Workspace ONE UEM communicates to Windows 10 devices using two different communication methods:

• Windows Notification Service (WNS) - used by the native MDM client built into the device (OMA-DM client) much like APNs (iOS) or GCM/FCM (Android). This allows for real-time communications with Workspace ONE UEM. Ensure your devices or the network they are connected to are able to communicate to WNS for real-time communications, if WNS is blocked devices will fallback to using intervals to check-in with Workspace ONE UEM. Refer to Windows Notification Service (WNS) WIP and IP Ranges for whitelisting WNS on your network.
• AirWatch Cloud Messaging (AWCM) - used by the Windows Unified Agent (AirWatch Protection Agent) for real-time communications with the device for deploying profiles and products. If AWCM is blocked the Windows Unified Agent will revert to the configured interval in the Workspace ONE UEM console. Ensure your device is able to connect to AWCM, you can obtain the AWCM hostname via the console under System > Advanced > Site URLs.

There are several background clients used to manage Windows 10 devices, here is a list of all of the agents and clients:

• OMA-DM Client - Open Mobile Alliance (OMA) Device Management (DM) is a device management protocol used by Windows 10 devices. Enrollment and device communications use the OMA-DM protocol and is handled directly by the OMA-DM client on the device. Even when the Windows Unified Agent (AirWatchAgent.msi) is being used we are leveraging OMA-DM to enroll the device. The OMA-DM Client uses WNS as its communication channel with Workspace ONE UEM and leverages Microsoft Configuration Service Providers (CSPs) or APIs to configure the device (profiles) as well as VMware CSPs (customize built by VMware) for software distribution metadata being sent to the device.
• Windows 10 Unified Agent (AirWatch Protection Agent) - AWCM for communication and is used for various profiles, local enforcement of policies, and product provisioning.
• VMware AirWatch Agent (UWP - Store) - downloaded from the Microsoft Store, mainly used for GPS location tracking today
• Workspace ONE app - unified app catalog for Windows 10 with SSO and conditional access capabilities
• Software Distribution Client - when using Workspace ONE UEM Advanced+ and have Software Distribution enabled, Workspace ONE UEM will automatically install the Software Distribution client, which is used to install Win32 apps onto the device with granular capabilities compared to the Microsoft CSP.
• Adaptiva Client - when using Peer Distribution in the console, the Adaptiva Client is automatically installed on assigned devices, used for P2P of Win32 apps deployed via Software Distribution
• SCCM Integration Client - used to prevent SCCM from disabling MDM enrollment on SCCM pre-1710 and Windows 10 pre-1709
• AirWatch Provisioning client - installed on Dell auto enrollment enabled devices, used to discovery where to enroll a pre-registered Dell device via discovery.awmdm.com
• Dell Client Command Suite - in order to use the OEM Updates or BIOS profiles you must deploy the Dell Client Command Suite to your Windows 10 devices. Our Windows 10 Unified Agent communicates with these clients on the device to configure and manage the device.

We have reviewed the different communication methods as well as the various clients, now let's take a deeper dive into which profiles fit into each option.

OMA-DM (WNS)

• Passcode (uncheck use Protection Agent)
• Restrictions
• Exchange ActiveSync
• VPN
• Wifi
• Credentials
• Data Protection
• Windows Hello
• Windows Updates
• SCEP
• AppLocker (App Control)
• Windows Licensing
• Custom Settings (using OMA-DM)

Unified Agent (AWCM)

• Product Provisioning
• Passcode (checked use Protection Agent)
• Exchange Web Services
• Encryption (BitLocker)
• OEM Updates
• BIOS
• Anti-Virus
• Firewall
• OMA-DM (using Protection Agent)

1. OMA-DM Communication - Most important; this log collects every interaction between the device and Workspace ONE UEM.

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > scroll down to DeviceManagement-Enterprise-Diagnostics-Provider > select the Admin section

2. EDP - Enterprise Data Protection: Collects logs related to WIP and Audits

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > EDP Audit Regular Channel

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > EDP Audit TCB Channel

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > EDP App Learning

3. AAD & User Device Registration - Azure Active Directory:  Collects all information related to Azure Active Directory and Joining via AAD

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > AAD > select the Operational section

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > User Device Registration > select the Admin section

4. Hello For Business & User Device Registration - Windows Hello for Business:  Collects all information related to setting up and using WHfB

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > HelloforBusiness > select the Operational section

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > User Device Registration > select the Admin section

5. Modern App Deployments: Shows all errors and logs for AppX deployments.

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > Apps and Appx (e.g. AppXDeployment-Server)

6. Assigned Access - Logs related to Assigned Access (Single App Mode)

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > AssignedAccess

7. BitLocker - BitLocker information, or you can use "manage-bde -Status C:" command first

• Navigate to Event Viewer (Local) > Applications and Services > Microsoft > Windows > BitLocker-API and BitLocker-DrivePreperationTool

8. AirWatch Provisioning Service for Dell Auto Enrollment - Collects information pertaining to the AW Provisioning Service, very detailed logs

• Navigate to Event Viewer (Local) > Applications and Services > AirWatch-ProvisioningAgent > select the Operational section

9. AirWatch - Logs related to the AirWatch Agent, however we will discuss better ways of troubleshooting than using these logs

• Navigate to Event Viewer (Local) > Applications and Services > AirWatch

All MDM Profiles/Apps Pushed to Device - List of all the profiles (LocURI not values) pushed to the device, including applications. These are broken down by device profiles and user profiles identified by user's SID.

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked

MDM Profiles and Values - Values of profiles on the device. Default values and the updated values. Again broken up by device and user profiles.

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\providers\{Enrollment GUID}\default\Device

Application Management - Status of app installations along with additional information.

Store/Modern Apps

• HKEY_CURRENT_USER\SOFTWARE\Microsoft\EnterpriseModernAppManagement
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseAppManagement

MSI/Desktop Apps (Unified Agent, Software Distribution Client, Adaptiva Client, and all MSIs if using Workspace ONE UEM Standard)

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement

Software Distribution Apps

• HKEY_LOCAL_MACHINE\SOFTWARE\AirWatchMDM\AppDeploymentAgent
  • AppManifests will contain information regarding all of the settings selected in the console.
  • ContentManifests will contain where the device can download the software, such as Device Services URL, CDN URL, and P2P Content ID.
  • Queue/S-1-5-X  folders will contain the install status and logs for each application,  where S-1-5-18 will contain apps being pushed to the device and  S-1-5-21-X will contain apps being pushed to the user context.

Certificates, non SCEP - Certificate information for installed certificates.

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates

Adaptiva Client Settings

• HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adaptiva\client

1. Windows 10 Unified Agent (Protection Agent) - %ProgramData%\AirWatch\UnifiedAgent\Logs
   1. AWProcessCommands.log: Contains information on installs that utilize the Protection Agent such as encryption and product provisioning
   2. NativeEnrollment.log: Contains information around the agent-based enrollment methods
   3. PowershellExecute.log: Contains information on PowerShell commands that are run via product provisioning
   4. TaskScheduler.log: Contains information on the Task Scheduler's local enforcement of policies as well as sending samples such as custom attributes to the console
   5. AwclClient.log: Contains information on communications between AWCM client and Workspace ONE UEM
   6. SSOCommunicationHandler.log: Contains information on post enrollment SSO for the Unified Agent
   7. Updater.log: Contains information on the auto updating of the Windows 10 Unified Agent
   8. AwAirWatchIpc.log: Contains information around communication with Workspace ONE app and other services
   9. WorkspaceOneProvisioning.log: Contains information around downloading and installing the Workspace ONE app
2. AirWatch Provisioning Client - %ProgramData%\AwProvAgent
3. Adaptiva Client - %WINDIR%\AdaptivaSetupLogs\Client
   1. AdaptivaClientMSISetup.log
   2. AdaptivaClientSetup.log
4. Software Caching Locations
   1. Adaptiva Cache: C:\AdaptivaCache
   2. Software Distribution Cache: %ProgramData%\AirWatchMDM\AppDeploymentCache
5. Workspace ONE app - C:\Users\{user}\AppData\Local\Packages\AirWatchLLC.VMwareWorkspaceONE_htcwkw4rx2gx4\LocalState\LogFiles\Workspace1.log