Keep your Windows Desktop devices secure with Baselines. Workspace ONE UEM curates industry-recommended settings into one configuration to simplify securing your devices.

Keeping your devices configured to best practices is a time-consuming process. Workspace ONE UEM curates best practices and industry-recommended settings into configurations called Baselines. These configurations significantly reduce the time it takes to set up and configure Windows devices.

Cloud-Based Micro-Service

Baselines uses a cloud-based micro service that handles the policy catalog. If you are an on-premises customer, ensure that your environment can communicate with the micro-service.

Baselines Require Constant Connectivity to Device Services

All enrolled Windows Desktop devices that use Baselines require uninterrupted connectivity to the Workspace ONE UEM Device Services (DS) server. Devices need this constant connectivity for baseline statuses to remain current.

If you use a proxy setup or have certain firewall settings, these configurations can interrupt the connection between your Windows 10 devices and the DS server. For example, if devices use a VPN or a restricted network to access resources, this set up interrupts the connection to the DS server. Baselines on these devices are at risk of being out of date.

Types of Baselines

  • Custom - If you have an existing Group Policy Object (GPO) backup file, you can create a custom baseline with those policies. You add additional policies to your existing GPO when creating a custom baseline.
  • CIS Windows 10 Benchmarks - This baseline applies the configuration settings proposed by CIS Benchmarks. To ensure that Baselines use only the best settings and configurations, CIS (Center for Internet Security) certifies VMware to provide industry favorites such as CIS Benchmarks for Windows 10.
  • Windows 10 Security Baseline - This baseline applies the configuration settings proposed by Microsoft.

Baselines are based on the Windows OS version of your devices. You can change the OS version of any baseline later when editing. During configuration, you can choose which baseline to use and customize any of the baseline policies. You can also add any additional policies you need as part of the configuration process. These policies are the Microsoft ADMX policies.

What Happens After You Assign Baselines?

After enrolling a device into Workspace ONE UEM, you can add the device to a smart group and assign a baseline to the group. The device receives and applies all the settings and configurations in the baseline after a device restart. The device checks for the baseline configurations upon publishing the baseline and at the defined check-in intervals. When you push a baseline to a device, Workspace ONE UEM stores a snapshot of the device settings. You can limit the assignment of the baseline using the Exclusions tab of the Assignment dialog box. You can designate smart groups to exclude from assignment.

Baselines Management

You can manage your baselines from the Baselines list view. From here, you can edit and delete existing baselines. If you delete a baseline that was pushed to devices, the device settings revert to before the baseline was published based on the snapshot stored by Workspace ONE UEM.

You can see which baselines are applied to a device in the Device Details page.

Baselines Compliance Status

Ensure that your device follows the baselines with the baseline compliance status. Viewed from the Baseline Details page, the baseline compliance status shows when devices are compliant, intermediate, non-compliant, or not available. Baseline compliance status only applies to baselines created using the UI.
Note: You cannot see the compliance status for custom baselines created using ZIP packages.

Intermediate devices are 85% to 99% compliant. Use this value to see when your devices drop out of compliance. The Not Available status means that the Workspace ONE UEM console does not have a compliance sample for the device. You can force a sample by simply opening the baseline and publishing it again.