Earlier this year, I wrote a very highly regarded article comparing Intune against Workspace ONE UEM which has gone on to be my top article ever. I’m proud to announce a 3-part series on evaluating Intune against Workspace ONE UEM focusing on Windows, which is really hot right now with Microsoft Endpoint becoming a major player. We will be covering UEM Core, Application Management, and Security in each part. We all know that Microsoft does Windows better than anyone, but can Workspace ONE compete? Let’s find out in part one of this series focused on UEM core functionality.

What is UEM Core?

Before we go too deep, let’s talk about what UEM core actually is. UEM core is your base for Unified Endpoint Management. When we talk about core UEM, we talk about the tent stakes of UEM, which will include device enrollment, CSPs a.k.a profiles, device compliance, scripts, integrations and remote management. Many people regard UEM core as the minimal viable product for device management. Sure, deploying apps and security are very important, but you can run with a solid core.

Device Enrollment Free-for-All

Device Enrollment is an area sometimes overlooked, but is the real gatekeeper for device management. We will look at how Workspace ONE (the underdog) and Microsoft Endpoint Manager (the favorite) handle device enrollment in this face-off. Let’s do it!

Workspace ONE’s Device Enrollment Capabilities

You can slice up device enrollment into a few different areas: enrollment options, dropship provisioning, and enrollment restrictions. Let’s talk about enrolling devices with Workspace ONE.

WS1 Enrollment Options

We have a number of great ways to enroll. We will cover a few of the big ones that are super special. My favorite one is the command line enrollment you can see below.

##Download Intelligent Hub##
Invoke-WebRequest -Uri https://storage.googleapis.com/getwsone-com-prod/downloads/AirwatchAgent.msi -OutFile C:\temp\AirwatchAgent.msi
##Perform Silent Enrollment##
msiexec /i c:\temp\AirwatchAgent.msi /qn ENROLL=Y DOWNLOADWSBUNDLE=false SERVER=ds.awmdm.com LGNAME=mobilejon [email protected] PASSWORD=Password

Another option is doing a straight Workspace ONE Hub enrollment, you simply download the hub via https://getws1.com and input your email address (which will automatically find your WS1 environment), your credentials, and away you go enrollment yay!

The 3rd way you can enroll is what you can consider the new standard for Windows 10 in Azure AD Join. Provided you have Azure AD Premium and you setup your environment like I mentioned recently here, then it delivers a great experience. Basically, during the initial boot you will login with your email address and it automatically enrolls your device. Alternatively, when you login with Azure AD to your company, it will automatically enroll your device.

WS1 Dropship Provisioning

Workspace ONE gets some nice bonus points as they introduced an elevated version of Microsoft Autopilot called Dell Provisioning. You can read more about it here, but the gist is that you can dropship devices to your users that are pre-loaded with a collection of apps and it automates the domain join process. This year, VMware announced additional integrations with Lenovo and HP to do the same thing.

VMware does offer a few other lesser used enrollment options that you can read about here. Overall, they do an excellent job offering a few different solutions for enrollment. Now, we move onto the final part with enrollment restrictions.

WS1 Enrollment Restrictions

Enrollment restrictions are pretty basic. We can enforce restrictions to ensure that only company-approved operating systems can enroll, which is really what you need. I think it would be nice to enforce deeper enrollment restrictions, like security posture or something along those lines, but I’m good with what they are currently offering.

Workspace ONE’s Enrollment Score: 8.5

Intune’s Device Enrollment Capabilities

Intune enrollment is separated into the enrollment options that you have and enrollment restrictions. Let’s see if they can keep up with our friends at VMware!

Intune Enrollment Options

Intune’s device enrollment options are a bit more limited than Workspace ONE, which isn’t necessarily bad. Microsoft focuses heavily on the built-in capabilities in Windows 10 and relies on them. One of the things that I absolutely love is that the Intune Company Portal app (their enrollment agent) relies on Azure Same Sign-On and seamlessly logs you in the second you launch it. Just a fantastic user experience:

Coupled with that, a great feature Microsoft offers is the “Enrollment Status Page” which builds on that user experience I was talking about to deliver an informative approach to the enrollment. VMware offers a version of this, but only during OOBE that will show you the installation status I don’t talk about it much because its OOBE only and it should be more honestly. As you will read below, Microsoft’s is much more vast. Personally, VMware should add in some flags for apps to be required during OOBE:

You can configure a few different things to customize the Intune Enrollment Status Page:

• Set a time limit to complete installations and force it to error out.
• Decide whether to limit the status page to OOBE devices.
• Block device use until apps and profiles are installed.
• Allow users to reset device if install errors happen.
• Allow users to use device even if install errors happen.
• Block device access until required apps are installed.

Intune supports the same Azure AD join automated enrollment we referenced with Workspace ONE, which as highlighted earlier is an excellent offering. The one thing that hurts Microsoft is their lack of a dropship provisioning solution, which would be a great offering but as you will learn later integrations are still a weakness of Intune. You can read more about other enrollment options here, but I hit on the ones that I think matter.

Intune Enrollment Restrictions

As I’ve written about in the past, some stuff is sort of mailed in with Intune. They try to meet the minimally viable functionality. The enrollment restrictions are “ok” but they could be much more admin friendly. You’re expected to enter the right version numbers minimum and maximum to control who can enroll. I wish they made a bit more effort to simplify.

Intune’s Enrollment Score: 8.25

Workspace ONE’s Device Policy

When we discuss profiles, it’s really more about policy. In Workspace ONE, we cover policies with Windows 10 Profiles a.k.a. CSPs (Configuration Service Providers) and Windows Baselines. Both will be discussed as in the spirit of profiles, we are focused on deploying configuration to devices to take the concept of group policy to the cloud.

Workspace ONE Profiles

In Windows 10, you can deploy profiles at the user level or the device level. It’s a nuanced difference, but something that is not available with Microsoft Intune. By deploying to the user, certain payloads will only be available at the user level such as:

• VPN
• Credentials Payloads
• Single App Mode
• Web Clips
• Exchange ActiveSync
• SCEP
• Exchange Web Services
• Windows Hello
• User Data Sync aka Common Folder Sync
• Custom XML Payloads

Additionally, you can deploy profiles at the device level which gives you a few more options:

• Password
• Wi-Fi
• VPN
• Credentials
• Restrictions
• Defender Exploit Guard
• Data Protection
• Windows Hello
• Firewall
• Anti-Virus
• Encryption
• Windows Updates
• Proxy
• OEM Updates
• SCEP
• Application Control
• Windows Licensing
• Kiosk
• Personalization
• Peer Distribution
• Custom XML

There is obviously a ton of value when leveraging CSPs, but the clear challenges come as you try to transition away from domain-join and GPOs. On average, you can usually achieve 50-60% of your GPOs via CSPs. This 40% gap is something that VMware has been working on addressing whereas Microsoft sort of does baselines, but not in a very flexible manner. Let’s talk about Baselines.

Workspace ONE Baselines

Windows baselines are not a new concept. People have been using them for a long time in the server world. The basic idea is that baselines are a collection of industry-recommended settings to a device. The idea behind Windows 10 baselines are to bridge the gap between CSPs and GPOs. Workspace ONE powers CSPs with a cloud-based micro-service powering this amazing competitive advantage. VMware has a few different types of baselines:

• CIS Windows 10 Benchmarks that are built based on proposed benchmarks from CIS. One of the great things here is that they offer L1 and L2-level benchmarks that offer from solid attack surface protection to defense-in-depth.
• Windows 10 Security Baselines are proposed by Microsoft
• Custom Baselines are imports of GPO Backups powered by LGPO which you need to deploy to C:\ProgramData\Airwatch\LGPO\LGPO.exe

We’ll take you through a quick demo on creating baselines below. Just an additional reminder, you have to reboot to get your baseline to apply just like many GPOs.

As you can see, baselines coupled with CSPs bring security to the forefront on your Windows devices. VMware’s ability to not just deploy baselines, but allow you to add optional policies and upload custom policies provides a great solution.

Workspace ONE’s Policy Score: 8.75

Intune’s Device Profiles

I would say that my biggest issue with Intune profiles are that they split them between the “Configuration Profiles” section and the “Endpoint Security” section which is a bit confusing. Otherwise, they really hit a home run on their ability to customize. Some of the areas they address that VMware doesn’t are:

• Administrative Templates (gives you the ability to deploy most of the GPO items that you “might” be able to loop into one of the Workspace ONE baselines.

• More settings in caching, with the ability to delay downloads, advanced caching settings, setting RAM, disk, battery, and content sizes.
• Deeper Bios/UEFI configuration to let you disable hardware components and boot capabilities.
• Substantially deeper in device restrictions (read more here as there’s too many).
• Domain Join
• Edition Upgrade Profiles
• Endpoint Protection Profiles

• Deeper Windows Hello with PIN expiration, PIN recovery, anti-spoofing, and support for certificate trust
• Defender ATP Onboarding
• Network Boundaries
• Shared Device Profiles
• Deeper BitLocker settings e.g. recovery key rotation and hiding prompts

As expected, Intune’s support FAR exceeds the capabilities inside of Workspace ONE. You “could” handle some of this with registry keys, scripts, etc. but overall it’s a significant gap when you look at it without bias.

Intune Baselines

Intune supports your standard Windows baseline with very little wiggle room. You can modify the settings as you can see below, but otherwise that is the extent of it. One could argue that if you combine profiles and baselines of Microsoft against VMware that they are reasonably close. The difference-maker is that Intune makes it significantly easier to configure the profiles and settings that you are looking for.

Intune’s Policy Score: 9.75

Workspace ONE’s Device Compliance Capabilities

Workspace ONE’s device compliance is fairly straight forward. We can use the following aspects of Windows 10 to perform compliance tasks:

• MDM Terms of Use (within a certain period)
• Antivirus Status (Good, Not Monitored, Poor, Snoozed)
• Automatic Updates (Install Auto, Check but Choose, Never Check, etc.)
• Device Environment Status (Boot Debugging Enabled, OS Kernel Debugging Enabled, Safe Mode, Test Signing Enabled, VSM Enabled, WinPE)
• Device Last Seen (within a certain period)
• OMA DM Client Last Seen (within a certain period)
• Encryption (not encrypted)
• Firewall Status (Good, Not Monitored, Poor, Snoozed)
• OS Version (within a certain version)
• Passcode (not present)
• Roaming (is roaming)
• Compromised Status (compromised or not)

Based on what you choose, you can take an action:

• Block/Remove All Managed Apps or Specific Apps
• Wipe or Force Device Check-In
• Block/Remove All Profiles or Specific Profile
• Send Notifications

Overall it’s very effective traditionally, you can also leverage the native mail app using ActiveSync to enforce email compliance policies (but not many people aren’t using Outlook if we’re honest).

Workspace ONE’s Compliance Score: 9.5

Intune’s Device Compliance Capabilities

Intune focuses on different areas for device compliance:

• Device Health (BitLocker, Secure Boot, Code Integrity)
• OS versions and builds
• SCCM Compliance
• System Security (Password enabled, Encrypted, Firewall, TPM, AV, Antispyware, Defender Antimalware, Defender update status, Defender real-time protection)
• Defender ATP Risk Score Threshold

The actions they support are pretty underwhelming (email and retire), which is just not a good user experience. I will admit that Intune compliance offers a few nice areas like enforcing some of the key security mechanisms like secure boot and risk scores, but overall it’s a real dud compared to how great they are doing with profiles.

Intune’s Compliance Score: 7.5

Workspace ONE’s Script Support

VMware has invested a ton of effort into script deployment, which is a key feature for many platforms. Not only can you deploy scripts, but you can bundle numerous tasks and actions into a single “product” to let you do some amazing things. They will be evolving the current offering early in 2021 with Freestyle Orchestrator which revolutionizes things with the ability to build profiles, apps, and scripts together harmoniously.

Workspace ONE delivers this currently with “Product Provisioning” where you build a package of files/actions and deploy them with a “product”

You start with uploading some files as you can see below:

Once done, you add in actions known as manifests, where you can add multiple actions that are executed in order supporting several action types:

• Copy Files
• Create Folders
• Delete Files
• Install
• Move Files
• Remove Folders
• Rename Files
• Rename Folders
• Run
• Terminate
• Uninstall

One of the ways that they elevate this is within products where you can set dependencies, schedule deployment times, and specify conditions whether to run the product or not. It’s nice that you can tell it to run every 15 minutes on certain days, if the PC is plugged in, or if storage is encrypted.

Workspace ONE’s Script Score: 9

Intune’s Script Support

This was an area that I was VERY disappointed in. Microsoft does Windows better than anyone. Why is this all we can do? Running scripts as system or user (no admin) is a really easy thing to fix so I’m sure why that’s like this. Then there’s the whole “we don’t support batch files in Windows 10” SERIOUSLY MICROSOFT?

I would love to write more about script deployments in Intune but this is all they have. I’m incredibly disappointed in their efforts here.

Intune’s Script Score: 5

Workspace ONE PC Integrations

I could spend days talking about integrations, but we will focus on a few key areas that matter to PCs. Let’s discuss Workspace ONE Sensors, Workspace ONE Assist, and Workspace ONE Intelligence Integrations.

Workspace ONE Sensors

Workspace ONE Sensors are basically scripts that execute on the enrolled device, collect data, and write it up to Workspace ONE intelligence to fire off automations. You can access many of the sample scripts here. One that I wrote you can see here:

# Returns the current O365 Version
# Execution Context: System
$key = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64)
$subKey = $key.OpenSubKey("SOFTWARE\Microsoft\Office\ClickToRun\Configuration")
$regkey_value = $subKey.GetValue("ClientVersionToReport")
return $regkey_value

You can build an automation with this that will take an action in the event your sensor tells you that they are on an old version of Office for example:

Some of the other actions that you can take with Workspace ONE can be seen here:

Workspace ONE Assist

I won’t spend too much time on this since you can read about assist here and you can enjoy the demo below. Basically, Assist is VMware’s remote management application that delivers a user-friendly experience that enables you to help your remote workers.

Workspace ONE Intelligence Integrations

VMware’s bread and butter is their reliance on a great group of partners. In Workspace ONE intelligence alone, you have the following integration points for PCs:

• Carbon Black
• Check Point
• Lookout
• Netskope
• Pradeo
• Wandera
• Zimperium

You can see below, one of the templates that show you how their automation powers a strong security posture:

VMware has several other partners in their Trust Network that enable you to do amazing things. Additionally you have many other things outside of security you can do with their integrations, such as the VMware Virtual Assistant and Mobile Flows. Overall, the possibilities are endless through a great UI to integrate APIs and their willingness to only limit you to your effort and creativity.

Workspace ONE Integration Score: 9

Intune Integrations

Microsoft Intune offers a few integration options for Windows. The most important one is the TeamViewer, which enables your remote management strategy. Overall, its a super easy thing to setup as you can see its just clicking a few buttons and logging into TeamViewer to authorize Intune:

You can check out the TeamViewer demo video below to give you a better idea of things:

You also have a few other integrations available like Cisco ISE integration, but overall Microsoft relies heavily on their product line and how it integrates across their suite, such as their EDR, Microsoft Defender ATP. You can also leverage Microsoft Flow to send user notifications post enrollment as read about here. My experience has been that Intune requires you to work a bit more directly with the other technologies to build custom solutions to problems. Another example that I love is this article where someone uses PowerShell and Flow to import devices into Autopilot.

Intune Integration Score: 8

Who’s the Winner?

So let’s tally things up. You can see below who won overall across our 5 main categories.

Product	Enrollment	Policies	Compliance	Scripts	Integrations/Remote Support	Total Score
Microsoft Intune	8.25	9.75	7.5	5	8	38.5/50
VMware Workspace ONE	8.5	7	9.5	9	9	43/50

Honestly, it’s a bit misleading. Grading policies is impossible because VMware does a really good job so it’s hard to give them a lower score even though Microsoft crushes them in this department. I think once you work out the “how” when it comes to deploying policies in Workspace ONE it is overall a better offering for PCs. Another item to consider is that TeamViewer is substantially cheaper than Workspace ONE Assist. These things matter. TeamViewer is only $2400 a year for 3 technicians, which is pretty short money. Comparatively, Assist will run you $10K for 3 years per 1000 devices roughly.

Final Thoughts

I thought I would share a few final thoughts on Part 1. Honestly, I was shocked that Intune didn’t destroy Workspace ONE on Core UEM. Intune continues to show rampant inconsistencies across their product line. They do such an amazing job on enrollment and policies, but they punt everything else basically. The argument to be made is “should being great at enrollment and policies” trump everything else? I would argue that with an emphatic NO. Compliance and scripts matter period. You can’t just be “good” at one thing and expect it can carry you. I would expect the lack of deployment capabilities for scripts especially zero batch file support in Windows will eventually catch up with you and cause major pain points. I’ll see you soon with Part Two. Everyone have a happy holiday!