Validating Workspace ONE UEM Console Settings

The first step when troubleshooting Windows devices is to check several of the console settings.

1. Navigate to All Settings

Open All Settings in Workspace ONE UEM Console

In the Workspace ONE UEM Console:

  1. Select Groups & Settings.
  2. Select All Settings.

2. Check Device Root Certificate

Check Device Root Certificate in Workspace ONE UEM Console

Although Workspace ONE UEM automatically generates the Device Root Certificate, you should always check this first. Checking the Device Root Certificate can save hours troubleshooting on the device.

  1. Navigate to System > Advanced > Device Root Certificate.
  2. Ensure that the Device Root Certificate is generated, and the Device Root Certificate is of type Pfx and not Cer.
  3. Check that the certificate is generated at your Organization Group and not Global—Global is sufficient for on-premises users but if you experience issues then generate at Customer Organization Group.

3. Check Workspace ONE Intelligent Hub

Verify the AirWatch Protection Agent is configured correctly in the Workspace ONE UEM console
  1. Navigate to Devices & Users > Windows > Windows Desktop > Intelligent Hub Application
  2. If you want to use the Hub for Product Provisioning, local enforcement, BitLocker, and so on, then ensure it is enabled and assigned to the correct ownership types.

Important: If you are enrolling devices that do not support pushing Win32 apps such as HoloLens, Surface Hub, Windows 10 Home, Windows 10 Core, and so on, then ensure that the agent is not selected.

4. Check Azure AD Settings

Azure AD Settings
  1. Navigate to System > Enterprise Integration > Directory Services.
  2. Verify Azure Integration is configured correctly in the console. The most common errors with Azure integration are as follows.
    • Not adding the on-premises app in Azure for URLs other than
    • Not matching the Immutable ID Mapping Attribute
    • Not using the correct data type for Immutable ID
    • Not using the Binary for objectGUID or ms-DS-ConsistencyGuid and String for any non-GUID value.

Note: If you cannot save your Azure AD for Identity settings, save your Directory Services options before enabling Use Azure AD For Identity Services. For example, if you add a new directory, save before continuing, or if you remove your directory, save before adding Azure.

Workspace ONE UEM can integrate with Azure in two models:

  • Pure Azure AD — Accounts are directly created in Azure and are not sourced from anywhere else (for example, on-premises AD or another IdP). During out of box enrollment (OOBE) these accounts are automatically created in Workspace ONE UEM, just-in-time.
  • Hybrid Azure AD — Accounts are sourced from on-premises AD or a third-party identity provider. In this case, you must configure the Immutable ID Mapping Attribute to match the Source Anchor in Azure AD Connect, or the Immutable ID value being sent from the third-party.

5. Confirm Shared Device Options

Shared Device settings in the Workspace ONE UEM console.
  1. Navigate to Devices & Users > General > Shared Devices.
  2. If you use any of the staging workflows (command-line, PPKG, and so on) where the Windows 10 device is auto-reassigned to the end user by means of a staging account, validate that either Fixed Organization Group or User Group Organization Group is selected for the Group Assignment Mode.

Important: If you do not change the Group Assignment Mode, the agent prompts the end user for a group ID after reassignment. This can negatively impact the user experience.

6. Verify TLS Mutual Auth for Windows Setting

Disable TLS Mutual Auth for Windows 10 in the Workspace 1 UEM console
  1. Navigate to Devices & Users > General > Enrollment.
  2. Click Optional Prompt. 
  3. If you are on the latest version of the console, you will not see this option. If you are on an older version, verify that Enable TLS Mutual Auth for Windows is set to your required setting. Most customers have this deactivated. If you are unsure, deactivate this setting to prevent communication issues with Windows devices.

Note: Enabling this option forces Windows devices to use endpoints secured by TLS Mutual Authentication. This requires additional setup and configuration.


Add your comment

E-Mail me when someone replies to this comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.