Understanding Windows Group Policies: VMware Workspace ONE Operational Tutorial
Introduction
Purpose of This Group Policy Object Tutorial
Note: This content was created for Windows 10, but the basic principles and tasks outlined also apply to your deployment of Windows 11.
As you make a move to Windows Modern management, you are likely to encounter challenges with group policy management. Common challenges include:
- Increasing user mobility by deconstructing the traditional workspace
- Multiple management tools creating policy conflicts
- Figuring out how to push policies to domain-joined, Azure-joined, or even workgroup devices
- Lack of feature parity between profile configurations and traditional group policy objects (GPOs).
Whatever challenges you face, this operational tutorial covers the benefits and the steps to consider when moving to cloud-based group policies and other configurations. If you are trying to figure out how to apply policies on and off the domain, enforce those policies offline, track compliance, use inbox or application ADMX policies, and don’t know where to start in VMware Workspace ONE® UEM (aka AirWatch), then you have come to the right place.
This tutorial is broken up into the following core sections:
- Planning and Preparation: Determine your current GPO estate and plan your migration strategy
- Analyzing and Rationalizing: Determine which policies need to move to Workspace ONE and which method(s) you will use to make a move: migrating or modernizing.
- Modernizing and Migrating: Learn the prescriptive steps required to modernize with Workspace ONE Baselines.
- Validation, Compliance, and Enforcement: Learn how to validate configured policies on the device manually (if needed) versus leveraging Workspace ONE to report on compliance and locally enforce configured policies.
Keep in mind that every use case is different, and the methodology discussed here should serve as high-level guidelines. As the Windows operating system is ever-evolving, Workspace ONE UEM is continuously evolving.

Audience
This operational tutorial is for PC lifecycle management (PCLM) administrators and Workspace ONE IT administrators. Familiarity with configured policies or required configurations and security baselines in your environment is assumed, including Active Directory structure, group policy objects (GPOs), and application (3rd party) ADMX policies. Knowledge of additional technologies such as VMware Workspace ONE® UEM, Microsoft Endpoint Configuration Manager, or any other technology that configures policies on Windows devices is recommended.
Prepare to Move Group Policies
Evaluating Your Current Group Policy State
Before you begin your journey of managing group policies in the cloud with Workspace ONE UEM, you must determine your current GPO state.
Use the following questions to evaluate your current state:
- Are the end-users on the managed Windows devices local admins? Enforcement of policies is top-of-mind when end-users have local admin rights on managed devices. If enforcement and compliance of policies are a concern in your use case, consider leveraging Workspace ONE Baselines as much as possible.
- Are you currently or planning to Azure Cloud join your Windows devices? On-premises policies require devices to be joined to the local domain. While many organizations are moving to the cloud, it’s essential to consider if you will be joining your devices to the Azure Cloud, on-premises domain, or hybrid joined. Consider moving all policies to Workspace ONE UEM if devices will no longer leverage the on-premises domain. Keep in mind; you also may have some devices in various domain states.
- Are you currently or planning to use an industry-standard baseline? Organizations that leverage industry-standard baselines such as Windows 10 Security Baseline or CIS Microsoft Windows Desktop Benchmarks can leverage the Baselines feature in Workspace ONE UEM to deploy policies from these industry-standard templates.
- Do you want to move all policies or a subset of policies over to Workspace ONE UEM? Decide which policies need to move to Workspace ONE UEM. It is helpful to obtain a full list of policies and then categorize them into groups such as personalization, security, system, BitLocker, Defender, Internet Explorer, and Chrome. It is also good to know how these policies are currently being configured, such as MBAM, domain group policies, or ADMX templates.
- Are you ready to manage all your policies from the cloud? Policy conflict, collisions, and order of precedence are concerns that develop during the modernization implementation phase. To avoid this topic altogether, consider having a single source of truth and manage all policies from the cloud using Workspace ONE. I will address these concerns in more detail later on in this tutorial.
- Who is the owner of the policies set in the organization? Involve and collaborate with anyone in the organization who is responsible for managing, configuring, and securing Windows devices. The planning and analyzing phases should not be completed in a vacuum, as we have seen success when other teams are involved especially the security team.
- Will there be discrete policy sets for different employees or a standardized approach for all use cases? Understanding which policies are applied to which users/groups is vital. You will be asked to assign policies in Workspace ONE UEM leveraging smart groups throughout the tutorial. In order to prepare, you should decide how you plan for policies to be applied.
- Do you have third-party, custom settings, or build-time settings? Aside from group policy, how else are user and device settings configured? Are the following mechanisms in use, and will they continue to be in use? Build-time settings, logon scripts, other PCLM tools and agents, and so on.
- What tooling is required? Make sure that you understand the implementation effort, including change control, that is required for the tooling to perform this work. This tooling can be implemented ahead of your Workspace ONE deployment.
Choosing the Correct Policy Delivery Model
Workspace ONE UEM provides the administrator with multiple different deployment models for their current GPO policies. An administrator must be aware of the different options available in Workspace ONE and the caveats around each of these models, to ensure the correct model is chosen.
Workspace ONE UEM Policy Deployment Models
A critical part of ensuring the correct policy model is chosen in Workspace ONE UEM is to have a sound understanding of each of the options. Workspace ONE UEM allows for an administrator to apply group policies as:
- Configuration Service Providers (CSP) – Applied through the existing Windows 10 Profiles or via a Custom Settings profile.
- Workspace ONE Baselines – Using either the Microsoft Windows Security Baselines or CIS Microsoft Windows Desktop Benchmark, or a Custom Baseline based on a GPO backup.
As part of the GPO remediation process that you’ll undertake with your internal teams, a decision should be made around what is the best place to enable that policy inside of Workspace ONE.
Configuration Service Providers (CSPs)
A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Most of the CSPs support SyncML for over-the-air configuration of the device.
Workspace ONE UEM leverages CSPs when an administrator creates and assigned profiles in the console. In most cases, the OMA-DM client is responsible for delivering the CSP setting to the devices.
Administrators of Workspace ONE UEM can choose to create CSPs in three different ways:
- Profiles that are listed in the Workspace ONE UEM console.
- Custom Settings profiles created using VMware Policy Builder.
For more information regarding CSPs, refer to the Understanding Windows 10 Configuration Service Providers (CSPs) and Custom Profiles section in the appendix.
Workspace ONE Baselines
Baselines allow you to keep all your devices secure with industry-recommended settings and configurations. It uses a cloud-based microservice that handles the policy catalog of settings to apply on devices. Baselines are based on GPOs and function in similar ways. For more information regarding Baselines, refer to the next section Modernize Group Policies using Workspace ONE Baselines.
Workspace ONE allows for an administrator to create baselines based on industry-certified templates such as the CIS Microsoft Windows Desktop Benchmark and the Microsoft Windows 10 Security Baseline. You can add additional policies to a baseline that you create from an easy-to-use catalog of thousands of policies based on the Microsoft ADMX files.
An administrator can also upload a GPO backup into the Workspace ONE UEM console as a custom baseline. This requires LGPO.exe to be deployed to the Windows 10 device.
Comparison of the Unified Endpoint Management Policy Models
Given both CSPs and Baselines are important policy delivery methods in Workspace ONE, you must understand the pros and cons of each. An administrator needs to understand which delivery model makes the most sense for the requirement and how best to apply their GPO setting in the Workspace ONE platform.
Policy Delivery Method | Pros | Cons |
---|---|---|
Configuration Service Provider (CSP) |
|
|
Workspace ONE Baseline (using templates) |
|
|
Workspace ONE Baseline (custom baseline) |
|
|
Policy Delivery Model Guidelines
The following guidelines are the best practices when assessing existing GPOs and determining which is the most effective delivery method through Workspace ONE.
- Policies that are implemented in the Profiles section of the Workspace ONE UEM console should be utilized before any alternative method.
- For configuration settings that don’t get updated often (e.g. WiFi settings, encryption settings, restrictions), should be implemented using the CSPs. If the setting does not already exist as a profile in the console, you can use VMware Policy Builder or VMware Dynamic Environment Manager to deliver ADMX.
- If the user doesn’t have administrative rights on their Windows 10 machines, most configuration settings applied cannot be changed by the user.
- For policies that need to be reinforced within a defined time interval, these should be implemented through Workspace ONE Baselines, based on an industry template.
- It is recommended to start with a Workspace ONE Baseline based on the Microsoft Windows 10 Security Baselines or CIS Microsoft Windows Desktop Benchmark and the policies that need reinforcement and reporting.
- GPO backups uploaded as a custom baseline are not a recommended approach for all of your GPO policy settings. You will find that custom baselines lack the ability for full lifecycle management such as reporting and making edits directly via the console.
- Custom ADMX policies should be assessed to determine if there are more optimized delivery models for these settings. Workspace ONE can deliver scripts and transforms to augment applications to have the desired configurations.
- For the remaining custom ADMX policies, the recommended approach is to use VMware Dynamic Environment Manager to deliver ADMX via Workspace OEN UEM.
Modernize Group Policies Using Workspace ONE Baselines
What Are Workspace ONE Baselines?
Keeping your devices configured to best practices is a time-consuming process. Workspace ONE Baselines enforce device security using industry-recommended configurations and settings. These configurations significantly reduce the time it takes to set up and configure Windows devices along with other configuration options within the Workspace ONE solution.
Baselines use the VMware Policy Catalog Service, a cloud-based micro-service that handles storing the policy catalog. If you are an on-premises customer, ensure that your environment can communicate with the micro-service. For more information, see the On-Premises Network Requirements documentation.
Prerequisites for Baselines
The following list of items are the minimum requirements for baselines:
- Workspace ONE UEM 1907 or later
- Workspace ONE UEM Admin with Manage/View Baselines Roles
- Workspace ONE Intelligent Hub 1907 or later
- Workspace ONE Advanced or greater
- If you are an on-premises customer, ensure that your environment can communicate with the micro-service. For more information, see the On-Premises Network Requirements documentation.
- Only when using Custom Baselines: LGPO.exe located at %ProgramData%\AirWatch\LGPO
- Leverage this sample for deploying LGPO.exe to your devices.
Deploying Baselines
To ensure that Baselines use only the best settings and configurations, VMware offers industry-standard baselines, including the CIS Microsoft Windows Desktop Benchmarks and Windows 10 Security Baselines. These Baselines are based on the Windows OS version of your devices. During configuration, you can choose which baseline to use and customize any of the baseline policies. You can also add any additional policies you need as part of the configuration process. These policies are Microsoft ADMX policies. We will see how to deploy and customize a sample Windows 10 Security Baseline.
For Workspace ONE Baselines to apply and report compliance you may need:
- An Active user session in Workspace ONE Intelligent Hub (the Workspace ONE Intelligent Hub applies the Baselines)
- For some policies to apply the device may need to be on-premises domain joined.
- Baselines currently don't automatically re-apply. This can be achieved today via a registry key change.
Workspace ONE Baselines may not apply or the device may report as "non-compliant" if the above criteria is not met.
1. Create New Baseline
Log in to the Workspace ONE UEM console using an admin account that has access to Baselines (Manage and View Baselines), then navigate to Devices > Profiles & Resources > Baselines. Click New to create a new Baseline.
2. Configure General Settings

Configure the General settings:
- Type
Windows 10 1903 Security Baseline
for Baseline Name. - Type
Corporate Windows 10 1903 Security Baseline with customizations
for the Description. - Click Next.
3. Select a Baseline Template
Select the pre-configured baseline and version, that is best for your organization’s use case. Use the tooltip to learn more about each option. It is not advisable to choose the Custom Baseline option at this time. For more details, refer to the Using Custom Baselines section. For this example:
- Select Windows 10 Security Baseline.
- Select Version 1903 from the dropdown.
- Click Next.

Pro Tip: Depending on your use case, some default policy configurations can disrupt your current workflows on your managed Windows devices. Ensure you fully test the end-to-end workflow, on UAT or non-production devices, to ensure everything is working properly especially if you have not previously used a baseline. For example, when using the CIS Windows 10 Benchmarks you may notice that the Workspace ONE app and other UWP (Store apps) do not install or launch properly. You will have to customize the baseline to configure the following policies:
- Disable all apps from Microsoft Store set to Enabled or Not Configured
- Turn off the Store application set to Disabled or Not Configured
4. Customize the Baseline
You can now review or customize the policies from the Windows 10 Security Baseline to meet your organization’s needs. Each setting will have a useful tooltip to assist in understanding each configuration option. You can find settings using the search Filter option or by manually expanding each section to find the policies.

- Type
deny write access
for the search filter. - Select Deny write access to removable drives not protected by BitLocker.
- Use the dropdown menu to change this policy to Disabled.
- Check out the tooltip for the details of this policy.
- Click Next.
5. Add Policies (Optional)
If your use case contains policies that are not part of the standard template, then you can leverage this step that allows for the granularity of fully configuring device policies. Use the search field to find additional policies, then configure them for your needs.

- Type
prevent access to registry
into the search. Notice that real-time search results are populated as you type. Select Prevent access to registry editing tools. Note that the catalog contains both machine and user policies. You can quickly see these details via the dropdown. - Use the dropdown menu to set this policy to Enabled. Enabling this policy prevents user access to regedit. Note that Disable regedit from running silently is set to Yes by default. This will prevent users from using regedit via command-line with the /s (silent) switch.
- Click Next.
6. Review the Summary
You can now review all of the settings and configurations you have made. This screen shows you the selected baseline, any customizations made, as well as the additional policies. You can go back to make edits or move on to save and assign to devices.

After reviewing the summary, click Save & Assign.
7. Assigning the Baseline
The next step is to assign the baseline to a group(s) of devices leveraging Smart Group(s). Smart Groups allow you to customize assignments based on various factors such as the platform, ownership, user group, OS version, model, device tag, enterprise OEM, and even individual devices or users by name. You can also choose to exclude specific groups such as executives or select members of the organization.
There are endless ways to deploy your baselines. However, I would recommend starting with the guidelines set by Microsoft when using Windows 10 Security Baselines or Center for Internet Security when using CIS Microsoft Windows Desktop Benchmarks. I would then recommend choosing one of the two following methods for deploying baselines:
- Assignments based on Groups: assign baselines based on the current grouping structure you have for deploying apps and profiles. Remember that you can create new Smart Groups as well, which can align with your domain user groups.
- Assignments based on Windows version: assign baselines based on Windows 10 version. It is recommended not to create Smart Groups tied to a singular version, but to create a Smart Group for the targeted version and above. For example, Windows 10 1903 or later devices. Doing this will prevent a baseline from being removed/unassigned when the devices upgrade to the next Windows version.
Note: Before choosing a method to implement, refer to the Baseline Lifecycle Management section to fully understand how baselines are applied over time to devices.
8. Baseline List View
Once the baseline is assigned, you can click View under Install Status to quickly see the deployment status of the baseline. For more details, you can click the Name of the baseline, for example, Windows 10 1903 Security Baseline to see additional info such as compliance, versions, and install status.
Baseline Lifecycle Management
Managing Baselines Overview
You can manage your baselines from the Baselines list view. From here, you can edit and delete existing baselines. If you delete an industry-standard baseline that was pushed to devices, the device settings revert to before the baseline was published based on the snapshot stored by Workspace ONE UEM.

Assigned Device List View
You can see which baselines are applied to a device on the Device Details page on a per-device basis. You can also view the current baseline status on all assigned devices on the Devices page. Note, when you first publish the baseline, it will install but will be in Pending Reboot status. The end user will also receive a toast notification stating, “Workspace ONE policies have been updated. Restart your device to apply the updates”. Compliance info will update once the device is rebooted. For more information on compliance, refer to the Baseline Compliance section.

Baseline Lifecycle Workflow
Understanding the baseline lifecycle workflow is essential to answering questions such as:
- What happens when I assign multiple baselines to a single device?
- What happens when I edit or delete a baseline when I have multiple baselines assigned to the same device?
- How do I move from 1903 to 1909 baselines when my devices update from 1903 to 1909?
- What happens when a baseline is inherited from a top-level organization group, and a lower level baseline is created and assigned?
Refer to the below samples where each color represents a different baseline policy. They are all assigned to the same device. When a baseline is assigned to a device or a currently assigned baseline is updated or removed, then all baselines are removed and re-applied in order from the oldest created/modified to the newest created/modified. The last baseline (newest), which is applied, will overwrite any overlapping policies on the device. The two samples show how these baselines are applied along with the expected resultant baseline on the device. Keep in mind that adding multiple baselines to the same device will skew compliance reporting since the resultant baseline could possibly be a mix of various baselines.
Note: It is not recommended to have multiple baselines assigned to the same device.
Sample 1: 3 Baselines Assigned to a Device
In the below example, baseline A, B, and C have all been assigned to the same device. They are ordered by the age of the baseline, meaning the longest living or oldest modified baseline will be stacked at the bottom. When applied, the baseline at the top of the stack has the greatest precedence and will override any overlapping policies. In this example, all of B is overwritten by A, and the result contains policies from baselines A and C.

Example 2: 3 Baselines Assigned to a Device
In the below example, baseline A, B, and C have all been assigned to the same device. Building off the above example, baseline B was recently modified and re-applied to the device. Using the same ordering and stacking method, B is list listed at the top of the stack. Notice now that the resulting applied policies contain policies from all baselines.

Applying New Baselines
The next question is, how do I move from one baseline to the next version of that baseline? Using the same ordering methods, the best method would be to create the next baseline and apply that baseline, then remove the older baseline you want to replace. This way, the device will always have a baseline assigned during the transition. Once again, if you want to match a Windows 10 version with a baseline version, it is recommended to assign the baseline to a Smart Group, which contains Windows 10 <version> or later.
Managing Baselines in a Multi-tenant Deployment
Before creating your baselines at the top-most or a lower-level organization group, let's explore what this looks like in the console. Overall, the same methods of applying baselines on devices apply with respect to ordering and precedence. Thus, if you create a top-level baseline and never modify it, all baselines will be stacked on top of this baseline, allowing admins below to modify any overlapping policies. Admins will only have visibility to baselines created at the same level or any child organization. The best way of seeing which baselines are applying to each device is from the device details view, then clicking on Baselines.
1. Parent Organization Group Admin View of Baselines
The parent-level admin has visibility and can edit, delete, and assign all baselines at the parent and children levels. Notice, the admin can see the Windows 10 1909 Security Baseline managed by the Child of Tech Zone group.

2. Child Organization Group Admin View of Baselines
The child-level admin has visibility and can edit, delete, and assign baselines at its child-level and below. Admins do not have visibility to baselines assigned from a parent organization group.

3. Device View of Assigned Baselines, Device lives in the Child of Tech Zone group
The device is managed at the Child of Tech Zone organization group, thus inherits the parent baselines as well as the baseline assigned at the child-level.

You can choose how you want to deliver baselines with respect to organization groups and admins at those groups. Each use-case is different, but understanding how baselines are applied and managed in a multi-tenant environment can help you plan accordingly.
Using Custom Baselines (LGPO)
If you have an existing Group Policy Object (GPO) backup file, you can create a custom baseline with those policies. You can add additional policies to your existing GPO when creating a custom baseline. Custom baselines should be used sparingly as you lose out on compliance reporting, and easily editing the custom baseline as you will have to manually make changes then re-upload the GPO backup. If you have some non-ADMX GPOs that you want to quickly push to devices, then you can leverage a custom baseline. Deploying LGPO.exe to your managed Windows devices is also a requirement to using custom baselines.
1. Steps to Deploying a Custom Baseline
- Leveraging LGPO.exe to capture a GPO backup, or leverage a previously generated GPO backup.
- Create a new baseline in Workspace ONE UEM, choose the Custom Baseline, then click Upload.
- Upload the GPO backup, then optionally select any additional policies.
- Assign the custom baseline. Note the baseline will only apply after LGPO.exe is detected on the device.
Modernize Group Policies Using VMware Policy Builder
What is VMware Policy Builder?
Workspace ONE UEM delivers policies to devices through profiles. Many policies are available for direct configuration within the Workspace ONE UEM console.
If a policy is not available in the UI, you can use the Custom Settings profile. This profile allows you to upload XML to configure the Windows 10 Configuration Service Providers (CSPs) and publish its settings to devices. For more information on this topic, refer to the appendix section on Understanding Windows 10 Configuration Service Providers (CSPs) and Custom Settings Profiles.
The VMware Policy Builder tool is a VMware Fling that saves you time and effort creating the XML by:
- Generating XML (SyncML) using the form-based UI
- Configuring multiple CSPs
- Dynamically generating SyncML
- Filtering through options
The following video explains how VMware Policy Builder works in more detail:
Prerequisites
Before you can begin the exercises in this tutorial, you must meet the following prerequisites:
- My VMware account
- If you don't currently have a My VMware account, register at: https://my.vmware.com/web/vmware/registration
- If you believe you have a VMware account, but you are not sure of the password, go to: https://my.vmware.com/web/vmware/forgot-password
- Enrolled Windows 10, 1709 or later device. The examples will show using 1903 or later versions.
Logging In To VMware Policy Builder
1. Open VMware Policy Builder
In your browser, navigate to https://vmwarepolicybuilder.com.
2. Log In to VMware Policy Builder

If you have a My VMware account do the following to log in.
- Enter the email address you use for My VMware account.
- Enter the password for your My VMware account.
- Click the Login button to log into the Policy Builder.
If you do not have a My VMware account, click on Sign up for an account to get started.
Reviewing VMware Policy Builder Features
Most of the steps in this exercise use the VMware Policy Builder. This section walks through the VMware Policy Builder's UI and its key features.

- Click CSPs to see the list of Configuration Service Providers (CSPs) the tool can configure.
- Select a CSP and click Configure to enter configuration parameters and automatically generate SyncML.
- Click Modify to open a page which allows you to paste in and modify existing SyncML.
- Click Generate GUID to create and copy a GUID to the clipboard. Some CSP configurations require a GUID to be passed in. You can also use this for generating GUIDs which are needed when manually constructing custom settings profiles, for example, for application ADMX policies.
- From the drop-down menu, select the supported Windows 10 operating systems you want to use. CSPs are unique and specific to the OS version you are targeting.
- From the MDM Security Baselines drop-down menu, access install and remove settings required for deploying baselines. Use the tooltip for more information.
- Review the list of CSPs and associated Device Description Framework (DDF) files. DDF files contain the configuration details of a CSP in XML format.
Setting Application Defaults
In this section, use VMware Policy Builder to create and configure an application defaults custom profile for a Windows 10 device - something that is routinely done through traditional group policy management. Keep in mind this policy is only supported on Azure AD joined devices, for more information on this policy refer to Application Defaults policies.
1. Open Policy CSP Settings

- Type
Policy
in the filter box, to quickly find the Policy CSP. - Select the Policy check-box.
- Click the Configure button to begin creating a custom policy.
2. Configure the Application Defaults Policy

- Collapse User and expand Application Defaults.
- Enter the Application Defaults XML into the Default Associations Configuration field. You can obtain this XML by running the following command with elevated permissions on a Windows 10 command prompt with the desired associations configured:
dism /online /export-defaultappassociations:appassoc.xml
- Select Replace. Using replace allows us to set these settings and re-push the custom profile if we need to make changes in the future.
- Click the Copy button to copy the SyncML.
- Notice the SyncML is generated for you dynamically including the configuration data you entered. Policy Builder uses the following format when it detects XML
<![CDATA[<xml_data>]]>.
You may have noticed that the reference for the Application Defaults policy said that the XML needs to be base64 encoded then place between the<Data>
tags. Both of these options are supported but the main point here is VMware Policy Builder is intelligent and knows how to support both options dynamically.
Note: Keep track of the copied SyncML, because its required to for the Workspace ONE UEM configuration.
Creating an Application Defaults Custom Settings Profile
In this section, create a Custom Settings profile for Windows 10 that contains the SyncML generated in the policy builder. Then, use Workspace ONE UEM to push the application defaults policy to an Azure AD Joined Windows 10 device, and verify the setting applied.
2. Select Platform

Select the Windows icon.
Note: Make sure that you select Windows and not Windows Rugged.
3. Select Device Type

Select Windows Desktop.
4. Select Context

Select Device Profile.
5. Configure General Settings

- Enter
Application Defaults
as the Name. - Under Smart Groups, select All Corporate Dedicated Devices.
6. Open Custom Settings

- Scroll down to the bottom on the left pane, and select Custom Settings.
- Click Configure.
7. Configure Custom Settings

Paste the SyncML you copied earlier into the textbox next to Install Settings, leave all other defaults.
8. Generate Delete SyncML

Back in VMware Policy Builder:
- Select Delete. Selecting Delete will remove the configured policy and is needed for the Removing Settings portion of the Custom Settings profile.
- Click Copy.
9. Remove Settings

Back in the Workspace ONE UEM console:
- Paste the SyncML you copied into the textbox next to Remove Settings, leave all other defaults.
- Click Save and Publish.
10. Confirm Device Assignment and Publish

- Verify the profile is assigned to the correct device.
- Click Publish to push the custom profile down to your Windows 10 device.
Updating an Existing Secure Assessment CSP
In this exercise, we will use VMware Policy Builder to update existing SyncML and update the Secure Assessment (test taking) settings.
1. Copy Existing SyncML
<Replace>
<CmdID>7799f76f-68c4-45fd-a068-ec08e9df04ac</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/SecureAssessment/LaunchURI</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>https://techzone.vmware.com</Data>
</Item>
</Replace>
<Replace>
<CmdID>f7d12e74-cd43-4f9c-9c85-a99a7abffadd</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/SecureAssessment/TesterAccount</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>student</Data>
</Item>
</Replace>
<Replace>
<CmdID>1e71adb5-5cd5-4ae1-ab58-26dc1870e918</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/SecureAssessment/AllowScreenMonitoring</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>True</Data>
</Item>
</Replace>
<Replace>
<CmdID>ea2fd9fb-bbf0-4e70-add4-6a919d2979de</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/SecureAssessment/RequirePrinting</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>True</Data>
</Item>
</Replace>
<Replace>
<CmdID>7ae93f1d-d480-4265-8809-1c472776ea6b</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/SecureAssessment/AllowTextSuggestions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>True</Data>
</Item>
</Replace>
Click to copy
Select all of the SyncML above. For existing custom settings profiles, you can select the radio button next to the profile, then click on the </XML> button. Only copy the XML from <Replace> to </Replace> being sure not to copy the <Atomic> tags.
2. Paste the SyncML

- Click the Modify button.
- Paste the copied SyncML into the SyncML pane. Notice the SyncML dynamically updated. Update the Launch URL from
https://techzone.vmware.com
tohttps://bit.ly/2zk0QTP
. - Update Allow Screen Monitoring, Require Printing, and Allow Text Suggestions from On to Off.
- Click the Copy button to copy the SyncML. Notice how when you make updates via the UI on the left, that the SyncML is updated on the right.
Creating a New Secure Assessment Custom Settings Profile
Now that we have updated our Secure Assessment SyncML, you will either be updating the SyncML in the existing custom settings profile or creating a new secure assessment custom settings profile. In this example, we will be creating a new secure assessment custom settings profile.
2. Select Platform

Select the Windows icon.
Note: Make sure that you select Windows and not Windows Rugged.
3. Select Device Type

Select Windows Desktop.
4. Select Context

Select Device Profile.
5. Define the General Settings

- Enter a profile name, such as
Secure Assessment
in the Name text box. - Scroll down to Smart Groups, click the field, and select All Corporate Dedicated Devices from the list that populates.
Note: Do not click Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.
6. Open Custom Settings

- Scroll down to the bottom on the left pane, and select Custom Settings.
- Click Configure.
7. Configure Custom Settings

Paste the SyncML you copied earlier into the textbox next to Install Settings, leave all other defaults.
8. Generate Delete SyncML
Back in VMware Policy Builder:
- Select Delete for Launch URI and Tester Account. Selecting Delete will remove the configured policy and is needed for the Removing Settings portion of the Custom Settings profile.
- Click Copy.
9. Remove Settings

Back in the Workspace ONE UEM console:
- Paste the SyncML you copied into the textbox next to Remove Settings, leave all other defaults.
- Click Save and Publish.
10. Confirm Device Assignment and Publish

- Verify the profile is assigned to the correct device.
- Click Publish to push the custom profile down to your Windows 10 device.
Configuring Custom Settings to Use Pre-released Configuration Service Providers (CSPs)
The Custom Settings payload provides a way to use newly released Windows functionality in Workspace ONE UEM. When you want to use the new features supported on Windows Insider builds, you can use the Custom Settings payload and SyncML (XML) code to activate or deactivate certain settings manually.
Requirements
You must generate SyncML code to leverage the Custom Settings payload using one of the following methods:
- Leverage samples from VMware Code Sample Exchange
- Use existing profiles to create custom settings
- Manually create SyncML
Microsoft publishes a Configuration Service Provider (CSP) reference site: https://aka.ms/CSPList
The custom settings profile appends the appropriate SyncML atomic tags to the beginning and the end of the code. You must generate the appropriate code between any <Add>, <Replace>, <Delete>, or <Exec> tags.
Optionally, you can also condense the size of the code by removing all whitespace, and linearizing the SyncML code.
SyncML without Atomic Tags Sample
The following text is an example of SyncML without atomic tags.
<Replace>
<CmdID>1f67a1bf-2d83-497f-ab4f-dc94a1c17449</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Reboot/Schedule/DailyRecurrent</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>2020-04-21T08:30:00</Data>
</Item>
</Replace>
Making Updates/Deleting Custom Settings Profiles
Workspace ONE UEM automatically uses built-in logic for fully integrated payloads. For instance, when removing a profile, Workspace ONE UEM sends a delete action to remove the profile payload’s configurations.
In contrast, when using Custom Settings, you must use the delete tag to remove settings. However, do not include the data tags - only the LocURI is needed.
To update custom settings, use the replace tag.
Remove Scheduled Daily Reboots Sample
<Delete>
<CmdID>1f67a1bf-2d83-497f-ab4f-dc94a1c17449</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Reboot/Schedule/DailyRecurrent</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data/>
</Item>
</Delete>
Using Samples from VMware Sample Exchange
Workspace ONE UEM provides a seamless experience when using custom settings for Windows 10 devices. You can find fully tested and validated samples at the VMware Code Sample Exchange. Pay attention to the support Windows 10 Edition as some samples apply only to Surface Hub devices (Team) or require Enterprise or Education editions. For more information and to access the samples, see VMware Sample Exchange.
Using Existing Profiles to Create Custom Settings
Many organizations who deploy on-premises or dedicated SaaS environments may not be able to use the latest feature updates to keep up with Windows 10 releases. You can use your user acceptance testing (UAT) environment to create the profile and then export the generated SyncML, and paste it into your production environment. This allows you to take advantages of newly released capabilities between the time it is released and your production environment is upgraded to support these features.
1. Create a Windows Profile
Create a Windows profile from the Workspace ONE UEM Console using existing payloads. For new features, copy SyncML from your UAT environment, then paste the SyncML into a custom settings profile in your production environment.
Before you begin, make sure the Windows 10 version and edition are supported. Additionally, you must verify there are no Workspace ONE Intelligent Hub dependencies.
Important: Only use this procedure to test new CSP capabilities before deciding to upgrade your environment to the latest version.
Deliver Policies with Dynamic Environment Manager Configurations
Overview of Dynamic Environment Manager
VMware Dynamic Environment Manager delivers personalization and centrally managed policy configurations across virtual, physical, and cloud-based Windows desktop environments. IT administrators control which settings users are allowed to personalize, and administrators can map environmental settings such as network drives and location-specific printers.
User-specific Windows desktop and application settings can be applied in the context of client device, location, or other conditions. Policies are enforced when users log in, launch an app, reconnect, or when some other triggering event occurs.
Dynamic Environment Manager also has a feature for configuring folder redirection for storing personal user data, including documents, pictures, and so on.

VMware Dynamic Environment Manager Integrates with Workspace ONE UEM with 3 steps:
- Install the Dynamic Environment Manager console
- Download and install the lightweight Dynamic Environment Manager console to customize your configuration files.
- Create configuration files in the Dynamic Environment Manager console
- Use the Dynamic Environment Manager console to create, customize, and download your configuration files.
- Deliver Dynamic Environment Manager Configurations with Workspace ONE UEM
- Leverage the power of UEM Device Profiles to upload and deliver your configuration files to the right devices through Smart Groups.
Workspace ONE UEM Integration Requirements
To integrate with Workspace ONE UEM, ensure you have the following components installed and configured:
- Workspace ONE UEM version 2109 or later
- Note: Workspace ONE UEM requires a Content Delivery Network (CDN) to be integrated. This is enabled by default for SaaS Environments. If your Workspace ONE UEM environment is on-prem, you must integrate with a CDN.
- Workspace ONE UEM CDN Integration can be found here: Integrating Workspace ONE UEM with Content Delivery Network
- VMware Dynamic Environment Manager 2106
- VMware Dynamic Environment Manager 2106 admin console
Recommended Dynamic Environment Manager Materials
If you are not familiar with the capabilities of Dynamic Environment Manager, this section contains helpful resources to review before exporting your configuration into Workspace ONE UEM.
- Dynamic Environment Manager Activity path covers all aspects from
- Tech Zone: Quick-Start Tutorial for VMware Dynamic Environment Manager
- Tech Zone: Managing Profiles and Policies for Windows Desktops: Dynamic Environment Manager Operational Tutorial
- Tech Zone: Profiling Applications: VMware User Environment Manager Operational Tutorial
- YouTube Series: VMware User Environment Manager video series
- VMware Docs: VMware Dynamic Environment Manager (Formerly Known as VMware User Environment Manager) Documentation
Create a Configuration in Dynamic Environment Manager
1. Creating a Configuration in Dynamic Environment Manager
BEFORE YOU BEGIN:
Before beginning this part of the tutorial, it is assumed that you have:
- Installed the Dynamic Environment Manager Admin Console on your machine
- For more detailed steps, see Tech Zone: Quick-Start Tutorial for VMware Dynamic Environment Manager.
- Installed the Dynamic Environment Manager agent on a Workspace ONE UEM managed device
- For more detailed steps, see Deploying Traditional Win32 Applications to Windows Devices: Workspace ONE Operational Tutorial.
2. Importing Chrome ADMX Settings
Now, we will import Chrome AMDX Settings into Dynamic Environment Manager. To download the Chrome ADMX files, see Chrome Enterprise policy list.
2.1. Open the Dynamic Environment Manager Management Console

- In the Dynamic Environment Manager Console, ensure you are in the User Environment tab.
- Select Manage Templates.
- Select Add Folder.
2.2. Import ADMX Templates

- Select the root of the folder that contains the ADMX Templates.
- Click OK.

Review the folder location and click OK.

This will import the AMDX Templates for modification.

- Review the AMDX Templates imported.
- Select Validate to validate the AMDX Templates.
3. Editing ADMX Policy in Dynamic Environment Manager

- Select ADMX-based Settings.
- Click Select Categories to edit the policies.

- Select any categories you want to edit the policy for.
- Click OK.

- Enter a Name for the policy. For example,
Chrome Settings
. - Review the number of categories selected.
- Click Edit Policies to make modifications to the policy.

Select a Policy to edit it.

After the policy is edited, click OK.

Note that the Policy State should change. In this case, it has changed to Enabled.

- Review the configured ADMX policies.
- Click Save.
4. Exporting Configuration to Workspace ONE UEM
Next, we need to export the Dynamic Environment Mnager Configuration Settings into a *.demconfig file to upload into Workspace ONE UEM.

- In the Dynamic Environment Manager console, after you have made all the configuration settings you want to change, click the star icon.

Select Import NOAD.xml

- In the Dynamic Environment Manager installation location, you will find a folder called
NoAD Mode
. - Within the NoAD Mode folder, select NOAD Workspace ONE UEM Sample XML.
- Click Open.

Select Import License File.

- In the Dynamic Environment Manager download location, you should have downloaded the VMware
DEM.lic
file. - Click Open.

After you have imported the License File AND the NOAD.xml then Save the Config. Save it to a location so you can upload this config to Workspace ONE UEM.
IMPORTANT: When saving the DEM Config - Ensure you have imported the License File AND the NOAD.xml.
Upload Configurations into Workspace ONE UEM
BEFORE YOU BEGIN:
Before beginning this part of the tutorial, it is assumed that you have:
- Installed the Dynamic Environment Manager Admin Console on your machine
- For more detailed steps, see Tech Zone: Quick-Start Tutorial for VMware Dynamic Environment Manager.
- Created and exported a configuration (*.config file) from Dynamic Environment Manager
- Installed the Dynamic Environment Manager agent on Workspace ONE UEM managed device(s)
- For more detailed steps, see Deploying Traditional Win32 Applications to Windows Devices: Workspace ONE Operational Tutorial.
1. Create New Policy in Workspace ONE UEM
1.1. Add New Policy

- In the Workspace ONE UEM Quick settings, Select Add.
- Select Profile.
1.2. Select Windows Platform

Select the Windows Platform.
1.3. Select Windows Desktop

Select Windows Desktop.
1.4. Select Device Profile

Select Device Profile.
2. Configure Policy General Settings

- Select the General tab.
- Give the Policy a name. In this example, it is
Dynamic Environment Manager
- Give the Policy a description. In this example, it is
Chrome ADMX
- Select the target Smart Groups.
3. Upload DEM Config

- Select the Dynamic Environment Manager Payload.
- Click Configure.

Click Upload to upload your DEM Config file.

Select Choose File.

- Select your DEM config file and ensure that the file has been selected.
- Click Save.

- Review the DEM Config file selected.
- Click Save and Publish to deliver the profile.
4. Review Device Assignment

Review the Device Assignment and click Publish.
5. Review Policy in Workspace ONE UEM

Review the Policy In Workspace ONE UEM admin console. Ensure it has an Assignment Type and Assigned Groups.
6. Update DEM Configuration Files

In the Workspace ONE UEM console, navigate to the DEM Policy and select Edit.

- Navigate to the Dynamic Environment Manager payload.
- Click to Download the DEM Config (You can edit this in the DEM Console).
- Click Add Version to add a new version of the DEM Config.
- After Config changes have been made to the DEM Config, click Change and upload the new DEM Config file.

In the Dynamic Environment Manager Console, click the star and select Open. Navigate to the downloaded DEM Config file and make any changes necessary. Save the file and upload this new Config to Workspace ONE UEM.
Confirm That the Policy Is Applied
In this section, you confirm that the policy is applied in both Workspace ONE UEM and on the device.
1. Review Policy in Workspace ONE UEM Admin Console

On the Device Details View, confirm that the Dynamic Environment Manager policy is applied.
- Select the Profiles tab.
- Confirm the Dynamic Environment Manager Policy is applied.
2. Review Policy on Device

As we are applying Chrome ADMX Policies via Dynamic Environment Manager, we will confirm the Chrome Settings are applied.
- Open the Chrome Browser and select the Menu.
- You will notice Managed by your Organization - this means that Chrome settings are applied.

As we have configured the Home page, we can confirm this setting in the Chrome Settings.
- In Chrome, navigate to the On startup tab.
- Review the Home Pages that have been configured.
You have successfully added the Dynamic Environment Manager Configurations to Workspace ONE UEM for deployment.
Congratulations!!
You have now:
- Installed the Dynamic Environment Manager Console.
- Deployed the Dynamic Environment Manager agent to Workspace ONE UEM managed devices.
- Configured a policy in Dynamic Environment Manager.
- Uploaded the Dynamic Environment Manager config to Workspace ONE UEM.
- Confirmed the Dynamic Environment Manager policy has been applied.
Manage Baselines and Group Policies
Overview
This section provides you with the information needed to:
- Validate policies on the Windows 10 devices.
- Ensure devices comply with assigned baselines.
- Enable group policy enforcement.
Validating Configured Policies
Using Microsoft Security Compliance Toolkit
You can use Policy Analyzer which is part of the Microsoft Security Compliance Toolkit to generate reports of the local policies applied to a device or to compare local policies to various baselines for validation or even compare various baselines to each other.
- Download Policy Analyzer from the Microsoft Security Compliance Toolkit. You can choose to also download Windows 10 Security Baselines files. These can be used later to compare these policies to the local policies on the device.
- Extract the PolicyAnalyzer.zip file, then launch PolicyAnalyzer.exe. Note for more information, refer to the Policy Analyzer PDF in the same directory.
- You can move any .PolicyRules files for a baseline into the Policy Rule sets in the directory to have it appear as an option in Policy Analyzer. If you select to capture the Local policy Policy Analyzer will save a Policy Rule file, I would recommend renaming this file to provide you with some clarity.
- It is recommended to capture the Local Policy before applying baselines from Workspace ONE then again after. You can compare (click View/Compare) both the before and after to the targeted baseline to see the differences. In the comparison window, navigate to View, then select Show only Conflicts.
Policy Analyzer is extremely useful for troubleshooting and for fully understanding what policies are being applied to the device. When you feel comfortable with the policies and how they are applied to the device, you can use the built-in Workspace ONE Baselines compliance capabilities.
The following image shows a sample comparison using Policy Analyzer of a Windows 10 1909 device local policies to the Windows 10 Version 1909 Security Baseline.

Leveraging MDM Diagnostic Information
There are two ways to generate a report which shows the applied configuration service provider policies on the device. You can use the Windows 10 settings GUI or leverage the command prompt to programmatically generate the report.
Option 1: Export your Management Log Files

Open the Windows 10 settings menu, then navigate to Accounts.
- Click Access work or school.
- Click Export your management log files.
- Click Export.
Option 2: Use Command Prompts
Alternatively, from the command prompt on a managed Windows 10 device, run the following command to see all of the configured modern policies, blocked group policies, and unmanaged policies. This command validates what is configured on the device and is a great troubleshooting resource.
%SYSTEMROOT%\System32\MDMDiagnosticsTool.exe -out <Output Folder Path>
Click to copy
Review the MDM Diagnostic Report
Both of the previous options will generate the following report which contains detailed information (when expanded) about the device and its configured policies. You can also use the Blocked Group Policies section to help visualize policy collisions between Workspace ONE UEM and group policies.

Enforcing Configured Group Policies
Enabling Local Enforcement of Baselines
There are multiple ways to enable local enforcement of baselines. To execute a script that adds the reapply registry key on a device, you can use:
- Sensors
- Product Provisioning
- Scripts in Apps & Books
- Custom Settings Profile (shown below)
Enforcing Configured Group Policies Using a Custom Settings Profile
This is a current workaround which needs to be complete to enable enforcement of baselines on Windows 10 devices. However, there are plans to enhance the product to not require this step.
Install Settings
<wap-provisioningdoc id="fd699da0-d511-4a60-b0aa-4c3e841c937e" name="customprofile">/
<characteristic type="com.airwatch.winrt.registryoperation" uuid="5a173f8a-2b03-4593-a846-5efc3eb9dce9">
<parm RegistryPath="HKLM\SOFTWARE\AIRWATCH\ReapplyBaseline" Action="Replace">
<Value Name="Interval" Data="6" Type="DWORD" />
</parm>
</characteristic>
</wap-provisioningdoc>
Click to copy
Remove Settings
<wap-provisioningdoc id="45d1450f-944e-46d3-8c3f-b333f93b1e7b" name="customprofile">/
<characteristic type="com.airwatch.winrt.registryoperation" uuid="c631d6ae-2ac1-46f6-a4a0-aeae9915c5cf">
<parm RegistryPath="HKLM\SOFTWARE\AIRWATCH\ReapplyBaseline" Action="Remove">
<Value Name="Interval" Data="6" Type="DWORD"/>
</parm>
</characteristic>
</wap-provisioningdoc>
Click to copy
The following screenshot shows what the device should look like after enabling the reapply baselines registry key.

Registry Item | Value |
---|---|
Path | Computer\HKEY_LOCAL_MACHINE\SOFTWARE\AIRWATCH\ReapplyBaseline |
Name | Interval |
Type | REG_DWORD |
Data | 0 - deactivated; Decimal value for reapply interval in hours |
Reviewing Baseline Compliance
Workspace ONE UEM 1910 introduced the ability to track endpoint compliance and monitor drift from the console. Thus removing the need for 3rd-party tools to check compliance.
1. View the Baseline Summary Tab

- In the Workspace ONE UEM console, navigate to Devices > Profiles & Resources > Baselines.
- Review the Compliance Status section. This view allows you to monitor and respond based on the level of compliance required by your InfoSec teams:
- Compliant = 100% compliance
- Intermediate Compliance = 99-85% compliance (for customers adhering to the Windows 10 Security Baseline or CIS Microsoft Windows Desktop Benchmarks)
- Non-Compliant = Less than 85% compliance
- Not Available = The Workspace ONE UEM console does not have a compliance sample for the device. You can force a sample by simply opening the baseline and publishing it again.
Note: Baseline compliance status only applies to baselines created using the UI. You cannot see the compliance status for custom baselines created using ZIP packages, unless you add additional policies from the add policies screen.
2. View the Baseline Devices Tab

- Click the Devices tab to view all of your devices along with details about their installation status and compliance.
- Click on the device’s Friendly Name to go to the Device Details page and view all the baselines and profiles assigned to the device.
- Click on the Compliance status link to bring up details about the device's policy set, and to identify which group policies are causing compliance issues.
3. Filter a Device's Compliance Status Details
The Compliance view gives you a list of all of the policies set on the device from the assigned baseline. From here, you can use the filter to find non-compliant policies.

- Expand the Status menu.
- Click Non-Compliant.
4. Review the Device's Non-Compliant Group Policies
This view gives you a clear picture of the non-compliant group policies on the Windows 10 device.

Summary and Additional Resources
Summary
This tutorial provided the steps and methodology for modernizing or migrating policies to the cloud using Workspace ONE Baselines, along with various other tools. Keep in mind that every use case is different, and the methodology discussed in this tutorial should serve as high-level guidelines. Just as Windows 10 is ever involving, so is our product. The product is continuously evolving to align with our vision of providing consumer-simple, yet enterprise-secure cloud-based policy management, validation, and enforcement using the VMware Workspace ONE platform.
Additional Resources
For more information about Windows Modern Management with Workspace ONE, you can explore the following resources:
Getting Started with Windows Modern Management
- Creating a Windows Virtual Machine to Test Workspace ONE
- Planning Your Windows Deployment: Workspace ONE Operational Tutorial
Windows Onboarding
- Onboarding Windows Devices Using Command-Line Enrollment: Workspace ONE Operational Tutorial
- Enrolling Windows Devices Using Azure AD: Workspace ONE UEM Operational Tutorial
- Drop Ship Provisioning: Workspace ONE Operational Tutorial
Windows Security and Policy Management
- Windows Modern Management Security Design and Implementation
- Understanding Windows Group Policies: Workspace ONE Operational Tutorial
- Deploying VMware Workspace ONE Tunnel: Workspace ONE Operational Tutorial
- Enabling BitLocker Encryption to Remote Windows Devices: Workspace ONE Operational Tutorial
Windows Application Management
Windows OS Patching
Windows Troubleshooting
Changelog
The following updates were made to this guide:
Date | Description of Changes |
---|---|
2022-12-11 |
|
2021-11-01 |
|
2021-07-21 |
|
2020-06-05 |
|
About the Authors and Contributors
This tutorial was written by:
- Darren Weatherly, Sr. Technical Marketing Architect, End-User-Computing Technical Marketing, VMware
- Josué Negrón, VMware Alumni
Appreciation and acknowledgment for contributions and feedback from the following subject matter experts:
- Robert Kiernan - Senior Customer Success Manager, VMware
- Mike Nelson, Sr. Solutions Architect, End-User-Computing R&D, VMware
- Fiona (Yongli) Xie, Sr. Consultant, Professional Services, VMware
- Adarsh Kesari, Staff Solutions Architect, End-User-Computing R&D, VMware
- Anjali Sinha, Member of Technical Staff, End-User-Computing R&D, VMware
- Camille Debay, Staff Customer Success Architect, Customer Success, VMware
- Saurabh Jhunjhunwala, EUC Customer Success Architect, VMware
- Lisa Matragrano, Sr. Product Marketing Manager, End-User-Computing Mobile Marketing, VMware
- Grischa Ernst, EUC Staff Customer Success Architect, Customer Success, VMware
- Scot Curry, Sr. Staff Solutions Engineer, End-User-Computing SE, VMware
- Chris Tillier, Sr. Solutions Architect, End-User-Computing R&D, VMware
Feedback
Your feedback is valuable.
To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
Appendix
Understanding Windows 10 Configuration Service Providers (CSPs) and Custom Settings Profiles
1. Getting to the Custom Settings Profile Option
- Log in to Workspace ONE UEM console.
- Navigate to Devices->Profiles & Resources->Profiles, then click on Add->Add Profiles.
- Select Windows, then Windows Desktop, and Device Profile.
- Input general information for the custom profile.
- Click Custom Settings, then Configure.
2. OMA-DM Client versus WAP-Provisioning
Management clients communicate to Workspace ONE UEM on behalf of the device. There are two primary management clients:
- OMA-DM (Open Mobile Alliance Device Management)
- Workspace ONE Intelligent Hub
The clients serve their own, distinct purposes, and rely on different services to establish real-time communication with Workspace ONE UEM. The Workspace ONE Intelligent Hub leverages wap-provisioning, while the OMA-DM client uses the OMA-DM protocol. The OMA-DM client is built into the Windows OS and owns the MDM relationship.
For more information, refer to Understanding the Workspace ONE UEM Solution Stack in the Troubleshooting Windows 10 Tutorial.
2.1. WAP-Provisioning Examples
The following have not historically been very well documented. A few examples are provided to explain how to use some of the wap-provisioning capabilities. Keep in mind, the Workspace ONE Intelligent Hub is required when leveraging wap-provisioning capabilities.
2.1.1. Create, Modify, or Delete Registry Keys
There are many ways of setting registry keys via Workspace ONE UEM, but one method you are likely not aware of is using a custom profile. This can be useful for quickly adding, editing or removing a registry key. You can use one profile to add or modify multiple key value pairs. For more details refer to How to Set Registry values using the Custom Settings Profile in Workspace ONE UEM.
2.1.1.1. Example 1: Registry Operation Template
<wap-provisioningdoc id="Insert GUID" name="customprofile">/
<characteristic type="com.airwatch.winrt.registryoperation" uuid="
Insert GUID
">
<parm RegistryPath="HKLM or HKCU with full path" Action="Replace/Remove">
<Value Name="Registry Name" Data="Registry Data" Type="String/Binary/DWORD/QWORD/MultiString/ExpandString" />
</parm>
</characteristic>
</wap-provisioningdoc>
2.1.1.2. Example 2: Generate a Chrome Browser Cloud Management (CBCM) Enrollment Token
For more information, refer to Enroll browsers with VMware Workspace ONE (Windows and macOS).
<wap-provisioningdoc id="Insert GUID" name="customprofile">/
<characteristic type="com.airwatch.winrt.registryoperation" uuid="
Insert GUID
">
<parm RegistryPath="HKLM\SOFTWARE\Policies\Google\Chrome" Action="Replace">
<Value Name="CloudManagementEnrollmentToken" Data="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" Type="String" />
<Value Name="CloudManagementEnrollmentMandatory" Data="1" Type="DWORD" />
</parm>
</characteristic>
</wap-provisioningdoc>
2.1.1.3. Example 3: Remove the Chrome Browser Cloud Management (CDCM) Enrollment Token
<wap-provisioningdoc id="Insert GUID" name="customprofile">/
<characteristic type="com.airwatch.winrt.registryoperation" uuid="
Insert GUID
">
<parm RegistryPath="HKLM\SOFTWARE\Policies\Google\Chrome" Action="Remove">
<Value Name="CloudManagementEnrollmentToken" Data="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" Type="String" />
<Value Name="CloudManagementEnrollmentMandatory" Data="1" Type="DWORD" />
</parm>
</characteristic>
</wap-provisioningdoc>
2.1.2. Executing PowerShell Commands
The examples below are for the install settings, you can choose what to use for remove settings. You can use an empty command or revert settings. This is not the only way to execute PowerShell commands/scripts within Workspace ONE, refer to How to Deploy PowerShell Scripts to see two other methods. If you want to deploy more complex scripts as opposed to just a simple command using this method, check out the PowerShell profile blog post.
2.1.2.1. Example 1: Create Firewall Rule
<wap-provisioningdoc id="Insert GUID" name="customprofile">
<characteristic type="com.airwatch.winrt.powershellcommand" uuid="
Insert GUID
">
<parm name="PowershellCommand" value="New-NetFirewallRule -DisplayName 'Block WINS' -Direction Inbound -Action Block -RemoteAddress WINS"/>
</characteristic>
</wap-provisioningdoc>
2.1.2.2. Example 2: Removing ConfigMgr Client
<wap-provisioningdoc id="Insert GUID" name="customprofile">
<characteristic type="com.airwatch.winrt.powershellcommand" uuid="
Insert GUID
">
<parm name="PowershellCommand" value="Invoke-Command -ScriptBlock {C:\windows\ccmsetup\ccmsetup.exe /uninstall}"/>
</characteristic>
</wap-provisioningdoc>
2.1.3. Modifying Profiles
This is not recommended but could be used in a case where you want to exclude one of the mandatory settings being pushed. Keep in mind, if you choose this option, you will lose out on using the dedicated UI for the profile, thus lifecycle management will require additional effort.
3. Standard Syntax for OMA-DM Protocol (SyncML)
Note that when using Workspace ONE UEM custom settings profiles, the Atomic node is not required as this is auto-populated for you and thus is not shown below. For more information refer to OMA-DM protocol common elements.
<command>
<CmdID>unique number in the profile</CmdID>
<Item>
<Meta>
<Format>int or chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Policy Scope/Vendor/MSFT/Policy/Config/policy sub-categories</LocURI>
</Target>
<Data>settings</Data>
</Item>
</command>
OMA-DM Elements | Description |
---|---|
Command (Cmd) |
Supported values for the Custom Settings profile are:
For more information refer to, DM protocol commands. |
Unique number in the profile (CmdID) | Unique number to identify each command in the profile. You can use 1, 2, 3… for example for each new command within a custom profile. The CmdID must be unique for each command in the same profile, however do not have to be unique across profiles. It is recommended to use a GUID value. |
Int or Chr (format) | Either integer (int) or character (chr). Based on the values specified (data) in the CSP policy. |
./Policy Scope/ (LocURI) |
Either ./Device/ if policies are applied to the device, or ./User/ if policies are applied only under user’s profile. For more information refer to, user targeted versus device targeted configurations. |
Policy sub-categories (LocURI) | Policy path defined from the Configuration Service Provider Reference site or in the ADMX file. |
Settings (data) | A valid value defined from the CSP or in the ADMX file. |
4. Supported Types of OMA-DM Policies
- Standard Microsoft CSP: Built-in to the Windows 10 OS, varies based on Windows 10 version and edition. Data can be integer (int) or string (chr). You can quickly build these profiles using VMware Policy Builder or refer below for the manual steps.
- Inbox ADMX-Backed policies: The OS group policies are included and located in the C:\Windows\PolicyDefinitions folder. Format is always chr. And settings require encoded XML or using <![CDATA[…..]]>. For more information refer to Understanding ADMX-backed policies. You can quickly build these profiles using VMware Policy Builder or refer below for the manual steps.
- Application or 3rd Party ADMX policies: These are 3rd party application settings that are defined in the ADMX. The ADMX will need to be downloaded and ingested into devices. Format is always chr. Settings require encoded XML or using <![CDATA[…..]]>. You can manually handle 3rd party ADMX Policies.
5. Creating Custom Profiles for Standard Microsoft CSP
- Find the reference to Microsoft-supported CSP using this link https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider or this short-link https://aka.ms/csplist.
- Search for the desired CSP setting, and ensure it’s supported for your device type, edition, and version. Click the CSP to obtain more information.
- Replace the highlighted code in yellow with the information provided from the reference.
<command>
<CmdID>unique number in the profile</CmdID>
<Item>
<Meta>
<Format>int or chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Policy Scope/Vendor/MSFT/Policy/Config/policy sub-categories</LocURI>
</Target>
<Data>settings</Data>
</Item>
</command>
5.1. Example 1: Set up a policy to NOT show the information for the last user who logged on
<Replace>
<CmdID>4986697b-474e-4c1c-a7fa-4026113788e3</CmdID>
<Item>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/ LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn</LocURI>
</Target>
<Data>1</Data>
</Item>
</Replace>
5.2. Example 2: Set up a policy to display messages when user attempt to logon
<Replace>
<CmdID>90c1dda3-bcd6-4344-aa96-3bc15f07253a</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/ LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttempting</LocURI>
</Target>
<Data>This machine is for restricted user only</Data>
</Item>
</Replace>
6. Creating Custom Profiles for Inbox ADMX-backed Policies
You should be using VMware Policy Builder however we will discuss what is done on the back end to properly understand what is happening.
These inbox ADMX policies are processed into MDM policies during the OS-Build time and located in %SystemRoot%\policydefinitions. Only the ones listed in the reference link below are supported.
- Find the specific policy in the Microsoft CSP reference link or use the short-link http://aka.ms/CSPList. For this example, let's look at setting the Homepage for the Edge browser. To configure the Edge browser, we will be using the Policy CSP, and focused on Browser/Homepages. From here we can see the supported Windows 10 editions, the allowed Scopes (user/device) and a description of what this setting does, and most importantly the ADMX Info which contains the GP Name (HomePages) and the supported and expected values.
- Make a note of the GP name in the reference. In this example the GP name is HomePages.
- Copy the .admx file to a temporary location and open in Notepad++ or your preferred text editor.
- Find the policy definition in the .admx file using the GP name. The policy definition provides information on the registry key path for the setting, supported platform, and if the policy has parameters or if you can activate/deactivate the policy.
- Follow the SyncML syntax to modify the below example for your use case:
6.1. Example 1: Policy to Set Edge's Homepages
<Replace>
<CmdID>d1a2daaa-9388-412c-be94-ef8e4310712b</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/Browser/HomePages</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>
<![CDATA[<techzone.vmware.com>,<login.vmware.com>]]>
</Data>
</Item>
</Replace>
6.2. Example 2: Deactivate the Use of Password Manager in Edge
<Replace>
<CmdID>6b2f77cb-3169-4934-b3fa-58994f7e50fc</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>0</Data>
</Item>
</Replace>
Group Policy (GPO) & MDM Policy (CSPs) Processing & Precedence
Throughout the tutorial, various policy options were introduced and it quickly becomes apparent that having multiple mechanisms for setting/modifying the device's policies gets complex. We explored the overall best practices and methodology for modernizing and migrating policies. It is recommended to limit the overlap of technologies being used per device. Example, GPO vs MDM CSP vs Workspace ONE Baselines.
When you leverage a new mechanism, it is best practice to deactivate/un-assign the other method. However, we understand there will be use cases where this is not possible; most notably when working across teams: Workspace ONE UEM admin versus Domain GPO admin. The following section attempts to explain the processing order of policies and which policy types take precedence over others.
1. GPO Processing and Precedence

First, let's understand the processing and precedence for group policy objects. Overall the last write/applied takes precedence and overwrites existing policies. It is vital to understand the processing order for GPOs. Referring to the image you can see that local GPOs are processed first, therefore it also has the lowest precedence.
For more details, see Group Policy Processing and Precedence and Group Policy Hierarchy.
2. Default Order of Precedence for GPOs and MDM Policies

The default when applying both GPOs and MDM policies on a device is that GPO policies win, or supersede, MDM policies. Therefore, by default GPOs have higher precedence than MDM policies on the device. To more clearly define MDM policies, these are policies based on the Microsoft Configuration Service Providers (CSPs). Refer to Policy CSPs supported by Group Policy for more details regarding conflicts.
It is also important to note that throughout the tutorial we discuss leveraging Workspace ONE Baselines. Baselines are based on GPOs and depending on the policy can be applied on the device using DEM, SecEdit, AuditPol, or LGPO (only custom baselines).
2.1. Enabling the Control Policy Conflict to Allow MDM to Win

There is a way to force MDM policies to win, or supersede, GPO policies. In this case, MDM policies would have higher precedence than GPO policies on the device. There is a CSP that can be deployed to managed devices that enable this behavior. You can leverage the Control Policy Conflict part of the Policy CSP which sets the MDM Wins Over GP policy to ensure MDM (Policy CSPs supported by Group Policy) policies win over group policies.
Additionally, you can validate policy conflicts by Validating Configured Policies and using the MDM Diagnostics Tool to generate a report to see MDM versus GPO policy conflicts and which policy has precedence on the device.
2.1.1. Install Settings
<Replace>
<CmdID>c28cc6ca-982c-4490-955a-93ef2fb00936</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
Click to copy
2.1.2. Remove Settings
<Delete>
<CmdID>9ae93437-7c43-44d9-956c-6fcf9eeda756</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data/>
</Item>
</Delete>
Click to copy