the application.
- Enter 500 for the RAM Required, which specifies the amount of RAM the device must have to install the application.
- Enter MB for the Units of the RAM Required.
3.2. Define How to Install
- Scroll down to find the How To Install section.
- Enter setup.exe /configure configuration.xml for the Install Command.
- Enter 3 for the Retry Count, which specifies the number of times the system attempts to install the application after an unsuccessful attempt.
- Enter 5 for the Retry Interval, which specifies the time (in minutes) the system waits when it tries to install the application after an unsuccessful attempt.
- Enter 30 for the Install Timeout, which specifies the time (in minutes) the system allows the installation process to run without success.
- Enter 1614 for the Installer Reboot Exit Code, which specifies the code the installer outputs to identify a reboot action.
- Enter 0 for the Installer Success Exit Code, which specifies the code the installer outputs to identify a successful installation.
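The exit-code exercise earlier in this tutorial and the How To Install values above can be rehearsed on a reference device before they are saved in the console. The following PowerShell is an added example, not the Workspace ONE agent's logic or code from the tutorial; the function name and the C:\Office365 folder are assumptions, and the retry, timeout, and exit-code defaults are the values entered above.

```powershell
# Added example: local rehearsal of the How To Install settings.
# Assumption: setup.exe and configuration.xml are in C:\Office365 (hypothetical path).
# Run from an elevated 64-bit PowerShell session on the reference device.
function Invoke-InstallRehearsal {
    param(
        [string]$WorkingDir     = 'C:\Office365',
        [string]$FileName       = 'setup.exe',
        [string]$Arguments      = '/configure configuration.xml',
        [int]$RetryCount        = 3,     # retries after the first unsuccessful attempt
        [int]$RetryIntervalMin  = 5,
        [int]$InstallTimeoutMin = 30,
        [int]$SuccessExitCode   = 0,
        [int]$RebootExitCode    = 1614
    )
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName         = Join-Path $WorkingDir $FileName
    $psi.Arguments        = $Arguments
    $psi.WorkingDirectory = $WorkingDir
    $psi.UseShellExecute  = $false

    for ($attempt = 1; $attempt -le ($RetryCount + 1); $attempt++) {
        $started = Get-Date
        $proc = [System.Diagnostics.Process]::Start($psi)

        if ($proc.WaitForExit($InstallTimeoutMin * 60 * 1000)) {
            # ExitCode is the process exit code that the exercise reads through %errorlevel%.
            $code = $proc.ExitCode
            if ($code -eq $SuccessExitCode) {
                $outcome = 'Success'
            } elseif ($code -eq $RebootExitCode) {
                $outcome = 'RebootRequired'
            } else {
                $outcome = 'Failed'
            }
        } else {
            # Timed out: stop the installer process (child processes are not tracked here).
            $proc.Kill()
            $code = $null
            $outcome = 'TimedOut'
        }

        # One record per attempt, so unexpected exit codes are visible.
        [pscustomobject]@{
            Attempt  = $attempt
            ExitCode = $code
            Outcome  = $outcome
            Minutes  = [math]::Round(((Get-Date) - $started).TotalMinutes, 1)
        }

        if ($outcome -in 'Success', 'RebootRequired') { break }
        if ($attempt -le $RetryCount) { Start-Sleep -Seconds ($RetryIntervalMin * 60) }
    }
}

Invoke-InstallRehearsal | Format-Table -AutoSize
```

An exit code that shows up as Failed here but belongs to a completed install is a sign that the success or reboot code entered in the console needs review.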
3.3. Define When To Call Install Complete
- Scroll down to the When To Call Install Complete section.
- Select Defining Criteria for Identify Application By.
- Click + Add.
3.4. Define the Application Criteria
- Select Registry Exists for the Criteria Type.
- Enter HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office16.PROPLUS for the Path.
- Enter DisplayName for the Value Name.
- Select String for the Value Type.
- Enter Microsoft Office Professional Plus 2016 for the Value Data.
- Click Add.
Note: There are multiple Criteria Types to choose from, allowing you to be flexible in determining if your deployment was successful. You can also add multiple Criteria configurations and link them together logically to cover complex deployments.
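Before saving the criterion, it can be checked against a reference device where the app is already installed; the same lookup surfaces the uninstall command discussed in Getting the Uninstall Command. This PowerShell is an added example, not VMware's code: the function names are hypothetical, and the exact, case-sensitive string comparison is an assumption about how the value is matched.

```powershell
# Added example. Run in 64-bit PowerShell on the reference device so that
# HKLM\SOFTWARE and HKLM\SOFTWARE\WOW6432Node are read as two separate views.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# List uninstall entries whose DisplayName matches the pattern, with the key
# path in HKLM\... form and the uninstall command the installer registered.
function Find-UninstallEntry {
    param([Parameter(Mandatory)][string]$NamePattern)
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root | ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if ($p.DisplayName -like $NamePattern) {
                [pscustomobject]@{
                    Path            = $_.Name -replace '^HKEY_LOCAL_MACHINE', 'HKLM'
                    DisplayName     = $p.DisplayName
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

# Evaluate one "Registry Exists" criterion the way it is typed into the console:
# key path, value name, and expected string data.
function Test-RegistryCriterion {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][string]$ValueData
    )
    $psPath = 'Registry::' + ($Path -replace '^HKLM\\', 'HKEY_LOCAL_MACHINE\')
    $result = [pscustomobject]@{
        Path = $Path; KeyExists = $false; Actual = $null; Match = $false
    }
    if (Test-Path -LiteralPath $psPath) {
        $result.KeyExists = $true
        $result.Actual = (Get-Item -LiteralPath $psPath).GetValue($ValueName)
        # Assumption: the value must be a string that matches exactly (case-sensitive).
        $result.Match = ($result.Actual -is [string]) -and ($result.Actual -ceq $ValueData)
    }
    $result
}

Find-UninstallEntry -NamePattern 'Microsoft Office*' | Format-List

# The tutorial's summary table and step 3.4 name different keys; test both.
'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\O365ProPlusRetail',
'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office16.PROPLUS' |
    ForEach-Object {
        Test-RegistryCriterion -Path $_ -ValueName 'DisplayName' `
            -ValueData 'Microsoft Office Professional Plus 2016'
    } | Format-Table -AutoSize
```

Enter in the console only a path for which Match is True on the reference device; a criterion that never matches leaves the app reporting as not installed even after a successful install.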
4. Add the Application Icon
Select the Images tab.
4.1. Open Icon Settings
- Select the Icon tab.
- Click the area labeled Click or drag files here.
4.2. Select the Icon File
- Navigate to the folder containing the Office365 files.
- Select o365-logo.jpg.
- Click Open.
- Click Save & Assign.
6. Assign & Publish
6.1. Add Application Assignment
Click Add Assignment.
6.2. Assign Office 365 Pro Plus
- Select All Devices (firstname.lastname@example.org) for the Assignment Groups.
- Select Auto for App Delivery Method.
- Click Add.
6.3. Save and Publish
Click Save & Publish.
7. Confirm the Application Appears in the List View
In the Internal Applications List View, confirm that the Office 365 Pro Plus application is displayed.
You have successfully added the Office 365 ProPlus app to Workspace ONE UEM for deployment.
Verifying Microsoft Office 365 ProPlus Deployed
This exercise helps you verify that the install command completed successfully and shows how to verify your software distribution process.
1. Verify Install Command Was Sent
You can retrieve details about the current install status of an application on the assigned devices. Use these details to confirm that devices are installing the application appropriately.
1.2. Review the Application Summary
- Notice that the Install Status is currently showing Not Installed for 1 device. This verifies that 1 device is currently assigned to receive the application and the application is still reporting as
- You can also verify your Deployment Progress to ensure that the number of devices receiving this application is correct and that your Deployment Mode (Auto or On Demand) is correct.
1.3. Verify the Install Command Dispatched
- Select the Devices tab. This displays the current list of Devices that are assigned to receive this application.
- Notice that our enrolled Windows 10 Device is marked as Not Installed, but the Reason is listed as Install Command Dispatched. Depending on your network resources, this is expected as the install can take some time.
Note: After the Install Command is processed, the Install Status and Reason fields will update to show that the install was successful or that there were errors.
2. Track & Troubleshoot Application Installation
Use the Device Details view to track application deployments and debug deployment issues.
2.2. View App Status
- Select the Apps tab.
- Scroll down until you see the Office 365 Pro Plus app in the list.
- Here you can see a list of applications that are installed on the device and additional information about each of them. Successful, pending, and failed installations will all appear here. You can see that the Office 365 Pro Plus application is pending due to the grey checkmark.
2.3. Access Troubleshooting Logs
- Select the More drop-down menu.
- Select Troubleshooting.
2.4. View Device Events
- Ensure the Event Log tab is selected. Under Event Log, you can view the full list of events sent to the device. You can use this information to verify that the Install Command was received, and details about why the install succeeded or failed.
- Enter Application in the search box.
- Scroll to the right.
- Find the Install Application Requested action for the Office 365 Pro Plus application to verify that the device received the command. You may need to scroll to the right to find the necessary columns, which are:
- Event: Install Application Confirmed
- Event Data: Application: Office 365 Pro Plus
3. Verify Install Was Completed
The following steps help you to verify that software distribution installs are completed and successful.
3.2. Review the Application Summary
Notice that the Install Status now shows Installed for the Windows 10 device.
3.3. Check the Install Status and Reason
Notice that Install Status updated to Installed, and Reason to Managed.
3.4. Verify Installation on the Windows 10 Device
- Click the Windows button.
- After the installation completes, you will notice that the Recently Added section now displays the Office 2016 suite.
Updating Microsoft Office 365 ProPlus
See Patches in Software Distribution for an explanation of the system behavior for assigning cumulative patches to applications and restrictions for patches.
Deleting Microsoft Office 365 ProPlus
VMware AirWatch includes several methods to remove applications from devices. This exercise explains how to delete an application from devices in its assigned smart groups.
2. Select Office 365 ProPlus
- In the search bar, type Office and press Enter.
- Select the appropriate application from the list that appears.
3. Delete Office 365 ProPlus
Summary and Additional Resources
This tutorial shows you how to use Workspace ONE UEM to manage Windows 10 updates through a series of exercises.
Terminology Used in This Tutorial
The following terms are used in this tutorial:
|adaptive access||The ability to control access and authentication methods to sensitive apps based on a device’s managed status.|
|additive||Includes only changes developed after the latest version of the application or the last additive patch.|
|app dependencies||Applications required by the environment and devices to run the Win32 application.|
|app patches||Files that apply additive or cumulative fixes, updates, or new features to applications.|
|app transforms||Files that control application installation and can add or prevent components, configurations, and processes during the process.|
|app uninstall process||Scripts that instruct the system to uninstall an application under specific circumstances.|
|application store||A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.|
|auto-enrollment||Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.|
|BitLocker||Full disk encryption available for Windows, focused on addressing data leakage or data theft scenarios from stolen, lost, or incorrectly decommissioned devices.|
|bring your own device (BYOD)||The process of providing secure access to corporate data, apps, and content on an employee-owned device without invading employee privacy to their personal data, apps, or content.|
|business mobility||The concept of being able to provide secure access to your business services, infrastructure, and content to enable your workforce to work remotely.|
|catalog||A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.|
|cloud||A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.|
|conditional access||To provision access to a resource or service, based on user entitlements or roles.|
|container||The separation of corporate and personal data on employee-owned devices, allowing IT administrators to manage corporate applications and profiles without invading employee privacy or personal apps and content.|
|cumulative||Includes the entire application, including any changes since the latest version of the application, or the last patches.|
|data leakage protection||Software-controlled policies that determine how and where data can be transferred or shared to.|
|device enrollment||The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.|
|Device Health Attestation||Module that gathers device health measurements and reports these measurements to the Health Attestation Service for evaluation.|
|enrollment||The process of allowing your device to be managed by the software-defined policies of the chosen enterprise mobility management provider.|
|enterprise mobility management||The concept of using software and policies to both secure and provide access controls for mobile devices.|
|files and actions||The combination of the files delivered to a device and the actions that file performs on the device. Files and actions cannot be assigned directly to a device. Instead, assign files and actions to a product, which then provisions to devices.|
|Health Attestation Services||Cloud service that evaluates health measurements from the device to determine the health state.|
|identity-as-a-service||Identity and access management services through the cloud to provide SSO identity federation and user-access provisioning.|
|identity provider (IdP)||A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.|
|mobile application management||The concept of managing access, deployment, and restrictions of mobile applications using software and services.|
|mobile device management||The concept of managing mobile devices using software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.|
|multi-factor authentication||Access control process that requires users to authenticate using more than one method of authentication by providing something the user knows (a password) and something the user has, such as a hardware token, smartcard, or phone, or something the user is, such as a fingerprint or retina.|
|one-touch login||A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.|
|per-app VPN||Policies that allow individual apps to access VPN configurations without granting device-wide access to the VPN connection.|
|public app stores||Portals where users can access and obtain publicly published applications, such as the iOS App Store and Google Play Store.|
|service provider (SP)||A host that offers resources, tools, and applications to users and devices.|
|smart groups||Groups that control which devices get which product, based on how the group is created.|
|step-up authentication||Restricting applications or services to require a stronger authentication method, depending on the sensitivity or severity of the resource.|
|unified endpoint management||A single platform that allows organizations to manage and secure every endpoint, any app, and content across deployment use cases.|
|virtual desktop||The user interface of a virtual machine that is made available to an end user.|
|virtual machine||A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.|
|Windows Information Protection||Formerly Enterprise Data Protection (EDP), a Windows solution to assist in preventing data leakage without impeding the user experience.|
For more information about Workspace ONE, you can explore the following resources:
- VMware Workspace ONE Action Path
- VMware Workspace ONE product page
- VMware Workspace ONE Documentation
- VMware Identity Manager product page
- VMware Identity Manager Documentation
- VMware Workspace ONE UEM, powered by VMware AirWatch product page
- VMware Workspace ONE (formerly AirWatch) Documentation
- VMware Workspace ONE free trial
- VMware Workspace ONE Enterprise Edition Reference Architecture
- VMware End-User-Computing Blogs
- Workspace ONE UEM Hands-On Lab
About the Authors
This tutorial was written by Josué Negrón, Sr. Solutions Architect, End-User-Computing Technical Marketing, VMware, and Hannah Jernigan, Technical Writer, End-User-Computing Technical Marketing, VMware, with appreciation and acknowledgement for considerable contributions from the following subject matter experts:
- Pedro Bravo, Deployments Subject Matter Expert, VMware AirWatch
- Ajay Padmakumar, T3 Support Subject Matter Expert, VMware AirWatch
- Varun Murthy, Product Line Manager, VMware AirWatch
- Nigitha Alugubelli, Sr. Product Manager, VMware AirWatch
- Jason Roszak, Director Product Management, VMware AirWatch
- Darren Weatherly, Sales Engineer, VMware AirWatch
- Robert Terakedis, Sr. Solutions Architect, EUC Technical Marketing, VMware
- Aditya Kunduri, Product Marketing Manager, EUC Mobile Marketing, VMware
The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at email@example.com.