Windows Desktop - Endpoint Management

In this comprehensive walkthrough, you'll see how to demonstrate a Windows 10 desktop and VMware Workspace ONE.

The corporate-liable device use case utilizes the most Windows 10 management functionality. Therefore, enrolling into the Enterprise - EMM Demo (Corporate Owned) OG is the standard and provides the context of this document. Enrolling into BYOD is also supported and is intended to show a Windows 10 PC being under very light management without restrictions.

Before You Begin

In order to complete a Windows Desktop walkthrough, you'll need the following:

  • A valid VMware TestDrive account.
  • Enabled Workspace ONE UEM (formerly VMware AirWatch) service in the VMware TestDrive Portal.
  • Device: Windows 10 Enterprise, at least version 1607. Windows 10 1803 Business Editions is available here (TestDrive Office 365 account required).
    • Maintain either a VM snapshot, or System Restore point on physical device, for a fast roll back.
  • Network access from your device and TCP ports 80 and 443 enabled on your local network.
  • For the console-side discussion, be sure you already have the console open with the necessary console views already loaded in your browser's tabs.


In a traditional Windows environment, devices were managed through GPOs and complex systems management tools such as SCCM. With Workspace ONE UEM and Windows 10, configuration changes can be delivered in real-time, over-the-air, anywhere—not just when a system is on the corporate network.

Workspace ONE UEM brings industry leading, lightweight EMM coupled with the capabilities of traditional client management functions into a comprehensive Windows desktop management solution.

Workspace ONE UEM:

  • Provides advanced endpoint protection and security features like ensuring device compliance, protecting enterprise data and apps, setting BitLocker encryption, managing device password, controlling Windows Firewall and AntiVirus, setting device restrictions, and collecting location information.
  • With VMware Workspace ONE, delivers a unified catalog experience that not only gives users all apps (desktop, virtual, web, and native) in one collection but, more importantly, provides secure and streamlined access to these apps.


Talking Points

  • Workspace ONE UEM supports several admin-friendly and user-friendly enrollment methods, including the recommended direct agent enrollment, auto-enrollment (OOBE), and native enrollment.
  • With Workspace ONE agent enrollment, searching for the enrollment area in Windows settings, entering a server name (if there's no WADS, which is administrative overhead in itself), and waiting for the agent to install post-enrollment are all things of the past.

Alternatively, please see the Experience Workspace ONE on Windows 10 guide for Workspace ONE adaptive enrollment on Windows. 

Workspace ONE Intelligent Hub initiated enrollment is currently the recommended Windows enrollment method. To begin enrollment, go to


Download and run the Workspace ONE Intelligent Hub install. If prompted, install the Microsoft Visual C++ libraries. 


After installation completes, you will be guided through enrollment. When the agent opens, choose email enrollment, then enter your Workspace ONE UEM enrollment email address in the following format:



Proceed thru enrollment, choosing your enrollment Organization Group (OG) when prompted.

Choose Enterprise - EMM Demo (Corporate Owned).  The Enterprise - EMM Demo (Corporate Owned) flow contains the greatest functionality showcase and is, therefore, the standard. In addition to basic management, it contains wallpaper via product provisioning, Windows Information Protection (WIP), an automatically deployed Horizon Client via software distribution over CDN, system restrictions, App Locker, BitLocker, and administrator-managed Windows Updates. As mentioned in the introduction, this document entails the EMM demo.


Enterprise - BYOD Demo is also available to demonstrate the BYOD use case.  Being sensitive to a user's privacy where restrictions of any type would be considered intrusive on a personal device, not much change takes place on the device in the BYOD demo.

Authenticate using SAML provided by VMware Identity Manager. Input your credentials as listed below:

User name: {TestDrive username}

Password: {Testdrive password} 

After successful authentication, click next to allow Workspace ONE UEM to complete enrollment.

During enrollment Workspace ONE UEM provisioning processes are already taking place.  Enrollment is complete when you see this:


Next, check your device in the console and note that enrollment is complete!

In contrast to Workspace ONE Hub enrollment, with native Windows enrollment through Settings, the user must wait for the agent to install.

Workspace ONE UEM Console Overview

Talking Points

  • An enrolled device will receive a set of automatically delivered profiles. Those profiles represent a baseline configuration for how the PC should be set up, and additional profiles can be applied to meet specific requirements.
  • Profiles are the settings that, when combined with compliance policies, help enforce organizational security policies.
  • Passcode, Wi-Fi, per-app VPN, certificate issuance, app whitelist/blacklist, and device restrictions are just a few profile types that may be created for Windows 10.

Go to profiles on the left-side console menu. In "Search List," enter "WWE - W10 -" to quickly filter your view to only list Windows 10 desktop profiles.

Click through individual profiles to review each one's payload.

Use the pre-configured "optional" device profiles as needed.

Switch to your browser tab open with the device list. Find your device by filtering by your username. Drill into your device details and discuss profiles, apps, content and other features your audience would find important.

On the profiles tab, note the installed statuses and the assignment types, automatic vs optional, using optional profiles to aid your discussion.

Find the Troubleshooting menu off of the More tab.

Discuss how Workspace ONE UEM enables the administrator to see real-time event logs—just as one would with SCCM—right in the Workspace ONE UEM console. Both events and command statuses can be readily accessed in real time!

VMware Workspace ONE

Talking Points

  • VMware Workspace ONE is the enterprise platform that enables organizations to deliver a digital workspace that empowers users to securely bring the technology of their choice—devices and apps—without sacrificing productivity or security at a cost the business needs.
  • Unified app catalog transforms employee on-boarding. Simply downloading the Workspace ONE app on the PC (or any platform) provides employees with a complete, self-service enterprise app catalog that can be easily customized and branded for your organization.
  • Delivers any application from the latest mobile cloud apps to legacy enterprise apps. Simple, one-stop access to all apps: native, web, virtual, VDI, and RDS apps!
    • Internal web apps through a secured browser and seamless VPN tunnel
    • SaaS apps with SAML-based SSO and provisioning framework
    • Native public mobile apps through brokerage of public app stores
    • Modern Windows apps through the Windows Business Store
    • Legacy Windows apps through Win32 package delivery
  • Single Sign-On (SSO) that federates the most complex on-premises Active Directory topologies and support for multi-factor authentication, like RSA.

Launch Workspace ONE.

Note the preset VMware Identity Manager instance name:

Click Next, and then enter your TestDrive credentials.

After authenticating, wait for Workspace ONE to set up.

Once inside Workspace ONE, review both the Bookmarks and Catalog areas. From Workspace ONE's bookmarks review the simplicity of creating bookmarks to VDI, RDSH, web, and Thin Apps from the Catalog.

Be sure to mention the Win32 apps seen within the Catalog and that details on those are coming up.

Go over the rapid and seamless access Workspace ONE provides for VDI, RDSH, and Thin Apps. Choose a VDI, like the NVIDIA GRID desktop for your region, and allow Horizon to open it. You can also show bookmarking.

Also review the support of legacy Windows apps, like Internet Explorer 6. Many organizations still need to support legacy web apps and Workspace ONE makes it available in a snap.

Launch the IE 6 Thin App. (Your "Bookmarks" will vary from the screenshot.)

Discuss how users have fast and seamless access to a critical system only available thru a legacy browser.

Win32 Software Distribution over CDN

Talking Points

  • No longer do PCs need to be tied to local area network (LAN) computer management systems for native Win32 app management. Both Windows 10 desktops and Windows 10 mobile devices can now have Win32 apps managed over-the-air (OTA) by Workspace ONE UEM.
  • Workspace ONE UEM provides a variety of different application distribution options to meet the variety of installation scenarios found in an enterprise. The application deployment framework supports MSI, EXE and ZIP based deployments, public apps from the Windows Store, as well as, complex script-based applications through product provisioning.
  • Content Delivery Network (CDN) integration globally extends your organization's app deployment for fast and secure app delivery.

The native Windows VMware Horizon Client and Chrome are configured to automatically deploy. These apps are delivered by Workspace ONE UEM's software distribution over CDN.

Workspace ONE UEM's Win32 app distribution and management is doing the same thing that traditional LAN-based tools, like SCCM, have done with native apps—but Workspace ONE UEM is doing it over the air. Devices no longer have to be tied to the organization's LAN.

Several additional Win32 apps are set up for software distribution. From Workspace ONE's catalog, select Windows Apps to filter the view to all Windows apps, both Win32 and UWP apps:

Choose one of the Win32 apps ("Win32" will be in the app's description) and push it to the device. 7-Zip is a good manual install app as its install is small-sized, so the deployment happens very quickly.


You need a 64-bit Office 365 installation to show the upcoming WIP section. You may use either the provided Office 365 install or one on your machine, but it must be a 64-bit Office 365 install to work with the WIP profile.

The provided Office 365 Pro Plus ZIP is a 2 GB download/install. Needless to say, given PC and network performance, installation can take a while. Unless you are required to show the Office installation live, have your machine set up with Office 365 Pro Plus 64-bit before the demo.

Apps delivered via software delivery are set up through the familiar AW workflow. Though with Win32 apps, comprehensive deployment, install, dependency, detection, and uninstall settings are available to suit various complex app deployment needs.

In the console, you can not only use the troubleshooting tab to view the status of the apps' installation command but also show that the app is being delivered from the globally-reaching CDN.

Product Provisioning

Talking Points

  • Product provisioning allows you to create products containing profiles, applications, and files/actions (depending on the platform). These products follow a set of rules, schedules, and dependencies as guidelines for ensuring your devices remain up to date with the content they need.
  • Products allow for complete customization through scripting, rule sets, schedules, and dependencies for ensuring your devices remain configured and up to date.
  • Product Provisioning can be used for advanced, script-based app deployments.

In TestDrive, the wallpaper that sets up in the corporate demo is managed via product provisioning.

Note: Admin role design doesn't currently allow access to view the production file/action or product.


Data Protection (Windows Information Protection)

Workspace ONE UEM Data Protection for Windows 10 is currently degraded. Using your TestDrive account, certain features, such as protected data copy/paste and protected document saving, are not functioning as expected. The issue is environmental and is NOT present in production implementations of Workspace ONE UEM with Windows 10 Enterprise and the native Office 365 desktop apps.

Improvements are in the works.

Talking Points

  • Issue at hand: Industry estimates state up to 75% of corporate data loss is committed unintentionally. WIP was built to address this issue.
  • As the convergence of work and personal data on the same device accelerates, the risk of accidental data loss also increases through services that your organization does not and cannot control through traditional desktop management methods.
  • Windows Information Protection (WIP) works by whitelisting enterprise applications to give them permission to access enterprise data from protected cloud resources and networks.
  • If end users move data to non-enterprise applications, actions and alerts can be triggered based on selected enforcement policies.
  • The data protection profile encrypts enterprise data and restricts access to approved devices. Encryption is managed thru a certificate in the data protection profile.

WIP Profile Summary

The TestDrive WIP profile has the following enterprise resources protected. Use them as you see fit.

Native apps:

  • Microsoft Office 365 Pro Plus 64-bit
  • Dropbox


  • Internet Explorer (32-bit & 64-bit)
  • Edge


  • TestDrive Office 365 Email
  • TestDrive Office 365 SharePoint
  • TestDrive Office 365 OneDrive

On the device, open Excel. Sign in with your Office 365 email address. While badges no longer appear either in or on the apps, WIP functionality is present.

Certificate authentication via VMware Identity Manager should authenticate you. Accept the prompts. (If using the provided Office 365 Pro Plus, it will not activate but will have all desired functionality.)

Open the SharePoint document, CommittedSales.xlsx. Open Other Workbooks > Site - VMware EUC - > Sales Workspace > Documents > CommittedSales.

Copy sensitive content from the spreadsheet.

Open browser tab to a personal mail account, like Gmail, and attempt to paste the protected content. Workspace ONE UEM-managed WIP won't allow it.

Open WordPad. Attempt to paste the clipboard.

Notepad, on the other hand, is a protected app and content is permitted.

In Excel, save the document to your desktop. Note how the file can only be saved as a "Work" document type for the protected domain.

Talking Point

  • Alternative WIP profiles can be configured for different user groups, where, for instance, an executive group would be granted the ability to save as either work or personal.

Go to your desktop and show the protected document badged with the briefcase icon indicating the document is protected.

Open either Edge or Internet Explorer. Go to and enter your Office 365 email address.

Use the Workspace ONE UEM-managed certificate when prompted. VMware Identity Manager will sign you into your Office 365 mailbox.

Open an email with an attachment. Download the attachment to your desktop. Note the ability to only save it as a protected work document. Not only is the file under WIP policy, the organization's Office 365 site is too. All of the organization's Office 365 site content is protected and any organizational site can be protected just the same.

You can also open the Outlook native app, after a couple of quick wizard setup steps, and show that Outlook too is under the same WIP policy. WIP protects both the organization's web and native mail!

No matter what enterprise resource a document comes from, since it's protected, it's encrypted and can only be opened by other protected apps.

Additional WIP Talking Points

  • Enforcement policies within the data protection profile allow the admin to set limits on what the user can do with protected data. The most common and recommended enforcement policies are:
    • Encrypt and Block Data (This is the configuration.)
    • Encrypt data and allow user to move data to non-protected applications with an audit trail of any data transfer. The user is warned that their actions will be audited.


Talking Points

  • For the corporate dedicated device, a restriction profile may be configured to prevent access to functions such as changing date/time, modifying VPN, changing user account settings, enabling Bluetooth, using Cortana, disabling VPN over cellular, unenrolling, and many other functions that may be seen as either an increased security risk, an increase in cost, or lessened productivity.
  • Windows User Account Control (UAC) settings can be managed thru a Restrictions profile. While this setting is an excellent safeguard against malicious app installations, in some organizations it creates a lot of unnecessary help desk calls.
  • Workspace ONE UEM configures the native Windows AppLocker which prevents installation of undesirable apps by name, version, or publisher. Conversely, apps may be whitelisted by name, version, or publisher to only allow those apps.
  • Corporate branding can be extended to the desktop.
  • Native security features such as Windows Firewall Updates and Windows Insider builds can be managed.
  • With the combination of WIP, App Locker, and restrictions profiles, a device can be fully managed and secured on the corporate network just as was done with the complex legacy tools.


From the Workspace ONE UEM console, in your device's details, push the "WWE - W10 - Block Netflix" AppLocker profile.

After the profile installs, which should be very quickly, go to the Microsoft Store and attempt to install Netflix. The Workspace ONE UEM-managed AppLocker profile will block the installation of Netflix.

Organizations deploying very restrictive devices may wish to block the entire Microsoft Store. To show this, from the console, you can remove the 'Block Netflix' profile and push the 'Block Store' profile. This change should be able to be demonstrated live.

In addition to UWP apps being able to be blocked, Windows executable, Windows installer, publisher, and script rules may also be configured with an AppLocker profile.

System Restrictions

Talking Points

  • In the restrictions profile with its various possible payloads, a significant number of restrictions that might have been set via Group Policy Objects (GPOs) in the past are available to be configured.
  • Configuration Service Providers (CSPs) are made available to be configured to emulate many of the options available through GPO.

The "WWE - W10 - Restrictions CORP" profile automatically deploys. Open it to review its payload. This profile contains restrictions for internet sharing, region settings, Bluetooth, and Windows Updates. (Check the profile's description for the payloads currently configured.)

On the device, search for region settings. Workspace ONE UEM-managed policy should prevent changing them. Along with a red notification, settings will be grayed out.

From Search, enter "updates," to find the Windows Updates system setting. Show both the configuration and restriction on the Windows Updates screen.

Click the link "view configured update policies" to review the Workspace ONE UEM-configured policies.

Windows Updates

Talking Points

  • Windows updates in the enterprise can take weeks or even months to be installed on an organization's entire fleet of PCs due to on-local-network requirements to reach distribution servers. Workspace ONE UEM and Windows 10 UEM use the simplicity of the cloud and Microsoft Update Service to deliver updates regardless of device location.
  • Updates delivered through Microsoft Update can be controlled by Workspace ONE UEM. Options such as which “branch” to be on, as well as the ability to defer both quality updates and features allows granular control over when PCs get updates.
  • Workspace ONE UEM can set Active Hours for when updates should be applied, to prevent users from canceling or otherwise preventing reboots, or to schedule distribution when electricity is cheaper.
  • Administrative approvals can target different groups of updates to the right groups of users or PCs, to make sure that PCs are healthy and secure.
  • WSUS servers can also augment Workspace ONE UEM and be used for PCs that are always available on the corporate network.

In the console, open Devices > Profiles & Resources > Profiles and search for "update." Select the "WWE - W10 - Updates CORP" policy, open it, and choose the Windows Updates payload.


Talking Points

  • The Workspace ONE UEM compliance engine can automatically monitor, notify, and take action on devices that do not meet rules set up in compliance management.
  • A Windows 10 compliance policy is capable of taking action on critical security items such as device last seen, encryption state, firewall status, automatic updates, OS version, passcode, and Windows Health Attestation.
  • Workspace ONE UEM can manage Windows BitLocker Encryption on both physical and virtual machines. A recovery key created during encryption is stored in the Workspace ONE UEM Console and in the Self-Service Portal.
  • For Windows Health Attestation, Workspace ONE UEM pulls the necessary information from the device hardware and not the OS, so compromised devices are detected even when the OS kernel is compromised.


Talking Points

  • A Workspace ONE UEM profile encrypts the Windows 10 desktop device via native BitLocker encryption. After disk encryption, the BitLocker encryption key is made available in the Workspace ONE UEM console. If a device is lost and then recovered, with the BitLocker key readily available to the security team in the Workspace ONE UEM console, potentially lost data can be recovered easily.
  • As of Workspace ONE UEM 9.1, BitLocker can also be managed with a password on devices without TPM. BitLocker managed by a password, instead of TPM, enables disk encryption on devices without TPM, like VMs running in older versions of Fusion or Workstation.

To demo BitLocker, from the console, push the WWE - W10 - BitLocker-Passcode profile and follow the prompts:

Check the Windows notification area. You'll need to reboot the device.

After reboot, you'll need to set the BitLocker password...

...and then drive encryption will complete in the background.

Review the PC's BitLocker status in the console...

...and view the recovery key.


Health Attestation

In order to show Health Attestation, you must be using Workstation 14, Fusion 10.1, or a physical PC with the TPM enabled and Secure Boot enabled. In Workstation or Fusion, first encrypt the VM, then add a new device (Trusted Platform Module) and ensure that you have enabled UEFI and Secure Boot in Options > Advanced.

Talking Points

  • It's a fact that some vulnerabilities compromise PCs prior to loading Windows, antivirus, and antimalware protections. Health attestation is able to take measurements for things like Secure Boot, code integrity, BitLocker and boot manager and compare them against baselines stored in Workspace ONE UEM. If a device is compromised, it can be addressed via the compliance engine.
  • If a device falls out of compliance, notifications can alert admins, managers, and the user. As well, customizable device actions can occur using the Workspace ONE UEM compliance engine.

The device sends the Health Attestation report to the Workspace ONE UEM console for enterprise health checks and potential compliance rule triggering.

We can see here that Secure Boot is enabled, preventing a rootkit from compromising this PC prior to Windows booting up, and that BitLocker is seen as enabled at boot. Other security technologies that operate at boot are reported, and compliance policies can be defined to inform administrators that a PC has potentially been compromised.
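To cross-check the console's BitLocker and Health Attestation views against what the device itself reports, the following PowerShell can be run on the enrolled PC. It is an added example, not part of the original guide or of Workspace ONE; `Get-DeviceBootPosture` is a hypothetical helper name, and the script assumes an elevated session on Windows 10.

```powershell
# Added example: run in an elevated PowerShell session on the enrolled PC.
# Get-DeviceBootPosture is a hypothetical helper name, not a Workspace ONE command.
function Get-DeviceBootPosture {
    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS firmware
    # and when the session is not elevated.
    try   { $secureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = 'Unavailable (legacy BIOS or not elevated)' }

    # TPM: a VM without a virtual TPM device reports TpmPresent = False.
    try   { $tpm = Get-Tpm -ErrorAction Stop }
    catch { $tpm = $null }

    # BitLocker state of the OS volume, including which key protectors exist.
    try   { $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop }
    catch { $vol = $null }

    [pscustomobject]@{
        SecureBoot        = $secureBoot
        TpmPresent        = if ($tpm) { $tpm.TpmPresent } else { 'Unknown' }
        TpmReady          = if ($tpm) { $tpm.TpmReady } else { 'Unknown' }
        VolumeStatus      = if ($vol) { $vol.VolumeStatus } else { 'Unknown' }
        ProtectionStatus  = if ($vol) { $vol.ProtectionStatus } else { 'Unknown' }
        EncryptionPercent = if ($vol) { $vol.EncryptionPercentage } else { 'Unknown' }
        # Password = the non-TPM passcode profile; Tpm = hardware-backed;
        # RecoveryPassword = the recovery key escrowed to the console.
        KeyProtectors     = if ($vol) {
            ($vol.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ', '
        } else { 'Unknown' }
    }
}

function Get-PostureFindings {
    param([Parameter(Mandatory)]$Posture)
    # Collect the local states a compliance rule would typically care about.
    $findings = @()
    if ($Posture.SecureBoot -ne 'True') {
        $findings += "Secure Boot is not confirmed: $($Posture.SecureBoot)"
    }
    if ("$($Posture.TpmPresent)" -ne 'True') {
        $findings += 'No TPM present: BitLocker must use a password protector'
    }
    if ("$($Posture.ProtectionStatus)" -ne 'On') {
        $findings += "BitLocker protection is $($Posture.ProtectionStatus) on $env:SystemDrive"
    }
    $findings
}

$posture = Get-DeviceBootPosture
$posture | Format-List
Get-PostureFindings -Posture $posture
```

An empty findings list together with a `KeyProtectors` value that matches the pushed profile (for example `Password, RecoveryPassword` on a VM without TPM) is what the console's BitLocker status and Health Attestation report should agree with.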

Per-app VPN

VMware Tunnel is a Universal Windows Platform (UWP) app. All UWP VPN apps utilize the native Windows VPN framework. Please be advised that the native VPN framework has limitations. Microsoft and VMware are working together to improve native UWP VPN functionality and performance. Until improvements are made, per-app VPN is intended for light duty use.

Talking Points

  • Device level VPNs are not able to distinguish between work, personal, and rogue apps on an endpoint and when active will enable traffic between the entire device and datacenter. Workspace ONE UEM per-app VPN capability enables app-level security so only entitled users with validated devices using authorized apps are able to access the datacenter.
  • Embedded VMware Tunnel eliminates the need for a third-party VPN service and licensing fee ensuring that the service is delivered at a low TCO.

VMware Tunnel should install automatically via BSP integration.  Chrome browser—pushed from Workspace ONE's software distribution over CDN—is configured for per-app VPN. 

In Workspace ONE, find the HR Form website.

Launch the website using IE or Edge.  The connection will fail, demonstrating there's no device-wide VPN. 

Next, copy the internal URL, launch Chrome and input the URL.  Show the successful connection to the internal site. 

The VMware Tunnel app's UI is designed to simply display Tunnel status. Enterprise server will not show connectivity until the enabled per-app VPN app (Chrome) connects.

After showing the tunneled connection, go to the native VPN settings by typing "VPN" into Windows search.  Show the configured, native Per-App VPN profile. This is the VMware Tunnel's profile.  Disconnect it. 

Enterprise Wipe

Discuss the need for both manual and automated enterprise wiping of a device. Workspace ONE UEM's customizable compliance policies can issue automatic wipes when a device falls out of compliance. Unlike a device wipe, which wipes the entire device back to a factory state, an enterprise wipe will only remove the organization's data. With an enterprise wipe, any user data on the device—as in the BYO use case—cannot and will not be touched.

From the console, issue an enterprise wipe on your device.  Show the device's notification of the wipe.

Discuss the removal of the organization's data. Show native mail has been removed. Or, better yet, show removal of the certificates from the MMC console certificates snap-in for a security-minded audience.
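For a security-minded audience, the certificate removal can be shown as a before/after comparison rather than by eye in the MMC snap-in. The PowerShell below is an added example, not part of the original guide; the function names and the snapshot file path are hypothetical.

```powershell
# Added example. Function names and the snapshot path are hypothetical.
function Get-CertInventory {
    # Personal ("My") stores for the user and the machine, the same stores
    # the MMC Certificates snap-in shows under Personal > Certificates.
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter.ToString('u')
            }
        }
    }
}

function Save-CertSnapshot {
    # Record the certificates present while the device is still enrolled.
    param([Parameter(Mandatory)][string]$Path)
    Get-CertInventory | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Compare-CertSnapshot {
    # Re-read the stores and mark each snapshotted certificate as
    # Removed or StillPresent, keyed on store plus thumbprint.
    param([Parameter(Mandatory)][string]$Path)
    $now = @(Get-CertInventory | ForEach-Object { "$($_.Store)|$($_.Thumbprint)" })
    Import-Csv -Path $Path | ForEach-Object {
        $key   = "$($_.Store)|$($_.Thumbprint)"
        $state = if ($now -contains $key) { 'StillPresent' } else { 'Removed' }
        $_ | Add-Member -NotePropertyName State -NotePropertyValue $state -PassThru
    }
}

# Before issuing the enterprise wipe from the console:
#   Save-CertSnapshot -Path "$env:TEMP\certs-before-wipe.csv"
# After the device shows the wipe notification:
#   Compare-CertSnapshot -Path "$env:TEMP\certs-before-wipe.csv" |
#       Sort-Object State, Store |
#       Format-Table State, Store, Subject, Issuer -AutoSize
```

Certificates listed as `StillPresent` were not touched by the wipe; check their `Issuer` column to confirm they did not come from the organization.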

For Additional Support

Review Our Knowledge Base

Submit a Ticket

