Create a baseline that configures your devices to industry-recommended settings and configurations. Workspace ONE UEM curates Baselines based on industry favorites including CIS Benchmarks and Microsoft's Windows 10 security baselines.

Prerequisites

Baselines require that devices are enrolled in Workspace ONE UEM and have the Workspace ONE Intelligent Hub installed.

If you are publishing a custom baseline, you must add the LGPO.exe to all devices that you want to assign a baseline to. You must install the EXE at C:\ProgramData\Airwatch\LGPO\LGPO.exe. If you are using the CIS Benchmark or Windows 10 Security baselines, you do not need to add this file.

Procedure

  1. Navigate to Devices > Profiles & Resources > Baselines and select New
  2. Enter a Baseline Name, Description, and select the smart group the baseline is Managed By. Then select Next.
  3. Select a baseline:
    Setting Description
    CIS Windows 10 Benchmarks This baseline applies the configuration settings recommended by CIS Benchmarks.

    Select the OS version and benchmark level to apply.

    Windows 10 Security Baseline This baseline applies the configuration settings recommended by Microsoft.

    Select the OS version and benchmark level to apply.

    Custom Baseline Upload a ZIP file with a GPO backup. You must create this baseline outside of Workspace ONE UEM. The backup must be less than 5 MB with at least one GPO folder.
  4. Select Next.
  5. Customize the baseline as needed. You can change any of the existing ADMX policies configured in the baseline.
    When creating a custom baseline from a GPO baseline, you cannot customize the existing ADMX policies.

    Ensure you use SIDs when creating User Rights ADMX policies. For more information, see https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems.

  6. Select Next.
  7. Add any additional policies to the baseline. These policies come from Microsoft ADMX files. Search for any policy to add and configure the policy.
  8. Select Next.
  9. Review the summary and select Save & Assign. The summary includes any customized or added policies.
  10. During assignment, enter the smart group containing the Windows 10 devices you want to assign the baseline to. You can redefine which devices get the baseline using the Exclusions tab. Enter the smart groups you want to exclude from assignment.
    Exclusions override assignment. If a device is in an excluded smart group, that device does not receive the baseline. If that device already had the baseline from a previous assignment, the baseline is removed from the device.

Results

Workspace ONE UEM assigns the baseline to all devices in the smart group (besides those devices in excluded smart groups).

What to do next

You must restart the device for the baseline to take effect.