VMware Digital Workspace Newsletter - Week 19









Weekly highlight:


Best practices for re-enrolling Windows Desktop devices in Workspace ONE UEM (84350)

  • The following are the best practices for re-enrolling a Windows Desktop device into Workspace ONE UEM. 
  • There are three different clients on Windows Desktop devices.
  • Native Device Management Client. (OMA-DM Client)
  • VMware Software Distribution Agent (VMware SfdAgent)
  • Workspace ONE Intelligent Hub

Each of the aforementioned client handles different mobile device management (MDM) tasks. You need to make sure associated records are removed for a clean re-enrollment.





HUBM-5175: On macOS Monterey for Intel devices, the "Force Reboot" functionality in the Software Update profile does not function correctly (88416)

  • For Intel-based macOS devices on macOS 12.0 or higher, the "Force Reboot" functionality in the Software Update payload does not function correctly. If the Workspace ONE Intelligent Hub identifies that an update is available, the user will receive a notification that the update is available and, depending on the configured settings, an option to defer or begin the install. Ultimately, if the user chooses to begin the install, the softwareupdated process will be initiated, but the device will not actually install the OS update.
  • The Workspace ONE team is currently investigating the issue with Apple.
  • Workaround and more info in https://kb.vmware.com/s/article/88416?lang=en_US&source=email


Workspace ONE UEM Windows SCEP Profile certificate request fails when using Certificate Authority with Static Challenge (85956)

  • The Windows SCEP Profile payload fails to successfully install a certificate when using a Certificate Authority that is either:
    1. Configured to use Static Challenge
    2. Configured to use Dynamic Challenge with a Request Template that is missing EKU Attributes
  • Workspace ONE UEM 21.09 and older
  • When using a Certificate Authority with Static Challenge, the certificate payload must contain the CA Thumbprint. Unfortunately, the Certificate Authority configuration does not include a field to add a Root Certificate. This will be addressed with AMST-27570.
  • Windows SCEP profiles also require the configuration of EKU attributes in the Certificate Request Template. The Windows SCEP profile does not validate the Request Template configuration in the profile UI. This will be addressed with AMST-27570.
  • To deploy a Windows SCEP profile, you must create a Certificate Authority configured to use Dynamic Challenge and a Request Template that contains EKU Attributes.
  • The Workspace ONE team is currently working to implement the required changes to support the use of SCEP profiles for Windows
  • As a workaround, you can use the Dynamic Challenge configuration for Certificate Authorities, making certain to add the relevant EKU attributes in the Request Template as required by Windows.
  • KB-Reference: https://kb.vmware.com/s/article/85956?lang=en_US&source=email


Generate Installation Token in Certificate Signing Portal (88462)

  • New Workspace ONE (WS1) customers with an on premise deployment (perpetual licenses) must generate an installation token within the certificate signing portal (found within the My Workspace ONE portal) as part of their initial Workspace ONE UEM install. This token allows them to manually install WS1 UEM on their server.
  • To go into further detail, the certificate signing portal allows customers to sign a public SSL certificate from their vendor with VMware's unique security key to ensure secure communication between their organization's devices and Workspace ONE UEM during device enrollment.
  • Please follow the provided instructions in https://kb.vmware.com/s/article/88462?lang=en_US&source=email


Configuring VMware Tunnel Client for Standalone enrollment (88457)


HW-145794: How to deploy the VMware Identity Manager Connector in Legacy Mode (88033)

  • This article explains how to deploy the connector virtual appliance in legacy mode. Legacy mode requires allowing inbound connections to the connector appliance installed on-premises.
  • VMware Identity Manager Connector for Windows
  • The VMware Identity Manager connector is an on-premises component of VMware Identity Manager that provides directory integration, user authentication, and integration with resources such as Horizon 7. The connector is delivered as a virtual appliance that is deployed on site and integrates with your enterprise directory to sync users and groups to the VMware Identity Manager service and to provide authentication.
  • More info in KB https://kb.vmware.com/s/article/88033?lang=en_US&source=email.


Connection Server fails to send machine identifiers information to Horizon Agent and it becomes unreachable. (88439)

  • Connection server debug logs have log lines similar to:
    DEBUG (18D4-1CB4) <HARequestMsgThread> [PendingOperationSet] com.vmware.vdi.desktopcontroller.VirtualCenterDriver@2a4cbc2 Rejecting Prepare from ConnectionServer03 for DeletingNGVC on /DEVDI/vm/InstantCloneTest/SSDS-Pool2/ssds2-8(/DEVDI/vm/InstantCloneTest/SSDS-Pool2/ssds2-8) as operation underway (collision)
    DEBUG (18D4-1CB4) <HARequestMsgThread> [PendingOperationSet] com.vmware.vdi.desktopcontroller.VirtualCenterDriver@2a4cbc2 Rejecting Prepare from ConnectionServer03 for Configuring on /DEVDI/vm/ManualDesktops/GPU/display-gpu-02(vm-11881) as operation underway (collision)
    DEBUG (18D4-1CB4) <HARequestMsgThread> [PendingOperationSet] com.vmware.vdi.desktopcontroller.VirtualCenterDriver@2a4cbc2 Rejecting Prepare from ConnectionServer03 for RecomputeDigests on /DEVDI/vm/ManualDesktops/NavySW/NavySW-Rhap01(vm-17591) as operation underway (collision
  • Pending Operations on connection server has become unstable and paticipating connection server nodes started rejecting the operations.
  • One of the cause is network related issues which were present intermittently leading to this type of issue. Failing to send the Configure Pending Operation to persist the machine information in VMX settings marks the agent as unreachable.
  • A cleaner way to restore the environment is to shutdown all the connection servers and perform a rolling reboot operation.
  • KB-Reference: https://kb.vmware.com/s/article/88439?lang=en_US&source=email


End of Availability for VMware Horizon Standard Subscription (88256)

  • VMware is announcing the End of Availability (EOA) of the VMware Horizon Standard Subscription edition, effective April 30th, 2022. After this date, Horizon Standard Subscription will no longer be available for purchase. The EOA will not impact existing entitlements to functionality delivered for existing Horizon Standard Subscription customers through the term of their existing subscription.
  • We are excited to announce that existing Horizon Standard Subscription customers can renew on Horizon Standard Plus Subscription upon their existing term renewal. Horizon Standard Plus Subscription entitles customers to deploy VDI and apps on a single private or public vSphere-based cloud while consuming new SaaS services built for TCO reduction of Horizon environments.
  • Customers may also choose to upgrade to Horizon Enterprise Plus Subscription, which provides enhanced functionality over Horizon Standard Plus Subscription. Additionally, customers may also upgrade to Horizon Universal Subscription if they are consuming multi-cloud SaaS services and/or deploying desktop and apps through Horizon Cloud on Microsoft Azure. For more information on Horizon Standard Plus Subscription, Horizon Enterprise Plus Subscription, and Horizon Universal Subscription, visit http://vmware.com/go/horizon.
  • KB-Reference: https://kb.vmware.com/s/article/88256?lang=en_US


VMware Workspace ONE Mobile Flows End of Life Announcement (85939)

  • We are announcing end of availability for new sales of the VMware Workspace ONE mobile flows service. Mobile flows will reach end of general support on August 30, 2022.
  • This means that any out-of-the-box or custom integrations that have been set up for Workspace ONE Intelligent Hub or Workspace ONE Boxer with mobile flows will no longer be supported after August 30, 2022.
  • The Experience Workflows product will be the replacement for 3rd party system integration for micro-apps in Intelligent Hub. You will need to purchase the add-on for the upcoming product release, Experience Workflows for Workspace ONE.
  • You can also request a beta of Experience Workflows through the EUC Beta Portal or through your VMware account representative.
  • KB-Reference: https://kb.vmware.com/s/article/85939?lang=en_US&source=email


Highlighting High Priority KBs


Recently updated or added KBs


Digital Workspace Techzone, Blog and YouTube Updates


3rd Party Blogs and Industry News




Patch & Seed Script Updates Week19-2022




  • Workspace ONE UEM 21.05
    • Patch Level:
    • UM-7437         Automatic LDAP group sync skipped for customer intermittently
    • CMSVC-16057 Evaluate and Improve Scheduler Job resiliency in the event of DB connectivity issue
    • ARES-21981    Device preview page should show exclusions from the current edit only
    • AGGL-11714    Android 11: Work Profile devices are getting Android Legacy Profiles
    • AGGL-11710    CN1919 - DB Systel - Post OP2S migration, Android Devices are consuming commands slowly
    • AGGL-11668    Chrome URLWhitelist/URLBlacklist does not work on the latest Chrome Versions.
    • https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2105/rn/Workspace-ONE-UEM-2105-Release-Notes.html#21-5-0-55-patch-resolved-issues-resolved
    • Last Update: CW18




  • Workspace ONE UEM 22.03
    • Patch Level 22.3.05
    • UM-7449 Admin Groups not updating after Automatic or Manual Sync
    • FCA-202719    Unable to delete devices from console
    • CRSVC-29031  UEM Unenrollment Does Not Send Re-Authentication to User's Other Devices
    • CRSVC-28588  GSX Cert Save Failed Password Invalid
    • CMSVC-16129 Tags Update API fails when organization group id is not passed.
    • AMST-35971   Unable to update internal app assignments for some Windows applications
    • AMST-35916   Blobs being served by DS even when they are present in the CDN and StorageType set to 1
    • AMST-35879   Windows Application Deployment Commands are only cleared after a manual Query or App Sample Query from UEM Console
    • AMST-35867   Seed v2203.3 patch Hub to UEM
    • https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2203/rn/vmware-workspace-one-uem-powered-by-airwatch-2203-release-notes/index.html#resolved-issues-22303-patch-resolved-issues
    • Last Update: CW19