This is a very short post, just showing anyone who is vaguely interested on how to use Workspace One sensors to get additional information on your Windows 10 devices into your WS1 environment.
Workspace One has a feature known as sensors, which are essentially small scripts that can be deployed to your endpoints in order to pull information back about a particular device. The scripts that can be written aren’t groundbreaking as such, however, because these are deployed via Workspace One, these queries don’t require your user to have connectivity to your domain controller, they can be triggered on a schedule or as part of a device event such as logging on and logging off.
The VMware Docs pages give a really good explanation on this here.
Sensors have been around for a while, and over the coming months there will be a tab on your device details page dedicated to the outputs of sensors or if you have access to the pre-release consoles, it’ll be there. This is awesome, especially when you’re wanting to get some particular attributes on a certain machine or subset of machines in your estate that are a little ‘non-standard’.
I’ve put a screenshot in below of the new sensors tab that can be found in the individual device details tab
Let me give you an example. Windows 11 has recently been announced, which is pretty awesome. However if you look through the requirements, the device has to have a TPM 2.0 chip, a compatible processor amongst other things.
Thankfully, the Internet is a wonderful thing, and Kevin Tegelaar on his blog has written a great powershell script which you can run against a machine to confirm compatibility against the requirements. It performs 4 checks against the device:
- Is the TPM chip present?
- Is the TPM chip 2.0 compatible?
- Is the processor comptible
- Is the operating system 64bit (required to upgrade)
In typical fashion, I’ve taken a majority of it, but simplified the output for Workspace One. In short, if you get an output of “True”, the device meets the requirements, if it gets “False” then it failed at least 1 of the 4 checks.
Link to Github for WS1 simplified output code
Its worth noting at this point that VMware provide you with a plethora of very simple powershell scripts in the official repository on Github. Some are very short and simple scripts whereas others are a bit more complex, but I’ve simplified the output of the above script to fall in line with these outputs when displayed in WS1.
You can see below that I’ve assigned that above sensor to a test machine (a VM running on VMware Fusion) and you can see that it has come back as false as the device fails the following checks:
- No TPM Present
- No TPM 2.0 Compatible
Sensors are a fantastic way of obtaining information about 1 or more devices and deploying that query to a central point – your UEM platform. WS1 Intelligence takes this up a gear and allows you to run reports and automation based on the sensor values.
Yet again, VMware are all over this, having not only supported Windows 11 from the day of launch (October 5th 2021), but also providing useful dashboards in WS1 Intelligence to help with the migration and planning. Here is the techzone article if you’ve got access to your company’s WS1 Intelligence portal.
Building on Sensors…..with Freestyle
The great thing about using Workspace One, is that sensors feed into Freestyle Orchestrator. I’ve spoken lots about how this is going to make an EUC team’s job a lot easier, and this is a perfect example of this. So now you have a true or false as to whether a device is compatible with Windows 11. Next, you want to upgrade those devices to Windows 11 right? You don’t want that to be a manual step.
So if you’re a WS1 user already, hopefully you’ll be familiar with the process of using WS1 profiles to define patch policies. Essentially you can use different policies to work to the Microsoft best practice of using patch rings. Which to the lay man, is essentially a waterfall method of applying patches to end user devices, start with a few, and should there be no issues, roll out to the wider estate.
For Windows 11, you need to have two keys on a device to ensure that the update will be available for the device, these are as follows
ProductVersion=Windows 11
TargetReleaseVersion=21H2In the world of Microsoft, certain keys override others, in this case ProductVersion overrides TargetReleaseVersion, although bizarrely, its recommended to have them both. And with WS1, all you need to do is copy the following into a new profile within Workspace One
Install:
<Replace>
<CmdID>262a5fdb-8d1a-4dd9-84c0-2ec2f3308b33</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/TargetReleaseVersion</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>21H1</Data>
</Item>
</Replace>
<Replace>
<CmdID>8a4ef368-d18a-4781-8ff9-f8ca030c3250</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/ProductVersion</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>Windows 11</Data>
</Item>
</Replace>Remove:
<Delete>
<CmdID>262a5fdb-8d1a-4dd9-84c0-2ec2f3308b33</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/TargetReleaseVersion</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data></Data>
</Item>
</Delete>
<Delete>
<CmdID>8a4ef368-d18a-4781-8ff9-f8ca030c3250</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/ProductVersion</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data></Data>
</Item>
</Delete>So it should look something like this:
At this stage, you could apply this to any smart group and they would be able to upgrade to Windows 11, if and only if they met the minimum specs. Now to put some intelligence into this….
Using conditions and payloads in Freestyle Orchestrator, we can install different profiles based on the result of the sensor output. True means the Windows 11 patch, false means we keep on the W10 patch routine.
And that’s why combining Workspace One sensors and freestyle orchestrator gives you the option to create whichever intelligent workflow you wish!
Leave a Reply