Workspace ONE UEM will deploy a certificate payload to the managed Win10 device. Workspace ONE Access will issue a certificate challenge to the device based on the root certificate uploaded in WS1 Access. Using the Device ID which is part of the SAN attributes on the certificate, WS1 Access will make an API call to UEM to retrieve the device compliance status.