KB – Enterprise Reset prerequisites
The Enterprise Reset option is not always shown in the Workspace One console. The device must meet certain requirements. If one of the requirements is not met, the Enterprise Reset option will not shown in the console – even if you are able to trigger Enterprise Reset via API.
There is a new update of the prerequisites implemented with 21.01 Intelligent HUB. See the updated part in the bottom.
All those prerequisites need to be met:
- Windows 10 version on device should be greater than or equal to 1709.
- Device ownership should be Corporate owned (corporate shared or corporate dedicated).
- Publish Hub setting is enabled (on console -> All Settings -> Devices & Users -> Windows -> Windows Desktop -> Intelligent Hub Application -> Publish Workspace ONE Intelligent Hub check box enabled and also checkbox enabled for required ownership types).
- Hub version on Device should be greater than or equal to 18.11.0.0
- Privacy Setting should allow Device Wipe (on console -> All Settings -> Devices & Users -> General -> Privacy -> check for Device Wipe enabled for ownership type under Commands Section)
- Device Guard should be disabled on the Device
Especially the last point is interesting and needs more explanation.
Device Guard / Credential Guard
To get the current Device Guard configuration you need to run this PowerShell command:
Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuardAfter running the command, you will get the following output:
AvailableSecurityProperties : {1, 2, 3, 4...}
CodeIntegrityPolicyEnforcementStatus : 0
InstanceIdentifier : 4ff40742-2649-41b8-bdd1-e80fad1cce80
RequiredSecurityProperties : {0}
SecurityServicesConfigured : {0}
SecurityServicesRunning : {0}
UsermodeCodeIntegrityPolicyEnforcementStatus : 0
Version : 1.0
VirtualizationBasedSecurityStatus : 2
PSComputerName :So, what does the properties and values mean?
| Properties | Description | Valid values |
| AvailableSecurityProperties | This field helps to enumerate and report state on the relevant security properties for Device Guard. | 0. If present, no relevant properties exist on the device. 1. If present, hypervisor support is available. 2. If present, Secure Boot is available. 3. If present, DMA protection is available. 4. If present, Secure Memory Overwrite is available. 5. If present, NX protections are available. 6. If present, SMM mitigations are available. Note: 4, 5, and 6 were added as of Windows 10, version 1607. |
| InstanceIdentifier | A string that is unique to a particular device. | Determined by WMI. |
| RequiredSecurityProperties | This field describes the required security properties to enable virtualization-based security. | 0. Nothing is required. 1. If present, hypervisor support is needed. 2. If present, Secure Boot is needed. 3. If present, DMA protection is needed. 4. If present, Secure Memory Overwrite is needed. 5. If present, NX protections are needed. 6. If present, SMM mitigations are needed. Note: 4, 5, and 6 were added as of Windows 10, version 1607. |
| SecurityServicesConfigured | This field indicates whether the Credential Guard or HVCI service has been configured. | 0. No services configured. 1. If present, Credential Guard is configured. 2. If present, HVCI is configured. |
| SecurityServicesRunning | This field indicates whether the Credential Guard or HVCI service is running. | 0. No services running. 1. If present, Credential Guard is running. 2. If present, HVCI is running. |
| Version | This field lists the version of this WMI class. | The only valid value now is 1.0. |
| VirtualizationBasedSecurityStatus | This field indicates whether VBS is enabled and running. | 0. VBS is not enabled. 1. VBS is enabled but not running. 2. VBS is enabled and running. |
| PSComputerName | This field lists the computer name. | All valid values for computer name. |
In addition Workspace One checks the following properties if Device Guard is active:
SecurityServicesConfigured is 1 or 2
and SecurityServicesRunning is 1 or 2
and VirtualizationBasedSecurityStatus equals 2
If all of the above values are given, Device Guard is activated and Workspace One will NOT show the Enterprise Reset option!
In conclusion, this also means that if you have Credential Guard and/or Device Guard enabled, the option will also not shown in the console.
Windows RE
If the option is shown in the console but the command failed, make sure Windows RE is enabled.
To get the current status, run the following command:
reagentc /info
Windows RE status as to be “Enabled”, otherwise the Enterprise Reset command will fail:
To enable Windows RE run:
reagentc /enableUPDATE
All those prerequisites need to be met:
- Windows 10 version on device should be greater than or equal to 1709.
- Device ownership should be Corporate owned (corporate shared or corporate dedicated).
- Publish Hub setting is enabled (on console -> All Settings -> Devices & Users -> Windows -> Windows Desktop -> Intelligent Hub Application -> Publish Workspace ONE Intelligent Hub check box enabled and also checkbox enabled for required ownership types).
- Hub version on Device should be greater than or equal to 18.11.0.0
- Privacy Setting should allow Device Wipe (on console -> All Settings -> Devices & Users -> General -> Privacy -> check for Device Wipe enabled for ownership type under Commands Section)
- Device Guard is allowed if running in kernel mode
- Device Guard in user mode is not supported
- Credential Guard is fully supported
Empowering customers in client management since 2012.
Empowering customers in modern management since 2018.