Troubleshooting Windows Devices: Workspace ONE

Overview

This guide provides information about steps that may be used to troubleshoot numerous Windows device issues. 

The materials within this guide focus on general means for addressing overall Windows issues and should serve as a starting point.  Numerous references to other resources are provided to help you address specific issues.

The contents of this guide are focused on these areas:

  • Windows device communications
  • Windows settings
  • Logging
  • Validation and Troubleshooting
  • Common Windows device issues
  • Additional resources

Workspace ONE Windows Device Communications

When communications between Workspace ONE UEM and Windows devices are interrupted, issues such as configurations not applying correctly, unavailability of new applications, and unexpected policy results may occur.  As such, understanding the flow and dependencies may help pinpoint where issues lie.

Communications

Communications between Workspace ONE and Windows devices occur via the following channels as HTTPS traffic over TCP 443:

  • OMA-DM/WNS
  • Intelligent Hub/AWCM

OMA-DM/WNS and Intelligent Hub/AWCM Explained

Real-time communication between Workspace ONE UEM and Windows devices occurs via two management systems:

  • Microsoft OMA-DM (Open Mobile Alliance Device Management) communicates via Windows Notification Services (WNS)
  • Omnissa Workspace ONE Intelligent Hub communicates via AirWatch Cloud Messaging (AWCM)

As shown in the diagram below, a multitude of capabilities are consolidated via APIs that ultimately communicate via OMA-DM or Intelligent Hub to manage and secure Windows devices.

Figure 1: Workspace ONE UEM Windows framework

Note that CSP signifies Microsoft Configuration Service Providers, which are discussed at length within the Workspace ONE UEM Baselines and Profiles article on TechZone.

OMA-DM/WNS

OMA-DM uses Windows Notification Services, sometimes called Windows Push Notification Services, for communication between Workspace ONE UEM and Windows devices. 

OMA-DM sends various commands in Synchronization Markup Language (SyncML) for action on Windows devices.  While the majority of the commands are applicable to registry keys, some may apply to files and permissions.

Figure 2: The role of SyncML and OMA-DM in Windows device management

Intelligent Hub/AWCM

Intelligent Hub interfaces with AWCM which then provides the communications interface between many Workspace ONE services as shown in the example below. 

Figure 3: AirWatch Cloud Messaging (AWCM) provides centralized, secure communications

OMA-DM/WNS and Intelligent Hub/AWCM Comparison

There are some key similarities and differences between OMA-DM/WNS and Intelligent Hub/AWCM:

 

| | OMA-DM | AWCM |
|---|---|---|
| Description | Native MDM client built into the Windows device | Workspace ONE Intelligent Hub installed on the device |
| Owner | Microsoft | Omnissa |
| Type | Open standard | Proprietary |
| Communication | Windows Notification Services (WNS) | AirWatch Cloud Messaging (AWCM) |
| Uses | Device communication; Device enrollment; Profile configuration using Microsoft CSPs; Software distribution metadata delivery | Profile configuration for some non-CSP based Profiles; Local policy enforcement; Sensors, scripts, and workflows; Baselines; Unified App Catalog; Hub Services; Provisioning |
| Security | HTTPS via TCP 443 | HTTPS via TCP 443 |
| Troubleshooting log | com.airwatch.winrtdm | com.airwatch.windowsprotectionagent |
| Host name and port(s) | *.wns.windows.com over 80/443 | awcm*.awmdm.com:443 (SaaS) and TCP 2001 (On-Premises) |

Figure 4: OMA-DM and AWCM comparison

Because communications with Windows devices occur via both OMA-DM and AWCM, it is critical that both protocols are not impeded.  The Troubleshooting section delves into validating OMA-DM/WNS and Intelligent Hub/AWCM functionality.

Ports

Workspace ONE components communicate over numerous ports, and blocked ports may cause communication failures.  All external communications require TCP port 443 for secured traversal over the internet.  For a complete list of the ports and protocols required, please see:

Additionally, a third-party utility, the Intelligent Hub for Windows Troubleshooting tool, also known as HUBWTT, includes TestNet (test network) functionality to validate the required network ports from a Windows device.

Windows Settings

When troubleshooting Windows issues, settings that impact all Windows devices within your environment should be evaluated.  These settings can be found within Groups & Settings > All Settings > Settings > Devices & Users > Microsoft > Windows and control various behaviors of the Windows devices in relation to Workspace ONE.

Figure 5: Windows device settings

Settings include Intelligent Hub check-in interval, privacy notification, device ownership type defaults, and Intelligent Hub update defaults.

The table below shows the individual Windows tabs and how these settings may affect troubleshooting.  These settings should be reviewed when troubleshooting general Windows issues.

| Tab Name and Docs Link | Key Settings | Troubleshooting Considerations |
|---|---|---|
| Intelligent Hub Application | Publish Workspace ONE Intelligent Hub | Also enables Repair Hub and Request Device Log functionality within Administrative Console Actions |
| Intelligent Hub Application | Intelligent Hub Automatic Updates | Presence of older version on user device may vary user experience |
| Intelligent Hub Settings | MDM Channel Security | All traffic inherently traverses securely via HTTPS; setting has no impact and will be deprecated |
| Intelligent Hub Settings | Privacy > Collect Analytics | Enables crash reports collection |
| Intelligent Hub Settings | Attributes for Unique Identifier > UEM & Client | For AD domain joined devices, determines match for Multiuser functionality; recommendation is UPN/UPN |
| Windows Health Attestation | Compromised Status Definition | All items not checked will not trigger compromised status for administrators; recommendation is to review all items and enable as appropriate to ensure administrative notification |
| Staging & Provisioning | Online Dropship Cache Server URL | Validate URL when experiencing provisioning issues |
| Auto Enrollment | Auto Enrollment | Only used for on-premises and no impact on SaaS |

Figure 6: Individual tabs under Windows settings

Non-Workspace ONE Configurations and Processes that May Impact Windows Devices

Configurations and processes can impact Windows devices—sometimes without the Workspace ONE administrator knowing they exist. 

GPO Conflicts

If your enterprise has Active Directory GPO(s) that set policies, these may cause unexpected device behavior or intermittent issues and consume seemingly countless administrative hours.  Omnissa recommends that GPOs not be applied to Windows devices.

Figure 7: Same setting configured in both GPO and Workspace ONE Baseline will create conflicts and seemingly intermittent issues

Scripts

Similar to GPOs, scripts may modify registry keys, Windows Services, Task Scheduler, or perform other actions.  While Workspace ONE does provide scripting functionality and Freestyle Orchestrator, Active Directory and other tools may push out PowerShell and other scripts.

For example, if a GPO or third-party tool invokes a script that enables a USB device type and a customized Baseline prohibits that same device type, a conflict will occur.

Agents/Clients

Some agents/clients installed on Windows devices can prevent Workspace ONE from functioning properly.  Examples include:

  • Existing device management client, such as Microsoft Intune
  • Security clients and firewall configurations that disallow Workspace ONE communications

Logging, including Event Logs, Service Logs, and Syslog

Event Logs

Windows device event logs provide a plethora of useful details regarding endpoint communication and processes.  Below is a list of key event logs; however, other event logs may likewise be useful.

All event logs listed below are accessed from the local device and should be prefaced with:

  • Event Viewer (Local) > Applications and Services

| Functionality | Description | Event Viewer Log |
|---|---|---|
| OMA-DM Communications | Collects every interaction between the device and Workspace ONE UEM | > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin |
| Enterprise Data Protection | Collects logs related to WIP and Audits | > Microsoft > Windows > EDP Audit Regular Channel; > Microsoft > Windows > EDP Audit TCB Channel; > Microsoft > Windows > EDP App Learning |
| AAD & User Device Registration | Collects all information related to Azure Active Directory (Entra ID) | > Microsoft > Windows > AAD > Operational section; > Microsoft > Windows > User Device Registration > Admin section |
| BitLocker | Collects BitLocker information | > Microsoft > Windows > BitLocker-API; > Microsoft > Windows > BitLocker-DrivePreparationTool |
| DropShip Online | DropShip provisioning | > AirWatch-Provisioning Agent |
| Certificates | Validate certificates | > Microsoft > Windows > CAPI2 (enable log and reproduce errors); > Microsoft > Windows > CertificateServicesClient-Lifecycle-* (System and User); > Microsoft > Windows > CertPolEng |

Figure 8: Useful Event Logs for troubleshooting
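
The channels in Figure 8 can be swept in one pass from an elevated PowerShell session on the device. This is an added example, not part of the original guide or any Omnissa tool; the channel name patterns are assumptions and are resolved with wildcards at run time, because the Event Viewer folder names in the table do not always match the underlying channel names.

```powershell
# Added example: count recent Critical/Error/Warning events in the channels
# from Figure 8. Run elevated; some channels are not readable otherwise.
[CmdletBinding()]
param(
    [int]$Hours = 24,   # look-back window
    [int]$Top   = 5     # most frequent event IDs to list per channel
)

# Assumed channel patterns for each table row. Wildcards are used because the
# Event Viewer folder name and the channel name can differ.
$patterns = [ordered]@{
    'OMA-DM Communications'          = @('Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin')
    'Enterprise Data Protection'     = @('Microsoft-Windows-EDP-*')
    'AAD & User Device Registration' = @('Microsoft-Windows-AAD/Operational',
                                         'Microsoft-Windows-User Device Registration/Admin')
    'BitLocker'                      = @('Microsoft-Windows-BitLocker*')
    'DropShip Online'                = @('AirWatch*')
    'Certificates'                   = @('Microsoft-Windows-CAPI2/Operational',
                                         'Microsoft-Windows-CertificateServicesClient-Lifecycle-*',
                                         'Microsoft-Windows-CertPol*')
}

$since = (Get-Date).AddHours(-$Hours)

$report = foreach ($area in $patterns.Keys) {
    # Resolve the patterns to the channels that actually exist on this device.
    $logs = @(Get-WinEvent -ListLog $patterns[$area] -ErrorAction SilentlyContinue)
    if ($logs.Count -eq 0) {
        [pscustomobject]@{ Area = $area; Channel = '(none found)'; State = 'Missing'
                           Events = 0; TopEventIds = '' }
        continue
    }
    foreach ($log in $logs) {
        if (-not $log.IsEnabled) {
            # A disabled channel (the guide calls this out for CAPI2) must be
            # enabled and the problem reproduced before it holds anything.
            [pscustomobject]@{ Area = $area; Channel = $log.LogName; State = 'Disabled'
                               Events = 0; TopEventIds = '' }
            continue
        }
        # Level 1 = Critical, 2 = Error, 3 = Warning.
        $events = @(Get-WinEvent -FilterHashtable @{
                LogName = $log.LogName; Level = 1, 2, 3; StartTime = $since
            } -ErrorAction SilentlyContinue)

        $topIds = $events | Group-Object -Property Id |
            Sort-Object -Property Count -Descending |
            Select-Object -First $Top |
            ForEach-Object { '{0} (x{1})' -f $_.Name, $_.Count }

        [pscustomobject]@{ Area = $area; Channel = $log.LogName; State = 'Enabled'
                           Events = $events.Count; TopEventIds = ($topIds -join ', ') }
    }
}

$report | Format-Table -AutoSize -Wrap
```

A row with State "Missing" or "Disabled" means the absence of events says nothing about that area yet.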

Intelligent Hub Logs

Captured logs can provide detailed event tracking and be useful for pinpointing complex issues. 

Logs can be captured from the device or console, and then analyzed or provided to Global Customer Services. Workspace ONE UEM Device-Side Logging in Omnissa docs provides detailed information on what logs are provided on each device type.

Logs can be captured remotely from the console by following the instructions within the Windows Desktop Devices (Windows HUB) section.

Core Services

Detailed information is available in the Core Services Logging section for all console-side services, including how to capture logs and control log levels.

SysLog

Syslog can be configured for integration with your Security Information and Event Management (SIEM) tool, such as Splunk.  Please see Omnissa docs for information about functionality and configuration.

Validation and Troubleshooting

This section discusses validating the status of Windows devices and general troubleshooting.  For step-by-step details about troubleshooting and logging, please also see Omnissa documentation.

There are three key mechanisms that are useful for troubleshooting:

Detective Admin, are you ready to start searching for clues to resolve Windows device mysteries?

Workspace ONE Console

Because numerous monitoring data points are within the Workspace ONE admin console, this should be your starting point.  Status information can be viewed, and actions can be taken directly from the console.

Device Status

Several views show the status of a specific device.  Click Devices > Devices and select a device, which is then presented within the Details View screen.

Figure 9: Device status provided within Workspace ONE UEM console Summary screen

The status information provides a holistic overview of the device.  The update interval is dependent upon the Intelligent Hub configuration within the universal Windows settings.  Please note that there is a difference between the "Last Seen" and "Last Check In" fields shown above.

  • Last check-in specifically tracks when Intelligent Hub last checked for pending commands, resources, and other updates
  • Last seen captures when the device presence was last observed

In addition to the summary information presented, additional details may be particularly pertinent when researching issues.

Troubleshooting Tab

After viewing the basic device information, the Troubleshooting tab within the Devices screen will likely be your starting point.  To access this tab, click More > Troubleshooting.

Event Log

The default view provides an administrative Event Log of all actions that have occurred on the device, including the date, time, administrator that made the change, and other details.

Figure 10: Troubleshooting Event Log

The event message is a hyperlink and may be clicked to provide additional information.

Commands

In addition, the commands that were executed on the device are presented within the second tab.  The status of these commands, e.g., pending, queued, and removed, may be useful to understand changes on the device.

 

Figure 11: Queued and pending commands after clicking the Query button

Queued and pending commands should be executed quickly if the device is online.

Administratively Gather Device Logs

Rather than logging onto the client device remotely or making requests of the user, a variety of logs can be administratively captured from the Workspace ONE UEM console.  After selecting the device in the console, click More Actions > Request Device Log to administratively request the desired logs.

Two types of logs can be requested:

  • Hub, which provides Intelligent Hub details, as well as software distribution and provisioning based on the following logs:
    • Application Deployment Agent: contains logs (RegistryExport.txt and AirWatchMDM-*.etl) related to deploying Win32 (EXE, MSI, ZIP) applications to devices. These logs are helpful to provide to your Workspace ONE UEM support representative when app deployment is not working as expected. 
    • DEEM Telemetry Agent: contains logs related to osquery and the telemetry agent on the device. You can see the results of the osquery data being sent to Workspace ONE Intelligence as well as any errors.
    • Factory Provisioning Package: contains logs (PpkgInstallerLog.txt) related to the installation of the provisioning package (PPKG) seeded at the factory to pre-load the apps on the device.
    • Provisioning Agent: contains the Provisioning Agent Event Log. 
    • Remote Management Client: contains logs related to errors with the Workspace ONE Assist client on the device during remote screen share/control, managing files, or launching the remote shell option from the Workspace ONE UEM console.
    • Workspace ONE Intelligent Hub: contains all the Workspace ONE Intelligent Hub log files.
  • System, which focuses on environmental details, including local Event Viewer logs and running processes based on the following logs:
    • PCRefresh: contains logs related to Enterprise Reset. More logs are visible after performing the Enterprise Reset action on the device.
    • Windows: Contains the System & MDM Event Logs as well as a registry export of HKLM\SOFTWARE\Microsoft\EnterpriseResourceManager which shows a list of successfully applied CSPs (profiles and apps) on the device.
    • Environment: Processes.txt and Services.txt contain an export of currently registered services and running processes.

After these logs have been captured, they are shown as a zip file within the console under More > Attachments > Documents and can be unzipped and explored.

Figure 12: System Log files

Align the specific issue with the various log files that are generated. Omnissa docs provides a complete list of log files and the information contained within each.

Key Administrative Console Actions

Under the Actions buttons in the upper right corner, queries and management/administrative actions can be initiated.  Several key troubleshooting actions are described below.

Figure 13: Query and key More Actions options useful when troubleshooting

Query

Queries are particularly useful in understanding the state of the device at that point in time.  While it is possible to select individual queries, it is typically more expeditious to select the Query button to query all Intelligent Hub services and send that status to the console.

Depending on the selected option, the full set of queries or individual queries will be listed on the Troubleshooting > Commands screen as pending until they are executed.  Once complete, the query results will be available within the respective status screens upon refresh, including the Troubleshooting Event Log and Commands screens.

Reboot Device

Some issues are resolved by simply rebooting the device.  Administrators can force the Windows device to reboot within five minutes, allowing the user to wrap up active work.

Request Device Log

This selection allows event logs from the Windows device to be gathered administratively without user effort.  Note that this option is only available if Publish Intelligent Hub is enabled within Groups & Settings > All Settings > Settings > Devices & Users > Microsoft > Windows > Intelligent Hub Application, provided that the device has an active user session.

Repair Hub

Clicking Repair Hub administratively re-establishes communication between a Windows device and the Workspace ONE Intelligent Hub. This feature reinstalls the Intelligent Hub, remediates communication problems such as HMAC errors and failed Hub upgrades, reinstates any removed Hub files on the system, and restarts any Hub-related Windows services.  The RecoveryService.log provides information regarding the status of the Workspace ONE Intelligent Hub auto recovery functionality.

Sensors


Sensors can be used to not only ascertain system resources, but also status of devices.  For example:

  • When was the last time that the device successfully synchronized?
  • Is the device pending reboot? 

Sometimes resolving a Windows device issue is as simple as rebooting or forcing synchronization.  With these data points, it is simple to ascertain the most recent time that the device synchronized and/or rebooted. 
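
A Sensor answering the "pending reboot" question above could look like the following. This is an added example, not a script from Omnissa or from the original guide; the registry markers are the commonly used Windows reboot indicators, and the Sensor settings named in the comments (PowerShell, System context, Boolean response) are assumptions about how it would be configured in the console.

```powershell
# Added example sensor. Assumed console settings: Language = PowerShell,
# Execution Context = System, Response Data Type = Boolean.

function Get-PendingRebootReason {
    $reasons = @()

    # Component Based Servicing creates this key when servicing needs a restart.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    if (Test-Path -Path $cbs) { $reasons += 'ComponentBasedServicing' }

    # The Windows Update agent creates this key after installing updates.
    $wu = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    if (Test-Path -Path $wu) { $reasons += 'WindowsUpdate' }

    # A computer rename is pending when the active and configured names differ.
    $base    = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName'
    $active  = (Get-ItemProperty -Path "$base\ActiveComputerName" -ErrorAction SilentlyContinue).ComputerName
    $pending = (Get-ItemProperty -Path "$base\ComputerName" -ErrorAction SilentlyContinue).ComputerName
    if ($active -and $pending -and ($active -ne $pending)) { $reasons += 'ComputerRename' }

    # Queued file renames are a weaker signal: installers and security agents
    # queue them routinely, so this marker alone is prone to false positives.
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                           -Name 'PendingFileRenameOperations' -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { $reasons += 'PendingFileRename' }

    return $reasons
}

# Strong markers decide the Boolean; the file-rename marker is ignored here so
# the Sensor does not flag every device that recently ran an installer.
$strong = @(Get-PendingRebootReason | Where-Object { $_ -ne 'PendingFileRename' })

# The last value written to the output stream is what the Sensor reports.
Write-Output ($strong.Count -gt 0)
```

Changing the response type to String and writing `(Get-PendingRebootReason) -join ','` instead reports which marker was set, which is more useful when filtering in Intelligence.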

Intelligence

Workspace ONE provides a plethora of information within Intelligence that may be useful for troubleshooting.  As an example, when troubleshooting an issue related to Windows Updates compliance, a Sensor could be deployed in conjunction with a Dashboard or Report to display the devices that are Pending Reboot, and therefore have not completed their updates.

Figure 15: Intelligence reports showing Windows devices pending reboot

Likewise, a Dashboard could be leveraged to display device memory utilization over time.

Figure 16: Intelligence dashboard displaying memory utilization

Similarly, the Guided Root Cause Analysis (RCA) feature could be utilized to help determine the cause of application crashes after a Windows Update.

Up to 16 widgets can be incorporated in a single Dashboard to display multiple metrics at once.

Figure 17: Customized Dashboard showing numerous metrics

Further, Experience Management provides built-in Dashboards and Reports to surface common problems such as long boot times.

Figure 18: Common issues such as long boot times displayed within built-in Dashboard

Intelligence can use and display data points that Sensors and the DEEM agent collect, displayed in the appropriate format for that data type, and filtered for those devices with particular values, providing for quicker resolution.

Validating OMA-DM/WNS and Intelligent Hub/AWCM Functionality

Because WNS and AWCM are the communications lifeblood for Windows devices, it is essential to ensure that both protocols are functioning properly.  Both protocols traverse the network securely via HTTPS.

AWCM

AWCM to Workspace ONE UEM console communications can be verified from the Workspace ONE console.  Go to Groups & Settings > All Settings > Settings > System > Advanced > Site URLs > AirWatch Cloud Messaging.  Verify that the AWCM server is enabled, and then click Test Connection.

Figure 19: Validating AWCM connectivity

To validate Windows device to AWCM communications, two options are available:

WNS

OMA-DM/WNS inherently communicates between Workspace ONE UEM and Windows devices securely via HTTPS. 

The WNS status of a Windows device can be seen on the Devices page.  Go to Devices > select the device and view the status within the Details View screen.

Figure 20: Validating WNS connectivity

User Device

Intelligent Hub Utilities

On the user device, Intelligent Hub provides some troubleshooting functionality directly on the Windows device. 

To troubleshoot on the local device, right-click the Workspace ONE Intelligent Hub icon in System Tray > Troubleshoot. Two options are presented:

  • Collect Logs, wherein the user is prompted to select a local directory to save pertinent Event Viewer logs. 
  • Hub Status, which is used to perform a quick test and displays helpful information about the device and services running on the device.  It will reveal the unique Device UDID, Windows and Intelligent Hub Services status, whether the device can reach the Workspace ONE Management Server, and other details. 

These options are also presented within the Intelligent Hub app when the user clicks their name in the lower left corner. In addition, forced synchronization (Sync) can be initiated from the endpoint.

Event Viewer logs can provide valuable clues; however, please be aware these and other logs can be pulled administratively through the Workspace ONE Request Device Log functionality. 

These logs are cumulatively stored within the following directory on the Windows endpoint device:

  • C:\ProgramData\AirWatch\UnifiedAgent\Logs

Omnissa docs provides a complete list of log files and information contained within each.

Below is an example of Hub Status output:

Figure 22: Hub Status report displayed on the Windows client device

Note that the status of Windows Services and Workspace ONE Intelligent Hub are reported.  The state of these Windows Services depends on the functionality that you have enabled, such as device enrollment and software distribution. 

Alternatively, an administrator may remotely access the local device using Workspace ONE Assist or request that the user collect specific data. 

Workspace ONE Configurations Applied to Windows Device

On the Windows device, Workspace ONE settings can be ascertained via Settings > Accounts > Access work or school > Connected > Managed by Workspace ONE > Info.

Figure 23: Workspace ONE status information on the Windows device

In addition to the valuable status information presented, two key actions can be taken from this screen:

  • Sync, which forces synchronization with Workspace ONE UEM
  • Create report, which creates a detailed report entitled MDMDiagReport that shows all settings and policies (both Workspace ONE and GPOs) applied to this device:
    • Device info
    • Connection Info
    • Device management account
    • Certificates
    • Enrolled configuration sources and target sources
    • Managed policies
    • Managed applications
    • Wi-Fi profiles
    • GPCSEWrapper policies
    • Blocked group policies
    • Unmanaged policies

For example, if Workspace ONE Baselines or Profiles are not applying correctly, the MDMDiagReport details exactly which policy settings are applied from which source.  Keep in mind that this information is not static and is affected by the reapplication of policies.
 

Third-Party Utilities

Please note that the third-party utilities referenced below are downloaded, installed, and used at your own risk, and Omnissa takes no responsibility for the use of these tools.  Please follow your enterprise requirements regarding the installation and use of third-party utilities.

Fiddler Everywhere

A free 10-day trial of Fiddler Everywhere is available from Telerik.  This tool enables administrators to view and analyze network traffic between the client device and Workspace ONE, including OMA-DM and Intelligent Hub traffic.

Figure 24: Fiddler output

SyncML Viewer

SyncML Viewer is a free tool that is useful for assessing OMA-DM traffic and is available from GitHub.  By viewing the SyncML protocol traffic between the Windows client and Workspace ONE, endpoint device activity can be monitored in real time via event tracing for Windows (ETW).   After capturing OMA-DM traffic, it can be parsed, analyzed, or exported as a .txt file. 

Figure 25: SyncML Viewer output

Intelligent Hub for Windows Troubleshooting Tool (HUBWTT)

The Intelligent Hub for Windows Troubleshooting Tool (HUBWTT.exe) is available on GitHub.  It is a command line app that can be used to display Workspace ONE Hub for Windows (HUBW) configuration settings, as well as perform some functions to help with supporting HUBW:

  • Managed Applications Info
  • Baselines Info
  • Export HUBW LiteDB
  • General (HUBW), Sample and Custom Lookup info
  • LAPS Function
  • Logs Functions
  • Profiles Info
  • Scripts Info
  • Sensors Info
  • Test Network Function
  • Workflows Info

Figure 26: HUBWTT TestNet functionality

SysInternals: ProcMon and PSExec

Lastly, two common SysInternals tools can provide extensive details to research complex issues:

  • Process Monitor (ProcMon) provides detailed file system, registry, and process activity.  
  • PSExec is a telnet-like tool that enables command prompt access.

Common Windows Device Issues and Resolution Checks

Based on input from Omnissa Customer Success and Technical Support, the most common Windows device issues and resolutions are:

Issue

Resolution Checks

Windows Baselines and Profiles not applying properly

  • Check whether AD GPOs and/or scripts are being applied as seen via Create Report on device
  • Validate Profiles and Baselines on local device via HKLM\Software\Microsoft\PolicyManager\current\device
  • Verify there are no conflicting policies applied across GPO, Profile, Baselines and Scripts
  • Verify last device check-in time and force sync
  • Reboot the device
  • Check AWCM and WNS communication status

Apps not installing

  • Check AWCM and WNS communication status
  • Validate apps on local device via HKLM\Software\AirWatchMDM\AppDeploymentAgent\{GUID}

Antivirus false positives

Multiuser functionality

  • Ascertain prerequisites
  • Validate Unique Identifier Attributes within Intelligent Hub settings
  • After prerequisites met, new devices automatically enabled as multiuser; previous devices retain single user status
  • Administratively designate single user or multiuser
  • Restrict checkout for help desk and other users Groups & Settings > All Settings > Devices and Users > General > Enrollment > Restrictions

User on multiuser device is prompted to enter Organization Group ID

  • Validate single user/multiuser setting in Devices screen
  • Set grouping to Fixed Organization Group within Groups & Settings > All Settings > Devices and Users > General > Shared Device > Grouping setting 

BitLocker encryption

  • Review BitLocker encryption profile configuration
  • Execute “manage-bde -status” on the local device
  • Review BitLocker event logs
  • Review Windows Device Health Attestation settings

Device log capture cannot be initiated from console

  • Validate that device is online
  • Validate that Intelligent Hub is published within Groups & Settings > All Settings > Devices and Users > Microsoft > Windows > Intelligent Hub Application

Figure 27: Common Windows device issues
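
For the "Baselines and Profiles not applying" checks above, the policy store under HKLM\Software\Microsoft\PolicyManager\current\device can be read directly and each setting traced to the source that won it. This is an added example, not code from the guide or from Omnissa; the `_ProviderSet` and `_WinningProvider` value suffixes and the lookup under `HKLM:\SOFTWARE\Microsoft\Enrollments` are assumptions about how Windows records the source, and `Get-MdmAppliedPolicy` is a hypothetical helper name.

```powershell
# Added example. Run in an elevated PowerShell session on the device.
# Assumptions: Windows stores bookkeeping values beside each policy using the
# suffixes _ProviderSet and _WinningProvider, and the winning provider GUID is
# also the name of an enrollment key that carries a ProviderID value.

function Get-MdmAppliedPolicy {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device',
        [string]$Area = '*'    # policy area filter, wildcards allowed
    )

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "No MDM policy store at $Path; the device may not be enrolled."
        return
    }

    $providerNames = @{}       # cache: provider GUID -> ProviderID
    foreach ($key in Get-ChildItem -Path $Path | Where-Object PSChildName -like $Area) {
        foreach ($name in $key.GetValueNames()) {
            # Skip the default value and the bookkeeping values themselves.
            if (-not $name -or $name -match '_(ProviderSet|WinningProvider)$') { continue }

            $guid = $key.GetValue("${name}_WinningProvider")
            if ($guid -and -not $providerNames.ContainsKey($guid)) {
                $enrollment = "HKLM:\SOFTWARE\Microsoft\Enrollments\$guid"
                $providerNames[$guid] = (Get-ItemProperty -Path $enrollment -Name ProviderID `
                                         -ErrorAction SilentlyContinue).ProviderID
            }

            [pscustomobject]@{
                Area         = $key.PSChildName
                Policy       = $name
                Value        = $key.GetValue($name)
                Provider     = if ($guid) { $providerNames[$guid] } else { $null }
                ProviderGuid = $guid
            }
        }
    }
}

# Every policy the MDM channel currently holds, with the source that set it.
Get-MdmAppliedPolicy |
    Sort-Object -Property Area, Policy |
    Format-Table -Property Area, Policy, Value, Provider -AutoSize -Wrap

# Generate MDMDiagReport with the built-in Windows tool (not mentioned in the
# guide) so the registry view can be compared with the report's GPO sections.
$out = Join-Path -Path $env:TEMP -ChildPath 'MDMDiag'
New-Item -Path $out -ItemType Directory -Force | Out-Null
MdmDiagnosticsTool.exe -out $out
Get-ChildItem -Path $out
```

A setting that appears in a Baseline or Profile but is missing from this output never reached the device over OMA-DM, which points back to the check-in and WNS checks rather than to a GPO conflict.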

Additional Windows Device Resources

Troubleshooting more specific Windows functionality issues may require more information than is provided in this guide. 

In addition to deep technical functionality explanations, these Omnissa TechZone guides provide troubleshooting information and steps:

Changelog

The following updates were made to this guide:

| Date | Description of Changes |
|---|---|
| October 2024 | Complete document rewrite. |

About the Author and Contributors

The latest version was written by:

  • Jo Harder, Senior Technical Marketing Architect, Omnissa

Contributors and reviewers:

  • Ben Jacoby, Senior Enterprise Design Architect, Omnissa
  • Chris Halstead, Adoption Product Manager, Omnissa
  • Phil Helmling, Adoption Product Manager, Omnissa
  • George Gritten, Adoption Product Manager, Omnissa
  • Saraubh Jhunjhunwal, Staff Customer Success Engineer

Feedback

Your feedback is valuable.  To comment on this paper, contact Omnissa Technical Marketing at tech_content_feedback@omnissa.com.  
