Management Mode Options for Workspace ONE Windows Devices
Overview
Windows modernization rarely happens all at once. IT teams are navigating a complex mix of legacy tools, co-management scenarios, compliance requirements, and a desire to improve the employee experience all at the same time. Omnissa Workspace ONE is designed for exactly this reality.
Up until now, administrators have been presented with a binary decision about the Windows device management mode: basic monitoring or full management. A third option, Intelligent Hub Managed Mode, now provides increased flexibility.
This document provides deep insights into the three Workspace ONE Windows Management Modes:
- Registered
- Intelligent Hub Managed without OMA-DM management: New!
- Full MDM with OMA-DM management
Learn how these three modes compare at a feature level, as well as actionable guidance for IT teams evaluating the suitability of each mode or mix of modes.
Intelligent Hub with or without OMA-DM?
OMA-DM, the protocol at the core of Workspace ONE's Full MDM Windows enrollment, is a proven choice for deep operating system and security control. But it carries constraints that don't suit every scenario:
- It requires a user login to complete enrollment
- Only one vendor can actively use the OMA-DM stack on a device at a time
- It doesn't support co-management with SCCM
These limitations create friction precisely where modernization demands flexibility.
Before delving into the Management Modes, a brief explanation of Intelligent Hub and OMA-DM is helpful because the key difference between Intelligent Hub Managed Mode and Full Managed Mode is the exclusion or inclusion of OMA-DM.
Figure 1: What's the difference between OMA-DM and Intelligent Hub?
As you can see, Omnissa’s proprietary Intelligent Hub is fully capable of managing Windows devices, and this is the basis for the new Intelligent Hub Managed Mode. Read on to gain a deeper understanding of the applicability of each mode.
Understanding the three Management Modes
The chart below presents a high-level overview of the three Management Modes:
Figure 2: Management Modes
Hub Registered mode
Hub Registered is the lightest-weight enrollment option. Devices in this mode have the Intelligent Hub installed and are visible in UEM, but the platform does not attempt to exert deep configuration control over them.
Key capabilities:
- Digital Employee Experience (DEX) monitoring and remediation via sensors and scripts
- Lightweight presence for devices already managed by a third-party MDM
- Gateway to more capable modes — Registered devices can be stepped up to Intelligent Hub Managed without re-enrollment
License note: Hub Registered is available through the Employee Essentials license. For the full DEX capability set (Experience Management), an additional Experience Management license is required.
Intelligent Hub Managed mode – New!
Intelligent Hub Managed is the flagship new offering. It delivers comprehensive, enterprise-grade Windows device management using only the Intelligent Hub — no OMA-DM client enrollment, no dependency on Microsoft's MDM stack. This unlocks scenarios that were previously impossible or operationally challenging.
If your organization is migrating between MDM platforms or simply wants modern management without committing to the Microsoft MDM stack, this mode was built for you.
Key deployment scenarios:
- Teams migrating from another MDM solution, running workloads side-by-side without conflicting MDM enrollments
- Environments where OMADM enrollment is technically unavailable or operationally undesirable
- Device-based enrollment scenarios with no dependency on interactive user login (which OMA-DM mandates)
- Windows Server devices
This new mode will be detailed further in the Deep Dive section.
Intelligent Hub Managed is available to customers licensed under Workspace ONE Standard, Advanced, Enterprise, Desktop Essentials, or UEM Essentials.
Full MDM (OMA-DM + Hub)
Full MDM is Workspace ONE's established, full-stack Windows management mode. It combines native OMA-DM enrollment with the Intelligent Hub, giving IT access to the complete set of Microsoft CSP-based profiles, Autopilot/OOBE provisioning, enterprise reset, and more. For organizations that require deep OS-level controls delivered via the Microsoft MDM stack, Full MDM remains the appropriate choice.
Which Management Mode is optimal for my environment?
The best Management Mode for your Windows devices depends upon your requirements:
Figure 3: Functionality alignment to Management Modes
Deep Dive: What Intelligent Hub Managed Mode Delivers
The engineering investment behind Intelligent Hub Managed goes well beyond wrapping existing Hub capabilities. The following capabilities are either new, or newly unlocked for Hub-only deployments:
Enrollment & Provisioning
Intelligent Hub Managed supports the full range of scalable, enterprise-grade provisioning methods:
- Command-line and silent enrollment, with or without Active Directory
- Agent-based self-service enrollment
- Both Online and Offline Dropship Provisioning enabling zero-touch imaging workflows without any OMA-DM client
- Multiuser device management, allowing shared-use scenarios previously associated with Full MDM
Important: OOBE-based provisioning methods such as Windows Autopilot and Hybrid Azure AD Join are not available in Intelligent Hub Managed mode, as these flows have a hard dependency on OMA-DM. Customers who require Autopilot should evaluate Full MDM.
Configuration & Policy
Intelligent Hub Managed delivers an extensive configuration surface that rivals Full MDM for most production use cases:
- ADMX-based profile enforcement: Unlocks a wide range of Windows GPO equivalents delivered through the Hub, including OS update policies and Windows Hello for Business
- Hub-based profiles: Workspace ONE's proprietary profile format, applicable without any OMA-DM dependency
- Freestyle Orchestration: conditional, event-driven workflows for multi-step deployments
- Baseline support: enforce configuration compliance against industry-standard baselines
- Certificate management: device and user certificate distribution (SCEP support is on the near-term roadmap)
- Scripts: PowerShell and other scripting capabilities for bespoke configuration and remediation
- Windows Hello for Business: enforceable through ADMX-based profiles
Capabilities currently on the roadmap for Intelligent Hub Managed include firewall policy, local security policies, and offline domain join.
Software Distribution
Intelligent Hub Managed integrates with the Software Distribution (SFD) Agent to deliver a full application management lifecycle:
- Full application inventory and lifecycle management
- Native application types: MSI, Script-based, and EXE installers
- Self-service application catalog in the Intelligent Hub — users can install, uninstall, and launch applications on demand
- Ring-based phased deployments for controlled rollouts
- CDN and peer-to-peer delivery optimization for bandwidth-efficient distribution
Note on MSIX/APPX: MSIX and APPX application types will be appended to Intelligent Hub Managed Mode once the Software Distribution Agent adds support for these formats. This is an active workstream.
OS Update Management
Intelligent Hub Managed exposes a rich update management workflow, delivered primarily through ADMX-based policies and the Workspace ONE update management engine:
- Windows OS update delivery and scheduling via ADMX policies
- Granular Patch Management, available from UEM 2604 onward
- Updated dashboards and compliance reporting
- Pause and rollback capabilities
Device actions
IT administrators retain meaningful control over Intelligent Hub Managed devices through a comprehensive set of remote actions:
- Log collection for diagnostics and support
- Repair Hub
- Remote reboot
- Enterprise Wipe selectively removes corporate data and applications while preserving the OS
Full Device Wipe and Enterprise Reset remain exclusive to Full MDM enrollment, as they require the OMA-DM stack to issue the underlying MDM wipe commands.
Analytics & DEX
Intelligent Hub Managed devices participate fully in the Workspace ONE analytics and DEX ecosystem:
- Sensors: custom telemetry collection for monitoring and compliance scoring
- DEX device information: hardware, OS, and user experience data
- Security samples (firewall state, antivirus status, general device health): on the roadmap
- Full compliance engine and reporting: on the roadmap
Mode-aware UEM console experience
The Workspace ONE UEM console adapts to Intelligent Hub Managed devices automatically; the Device Detail tabs and available actions reflect what is supported for that enrollment type. Configurations, Workflows, Apps, Baselines, Scripts, Sensors, and Updates are all surfaced. OMA-DM-only resources continue to route exclusively to Full MDM devices, eliminating the risk of misconfigured policy delivery.
Adoption and migration paths
Figure 4: Adoption and migration paths for each Management Mode
New Enrollments
Intelligent Hub Managed can be set as the default enrollment mode for an Organization Group via All Settings → Devices & Users → General → Enrollment → Management Mode. Existing provisioning workflows: Dropship, manual and silent/command-line; enrollment continue to function without modification.
Step-Up: Registered to Intelligent Hub Managed
This is one of the most operationally significant capabilities is the server-side step-up mechanism. For devices currently in Hub Registered mode, administrators can promote them to Intelligent Hub Managed without requiring any end-user re-enrollment. The promotion is admin-initiated, the device automatically acquires full Hub-based management, and the transition is transparent to the end user. Step-up from Intelligent Hub Managed to Full MDM is targeted for delivery in UEM 2606.
Side-by-side with existing MDM tools
Because Intelligent Hub Managed does not enroll the OMA-DM client, it can co-exist on devices that are simultaneously enrolled in SCCM co-management or another MDM without creating enrollment conflicts. Teams can deploy Workspace ONE capabilities incrementally, validating workloads before deciding whether to transition to Full MDM or remain in Intelligent Hub Managed long-term.
Keep in mind that Intelligent Hub Managed Mode can be a permanent solution for a wide range of enterprise Windows management requirements. Or, for Windows Desktops, it may be a stepping stone to Full MDM.
Feature comparison: all Management Modes
The table below covers all capabilities across the three management modes. ✓ = Supported ✗ = Not supported Roadmap = Planned for a future release.
| Capability | Registered | Intelligent Hub Managed | Full MDM |
| Enrollment & Provisioning | |||
| Silent / command-line enrollment (with or without AD) | ✓ | ✓ | ✓ |
| Agent-based self-service enrollment | ✓ | ✓ | ✓ |
| Dropship provisioning (online & offline) | ✗ | ✓ | ✓ |
| Out-of-box experience (Autopilot / Hybrid Join) | ✗ | ✗ | ✓ |
| Multi-user / shared device management | ✗ | ✓ | ✓ |
| Offline domain join | ✗ | Roadmap | ✓ |
| Step-up from Registered to Intelligent Hub Managed | ✓ | In Progress | — |
| Configuration & Policy | |||
| Freestyle Orchestration & scripts | ✓ | ✓ | ✓ |
| ADMX-based policy profiles | ✗ | ✓ | ✓ |
| Hub-targeted profiles | ✗ | ✓ | ✓ |
| Baselines | ✗ | ✓ | ✓ |
| Certificate management | ✗ | Roadmap | ✓ |
| Windows Hello for Business | ✗ | ✓ (via ADMX) | ✓ |
| Encryption / BitLocker management | ✗ | ✓ | ✓ |
| Firewall management | ✗ | Roadmap | ✓ |
| Local security policies | ✗ | Roadmap | ✓ |
| BIOS / firmware management | ✗ | ✓ | ✓ |
| Microsoft CSP-based profiles | ✗ | ✗ | ✓ |
| Application Management | |||
| Application catalog (web & Horizon apps) | ✓ | ✓ | ✓ |
| Full app inventory & lifecycle management | ✗ | ✓ | ✓ |
| Native app deployment (MSI, EXE, script) | ✗ | ✓ | ✓ |
| Self-service install / launch | ✗ | ✓ | ✓ |
| Ring-based deployment | ✗ | ✓ | ✓ |
| CDN / P2P content delivery | ✗ | ✓ | ✓ |
| APPX / MSIX deployment | ✗ | Roadmap | ✓ |
| OS Updates & Patch Management | |||
| Windows OS update control (via ADMX) | ✗ | ✓ | ✓ |
| Granular patch management | ✗ | ✓ | ✓ |
| Patch dashboards & reporting | ✗ | ✓ | ✓ |
| Pause & rollback capabilities | ✗ | ✓ | ✓ |
| Device Actions & Remediation | |||
| Reboot device | ✓ | ✓ | ✓ |
| Log collection | ✗ | ✓ | ✓ |
| Repair Hub | ✗ | ✓ | ✓ |
| Enterprise wipe (corporate data) | ✗ | ✓ | ✓ |
| Full device wipe / factory reset | ✗ | ✗ | ✓ |
| Analytics & Digital Employee Experience | |||
| Sensors & data collection | ✓ | ✓ | ✓ |
| DEX device information | ✓ | ✓ | ✓ |
| Security samples (AV, firewall, health) | ✗ | Roadmap | ✓ |
| Compliance engine & reporting | ✗ | Roadmap | ✓ |
Figure 5: Comparison of Management Modes
Configuration
Once you’ve decided which Management Mode works best for your environment, configuration is straightforward as shown below.
Figure 6: Management Mode configuration
Summary and additional resources
Intelligent Hub Managed mode represents a significant evolution in how Workspace ONE approaches Windows device management. By decoupling management capability from OMA-DM enrollment, Omnissa gives IT teams architectural freedom they have not had before: the ability to deliver comprehensive, enterprise-grade Windows management without a dependency on Microsoft's MDM client and without forcing a disruptive full re-enrollment during migrations.
The three-mode model is deliberately additive, and Full MDM enrollment is not going away. Workspace ONE continues to invest in all three modes, giving customers the flexibility to choose the approach that best fits each segment of their fleet. An enterprise can run Registered devices for DEX-only endpoints, Intelligent Hub Managed where OMA-DM enrollment is not required or desired, and Full MDM where the full spectrum of operating system and security controls are needed, all from a single Workspace ONE UEM console, without any forced migration.
As the Intelligent Hub Managed roadmap continues to mature — expanding into firewall management, SCEP, and compliance reporting — customers will have an increasingly capable option available to them whenever it meets their requirements. The goal is flexibility, not replacement.
Additional resources
Please also see these Omnissa TechZone resources:
'%3E%3Cpath id='Rectangle_1' data-name='Rectangle 1' d='M0,0H800V300H0Z' transform='translate(2297 1132)' fill='%23E2F0D9'/%3E%3Cg id='Group_5' data-name='Group 5' transform='translate(-6 -3)'%3E%3Ctext transform='translate(2534 1280)' font-size='50' font-family='Roboto-Regular, Roboto'%3E%3Ctspan x='0' y='0'%3ECurated Assets%3C/tspan%3E%3C/text%3E%3Ctext transform='translate(2611 1333)' font-size='20' font-family='Roboto-Regular, Roboto'%3E%3Ctspan x='0' y='0'%3ETile View (with image and controls)%3C/tspan%3E%3C/text%3E%3C/g%3E%3C/g%3E%3C/svg%3E)
Changelog
Create a new row at the top of the table, and enter a summary of relevant changes. Don’t include reformatting changes, minor rebranding, and other internal changes.
The following updates were made to this guide:
| Date | Description of Changes |
| 04/08/2026 |
|
Author and contributors
Written by
- Pooja Chengappa, Director of Product Management, Omnissa
Contributors and reviewers:
- Jo Harder, Principal Product Specialist, Omnissa
Feedback
Your feedback is valuable.
To comment on this paper, contact the Omnissa TechZone team at tech_content_feedback@omnissa.com.