Planning Your Windows Deployment: Workspace ONE Operational Tutorial
VMware Workspace ONE UEM 1810 or later
Note: This content was created for Windows 10, but the basic principles and tasks outlined also apply to your deployment of Windows 11.
VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. This tutorial provides practical information to help you plan your VMware Workspace ONE® Unified Endpoint Management (UEM) management solution to address the unique circumstances of your use cases.
Workspace ONE UEM powered by AirWatch includes capabilities for Windows 10 that introduce smarter ways to deploy, control, and manage an organization’s PC fleet.
Traditional approaches use multiple administrative tools to manage the PC life cycle, including separate tools for staging and imaging, for maintaining drivers, for managing OS updates, for configuring firewall, antivirus, and encryption policies, and more. In contrast, Workspace ONE UEM unifies enterprise mobility management in a single administrative console.
The release of Windows 10 introduced fundamental changes to the Windows operating system to address the security and data concerns of today's digital workspace. To take advantage of Workspace ONE UEM capabilities, you can fold the Windows 10 functionality into an existing VMware management solution. Combining traditional client requirements with modern enterprise management capabilities creates a simplified, cost-effective management solution.
This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial.
Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Workspace ONE® Access (formerly VMware Identity Manager) and VMware Workspace ONE® UEM and Microsoft Store for Business is also helpful.
Meeting Windows 10 Security Priorities
You can use Workspace ONE UEM to establish user trust, assess the device posture, and enable data loss prevention.
Figure: Security Priorities for the Modern Digital Workspace
Establishing User Trust
Workspace ONE UEM uses new identity features to establish user trust. These features include two-factor authentication, which requires that an enrolled, managed, and compliant device meet two forms of authentication.
To fulfill the first half of two-factor authentication, the device must be onboarded, a process of enrolling devices into Workspace ONE UEM for management in the Workspace ONE UEM Console (the Console).
For the second authentication factor, users with Microsoft Azure AD can use Windows Hello capabilities like biometric access and PIN authentication. Workspace ONE UEM enforces the PIN strength requirements and can allow or disallow the biometric feature for end users' devices.
Workspace ONE UEM also integrates with Windows Hello for biometric authentication while providing certificate authentication (or another authentication type) into the apps and corporate resources, thus providing a layered authentication model for added security.
Assessing Device Posture
Workspace ONE UEM assesses device posture by evaluating, locally enforcing, and remediating devices using the compliance engine, a Workspace ONE UEM tool that ensures that all devices abide by specified policies. A policy can include basic security settings or more critical security configurations.
The compliance engine detects non-compliant devices and sends end users a warning. If the end user addresses the issue after the warning, no further action is taken. If the end user fails to correct the issue within the specified time frame, the response escalates and disciplinary actions occur.
Use the Workspace ONE UEM Console to specify the escalation steps, disciplinary actions, grace periods, and messages. For example, the following figure demonstrates a tiered approach to compliance. With each security action, an end user’s non-response escalates the risk level.
Figure: Tiered Risk Escalations and Compliance Actions
Preventing Data Loss
Modern Windows 10 management with Workspace ONE UEM maximizes native Windows Information Protection capabilities to help you minimize the risk of data loss. Use Windows Information Protection to define:
- Privileged applications
- Application access
- Enterprise boundaries
- Protection levels
Windows Information Protection encrypts all corporate data at the file level and decrypts only when accessed by a privileged application. An enterprise wipe removes all corporate data from the device.
Note: Windows Information Protection operates on a device level. If data is transferred to a file share or cloud repository, Windows Information Protection cannot guarantee data protection. Instead, shared data requires integration with a rights management service (RMS).
In addition to delivering managed applications to devices through enrollment, Windows 10 can also place device apps that were not pushed through Workspace ONE UEM Mobile Device Management into a managed state when you designate them as privileged applications.
The updated Windows 10 SDK enables application developers to handle personal and corporate data on privileged applications, creating enlightened apps. For all options, administrators can set a policy that prevents an application from sharing corporate data to a personal app, site, or repository.
Per-App VPN prevents Windows 10 applications from gaining unauthorized access to internal or public endpoints. Its client-side micro-segmentation capabilities define which IP addresses, ports, and IP protocols Windows 10 applications can access.
You can also use privileged applications to simplify per-app VPN configurations. Depending on the needs of the organization, use one or both of the following options:
- Every privileged application can have a unique VPN configuration.
- All privileged applications can use the same VPN configuration.
Enterprise boundaries on Windows 10 use specified IP ranges or domains to identify and encrypt work data downloaded to a device. The downloaded files are encrypted and can be opened only with a privileged application. For example, if the domain air-watch.com is specified as a protected network, data downloaded from sharepoint.air-watch.com can be accessed only by the privileged applications on that device.
You can configure varying levels of protection for user groups to address organizational demands and device use cases. Protection levels include:
- Block - Corporate data can be accessed only from privileged applications.
- Override - If a user attempts to access corporate data with a non-privileged application, a warning prompt appears. A user can choose to complete the action, but the action is logged in an audit log.
- Audit - A user can access corporate data with a non-privileged application, but the action is logged in an audit log.
- Off - Windows Information Protection is deactivated.
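As an added illustration (not Windows Information Protection's own logic, nor code from this tutorial), the following Python models the enterprise-boundary and protection-level decisions described above. The domain air-watch.com is the tutorial's example; the IP range, host names, and the EnterpriseBoundary/Decision names are constructed. It also shows why a protected domain must be matched on DNS label boundaries rather than by a plain suffix test.

```python
"""Simplified model of WIP enterprise-boundary and protection-level decisions.
Added example; not WIP's implementation. All sample values are constructed."""
import ipaddress
from dataclasses import dataclass

# Protection levels as configured in the WIP payload.
BLOCK, OVERRIDE, AUDIT, OFF = "Block", "Override", "Audit", "Off"


def host_in_domain(host: str, domain: str) -> bool:
    """True if host is the protected domain itself or one of its subdomains.
    Matching on label boundaries matters: a naive endswith("air-watch.com")
    would also accept the unrelated host 'notair-watch.com'."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


@dataclass(frozen=True)
class EnterpriseBoundary:
    """Protected domains and IPv4 ranges that identify work data (constructed)."""
    domains: tuple
    ip_ranges: tuple

    def is_work_source(self, source: str) -> bool:
        """Does data downloaded from this host name or address count as work data?"""
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:
            # Not an IP literal, so treat it as a host name.
            return any(host_in_domain(source, d) for d in self.domains)
        return any(addr in ipaddress.ip_network(r, strict=False) for r in self.ip_ranges)


@dataclass(frozen=True)
class Decision:
    allowed: bool   # may the application open the file?
    audited: bool   # is an audit-log entry written?
    prompted: bool  # does the user see a warning prompt first?


def decide(level: str, is_work_file: bool, app_is_privileged: bool) -> Decision:
    """Apply the configured protection level to one file-open attempt.
    Personal files and privileged (enlightened) apps are never restricted."""
    if not is_work_file or app_is_privileged or level == OFF:
        return Decision(allowed=True, audited=False, prompted=False)
    if level == BLOCK:
        return Decision(allowed=False, audited=False, prompted=False)
    if level == OVERRIDE:
        # The user may complete the action, but it is logged.
        return Decision(allowed=True, audited=True, prompted=True)
    if level == AUDIT:
        return Decision(allowed=True, audited=True, prompted=False)
    raise ValueError(f"unknown protection level: {level}")


if __name__ == "__main__":
    boundary = EnterpriseBoundary(domains=("air-watch.com",), ip_ranges=("10.20.0.0/16",))
    for src in ("sharepoint.air-watch.com", "notair-watch.com", "10.20.3.7", "203.0.113.9"):
        print(f"{src:26} work source: {boundary.is_work_source(src)}")
    for level in (BLOCK, OVERRIDE, AUDIT, OFF):
        print(f"{level:9}", decide(level, is_work_file=True, app_is_privileged=False))
```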
Determining Your Use Cases
VMware Workspace ONE UEM modernizes Windows management and security across any use case. This section explores a variety of use cases and how you can use Workspace ONE UEM to manage them.
Understanding Windows 10 Use Cases
The primary use cases for a Windows 10 deployment are: employee-owned machines, remote-worker devices, and corporate office devices. Review the following table to gain a high-level understanding of each use case.
Table: Common Windows 10 Device Use Cases

| Type of Device | Use Case Name | Primary End User | EMM Priority | Domain Joined | App Footprint | SCCM Managed |
| --- | --- | --- | --- | --- | --- | --- |
| Employee-Owned Machines | BYOD | Varied | User privacy | No | Light | No |
| Remote Employee Devices | Remote | Mobile | Enablement | Maybe | Light | No |
| Corporate Office Devices | Enterprise | Static | Security | Yes | Heavy | Maybe |
This tutorial addresses the required components and recommended configurations for the most common Windows 10 use cases. Since configuration requirements and recommendations vary by use case, when applicable, the following sections specify which use cases a particular configuration applies to.
Selecting an Onboarding Workflow
Workspace ONE UEM supports a variety of onboarding workflows that address multiple use cases. The onboarding method impacts other configuration decisions, and therefore is an important starting point when planning a Workspace ONE UEM deployment. In this section, learn about the available onboarding options for Windows 10, and evaluate which option is best for your organization.
Understanding Onboarding Options
The following table lists recommended and supported onboarding workflows by use case, as well as some requirements. Keep in mind that many of these requirements are driven by the operating system.
For a decision tree to help you identify the enrollment flows that best suit your organization, see Selecting an Onboarding Workflow.
Table: Onboarding Options by Use Case

| Onboarding Option | BYOD | Remote | Enterprise | Requirements |
| --- | --- | --- | --- | --- |
| Agent-Based Enrollment | | | | Admin privileges required for end user |
| Azure AD Enrollment | | | | Microsoft Azure Active Directory Premium license required; admin privileges required for end user (except Autopilot enrollment) |
| Command-Line Enrollment | | | | Supports Workgroup and domain-joined device enrollment; supports automated onboarding using current PCLM; non-admin end user must run in SYSTEM; (Workgroup only) to avoid username and password prompts, pre-populate device serial numbers in the console |
| Drop Ship Provisioning | ▣ | ◉ | ◉ | Dell Provisioning Services required; supports Workgroup, on-premises domain-joined, and Azure-based enrollments; (on-premises domain joining only) access to corporate domain required on first boot |

◉ Recommended ◈ Supported ▣ Not Supported
For requirements and up-to-date information about all onboarding scenarios, see Microsoft mobile device enrollment.
Selecting an Onboarding Workflow
The following figure is a decision tree intended to help you select an appropriate onboarding workflow. Examine the tree to determine which enrollment flows best suit your organization. Then, refer to the descriptions of the enrollment flows in following sections to learn more.
Figure: Windows 10 Onboarding Decision Tree
Agent-Based Enrollment
The agent-based enrollment method now uses VMware Workspace ONE Intelligent Hub (formerly known as AWAgent). The primary use case for agent-based enrollment is existing company-owned or BYOD devices that the end user self-onboards. The workflow is similar to the standard onboarding workflows for iOS and Android devices.
To walk through this enrollment workflow, see the article Intelligent Hub - Win10 Enrollment Guide.
Microsoft Azure Active Directory Enrollment
Workspace ONE UEM integrates with Azure AD, providing a robust selection of onboarding workflows that apply to a wide range of Windows 10 use cases. However, Azure licensing requirements stipulate that you must purchase an additional Azure AD Premium license to complete this integration.
Enterprises that are leveraging Azure AD typically use one of the following onboarding options for corporate-owned devices:
- Enrolling using Out-of-Box-Experience
- Enrolling using Azure AD Join
- Enrolling with AutoPilot
- Enrolling using On-Premises Active Directory Domain
For personal-owned (BYOD) devices:
- Enrolling using Azure Connect
For step-by-step instructions on how to configure these options, see the Enrolling Windows 10 Devices Using Azure AD: VMware Workspace ONE Operational Tutorial.
Command-Line Enrollment
You have several onboarding options when using command-line enrollment. From onboarding with a PC Lifecycle Management (PCLM) solution such as SCCM using Workspace ONE AirLift to deploying a script through a group policy object (GPO), all of these options have one thing in common: they use the command-line parameters supported by the Workspace ONE Intelligent Hub.
Organizations utilizing command-line enrollment typically use one of the following onboarding options:
- Enrolling with SCCM using Workspace ONE AirLift
- Enrolling Domain Joined devices
- Enrolling Workgroup devices
- Enrolling during Imaging/In-Place Upgrades
- Enrolling using a Group Policy Logon Script
To walk through the Workspace ONE AirLift enrollment workflow, see the article Migrating Devices and Users from SCCM. For step-by-step instructions on how to configure the remaining command-line enrollment options, see Onboarding Windows 10 Using Command-Line Enrollment: Workspace ONE UEM Operational Tutorial.
Drop Ship Provisioning
In partnership with Dell Configuration Services, Workspace ONE UEM supports creating provisioning packages to install applications and configurations on your Dell Windows 10 devices before they leave the factory. To use Drop Ship Provisioning for VMware Workspace ONE, you must participate in Dell Configuration Services.
Drop Ship Provisioning supports the following Workspace ONE onboarding methods:
- Azure AD Joining with Premium licenses
- Azure AD Joining without Premium licenses
- On-premises Domain Joining
For instructions on how to configure these options step-by-step, see the Drop Ship Provisioning: Workspace ONE Operational Tutorial.
Configuring Workspace ONE Profiles
Profiles provide the primary mechanism for managing devices. A profile consists of settings, configurations, and restrictions. When combined with compliance policies, the profile enforces corporate rules and procedures. To create a profile, you first specify the General settings and then configure a payload. General settings determine how the profile is deployed and who receives it. The payload settings apply to the device when the profile is installed. For optimal device and console management, configure one payload per profile.
Understanding General Settings
The General settings include the following options:
Table: Profile General Settings

| Setting | Description |
| --- | --- |
| Name | Profile name to display in the Workspace ONE UEM Console. |
| Version | Read only. Version of the profile. |
| Description | Brief description of the profile's purpose. |
| Deployment | If set to Managed, the profile is automatically removed if the device is unenrolled. If set to Manual, the user must manually remove the profile after the device is unenrolled. |
| Assignment Type | Specify how the profile is to be deployed to devices. End users can also install profiles representing web applications using a Web Clip or Bookmark payload. If you configure the payload to appear in the App Catalog, you can install it from the App Catalog. |
| Allow Removal | Specify whether the end user can remove the profile. |
| Managed By | The organization group with administrative access to the profile. |
| Assigned Groups | Specify smart groups to configure granular profile assignment. Enter an existing smart group, or click Create a new smart group. The platform specified in the device profile or compliance policy takes precedence over the smart group's platform. For example, a Windows Desktop profile is always assigned to Windows Desktop devices, even if the smart group includes other platforms. |
| Exclusions | To exclude selected smart groups from profiles and policies, select Yes. In the Excluded Groups option that appears, select the groups to exclude from this profile or policy. If you need to create a new group, click the Create Assignment Group button. If the same group is selected in Assigned Groups and Excluded Groups, you cannot save the profile or policy. |
| View Device Assignment | Preview the assigned devices, smart groups, and exclusions. |
| Additional Assignment Criteria | Select Enable Scheduling and install only during selected time periods to configure a time frame in which devices can receive the profile. In the Assigned Schedules text box, enter the name of a configured time schedule. To configure a time schedule, navigate to Devices > Profiles & Resources > Profiles Settings > Time Schedules > Add Schedule > Add Schedule. |
| Removal Date | Specify a future date formatted as MM/DD/YYYY to schedule the profile's device-side removal. |
Reviewing Windows 10 Payloads
This section reviews the payloads that are the most relevant in a Windows 10 deployment. Use the following table to determine whether the payload is relevant to your device use case.
Table: Windows 10 Profile Payloads Recommended by Use Case (◉ Always ◈ Sometimes ▣ Never)
Passcode Profile for Windows 10
A passcode payload secures devices by requiring users to enter a passcode to return from an idle state. When configuring a profile for the passcode payload, use existing corporate policies to inform decision-making. Best practice is to balance organizational security requirements with usability. The preconfigured password policies on on-premises domain-joined Windows 10 devices override the Workspace ONE UEM passcode profile. Therefore, the Workspace ONE UEM passcode profile best addresses BYOD and other non-domain-joined device use cases.
Email Profiles for Windows 10
Email profiles enable corporate email access on end-user devices. For Windows 10 devices, the available licensing for Microsoft Office applications determines which email payload to configure.
- Device does NOT have Microsoft Office license: Configure Exchange ActiveSync with the native mail client: The Exchange ActiveSync payload enables end users to access corporate email on their devices using the native mail client. When published, this profile relies on the Workspace ONE mobile email management infrastructure to block access to corporate email and requires integration with Secure Email Gateway or PowerShell. For more information, see the VMware AirWatch Mobile Email Management Guide in VMware Docs.
- Device HAS Microsoft Office licenses: Configure Exchange Web Services with the Outlook web client: The Exchange Web Services payload enables end users to access corporate email on their devices using the Outlook web client. When published, this profile uses granular conditional access policies through Workspace ONE adaptive management to grant or deny access to Outlook and the Microsoft Office suite. Office 2016 supports modern authentication -- that is, Active Directory Authentication Library (ADAL)-based sign-in -- but earlier versions do not. Earlier versions use the source network, user or group, protocols, or user agent or client type to control access.
Credentials Profile for Windows 10
A credentials profile pushes root, intermediate, and client certificates to support Public Key Infrastructure and certificate authentication use cases. The profile pushes configured credentials to the required credentials store on the Windows desktop. The certificate handles authentication into Wi-Fi, VPN, and other corporate endpoints, providing end users with a seamless experience.
To use certificates:
- Configure a Credentials payload with a certificate authority.
- Configure the Wi-Fi and VPN payloads.
- Associate the certificate authority defined in the Credentials payload when configuring the Wi-Fi and VPN payloads.
Wi-Fi Profile for Windows 10
A Wi-Fi profile auto-connects devices to corporate Wi-Fi, even if the network is hidden, encrypted, or password-protected. This payload is useful to end users who travel and use their own wireless network or are in an office setting where they can connect their devices to a wireless network onsite.
Restriction Profile for Windows 10
To help prevent data loss, a Restriction profile limits native device functionality. The icon displayed next to some settings on the Restrictions payload window indicates the OS version required to enforce the restriction.
For Windows 10, the Restriction profile limits what end users can configure in the Start > Settings menu. After the restrictions are applied, the option is grayed out in the UI. A notification that organizational policies restrict this setting is shown.
The following screenshot shows an example of a system setting enforced by a Restriction profile.
Figure: Example of a System Setting Enforced by a Restriction Profile
Customize the Restrictions profile to enforce corporate policies and apply appropriate controls to settings. The following table lists some common restrictions options across use cases.
Table: Windows 10 Restriction Settings Recommended by Use Case

| Restriction | BYOD | Remote | Enterprise |
| --- | --- | --- | --- |
| Allow MDM Unenrollment | ◉ | ◙ | ◙ |
| Allow Device to Send Telemetry Data | ◉ | ◈ | ◈ |
| Allow User to Change Sign-in Options | ◉ | ◙ | ◙ |

◉ Allow/Activate ◈ Depends on Corporate Policy ◙ Don't Allow/Deactivate
The BYOD recommendations allow end users to control their own device. In comparison, the recommendations for remote and enterprise workers are more restrictive. These restrictions are similar to traditional GPO capabilities, so an easy way to configure this profile for enterprise users is to match the implemented GPO policies. For remote workers, weigh device security against user experience considerations.
Delivering and Managing Software
Many issues in PC management arise from the delivery, integration, and support of software, particularly applications. This section overviews the software delivery and management options supported by Workspace ONE UEM for Windows 10.
Determining a Software Delivery Method
The recommended application delivery methods are based on the device use case, and the type of software being delivered.
The following tables show the recommendations by use case, and type of software.
Table: Windows 10 Software Delivery Options Recommended by Use Case

| Delivery Method | BYOD | Remote | Enterprise |
| --- | --- | --- | --- |
| Business Portal Integration | ◈ | ◈ | ◈ |

◉ Recommended ◈ Supported ▣ Not Recommended
The following table shows the recommended software delivery method for different types of software.
Table: Windows 10 Software Delivery Options Recommended by Type

| Delivery Method | Internal Apps | Public Apps | Scripts |
| --- | --- | --- | --- |
| Business Portal Integration | ▣ | ◈ | ▣ |

◉ Recommended ◈ Supported ▣ Not Recommended
Together, these two tables show that software distribution addresses the majority of Windows 10 file delivery needs. For this reason, it's helpful to think of software distribution as the default option, and the other methods as useful backups for the edge cases that software distribution cannot address.
Software Distribution
You can deploy Win32 applications from the Apps & Books section of the Workspace ONE UEM Console and, in doing so, use the application life-cycle flow that exists for all internal applications. This feature is called software distribution.
Use software distribution to deliver Win32 applications, track installation statuses, keep application versions current, and delete old applications. For a step-by-step walk-through, see Deploying Win32 Applications: VMware Workspace ONE Operational Tutorial.
Business Store Portal Integration
Microsoft Universal Windows Platform (UWP) applications consist of a single code base that can run on virtually any Windows device. Integrate Workspace ONE UEM with the online or the offline Microsoft Store for Business portal to deploy UWP applications from the Microsoft Store for Business.
Enabling the Business Store Portal has its own set of requirements and instructions. For more information, see the article Microsoft Store for Business and Workspace ONE UEM.
Product Provisioning
Product provisioning delivers custom or complex files to managed devices. When a file cannot directly install on devices, package it in the Workspace ONE UEM Console to create a product. Then provision the product to managed devices based on configured conditions and smart group assignment in the Console.
For a step-by-step walk-through, see the Using Product Provisioning to Deliver Files to Windows 10: VMware Operational Tutorial.
Many issues in PC management arise from the delivery, integration, and support of applications. As end-user demand drives organizations to adopt more applications, these issues only grow in complexity and number. Fortunately, Windows 10 introduces features and tools that simplify application integration and management, including the ability to:
- Allowlist or Denylist by File Type (executables, scripts, Windows installers, dynamic-link libraries, packaged apps)
- Apply Granular Allowlists and Denylists (file hash, version, publisher, directory)
- Use Role-Based Controls (enrolled, standard, admin)
- Provide Advanced Protection (remove unwanted software, enforce software standardization)
Managing Windows 10 Updates
Deploying Windows 10 fixes, patches, and updates on multiple client servicing plans creates overhead. By using branches, you can create a customized deployment schedule based on preference and update sensitivity. This section explores the available patch management options.
Note: To let administrators specify which Windows version their devices move to, or stay on, until that version reaches end of service or the policy is reconfigured, use the Target Release Version CSP through a custom settings profile.
Understanding Patch Management
The Workspace ONE UEM update service for Windows 10 provides tailored functionality to address the unique constraints of mobility and the cloud. Traditional operating system upgrades use a wipe-and-replace model. In contrast, the update-as-a-service model pushes periodic operating system and feature updates. Windows 10 updates occur on a frequent and dynamic basis to ensure that end users always have access to up-to-date operating system features.
Windows 10 Patch Management Options
Figure: Windows 10 Patch Management Options
Review the following descriptions to understand the available patch management options.
| Update Branch | Description | Feature Updates | Quality Updates | Use Case |
| --- | --- | --- | --- | --- |
| Windows Insider Build - Fast | Among the first to receive development builds from Microsoft; ability to provide direct feedback to Microsoft | Not supported | Not supported | Used to provide feedback to Microsoft before builds are moved to the slow ring |
| Windows Insider Build - Slow | More stable than the fast ring and includes fixes for issues reported during the fast ring | Not supported | Not supported | Used to provide feedback to Microsoft before builds are moved to the release ring |
| Release Windows Insider Build | Close to public release but still early access, not on the development branch | Not supported | Not supported | Used to provide feedback to Microsoft before builds are moved to public builds; IT pros and other interested employees |
| Semi-Annual Channel (Targeted) | Semi-Annual Channel | Not supported | Not supported | Pilot deployments used for testing feature updates and for users such as developers. Use various teams for a wide sample set. |
| Semi-Annual Channel | Semi-Annual Channel | 0-180 days | 0-30 days | Broad deployment of features; choose from these deferral ranges to build your distribution rings across the organization |
Summary and Additional Resources
This tutorial introduces you to how Workspace ONE UEM manages Windows 10 through a product discussion and exploration of concepts.
The use cases show how to configure Workspace ONE UEM to manage and deploy Windows 10 devices in your organization. Optimal management starts with selecting the onboarding method that best fits your particular use case, understanding which profiles best control device behavior, and evaluating software delivery options.
For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.
For information about deployment, see Deploying Workspace ONE Intelligence and VMware Carbon Black Cloud: Workspace ONE Operational Tutorial.
Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture, which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.
For more information on Managing Windows 10 Devices with Workspace ONE, see the Understanding Windows 10 Management activity path. The content in this path helps you establish a basic understanding of Windows 10 management in the following categories:
Searching for More Information
When looking for more VMware documentation, you can focus the search using the Advanced Search option.
- In the VMware Workspace ONE Documentation window, select the gear icon to start an advanced search.
- Enter words or phrases to start the search.
Example: To search for an article that you think is called Compliance Profile Overview, you might include just the key words, in case the article now has a different name.
- Narrow the results by selecting specific criteria.
Example: The search is limited to the specific product and version.
- Click Advanced Search.
- In the resulting hit list, you can select a hit, apply Sort By filters, or narrow the results further by clicking Advanced Search.
About the Authors
This tutorial was written by:
- Josué Negrón, EUC Staff Architect, End-User-Computing Technical Marketing, VMware
- Hannah Jernigan, EUC Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
Considerable contributions were made by the following subject matter experts:
- Darren Weatherly, Specialist Systems Engineer, VMware
- Aditya Kunduri, Group Product Marketing Manager, EUC Mobile Marketing, VMware
- Bryan Garmon, Sr. Solutions Engineer, VMware
- Pete Lindley, Sr. Specialist Systems Engineer, VMware
- Mike Nelson, Sr. Solutions Architect, VMware
- Ameya Jambavalikar, Sr. Solutions Architect, VMware
Your feedback is valuable.
To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at firstname.lastname@example.org.