Recently, I have written a few articles on Windows 365 as an organization at Synterex who is part of the Green Business certification challenged to reduce our carbon footprint. Additionally, fresh off the announcement in Barcelona at VMware Explore we will be exploring the fine world of Workspace ONE Registered Mode in Windows 365 to deliver DEEM inside of your Cloud PC. We will explore the easy setup inside of the WS1 console, deploying the client via Microsoft Endpoint Manager, and what my onboarding experience was like on my Cloud PC.
To be fully clear, the analytics we get inside of Microsoft Endpoint Manager are decent, but it is not DEEM. I think foundationally it is great, but we need to ability to enact instanteously on that data and proactively deliver support. DEEM is more than a buzzword and possibly the most impactful IT technology right now post-COVID. Without any further delay let’s get started!
What is WS1 Registered Mode?
Before we get too crazy, let’s talk about what Registered Mode actually is. Don’t get me wrong as VMware has decent documentation on this also. Let’s consider the model introduced by Good, which we now call “App Level Management” where you don’t fully enroll a device, but you enroll at the application level. Your company can only see what is in that application and everything else outside of it is “unknown.”
The concept is simple and elegant at the same time. With registered mode, you can simply log into the Workspace ONE Hub and perhaps you can install certain applications. This mode is called “Registered Mode” which is basically “App-Level Management” of the Hub.
Now, the EMM Managed Access concept comes into play. Any app that has EMM Managed Access enabled will require the user to do a “Step-Up Enrollment” (my words) to a full MDM experience. The reasons for it might vary e.g. requires VPN, privacy reasons, or just because your company feels like it. As you will come to learn, registered mode doesn’t play that well at this point with Windows 10, but it is a very solid foundation for iOS and Android user experiences in Workspace ONE.
Setting up Workspace ONE UEM for Windows Registered Mode
Much to my surprise, it is really easy setting up WS1 UEM Registered Mode. Honestly, the biggest effort is that you need a separate Org Group to handle it. As we discussed in the previous section, the idea around registered mode is that you will run into a situation to requires you to upgrade your enrollment to a fully-managed device. That isn’t the case in Windows 10/11 so it requires a bit of creativity.
As you will see in the video below, we setup a separate Organization Group for our Windows 365 devices and enable registered mode for Windows inside of that Org Group.
So, that was pretty simple. Next, we will cover the deployment of the Hub that makes the entire engine go!
Deploying WS1 Hub via Endpoint Manager to Cloud PCs
Now, we will deploy the WS1 Hub via Intune. The key is to write your command line argument correctly. That code is below: (obviously you can omit the AirwatchAgent.msi portion).
AirwatchAgent.msi /quiet ENROLL=Y SERVER=ds1688.awmdm.com LGName=SynterexWindows365 USERNAME=stagingsynterex PASSWORD=password ASSIGNTOLOGGEDINUSER=Y
It’s really simple as are all MSI deployments with Endpoint Manager. You just upload the MSI and pop in the command line argument and away you go! Check out the video to see more on how you make this happen:
As you saw, it’s simple. The application comes down from Endpoint Manager and it will be seamless if you are using Active Directory or you will need to provide a little bit of information if you’re Azure AD joined.
The Initial User Experience of Standalone Mode on Windows 365
The onboarding experience will vary as you will see in my video below, which focuses on an Azure AD join-Cloud PC environment. In a standard AD-joined or Hybrid environment it will be fully seamless on next login. In my case, I will just need to enter in my group ID and authenticate to complete my DEEM setup.
As you saw, it was minimally invasive at worst. You may need to login once, but once that is done you can go back to business as usual. As I wrote in the past, DEEM can be really useful. This isn’t going to be for everyone as some companies won’t have Intune and WS1 co-exist.
Summing Up My Thoughts on Standalone DEEM
Delivering a true Windows 365 DEEM solution is very beneficial to everyone. A few of the reasons I think it’s great are:
- You unify your Desktop Experience data to a single-pane-of-glass.
- The ability to execute scripts locally on Windows 365 devices when certain scenarios hit.
- Notifications can be delivered near instantly to your Cloud PCs
- Ties nicely with Experience Workflows to perform one-touch approvals from your Cloud PC with ease
Inevitably, DEEM has been largely a two-horse race for a few years with Nexthink and ControlUp. The real question is can VMware be a major player in this space. I believe the potential IS there, but can they move quickly enough and deliver on some of the major tenets of DEEM like Root Cause Analysis, deeper automation, and simplicity that guides desktop support and helpdesks to solving problems and delivering proactive support. Inevitably, proactive support is the next great frontier in IT, which we must strive for true greatness.