Module 2 - Management Components & Log Locations

Before we take a deeper dive into logs and troubleshooting its imperative that you completely understand each management component and agent/client involved in managing Windows 10 devices.

Knowing what and where to look will help you when troubleshooting and will help determine root cause.

1. Understanding the Workspace ONE UEM Windows 10 Solution Stack

There are many communication methods and clients used to manage Windows 10 devices. In this section we will explore all of these components in detail. We will reference this image in the following sections.

1.1. Communications Methods

Workspace ONE UEM communicates to Windows 10 devices using two different communication methods:

  • Windows Notification Service (WNS) - used by the native MDM client built into the device (OMA-DM client) much like APNs (iOS) or GCM/FCM (Android). This allows for real-time communications with Workspace ONE UEM. Ensure your devices or the network they are connected to are able to communicate to WNS for real-time communications, if WNS is blocked devices will fallback to using intervals to check-in with Workspace ONE UEM. Refer to Windows Notification Service (WNS) WIP and IP Ranges for whitelisting WNS on your network.
  • AirWatch Cloud Messaging (AWCM) - used by the Windows Unified Agent (AirWatch Protection Agent) for real-time communications with the device for deploying profiles and products. If AWCM is blocked the Windows Unified Agent will revert to the configured interval in the Workspace ONE UEM console. Ensure your device is able to connect to AWCM, you can obtain the AWCM hostname via the console under System > Advanced > Site URLs.

1.2. Agents and Clients

There are several background clients used to manage Windows 10 devices, here is a list of all of the agents and clients:

  • OMA-DM Client - Open Mobile Alliance (OMA) Device Management (DM) is a device management protocol used by Windows 10 devices. Enrollment and device communications use the OMA-DM protocol and is handled directly by the OMA-DM client on the device. Even when the Windows Unified Agent (AirWatchAgent.msi) is being used we are leveraging OMA-DM to enroll the device. The OMA-DM Client uses WNS as its communication channel with Workspace ONE UEM and leverages Microsoft Configuration Service Providers (CSPs) or APIs to configure the device (profiles) as well as VMware CSPs (customize built by VMware) for software distribution metadata being sent to the device.
  • Windows 10 Unified Agent (AirWatch Protection Agent) - AWCM for communication and is used for various profiles, local enforcement of policies, and product provisioning.
  • VMware AirWatch Agent (UWP - Store) - downloaded from the Microsoft Store, mainly used for GPS location tracking today
  • Workspace ONE app - unified app catalog for Windows 10 with SSO and conditional access capabilities
  • Software Distribution Client - when using Workspace ONE UEM Advanced+ and have Software Distribution enabled, Workspace ONE UEM will automatically install the Software Distribution client, which is used to install Win32 apps onto the device with granular capabilities compared to the Microsoft CSP.
  • Adaptiva Client - when using Peer Distribution in the console, the Adaptiva Client is automatically installed on assigned devices, used for P2P of Win32 apps deployed via Software Distribution
  • SCCM Integration Client - used to prevent SCCM from disabling MDM enrollment on SCCM pre-1710 and Windows 10 pre-1709
  • AirWatch Provisioning client - installed on Dell auto enrollment enabled devices, used to discovery where to enroll a pre-registered Dell device via
  • Dell Client Command Suite - in order to use the OEM Updates or BIOS profiles you must deploy the Dell Client Command Suite to your Windows 10 devices. Our Windows 10 Unified Agent communicates with these clients on the device to configure and manage the device.

1.3. Profiles (OMA-DM vs Unified Agent)

We have reviewed the different communication methods as well as the various clients, now let's take a deeper dive into which profiles fit into each option.


  • Passcode (uncheck use Protection Agent)
  • Restrictions
  • Exchange ActiveSync
  • VPN
  • Wifi
  • Credentials
  • Data Protection
  • Windows Hello
  • Windows Updates
  • SCEP
  • AppLocker (App Control)
  • Windows Licensing
  • Custom Settings (using OMA-DM)

Unified Agent (AWCM)

  • Product Provisioning
  • Passcode (checked use Protection Agent)
  • Exchange Web Services
  • Encryption (BitLocker)
  • OEM Updates
  • BIOS
  • Anti-Virus
  • Firewall
  • OMA-DM (using Protection Agent)

2. Event Viewer Logs

When in Event Viewer you can quickly see that there are many folders for logging categories and they are pretty easy to navigate. In this section we will examine a common list of the most used locations when troubleshooting. You can also enable Debug logging by going to View > Show Analytic and Debug Logs.

2.1. Most Important Event Logs

1. OMA-DM Communication - Most important; this log collects every interaction between the device and Workspace ONE UEM.

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > scroll down to DeviceManagement-Enterprise-Diagnostics-Provider > select the Admin section

2. EDP - Enterprise Data Protection: Collects logs related to WIP and Audits

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > EDP Audit Regular Channel

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > EDP Audit TCB Channel

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > EDP App Learning

3. AAD & User Device Registration - Azure Active Directory:  Collects all information related to Azure Active Directory and Joining via AAD

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > AAD > select the Operational section

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > User Device Registration > select the Admin section

4. Hello For Business & User Device Registration - Windows Hello for Business:  Collects all information related to setting up and using WHfB

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > HelloforBusiness > select the Operational section

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > User Device Registration > select the Admin section

5. Modern App Deployments: Shows all errors and logs for AppX deployments.

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > Apps and Appx (e.g. AppXDeployment-Server)

6. Assigned Access - Logs related to Assigned Access (Single App Mode)

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > AssignedAccess

7. BitLocker - BitLocker information, or you can use "manage-bde -Status C:" command first

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > BitLocker-API and BitLocker-DrivePreperationTool

8. AirWatch Provisioning Service for Dell Auto Enrollment - Collects information pertaining to the AW Provisioning Service, very detailed logs

• Navigate to Event Viewer (Local) > Applications and Services > AirWatch-ProvisioningAgent > select the Operational section

9. AirWatch - Logs related to the AirWatch Agent, however we will discuss better ways of troubleshooting than using these logs

• Navigate to Event Viewer (Local) > Applications and Services > AirWatch

3. Registry Locations

Everything that happens in Workspace ONE UEM with these devices can be found in the registry. We will go over some of the most important locations. Please note these locations for referencing at a later time.

3.1. Most Important Registry Keys

All MDM Profiles/Apps Pushed to Device - List of all the profiles (LocURI not values) pushed to the device, including applications. These are broken down by device profiles and user profiles identified by user's SID.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked

MDM Profiles and Values - Values of profiles on the device. Default values and the updated values. Again broken up by device and user profiles.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\providers\{Enrollment GUID}\default\Device

Application Management - Status of app installations along with additional information.

Store/Modern Apps

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\EnterpriseModernAppManagement
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseAppManagement

MSI/Desktop Apps (Unified Agent, Software Distribution Client, Adaptiva Client, and all MSIs if using Workspace ONE UEM Standard)

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement

Software Distribution Apps

    • AppManifests will contain information regarding all of the settings selected in the console.
    • ContentManifests will contain where the device can download the software, such as Device Services URL, CDN URL, and P2P Content ID.
    • Queue/S-1-5-X  folders will contain the install status and logs for each application,  where S-1-5-18 will contain apps being pushed to the device and  S-1-5-21-X will contain apps being pushed to the user context.

Certificates, non SCEP - Certificate information for installed certificates.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates

Adaptiva Client Settings

  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adaptiva\client

4. Logging Locations

Logging provides us the most insight into issues dealing with enrollment, application deployment and various other interactions we have with the devices using Workspace ONE UEM.

Knowing which logs to look will help you when troubleshooting and will help determine root cause.

4.1. Understanding the Log Files

  1. Windows 10 Unified Agent (Protection Agent) - %ProgramData%\AirWatch\UnifiedAgent\Logs
    1. AWProcessCommands.log: Contains information on installs that utilize the Protection Agent such as encryption and product provisioning
    2. NativeEnrollment.log: Contains information around the agent-based enrollment methods
    3. PowershellExecute.log: Contains information on PowerShell commands that are run via product provisioning
    4. TaskScheduler.log: Contains information on the Task Scheduler's local enforcement of policies as well as sending samples such as custom attributes to the console
    5. AwclClient.log: Contains information on communications between AWCM client and Workspace ONE UEM
    6. SSOCommunicationHandler.log: Contains information on post enrollment SSO for the Unified Agent
    7. Updater.log: Contains information on the auto updating of the Windows 10 Unified Agent
    8. AwAirWatchIpc.log: Contains information around communication with Workspace ONE app and other services
    9. WorkspaceOneProvisioning.log: Contains information around downloading and installing the Workspace ONE app
  2. AirWatch Provisioning Client - %ProgramData%\AwProvAgent
  3. Adaptiva Client - %WINDIR%\AdaptivaSetupLogs\Client
    1. AdaptivaClientMSISetup.log
    2. AdaptivaClientSetup.log
  4. Software Caching Locations
    1. Adaptiva Cache: C:\AdaptivaCache
    2. Software Distribution Cache: %ProgramData%\AirWatchMDM\AppDeploymentCache
  5. Workspace ONE app - C:\Users\{user}\AppData\Local\Packages\AirWatchLLC.VMwareWorkspaceONE_htcwkw4rx2gx4\LocalState\LogFiles\Workspace1.log

Tip: For more details around Workspace ONE UEM logging locations for both other platforms and the server side, please refer to the VMware AirWatch Logging Guide at VMware Docs.


Add your comment

E-Mail me when someone replies to this comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.