Keep your Windows Desktop devices secure with Baselines. Workspace ONE UEM curates industry-recommended settings into one configuration to simplify securing your devices.

Keeping your devices configured to best practices is a time-consuming process. With Baselines, you can keep all your devices secure with industry-recommended settings and configurations. Workspace ONE UEM curates these best practices into configurations called Baselines. These configurations significantly reduce the time it takes to set up and configure Windows devices.

Baselines uses a cloud-based micro service that handles the policy catalog. If you are an on-premises customer, ensure that your environment can communicate with the micro-service. For more information, see the Workspace ONE UEM Recommended Architecture documentation.

To ensure that Baselines use only the best settings and configurations, CIS certifies VMware to provide industry favorites such as CIS Benchmarks for Windows 10. Baselines are based on the Windows OS version of your devices. You can change the OS version of the baseline later when editing. During configuration, you can choose which baseline to use and customize any of the baseline policies. You can also add any additional policies you need as part of the configuration process. These policies are the Microsoft ADMX policies.

If you have an existing Group Policy Object (GPO) backup file, you can create a custom baseline with those policies. You add additional policies to your existing GPO when creating a custom baseline.

After enrolling a device into Workspace ONE UEM, you can add the device to a Smart Group and assign a baseline to the group. The device receives and applies all the settings and configurations in the baseline after a device restart. The device checks for the baseline configurations upon publishing the baseline and at the defined check-in intervals. When you push a baseline to a device, Workspace ONE UEM stores a snapshot of the device settings. You can limit the assignment of the baseline using the Exclusions tab of the Assignment dialog. You can designate smart groups to exclude from assignment.

You can manage your baselines from the Baselines list view. From here, you can edit and delete existing baselines. If you delete a baseline that was pushed to devices, the device settings revert to before the baseline was published based on the snapshot stored by Workspace ONE UEM.

You can see which baselines are applied to a device in the Device Details page.

Ensure that your device follow the baselines with the baseline compliance status. Viewed from the Baseline Details page, the baseline compliance status shows when devices are compliant, intermediate, non-compliant, or not available. Baseline compliance status only applies to baselines created using the UI. You cannot see the compliance status for custom baselines created using ZIP packages. Intermediate devices are 85% to 99% compliant. Use this information to see when your devices drop out of compliance. The not available status means that the Workspace ONE UEM console does not have a compliance sample for the device. You can force a sample by simply opening the baseline and publishing it again.