Win10 Management

Articles in section

Clean PC

External links:

CleanPC is the ability to remotely execute a PC Refresh (via MDM) which users can do manually on their device by going to Settings > Update & Security > Recovery > Reset this PC > Get Started, then you are presented with Keep my Files or Remove Everything.

This best explains the differences between Retaining User Data and without Retaining User Data. Calling these CSPs will un-enroll your device. If you are using the AirWatch Agent this will also be removed when calling retaining user data option. When the AirWatch Agent is removed this will un-enroll your device.

Subsections of Win10 Management

AppLocker

External link: https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps

AppLocker contains capabilities and extensions that allow you to create rules to allow or deny applications from running based on unique identities of files and to specify which users or groups can run those applications.

Using AppLocker, you can:

  • Control the following types of applications: executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp), DLL files (.dll and .ocx), and packaged apps (.appx).
  • Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.
  • Assign a rule to a security group or an individual user.
  • Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run except Registry Editor (Regedit.exe).
  • Use audit-only mode to deploy the policy and understand its impact before enforcing it.
  • Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, all criteria in the existing policy are overwritten.
Note

AppLocker is only supported on Windows 10 Enterprise and Education SKUs when using GPOs, however, when configuring via MDM (AirWatch) all versions are supported

Create AppLocker Rule (Windows side)

Use a test Windows 10 device.

Creating the AppLocker Configuration File

  • Click on the Windows logo
  • Enter “group policy”
  • Click Edit group policy

AppLocker GPO

  • Go to Windows SettingsSecurity SettingsApplication Control Policies → AppLocker
  • Click Configure rule enforcement

Enforce Packaged App Rules

In this example we will block the Xbox application (.appx). If you wanted to block RegEdit then you would configure the Executable rules.

  • Check Configured under Package app Rules; Enforce rules option is default,
  • You should ALWAYS test the rules before applying them, to do so, change the “Enforce rules” option to “Audit mode”. Once you’ve confirmed that the policy you’ve created at the end of the lab is working as expected then you return and change this back to “Enforce rules”
  • Click Apply & OK

Create Default Rules

  • Click Packaged app Rules, to start configuring the rules.
  • Right click in the white space to the right of the window
  • Select Create Default Rules

Edit Default Rule

For blacklisting only a few apps, start with an Allow rule and add your blacklisting exceptions. If you want to only allow a few apps then convert the default to a Block and whitelist your exceptions.

  1. Right click on the default rule
  2. Click Properties

Exceptions

  1. Click Exceptions
  2. Click Add…

Packaged App Reference

  1. Select Use an installed packaged as a reference
  2. Click Add…

Select Packaged Application

  1. Using the scroll bar, scroll to the bottom
  2. Check the Xbox app with Package Name of Microsoft.XboxApp & click OK

Package Name

All of the package’s information is pre-populated. You can block the Xbox app based on the specific version, package name, or by the publisher. We want to block any version of the Xbox application.

Raise the lever from Package version to Package name & click OK

Confirm Exceptions

  • Click Apply & OK
  • Now is the time to test if the policy is functioning correctly, if you can no longer access the xbox application on the device then you know that the policy working as expected.
  • As long as you do not see any other issues with the current configuration, go back to the app locker settings referred to in section 1.2 and change the “Audit mode” option to “Enforce rules”

Export AppLocker Policy

  • Right click AppLocker
  • Click Export Policy…
  • Save Policy as XML

Clear Policy

Now that we have exported our policy, we want to remove it from our test device.

  • Right click AppLocker

Click Clear Policy & Yes & OK

Create AppLocker Profile (AirWatch side)

Creating the Application Control Profile

  • In the AirWatch console go to click Device → Profiles → Add Profile → Windows → Windows Desktop → Device
  • Enter a profile name and select a Smart Group for the Assigned Groups
  • Select Application Control at the bottom of the policy list
  • Check the Import Sample Device Configuration box & click Upload
  • Upload the XML file create in the previous steps
  • Save & Publish the profile

Verify Profile

You should now see your Block Xbox Application Control (AppLocker) profile.

Bat Scripts

Device -> Staging & Provisioning -> Components -> Files/Actions -> Add Files/Actions button -> Windows Desktop button.

  • Files tab - script file itself
  • Manifest - permissions to run script with, folder where script is downloaded and run from, and type of action. To circumvent a bug in AirWatch 9.1.1 a batch file can be run by using the “Install” command instead of the “Run” command…

Note though that the ECHO command is always suppressed on the endpoint and even the pause command is escaped.

The script is run using System, Admin or User permissions - defined in the script Manifest.

The script is inserted in the Product (Device -> Staging & Provisioning -> Product List View → Add Product) with deployment options like Compliance triggers or Schedule for installation.

Desktop Auto-Enroll

Tip

The MVC4 Package is required. A lightweight version of the MVC4 installer is included, however the full version (which can be baked into the image) can be downloaded from: https://www.microsoft.com/en-us/download/details.aspx?id=30683

In order for machines to register you need to ensure they have a proper serial number. While this is never an issue on physical machines virtual machines often need updates to get working.

For FUSION Machines:

  1. Before you start the VM navigate to the root folder for the VM. You’ll see a config file with a .vmx extension.
  2. If you insert the following two lines in the .vmx file, it will boot with a shorter 12 Char serial number. Without this you cannot use WS1 or any feature that relies on serial number.
  3. SMBIOS.useShortSerialNumber = “TRUE”
  4. SMBIOS.use12CharSerialNumber = “TRUE”

For VSphere Machines:

  1. In the vSphere Web Client, navigate to the vCenter Server instance.
  2. Select the Manage tab.
  3. Select Advanced Settings.
  4. Click Edit.
  5. Add the following two lines:
  6. SMBIOS.useShortSerialNumber = “TRUE”
  7. SMBIOS.use12CharSerialNumber = “TRUE”

Step 1: Copy the contents of the AirWatch folder (optionally just copy the AirWatch folder) to a location of your choice. My preferred location for the files/folders is C:\Installs\AirWatch.

Step 2: Create a staging user in the AirWatch console at the top Organization Group. Set the staging mode to: Single User, Advanced: Enroll on behalf of user. Record the username and password of this user.

Step 3: (Optional): Download the latest agent (you can use the download_latest_agent1.ps1 in \setupfiles) then copy that agent to the same folder as the localdevice.exe OR Registration.cs file. Rename the file to AirWatchAgent.msi (you may need to replace an existing file).

Step 4: Create an AirWatch Administrator account API Service Account in AirWatch with Console Administrator role. Using a Base 64 encoder get the encoded string using the format:

`username:password`

Copy the encoded string to be used later in the INI file.

Step 5: Ensure that you have a Rest API key generated in the AirWatch Console. Settings -> General -> Advanced -> API -> REST API

Step 6: Modify the localdevice.ini file to reflect the correct settings. ; represent comments in ini files.

#************************************#
# 		 INI SAMPLE FILE			 #
#************************************#
[Config]
Authorization=Basic %BASE_64_ENCODED_API_CREDENTIALS%
API_Key=%API_KEY%
API_Server=https://%API_SERVER_URL%/api
Enrollment_Server=%ENROLLMENT_SERVER_URL%
;LocationGroupID is Optional - can search by group id
LocationGroupID=%LOCATIONGROUP_ID% 
GroupID=%GROUP_ID%
AdminEmailAddress=%ADMIN_EMAIL_ADDRESS%
StagingUser=%STAGING_USERNAME%
StagingPassword=%STAGING_PASSWORD%

[SMTP]
UseSMTP=0
SMTPServer=%SMTPServer%
Sender=%SMTPSender%

[Staging]
AllowedStagingUsers=%UserAccount% 
;Deliniate multiple accounts using commas.  Use a period to represent local machines
;Azure Users 

[Debug]
EnableDebug=0
DebugUser=%DebugUserName%
;This section is for testing only.  Delete entire section when deploying.

Step 7: In the imaging software you will like to use, you will need to copy the software to the install path, and either have the scheduled task built OR have an instruction to install the scheduled task. The recommended approach is the \setupfiles\install_task_psonly.ps1

Step 8: On user login the device will:

  1. Register with AirWatch
  2. Enroll

Packet Sniffing

External link: https://techzone.vmware.com/troubleshooting-windows-10-vmware-workspace-one-operational-tutorial#968025

Use Fiddler. Fiddler is a free web debugging proxy server tool (local MitM-attack) which logs HTTP(S) (with decryption, using fake certificate) traffic to quickly obtain all network communications to and from the device.

Installation

  • Download and install Fiddler on Windows 10 client device

https://www.telerik.com/download/fiddler

  • Run Fiddler, click Cancel to disable warning

Configuration

  • Select WinConfig button

  • Choose No in “Orphaned Exemption Record Found” message window

  • In “AppContainer Loopback Exemption Utility” window, choose Exempt, then Save Changes, then close the window This setting captures UWP application traffic and setting on Windows 10. By default, Fiddler captures traffic only for Win32 app types.

  • Use Menu Tools → Options…

  • Check Decrypt HTTPS Traffic

  • Confirm all warnings: Yes, Yes, Yes, OK

  • Configure filters: most simple way is to only show traffic from specific hosts

  • Toggle Capture traffic in Menu File → Capture Traffic, OR use F12 hotkey

Traffic Inspection

  • Click Inspectors
  • Select Raw. Because most MDM/IDM communication is in SyncML format, for Windows 10, always select XML.
  • If inspecting HTTPS packets, they may be encoded, the click “Response body is encoded. Click to decode” message.

Enrollment Troubleshooting

The most important sessions which deal with enrollment are the Policy.aws and Enrollment.aws messages and the authentication traffic in them.

SCCM Enroll Check

#Compliance Script. For use in SCCM Compliance item as a discovery script.
#Checking first for Airwatch Enrollment
$val = (Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\*" -ErrorAction SilentlyContinue).PSChildname
 
#Now checking whether enrollment is with a real user or the staging user
$path2 = "HKLM:\SOFTWARE\Microsoft\Enrollments\$val"
$val2 = (Get-ItemProperty -Path $PATH2 -ErrorAction SilentlyContinue).UPN
 
#This will be "Completed" if it is staged enrollment has completed but not yet flipped to final user
$staging = (get-itemproperty -path HKLM:\SOFTWARE\AIRWATCH\EnrollmentStatus -ErrorAction SilentlyContinue).status
$reassignment = (get-itemproperty -path HKLM:\SOFTWARE\AIRWATCH\Reassignment -ErrorAction SilentlyContinue).status
 
 
if ($staging -eq "Completed" -and $reassignment -eq $null)
{
    Write-Host "Non-Compliant"
}
Elseif ($val2 -like "*staging*" -or $val2 -eq $null)
{
    Write-Host "Non-Compliant"
}else
{
    write-host "Compliant"
 
}

Software Distribution

This feature is available through the Apps & Books section. The article also suggests ways to get the executable commands to enter for your Win32 applications in the AirWatch Console. It ends with steps to troubleshoot issues.

Validated Use Cases

AirWatch validated the success of the software distribution feature in the listed use cases. Review the list and see if your deployment is similar to the validated use cases.

  • Silent deployment of MSI applications
  • MSIs with multiple transforms, and the ability to deploy different transforms to different sets of users
  • 64 and 32 bit apps on 64 bit devices
  • Installers with registry validations and file checks after installation
  • Patch applied to an already deployed application
  • Application installation on system context and user context
  • A complete silent application installation
  • Application installation with dependencies
  • Packages with scripts that invoke multiple files (ZIP files that contain PowerShell scripts, EXE, and MST)
  • Installation of applications that require reboot
  • Applications with disk space, battery, and RAM checks
  • Uninstallation of installed applications

Application-specific templates

Internet Explorer

External link - Internet Explorer CSP Documentation

To deploy this sample, navigate to  Devices & User > Profile > Add > Windows > Desktop > Device > Custom Settings, then copy and paste the SyncML into the box and publish the profile.

  • Modify the values inside of the data tags.
  • Change the target of the policies to either device or user. Inside of you will want to change to either ./Device/ or ./User/ but be careful as some policies support User, Device, or Both.

Google Chrome

Deploy attached Chrome CSPs samples via AirWatch. To deploy navigate to Devices & User > Profile > Add > Windows > Desktop > Device > Custom Settings, then copy and paste the SyncML into the box and publish the profile.

  • Modify the values inside of the data tags.
  • Change the target of the policies to either device or user. Inside of you will want to change to either ./Device/ or ./User/ but be careful as some policies support User, Device, or Both, you can reference which are support by looking at the Chrome ADMX template.

Tips to Get Configurations

Review some ways to get the commands and criteria for the Win32 application. Enter the data in the AirWatch Console when you upload the Win32 application package.

Get the Install Command

Review a few ways to get install commands for Win32 applications.

Note: If an install command prompts for user interaction on the UI, then enter these commands with the User option in the Install Context option.

  • Call any script from the command-line that results in a successful installation of the Win32 application.
  • The MSI file has the install command pre-populated with silent parameters. You can edit and update these in the AirWatch Console.
  • If the EXE or ZIP file contains the MSI file of the Win32 application, use the msiexec command to install.

Get the Uninstall Command

Review some ways to get uninstall command for Win32 applications.

  • In a command-line session, use the /? or /help parameters to display supported actions. For example, Mysampleapp.exe /?.
  • Look at the HKEYs in the listed registries on the device.
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
    • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
    • HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\
  • If the EXE contains an underlying MSI, use the msiexec uninstall command. For example, msiexec /x <path_to_file>.

Get Detection Criteria

Use detection criteria to determine if the Win32 application is on devices. To get the detection criteria, install the application and identify the checks on the device.

  • Product ID check

    • Run the wmic command and use WMIC Product where name=”.
    • Look at the HKEYs in the listed registries on the device for the product ID.
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
      • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
      • HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\
  • File check

    • Look at the HKEYs listed for Product ID check to find the file criteria.
    • Look in the Program Files folder or the Program Files(X86) folder to find the file criteria.
  • Registry check 

  • Look at the HKEYs listed for Product ID check to find registries.

  • Look in HKEY_CLASSES_ROOT\Installer\Products.

Get Exit Codes

Use the environmental variable, %errorlevel%, to get exit codes. Use it in conjunction with built-in DOS commands like ECHO, IF, and SET to preserve the existing value of %errorlevel%.

  1. In a command-line session, run the install command for the Win32 application.
  2. Run ECHO %errorlevel%.
  3. The %errorlevel% variable returns the reboot exit code, if the Win32 application requires a reboot for installation.

Troubleshoot Software Distribution Issues

Win32 application installations involve the successful execution of multiple steps. If your application installation fails, follow the troubleshooting steps to find the issue.

Win32 Package Received Reported by App Deployment Agent

The App Deployment Agent on the user’s device handles Win32 application installations. The system deploys the agent to devices either upon enrollment or when it collects the latest App List sample from devices that are already enrolled.

The system holds the app-install commands in the queue until the agent reports back that the application installed.

Steps

Check the following components to see that the agent installed on your end-users’ devices.

  • In the AirWatch Console, check that the device successfully enrolled and syncs with the console.
  • Check the registry for the AW App Deployment Agent.
  1. Open a command-line session and run regedit. This opens the Registry Editor.
  2. In the Registry Editor, go to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > EnterpriseDesktopAppManagement.
  3. Look for the AW App Deployment Agent. The correct status value for the AW App Deployment Agent is 70.
  • Check services on the device to ensure that the AW App Deployment Agent is running.
  • Check the registry for the AW MDM nodes.
  1. Open a command-line session and run regedit. This opens the Registry Editor.
  2. In the Registry Editor, go to HKEY_LOCAL_MACHINE > SOFTWARE > AirWatchMDM > AppDeploymentAgent.
  3. Find three nodes. If these three nodes are missing, then the device did not receive the Win32 application package.
  • App Manifest – This node contains information about the options set in the AirWatch Console on the Deployment Options tab.
  • Content Manifest – This node contains information about the options set in the AirWatch Console on the Files tab.
  • Queue – This node contains detailed logs about the installation of the application. You can view the logs to check the progress of the download of the application.

Win32 Application Installation Status

After the agent installs on devices, you can track the application installation to troubleshoot issues. The install status for the Win32 application displays the listed statuses. 

  1. Install command ready for device – The install command is queued on the device but the device has not checked in to the AirWatch system.
  2. Install command dispatched – The device checks in to the system and consumes the install command.
  3. Installing – The Win32 application is downloading and the installation is in progress on the device. 
  4. Installed – The installation is complete and the device sent an alert to the AirWatch Console.

Status Codes

Expand to see…
Status CodeDescription
TRANSFORM_CACHE_INPROGRESS = 0x700,
TRANSFORM_CACHE_FAILED,
TRANSFORM_CACHE_SUCCESSFUL,

Transform cache refers to any transformation on content downloaded. For example, unzip a zip package.

TRANSFORM_CACHE_FAILED: cache transformation precludes this operation. When unzip operation fails, this evaluation would fail. When runtime error happens, this evaluation would fail. Note that, unzip is running in non-overwrite mode, so if unzipping target directory already contains files which are also in the zip package, unzip would fail.

TRANSFORM_CACHE_SUCCESSFUL: cache transformation allows this operation.

SANITIZE_CACHE_INPROGRESS = 0x500,
SANITIZE_CACHE_FAILED,
SANITIZE_CACHE_SUCCESSFUL,

Sanitize cache would validate content cache against content manifest and delete any files that are not specified in content manifest.

SANITIZE_CACHE_FAILED: cache sanitize precludes this operation. When content files in cache folder are not matching ones specified in content manifest, this evaluation would fail. When runtime error happens, this evaluation would fail.

SANITIZE_CACHE_SUCCESSFUL: cache sanitize allows this operation

REQUIREMENTS_EVALUATION_INPROGRESS = 0x300,
REQUIREMENTS_EVALUATION_FAILED,
REQUIREMENTS_EVALUATION_SUCCESSFUL,

Requirements evaluation evaluate the conditions requirements to perform the install/uninstall operation. For example, evaluate memory, power, etc.

REQUIREMENTS_EVALUATION_FAILED: Requirements evaluation precludes this operation. When requirements are not met, this evaluation would fail. When runtime error happens, this evaluation would fail.

REQUIREMENTS_EVALUATION_SUCCESSFUL: Requirements evaluation allows this operation

PENDING_USER_SESSION = 0x800,
EXEC_DEPLOYMENT_INPROGRESS,
PENDING_EXEC_DEPLOYMENT_RETRY,
EXEC_DEPLOYMENT_FAILED,
EXEC_DEPLOYMENT_SUCCESSFUL,
PENDING_REBOOT,

PENDING_USER_SESSION: It's not used.

PENDING_EXEC_DEPLOYMENT_RETRY: "Install Command" / "Uninstall Command" execution failed and the client would retry again. Retry timeout and interval are specified through deployment manifest.

EXEC_DEPLOYMENT_FAILED: The "Install/Uninstall Command" execution precludes this operation after retrying. When command execution returns some exit code which is considered error (not matching success exit code, e.g), this evaluation would fail. When command execution is timed out, this evaluation would fail. When runtime error happens, this evaluation would fail.

EXEC_DEPLOYMENT_SUCCESSFUL: The execution allows this operation.

PENDING_REBOOT: The execution is finished and requires reboot.

PENDING_NETWORK_CONNECTIVITY = 0x600,
DOWNLOAD_CONTENT_INPROGRESS,
PENDING_DOWNLOAD_RETRY,

DOWNLOAD_CONTENT_FAILED,
DOWNLOAD_CONTENT_SUCCESSFUL,

/* Retry attempts elapsed and/or we need a new CM. We
* will suspend for a DOWNLOAD_CONTENT_FAILED for a given
* period of time, before rolling it back. */

"PENDING_NETWORK_CONNECTIVITY" indicates the underlying network condition has been changed and download would be reattempted in 5 mins interval with 3 retry count. (default).

"PENDING_DOWNLOAD_RETRY" indicates download would be reattempted in 5 mins interval with 3 retry count. (default)

FIRST_DETECTION_INPROGRESS = 0x100,
FIRST_DETECTION_FAILED,
FIRST_DETECTION_SUCCESSFUL,

Executes the detection criteria before installing or downloading the application.

Detection Failed indicates that the criteria defined was unable to detect the application or failed to be executed due to some runtime error which would abort the deployment. "LastStatusCode" would reflect the result.

Detection Successful indicates that the criteria were executed successfully and it successfully detected the application.

FINAL_DETECTION_INPROGRESS = 0x900,
FINAL_DETECTION_FAILED,
FINAL_DETECTION_SUCCESSFUL,

Final detection verifies the execution result in previous step. It has the same implications as first detection.

Detection Failed indicates that the criteria defined was unable to detect the application or failed to be executed due to some runtime error which would abort the deployment. "LastStatusCode" would reflect the result.

Detection Successful indicates that the criteria were executed successfully and it successfully detected the application.

DEPLOYMENT_OPERATION_QUEUED = 0x000a registry entry would be created under HKLM->SOFTWARE->AirWatchMDM->Queue

 DEPLOYMENT_OPERATION_FAILED = 0x40000000,

DEPLOYMENT_OPERATION_SUCCEEDED = 0x80000000,
DEPLOYMENT_OPERATION_SUSPENDED = 0xC0000000

DEPLOYMENT_OPERATION_FAILED: There are some runtime/fatal errors thrown and the operation is aborted.

DEPLOYMENT_OPERATION_SUCCEEDED: The operation is successfully performed.

DEPLOYMENT_OPERATION_SUSPENDED: On certain conditions, the operation has to be suspended. The suspended operation would be reattempted on predefined interval.

DEPENDENCIES_INPROGRESS = 0x400,
DEPENDENCIES_FAILED,
DEPENDENCIES_SUCCESSFUL,

Dependencies evaluation installs app dependencies. The installation of app dependency would go through the same deployment flow shown in this table.

DEPENDENCIES_FAILED: Dependencies evaluation precludes this operation. When dependency app deployment encounters failure on all evaluations here and the operation is considered being failed, for example, download failure or runtime error, this evaluation would fail.

DEPENDENCIES_SUCCESSFUL: Dependencies evaluation allows this operation

CHECK_REFERENCE_COUNT_INPROGRESS = 0x200,
CHECK_REFERENCE_COUNT_FAILED,
CHECK_REFERENCE_COUNT_SUCCESSFUL,

Reference Count is the count for app installation and number of apps who depends on it. The corresponding record/output for this stage is "InstallCount" in registry. The most significant bit in "InstallCount" is called "Permanent Bit" indicating whether the application is user installed. The remaining 31 bits are referring to actual reference count. If it is larger than 1 or it is equal to 0 for uninstallation, then the client state machine would preclude the following steps.

CHECK_REFERENCE_COUNT_FAILED: Reference count evaluation precludes this operation (install/uninstall). When the application is already installed/uninstalled, this evaluation would fail. When application is installed externally (user installed), this evaluation would fail. When any other runtime error happens, this evaluation would fail.

CHECK_REFERENCE_COUNT_SUCCESSFUL: Reference count evaluation allows this operation (install/uninstall).

Steps

If the installation fails after status #2, Install command dispatched, take these steps to find the reason for the failure.

  1. In the AirWatch Console, validate the configurations for the Win32 application on the Deployment Options tab.
    1. Go to Apps & Books > List View > Internal and edit the Win32 application.
    2. Select Edit > Deployment Options tab.
    3. In the How To Install section, review the Install Context configurations for Device or User.
    4. Review the Admin Privileges setting.
    5. Review the Install Command setting.
    6. Side-load the application to the device to see if this actions triggers the install command.
  2. In the AirWatch Console, look at the Console Event Logs to find the reason for the failure in HUB > Reports & Analytics > Events > Console Events.
  3. Look for a failure reason on the device.
    1. On the device, open a command-line session and run regedit. This opens the Registry Editor.
    2. In the Registry Editor, go to HKEY_LOCAL_MACHINE > SOFTWARE > AirWatchMDM > AppDeploymentAgent.
    3. Look in the Queue node at the log field.
    4. If there is no Queue node, look for a node with the device or user SID. This value has the Win32 application product code. Select the product code to view the reason for installation failure.

Review the App Installer  Flow chart  for a depiction of how the device validates the pre and post installation checks.

SQL Queries for Win Apps

Check DB

  • Check DB command id for Profile Installation
SELECT * FROM deviceCommandQueue.DeviceQueueAudit WHERE deviceid='';

  • Copy transaction id from SQL DB ‘CBDFAD47-28F4-4D63-(A1D-91C3542840’ and search in syncml inside Device Services logs

  • Request Sent to Device 1.2DM/1.2721174828C828F0E444B325860CB5C3037Dhttps://migtest.ssdevrd.com/DeviceServices/Dm.svc/token/uq7Qncbdfad47-28f4-4d63-9a1d-91c3542840161ca07aea-16ea-4989-b793-0fe0d44d28ae./cimv2/MDM_AppInstallJob/MDM_AppInstallJob.JobID=%22WC_96%22/Exec=CreateJobchrtext/plainJobData=<AppInstallJob id=“96”><WebApplication PackageFullName=“webclicp” ActionType=“1” DeploymentOptions=“1” IsBundle=“false”><ContentURLList><ContentURL>https://google.com</ContentURL></ContentURLList><FrameworkDependencies/></WebApplication></AppInstallJob> 

  • Response Received from Device 1.2DM/1.2722https://migtest.ssdevrd.com/DeviceServices/Dm.svc/token/uq7Qn174828C828F0E444B325860CB5C3037D110SyncHdr20021cbdfad47-28f4-4d63-9a1d-91c354284016Atomic200311ca07aea-16ea-4989-b793-0fe0d44d28aeExec200 

  • DB Queries

-- GENERAL QUERIES
 
SELECT * FROM dbo.Device WHERE DeviceID = '';
SELECT * FROM dbo.DeviceMappingWindowsPhone WHERE DeviceID = '';
SELECT * FROM deviceCommandQueue.DeviceQueueCommand;
SELECT * FROM deviceCommandQueue.DeviceQueue WHERE DeviceId = '';
SELECT * FROM deviceCommandQueue.DeviceQueueAudit WHERE DeviceId = '';
SELECT * FROM deviceCommandQueue.DeviceQueue WHERE DeviceID IN (9275,9276);
SELECT * FROM deviceCommandQueue.DeviceQueueAudit WHERE DeviceID IN (9275,9276);
 
DELETE FROM deviceCommandQueue.DeviceQueue WHERE DeviceID IN (9275,9276);
DELETE FROM deviceCommandQueue.DeviceQueueAudit WHERE DeviceID IN (9275,9276);
 
-- PROFILE QUERIES
 
SELECT * FROM deviceProfile.DeviceProfile WHERE DeviceProfileID = '';
SELECT * FROM deviceProfile.DeviceProfileVersion WHERE DeviceProfileID = '';
SELECT * FROM deviceProfile.DevicePlatformSettingGroup WHERE DevicePlatformID IN (11,12);
SELECT * FROM deviceProfile.DevicePlatformSetting WHERE DevicePlatformSettingGroupID = '';
SELECT * FROM deviceProfile.DeviceProfileSettingValue WHERE DeviceProfileVersionID = '' AND DevicePlatformSettingID = '';
 
EXEC [deviceProfile].[DeviceProfile_Delete] '';
 
SELECT * FROM deviceProfile.DevicePlatformSetting WHERE DevicePlatformSettingGroupID = 417;
SELECT * FROM deviceProfile.DeviceProfileSettingValue WHERE DeviceProfileVersionID = 42866 AND DevicePlatformSettingID IN (40646,40647,40674,40675);
SELECT * FROM deviceProfile.DeviceProfile WHERE DeviceProfileID = 9407;
SELECT * FROM deviceProfile.DeviceProfileVersion WHERE DeviceProfileID = 9407;
 
-- APPLICATION SPECIFIC
 
SELECT * FROM device application;
SELECT awapptargetidentifier,* FROM deviceapplication.application WHERE DeviceTypeID=12 AND ISSystemApplication=1;
 
-- DELETE DEVICE
 
EXEC Device_delete '';
 
-- SCHEDULER
 
SELECT * FROM interrogator.Scheduler WHERE DeviceID = '';
 
-- PRODUCTS
 
SELECT * FROM [provisioningPolicy].[PolicyEngineQueue];
SELECT * FROM [provisioningPolicy].[DevicePolicy];
SELECT * FROM [provisioningPolicy].[DevicePolicyJob];
SELECT * FROM [provisioningPolicy].[DevicePolicyJobStatus];
SELECT * FROM [provisioningPolicy].[PolicyEngineAction];
 
-- PATCH MANAGEMENT
 
SELECT * FROM osupdate.RevisionAssignment;
SELECT * FROM smartGroup.AWEntitySmartGroupAssignmentMap WHERE RevisionAssignmentID IN (18);
SELECT * FROM smartGroup.AWEntitySmartGroupAssignmentMap_Audit WHERE RevisionAssignmentID IN (18);
SELECT * FROM osUpdate.UpdateDeviceAssignment;
 
DELETE FROM smartGroup.AWEntitySmartGroupAssignmentMap WHERE RevisionAssignmentID IN (18);
DELETE FROM smartGroup.AWEntitySmartGroupAssignmentMap_Audit WHERE RevisionAssignmentID IN (18);
DELETE FROM osupdate.RevisionAssignment;
DELETE FROM osUpdate.UpdateDeviceAssignment;
 
SELECT * FROM osUpdate.UpdateEula;
SELECT * FROM osUpdate.UpdateEulaAcceptance;
SELECT * FROM osUpdate.UpdateMetaDataUpdateEulaMap WHERE UpdateMetadataID = 21117;
SELECT * FROM osUpdate.UpdateMetadata WHERE UpdateMetadataID = 21117;
SELECT * FROM osUpdate.Revision WHERE RevisionID = 189518;
SELECT * FROM osUpdate.UpdateDescription WHERE UpdateMetadataID = 21117;
 
EXEC osUpdate.LoadRevisionAssignments  @LocationGroupID=3711 , @RevisionID = @RevisionID;
 
SELECT * FROM osUpdate.UpdateEULA;
SELECT * FROM osUpdate.UpdateEulaAcceptance WHERE LocationGroupID = 3711;
SELECT * FROM osUpdate.UpdateEulaLocationGroupMap;
SELECT * FROM osUpdate.UpdateMetaDataUpdateEulaMap;
SELECT * FROM osUpdate.UpdateMetadata WHERE RevisionID IN (794,799,800);
 
--INSERT INTO osUpdate.UpdateEULA([Language],DescriptionText,[Hash],MSEULAID) VALUES ('en','EULA','rKUV1NrYBUeMDv3uQ8dOD0LqUX4=','3c7d5240-94f7-4df7-9c8c-489b8cf2b58a');
--INSERT INTO osUpdate.UpdateEULA([Language],DescriptionText,[Hash],MSEULAID) VALUES ('en','EULA','rKUV2NrYBUeMDv3uQ8dOD0LqUX4=','3c7d5240-94f7-4df7-9c8c-489b8cf2b58b');
--INSERT INTO osUpdate.UpdateEULA([Language],DescriptionText,[Hash],MSEULAID) VALUES ('en','EULA','rKUV3NrYBUeMDv3uQ8dOD0LqUX4=','3c7d5240-94f7-4df7-9c8c-489b8cf2b58c');
--INSERT INTO osUpdate.UpdateMetaDataUpdateEulaMap(UpdateMetaDataID,UpdateEULAID) VALUES (36,10);
--INSERT INTO osUpdate.UpdateMetaDataUpdateEulaMap(UpdateMetaDataID,UpdateEULAID) VALUES (37,11);
 
DELETE FROM smartGroup.AWEntitySmartGroupAssignmentMap WHERE RevisionAssignmentID IN (30,31,32);
 
-- WINDOWS AUTO-ENROLLMENT
 
SELECT * FROM dbo.SystemCodeCategory WHERE SystemCodeCategoryID = 420;
SELECT * FROM dbo.SystemCodeGroup WHERE SystemCodeGroupID = 420;
SELECT * FROM dbo.SystemCode WHERE SystemCodeGroupID = 420;

Command ID with Command Name details

Command NameCommand ID
DeviceInformation3
DeviceLock4
AppList Sample5
CertificateListSample6
InstallProfile

7

ProfileList8
ProvisioningProfileList9
RemoveProfile10
SecurityInformation12
BreakMDM15
InstallApplication21
ManagedApplicationList23
RemoveApplication24
RemoteControl34
ChangePasscode40
InstallProvisioningPolicy60
RemoveProvisioningPolicy61
EnterpriseReset64
OSUpdates100
HealthAttestation104
HealthAttestationCertificate105
HealthAttestationStatus106
SelectiveAppListSample116
ApproveUpdate126
UnApproveUpdate127
RemoveUpdate130
SyncSensors

143

SyncML

Create a Complete Block of SyncML

A complete block of SyncML code consists of the following attributes:

  • Runs from<[characteristic]>to<[characteristic]>
  • Uses Add, Delete, Replace, or Exec as a characteristic.
  • Does not contain text before or after the characteristics.
  • May or may not remove all whitespace and linearize the code block to condense its size.
For Example:

<Replace><CmdID>2</CmdID><Item><Target> <LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI></Target> <Meta><Format xmlns="syncml:metinf">chr</Format></Meta><Data> {"Account":"standard","AUMID":"AirWatchLLC.AirWatchBrowser_htcwkw4rx2gx4!App"}</Data></Item></Replace>

Update or Delete Settings

Manually apply tags to update or delete settings using a Windows 10 custom settings profile.

  • To update settings, use the replace tag: <Replace> to </Replace>
  • To remove settings, use the delete tag: <Delete> to </Delete>
For Example: Remove Kiosk Assigned Access Setting

<Delete><CmdID>2</CmdID><Item><Target> <LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI></Target></Item></Delete>

Configure a Windows 10 Custom Settings Profile

Create a block of SyncML code:

  1. Go to VMware Code Sample Exchange.
  2. Find the correct sample.
  3. Copy the text.

Copy the Profile Settings from the Latest AirWatch Console

  1. Log into a version of the AirWatch console that supports the desired profile functionality.
  2. Configure and Save this payload to create a profile.
  3. Find the new profile in the list view: 1) Click its radio button. 2) Click the </>XML option. 3) Copy the SyncML that appears.
  4. Paste the SyncML into a text editor, and edit it: 1) Remove lines of text so that all the code falls between the tags: <[ Add, Delete, Replace, or Exec ]> to <[ Add, Delete, Replace, or Exec ]> 2) Optionally, remove the whitespace, and linearize the SyncML.
  5. Copy the formatted code.

Create New SyncML

  1. Go to the Configuration Service Provider (CSP) Reference.
  2. Access the newest Windows Insider features.
  3. Follow the site’s available guidelines to create the code sample.
  4. Copy the text.

Publish SyncML code:

  1. Navigate to Devices > Profiles > List View > Add > Add Profile > Windows > Windows Desktop.

  2. Refer to the LocURI to determine the profile’s context.

    • User Profile: Select if the LocURI begins with ./User/.
    • Device Profile: Select if the LocURI begins with ./Device/.
  3. Configure General settings to determine how the profile deploys and who receives it.

  4. Select the Custom Settings payload.

  5. Click Configure, and paste the complete block of SyncML code in the text box.

  6. Select Save & Publish.

Windows SSO

External Links:

Configuration

  • You must have a CA with template for SSO. Refer to MobileSSO for iOS for configuring internal AirWatch CA with SCEP protocol.
  • Check WS1 Access network ports.

Certificate Chain

  • From version of vIDM 1903+ Cert Auth Service port TCP7443 must be opened for vIDM Appliance (regardless of connector).
  • Also certificate chain and private key must be pasted into vIDM Appliance Admin Portal (accessed via port TCP8443).

Reference document - https://docs.vmware.com/en/VMware-Identity-Manager/19.03/vidm-install/GUID-B625A0BA-2991-4F46-9D41-A1BD8C4D8BE2.html

On AirWatch / Workspace ONE UEM side

  • If inner AirWatch CA/SCEP is used, go to Groups & Settings → All Settings → Enterprise Integration → Workspace ONE Access → Configuration, click Certificate → EXPORT button
  • Go to Devices → Profiles & Resources → Profiles → ADD → Add Profile → Windows → Windows Desktop → User Profile and make a User profile
Warning

There is also a Windows Desktop → Device Profile. Do NOT use it for SSO/Conditional Access, it will not work!

  • Give it a Name. Example: “Win10 SSO”. Select a group in Smart Groups. For example, choose all devices (World icon)

  • Go to SCEP tab/payload, and set:

    Credential Source: **AirWatch Certificate Authority
    **Certificate Template: **Certificate (Cloud Deployment)
    **Issuer: CN=<Issuer name in certificate, example = name of current Organization Group>

On vIDM / Workspace One Access side

  • Go to Identity & Access Management → Manage and select Authentication Methods
  • Choose Certificate (Cloud Deployment) authentication method (pencil icon)
  • Check the Enable Certificate Adapter, then Select File and upload the Certificate (*.cer) which you downloaded from the AirWatch CA/SCEP from the step above, or from ADCS Domain CA
  • Click Save
  • Go to Identity & Access Management →  Identity Providers, click on Built-in IF you are NOT using the ESC connector. If you are using the Connector, choose it in the list
  • Find Authentication Methods area and select Certificate (Cloud Deployment) check box, then click Save
  • Go to Identity & Access Management → Policies and select default_access_policy_set, select Edit
  • In Configuration tab, ALL RANGES, select Device Type = Windows 10, and in “**then the user may authenticate using “**choose Certificate (Cloud Deployment)
  • (Optional) In “if the preceding method fails or is not applicable, then” choose Password (Cloud Deployment)
  • (Optional) Select the (****+) ADD FALLBACK METHOD and in “If the preceding method fails or is not applicable, then” select Password ( Local Directory)

Windows 10 Device Tests and Checks

  • On enrolled Win10 device, open MMC, select Menu File → Add/Remove Snap-In…, select My User Account

  • Check Personal folder to see that the profile certificate was delivered

  • Use Hub to access vIDM/Workspace ONE Access portal.

Troubleshooting certificate issues

CertificateAuthAdapterBase function header for requesting the certificate from Windows:

//function names & var names obfuscated
 
protected X509Cert[] getCert(@Nonnull String tenantId,
                             @Nonnull HttpServletRequest request,
                             @Nonnull HttpServletResponse response,
                             @Nonnull Map<String, String> attribVal,
                             @Nullable Map<String, String> inputParam) throws AuthAdapterConfigException { ... }
 
 
X509Cert[] certs = getCert(tenantId, request, response, attribVal, inputParam);
        if (certs == null || certs.length == 0) {
            logger.info("No certificates were provided by the browser"); // --> horizon.log
            if (certs == null) {
                adapterResponse.setStatus(AuthnAdapterResponse.AuthnStatus.FAILURE);
                logger.info(logId + " authentication failure, no certificate provided"); // --> horizon.log

getCert method returns the certificate, received from client browser HTTP-request. If not, it logs errors in horizon.log file on WS1 Access/vIDM.