So given I’m enjoying my work using Workspace One at the moment, I thought it be as well that I note down some of the processes that I’ve followed in preparation for factory provisioning of devices from Dell. This has been a pretty simple process, but its always good to write this stuff down – so here goes…

Workspace One is fantastic as a centralised management tool to put on all your end user devices, but do you want to manually install the Intelligent Hub app on each machine? And what about when a user recieves a new machine – you want it done automatically right? So one of the advantages of Dell owning VMware is that they are keen to provide an enhanced service over that of their competitors and this is one of those situations.

Workspace One UEM has a feature known as Factory Provisioning, essentially the term used for sending WS1 configurations to Dell, so they can provide you a fully-WS1-enrolled device with preinstalled applications.

How does it work?

Honestly, its pretty simple. Within WS1 UEM, go to:

Devices > Lifecycle > Staging > Windows

From there, click New, give the Provisioning package a name and a description if you wish

Next up, you have a choice, as to whether you wish to create a ‘standard’ package, or an encrypted one. You’ll see the terminology of PPKG and XML used here. Essentially, the PPKG is the provisioning package itself – that will contain your configuration and application packages, whereas the XML is a Windows standard which allows you to automate the Windows 10 startup experience. For the purposes of this guide, I’m just going to choose the standard package.

It then gets a bit juicy, as you get presented with a configuration page, which look daunting in comparison to previous steps in the wizard, but Workspace One does a great job of hand holding you along the way.

You get 3 options to automate the package deployment:

  1. On-Prem Domain Join
    • Essentially, this assumed that the machine will be deployed on your corporate network with access to your domain controllers. It doesn’t require you to have any additional server or cloud infrastructure to work.
  2. Workgroup
    • This is perfect for businesses who don’t use any central directory service, such as Active Directory or Azure. Probably the simplist of options to configure.
  3. Azure Active Directory – No Premium
    • If you’re a business that uses Azure AD but doesn’t own any of the Microsoft Premium subscriptions (at the time of writing there is Premium P1 & P2) then this is the option for you. Selecting this, means you don’t need to on your corporate network to enroll your device, so devices could be shipped to the users’ home.
  4. Azure Active Directory – Premium
    • This is for a business who owns one of the Microsoft Premium subscriptions, and will allow you to utelise options such as Autopilot to improve your user experience when receving the new device. Again, devices can be shipped directly to a users’ home with this option.

So that is your main decision to make. There isn’t much more complex as we go down the list. For the purposes of this guide, I’ve chosen On-prem AD join.

Decide whether you want to show the EULA, privacy settings and region settings. Set the OS language, region and keyboard settings.

Put in the credentials of a user with the authorisation to join machines to the domain and set an OU for the machine to land in.

Define the registered owner and organisation (this will form the device name).

If you’ve got a Windows 10 Enterprise or Education key, put this in, and you can then remove the Microsoft Bloatware (consumer apps – Xbox, etc).

It’ll then allow you to create local accounts, define the admin account passwords, whether to enabled the dreaded UAC (ew!) and then any scripts you want to run before the user logs in or after they’ve logged in.

Last but not least, you need to tell Dell the details for enrolling the device into the right Workspace One tenancy. Literally 4 fields is all you need to do, and the helpful information links spoon-feed you.

After you’ve clicked next, you’ll get the applications screen. This allows you to pre-package some of your applications to include on your factory image. The idea of this is to put some of your larger installs onto your image at the factory, so your users aren’t waiting forever on their lousy 10MB BT Internet to download Gbs of MSIs or EXEs. The only caveat is that the applications have to be offline installers, as the Dell factory doesn’t allow the images to talk out to the internet, but if you’re clever on the packaging of your apps (put all needed files into a zip with a script to install) then this shouldn’t be a problem.

Once you’ve done that, you’re done. Click through the summary page, and click Finish. Give WS1 a few mins to produce the two files you need and download them – you’ll be giving them to Dell when you’re happy your image works.

Time for Testing (yawn…)

Yep, even us bloggers do testing. Thankfully the WS1 guys and gals have us covered here too. Spin up a Windows 10 VM on your chosen desktop virtualisation software, (Virtualbox, VM Fusion, VMWorkstation) and boot it into audit mode (you’ll know, because the Windows sysprep windows will show up). Download (or copy from your host machine) a copy of the VMware WS1 Provisioning Tool. At the time of writing, this is version 2.3.2 and can be got from

Copy over your PPKG and XML files to your virtual W10 machine, open up the provisioning tool and STOP! Take a snapshot – it’ll save you time later – trust me 🙂

Then you can either just test your apps, or go through the whole process of joining it to your domain and WS1 enrollment too.

If you go through the full process, once it has finished, it will boot up into that admin account you set up within the WS1 console. You can check that it has enrolled within WS1 under your staging account (you defined that earlier too) and also load up the Intelligent Hub app to see whether it has enrolled successfully there too. Check that your machine has landed in the correct OU in your AD domain

If all is good, log out and get your user to log on using his or her domain credentials and WS1 will change the registration of the machine away from the staging account and assign it to your user.

You’re pretty much done at this point as your experience for this user will depend on which apps you’ve asked to automatically deploy (dependant on the Smart Groups) and which apps you allow your users to install on-demand. Any profiles will be applied to machine (such as patching policies, etc).