Module 5 - Profile Troubleshooting

Profiles allow you to modify how the enrolled devices behave. This exercise helps you configure and deploy a Restrictions profile; later in the section we will verify that it has been applied to the device. In the next section, we will see how to validate what happens when there is an error.

1. Add a Restrictions Profile

In the upper-right corner of Workspace ONE UEM Console:

  1. Select Add.
  2. Select Profile.

1.1. Add a Windows Profile

Select the Windows icon.

Note: Make sure that you select Windows and not Windows Rugged.

1.2. Add a Windows Desktop Profile

Select Windows Desktop.

1.3. Select Context - Device Profile

Select Device Profile.

Tip: Windows 10 profiles can be installed in the User or Device context, but most of your profiles will be device profiles. User profiles are mostly for user certificates and configuring mail accounts. Keep in mind that user profiles apply only to the enrolled/managed user on the device, NOT to all users. Thus, be sure to use a staging workflow to have the enrollment reassigned to the correct user.

1.4. Define the General Settings

  1. Select General if it is not already selected.
  2. Enter a profile name such as Windows Restrictions in the Name text box.
  3. Copy the profile name into the Description field.
  4. Click in the Assigned Groups field. This will pop up the list of created Assignment Groups. Select the All Devices Assignment Group.
    Note: You may need to scroll down to view the Assigned Groups field.

Note: You do not need to click Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.

1.5. Select the Restrictions Payload

Note: When initially setting a payload, a Configure button will show to reduce the risk of accidentally setting a payload configuration.

  1. Select the Restrictions payload in the Payload section on the left.
  2. Click the Configure button to continue setting the Restrictions payload.

1.6. Adding a Restriction - Disable Cortana

  1. Using the scroll bar on the right, scroll down to the Device Functionality section.
  2. Select Don't Allow for Cortana.
  3. Notice the 10 on the right side of the Restrictions window. These are all the restrictions that Workspace ONE UEM can apply to a Windows 10 computer.
  4. Click Save & Publish.

1.7. Publish the Restrictions Profile

Click Publish.

1.8. Navigate to Profiles List View

  1. Select Devices.
  2. Select Profiles & Resources.
  3. Select Profiles.

1.9. Verify the Restriction Profile Now Exists

You should now see your Restrictions Profile within the List View of the Devices Profiles window.

Note: If you need to edit the Restrictions Profile, this is where you would do so. To edit the profile, click the profile name, then select Add Version. Update the profile and click Save & Publish to push the new settings to the assigned devices.

2. Add a Custom Settings Profile

Custom Settings profiles allow you to send SyncML that leverages CSPs to the device. The SyncML can be created manually, generated with the VMware Policy Builder, or taken from code.vmware.com/samples. This exercise helps you configure and deploy a Custom Settings profile; later in the section we will verify whether it has been applied to the device. In the next section, we will see how to validate what happens when there is an error.

In the upper-right corner of Workspace ONE UEM Console:

  1. Select Add.
  2. Select Profile.

2.1. Add a Windows Profile

Select the Windows icon.

Note: Make sure that you select Windows and not Windows Rugged.

2.2. Add a Windows Desktop Profile

Select Windows Desktop.

2.3. Select Context - Device Profile

Select Device Profile.

Tip: Windows 10 profiles can be installed in the User or Device context, but most of your profiles will be device profiles. User profiles are mostly for user certificates and configuring mail accounts. Keep in mind that user profiles apply only to the enrolled/managed user on the device, NOT to all users. Thus, be sure to use a staging workflow to have the enrollment reassigned to the correct user.

2.4. Define the General Settings

  1. Select General if it is not already selected.
  2. Enter a profile name such as Configure Windows Password in the Name text box.
  3. Click in the Assigned Groups field. This will pop up the list of created Assignment Groups. Select the All Devices Assignment Group.
    Note: You may need to scroll down to view the Assigned Groups field.

Note: You do not need to click Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.

2.5. Select the Custom Settings Payload

Note: When initially setting a payload, a Configure button will show to reduce the risk of accidentally setting a payload configuration.

  1. Select the Custom Settings payload in the Payload section on the left.
  2. Click the Configure button to continue setting the Custom Settings payload.

2.6. Adding a Custom Settings Profile

Copy and paste the following custom SyncML into the Custom Settings text area:

<Replace>
  <CmdID>1</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/Security/ConfigureWindowsPasswords</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
      <Type>text/plain</Type>
    </Meta>
    <Data>1</Data>
  </Item>
</Replace>
  1. Click Save & Publish.

Helpful Links: This custom SyncML leverages the Configure Windows Passwords CSP, which is only supported on 1803; thus, we will see this profile error out on our device later. To quickly generate your own custom settings profiles, leverage the VMware Policy Builder at https://VMwarePolicyBuilder.com. For more information about Microsoft CSPs, refer to http://aka.ms/CSPList; this site shows which editions and builds of Windows 10 each CSP supports.

Warning: When pushing <Exec></Exec> commands down to the device via a custom settings profile, you will want to uncheck the Make Commands Atomic checkbox. Only Add, Replace, Delete commands should be wrapped in Atomic tags.
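
The Atomic rule in the warning above can be checked before a payload is pasted into the console. The following PowerShell is an added example, not part of the original lab or of Workspace ONE UEM; Test-CustomSyncML, its parameters, and the Exec item's placeholder LocURI are hypothetical.

```powershell
# Added example, not part of the lab. Test-CustomSyncML and its parameters are
# hypothetical names; the rule checked is the Atomic warning above.
function Test-CustomSyncML {
    param(
        [Parameter(Mandatory)] [string] $SyncML,
        [bool] $MakeCommandsAtomic = $true   # state of the console checkbox
    )
    # The text area holds sibling commands with no root element, so add one.
    $doc = [xml]"<Root>$SyncML</Root>"
    foreach ($cmd in $doc.DocumentElement.SelectNodes('*')) {
        foreach ($item in $cmd.SelectNodes("*[local-name()='Item']")) {
            # local-name() ignores namespaces such as xmlns="syncml:metinf".
            $uri  = $item.SelectSingleNode("*[local-name()='Target']/*[local-name()='LocURI']")
            $fmt  = $item.SelectSingleNode("*[local-name()='Meta']/*[local-name()='Format']")
            $data = $item.SelectSingleNode("*[local-name()='Data']")
            $findings = @()
            if (-not $uri) { $findings += 'Item has no Target/LocURI' }
            if ($MakeCommandsAtomic -and ($cmd.LocalName -notin 'Add', 'Replace', 'Delete')) {
                $findings += "$($cmd.LocalName) cannot be Atomic: uncheck Make Commands Atomic"
            }
            $n = 0
            if ($fmt -and $fmt.InnerText.Trim() -eq 'int' -and
                -not ($data -and [int]::TryParse($data.InnerText.Trim(), [ref]$n))) {
                $findings += 'Format is int but Data is not an integer'
            }
            [pscustomobject]@{
                Command  = $cmd.LocalName
                LocURI   = if ($uri) { $uri.InnerText.Trim() }
                Findings = $findings -join '; '
            }
        }
    }
}

# The lab's payload plus a constructed <Exec> with a placeholder LocURI.
$payload = @'
<Replace><CmdID>1</CmdID><Item>
  <Target><LocURI>./Device/Vendor/MSFT/Policy/Config/Security/ConfigureWindowsPasswords</LocURI></Target>
  <Meta><Format xmlns="syncml:metinf">int</Format><Type>text/plain</Type></Meta>
  <Data>1</Data>
</Item></Replace>
<Exec><CmdID>2</CmdID><Item>
  <Target><LocURI>./Device/Vendor/MSFT/EXAMPLE-PLACEHOLDER/Action</LocURI></Target>
</Item></Exec>
'@
Test-CustomSyncML -SyncML $payload | Format-List
```

Passing -MakeCommandsAtomic $false models the unchecked checkbox, in which case the Exec item is no longer flagged.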

2.7. Publish the Custom Settings Profile

Click Publish.

3. Troubleshooting Profiles

In the previous sections we added two profiles. In this section we will see what a successful profile deployment looks like, as well as a failure. We have reviewed how to use Fiddler, Event Viewer logs, Registry keys, and log locations; all of these can be used to validate profiles and values. We can use Fiddler, Event Viewer, and Registry keys to validate that the profile installed, as well as the profile's values; however, we use Fiddler to ensure Workspace ONE UEM is sending the device the correct values, as well as to check for communication from the server.

3.1. Validating Profile via Fiddler

In the Workspace ONE UEM console, re-push your Restrictions profile, then quickly switch back to Fiddler and notice the new traffic. When inspecting the traffic received from the server, we can see the SyncML for our Restrictions profile. We see a value of 0, since we are disallowing the use of Cortana.

3.2. Validating Profile via Event Viewer

If you open Event Viewer and navigate to Application and Service Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin, you will see all of the events captured on the device sent from Workspace ONE UEM. The two most important Event IDs when dealing with profiles are 813 and 404, where 813 is Success and 404 is Failure. If you look at the details for the event, you can see that AllowCortana was sent to the Device context with a value of 0 to disable Cortana. You can also see that all of the items in the Restrictions profile were sent; this way, if only one element fails, the other nodes are still applied. Lastly, you could verify in the registry which profiles/values are set on the device. This is best used after the fact and if you don't have access to the console to re-push the profile or look at the values.

Tip: Event IDs 813 and 404 are the most important when troubleshooting profiles or commands sent to the device. 813 is a success and 404 is a failure. Looking at the 404 failures, you can see details such as not found, unsupported value, or unsupported edition. You will generally see the not found when trying to push newer CSPs to older builds of Windows.

3.2.1. Profile Failure in Event Viewer

If you open Event Viewer and navigate to Application and Service Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin, you will see all of the events captured on the device sent from Workspace ONE UEM. The two most important Event IDs when dealing with profiles are 813 and 404, where 813 is Success and 404 is Failure. If you look at the details for the event you can see that Configure Windows Passwords was not recognized on the device since this CSP is only supported on version 1803 and we are currently running 1709 on this device. You would also see errors if you attempt to push a Windows 10 Mobile only profile or a profile for Enterprise to a Pro or Home device.

Tip: Event IDs 813 and 404 are the most important when troubleshooting profiles or commands sent to the device. 813 is a success and 404 is a failure. Looking at the 404 failures, you can see details such as not found, unsupported value, or unsupported edition. You will generally see the not found when trying to push newer CSPs to older builds of Windows.
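
The Event Viewer check from sections 3.2 and 3.2.1 can also be scripted on the device. The following PowerShell is an added example, not part of the original lab; Get-MdmSettingStatus is a hypothetical helper, the sample events are constructed, and it assumes the setting name appears in the event message text.

```powershell
# Added example, not part of the lab. Get-MdmSettingStatus is a hypothetical
# helper; it assumes the setting name appears in the event message text.
$MdmAdminLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-MdmSettingStatus {
    param(
        [Parameter(Mandatory)] [string[]] $Setting,
        [object[]] $Records,     # omit to read the live log on the device
        [int] $Hours = 24
    )
    if (-not $PSBoundParameters.ContainsKey('Records')) {
        # Get-WinEvent errors when nothing matches; treat that as "no events".
        $Records = @(Get-WinEvent -FilterHashtable @{
            LogName = $MdmAdminLog; Id = 813, 404
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue)
    }
    foreach ($name in $Setting) {
        # The newest matching event decides: 813 = success, 404 = failure.
        $latest = $Records |
            Where-Object { ($_.Id -in 813, 404) -and ($_.Message -like "*$name*") } |
            Sort-Object TimeCreated -Descending |
            Select-Object -First 1
        if (-not $latest)           { $status = 'NoEvent' }
        elseif ($latest.Id -eq 813) { $status = 'Success' }
        else                        { $status = 'Failure' }
        [pscustomobject]@{
            Setting = $name
            Status  = $status
            Time    = if ($latest) { $latest.TimeCreated }
            Detail  = if ($latest) { $latest.Message }
        }
    }
}

# Constructed events (message wording is illustrative, not real log text).
$sample = @(
    [pscustomobject]@{ Id = 813; TimeCreated = [datetime]'2018-05-01T10:00:00'
                       Message = 'constructed: AllowCortana, Device context, value 0' }
    [pscustomobject]@{ Id = 404; TimeCreated = [datetime]'2018-05-01T10:05:00'
                       Message = 'constructed: ConfigureWindowsPasswords not found' }
)
Get-MdmSettingStatus -Records $sample -Setting 'AllowCortana', 'ConfigureWindowsPasswords', 'NotDeployedSetting'
```

On an enrolled device, omit -Records to query the live Admin log; a status of NoEvent means no 813 or 404 event mentioning that name was logged in the chosen window.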
