Using Baselines

Keep your Windows Desktop devices configured to best practices with Baselines. Workspace ONE UEM curates industry-recommended settings into one Baseline configuration to simplify securing your devices. Baselines reduce the time it takes to set up and configure Windows devices.

Cloud-Based Micro-Service

Baselines use a cloud-based micro-service to handle the policy catalog. If you are an on-premises customer, ensure that your environment can communicate with the micro-service.

Baselines Require Constant Connectivity to Device Services

All enrolled Windows devices that use Baselines require uninterrupted connectivity to the Workspace ONE UEM Device Services (DS) server. Devices need this constant connectivity for Baseline statuses to remain current.

If you use a proxy setup or have certain firewall settings, these configurations can interrupt the connection between your Windows devices and the DS server. For example, if devices use a VPN or a restricted network to access resources, this setup can interrupt the connection to the DS server. Baselines on these devices are at risk of being out of date.
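The following PowerShell is an added example, not code from the VMware documentation. Run on a managed Windows device, it reports the three things that usually explain a stale Baseline status: whether the DS server name resolves, whether the device can open a TCP connection to it, and which proxy settings (system-wide WinHTTP and per-user WinINET) are in effect. The DS hostname is a placeholder you must replace, and HTTPS on port 443 is an assumption.

```powershell
# Added example (not VMware documentation code). Checks that a Windows device can
# reach the Workspace ONE UEM Device Services (DS) server and shows proxy settings
# that could interrupt that connection.

function Test-DsConnectivity {
    param(
        [Parameter(Mandatory)][string]$DsHost,   # placeholder: your DS server FQDN
        [int]$Port = 443                          # assumption: DS is served over HTTPS
    )

    $result = [ordered]@{
        DsHost          = $DsHost
        DnsResolves     = $false
        TcpReachable    = $false
        WinHttpProxy    = $null
        UserProxyEnable = $null
        UserProxyServer = $null
    }

    # Name resolution is the first thing a VPN or restricted network tends to break.
    try {
        $null = [System.Net.Dns]::GetHostAddresses($DsHost)
        $result.DnsResolves = $true
    } catch {
        $result.DnsResolves = $false
    }

    # TCP reachability on the assumed HTTPS port.
    if ($result.DnsResolves) {
        $tnc = Test-NetConnection -ComputerName $DsHost -Port $Port -WarningAction SilentlyContinue
        $result.TcpReachable = [bool]$tnc.TcpTestSucceeded
    }

    # System-wide WinHTTP proxy, which services running as SYSTEM use.
    $result.WinHttpProxy = (netsh winhttp show proxy) -join ' '

    # Per-user WinINET proxy, which interactive sessions use.
    $ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    if ($ie) {
        $result.UserProxyEnable = $ie.ProxyEnable
        $result.UserProxyServer = $ie.ProxyServer
    }

    [pscustomobject]$result
}

# Usage (replace the placeholder hostname with your DS server):
$status = Test-DsConnectivity -DsHost 'ds.example.com'
$status | Format-List
if (-not $status.TcpReachable) {
    Write-Warning "Device cannot reach $($status.DsHost); Baseline status on this device may go stale."
}
```

If DnsResolves is true but TcpReachable is false while a proxy is configured, the device is probably reaching the DS server only through that proxy; the Baseline check-in traffic must be allowed on that path as well.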

Types of Baselines

  • Custom
    • If you have an existing Group Policy Object (GPO) backup file, you can create a custom Baseline with those policies. Use the template process to create this custom Baseline.
    • You can also create a custom Baseline without a template. Workspace ONE UEM offers policies in the Create your own process for Baselines.
  • CIS Windows Benchmarks - This Baseline applies the configuration settings proposed by CIS Benchmarks. To ensure that Baselines use only the best settings and configurations, CIS (Center for Internet Security) certifies VMware to provide industry favorites such as CIS Benchmarks for Windows.
  • Windows Security Baseline - This Baseline applies the configuration settings proposed by Microsoft.

Baselines are based on the Windows OS version of your devices. You can change the OS version of any Baseline later when editing. During configuration, you can choose which Baseline to use and customize any of the Baseline policies. You can also add additional Microsoft ADMX-backed policies as part of the configuration process.

CIS Benchmark Considerations

CIS lists the benchmarks below to establish a more secure connection between your server and your devices. However, the CIS Windows Benchmarks Baseline template does not currently support them, so admins must configure these benchmarks themselves. See the applicable Windows Server CIS Benchmark report for details.

  • Configure an Interactive logon title and text for users attempting to log in.
  • Install the LAPS (Local Administrator Password Solution) AdmPwd GPO Extension / CSE.

What Happens After You Assign Baselines?

After enrolling a device into Workspace ONE UEM, you can add the device to a smart group and assign a Baseline to the group. The device receives and applies all the settings and configurations in the Baseline after a device restart. The device checks for the Baseline configurations upon publishing the Baseline and at the defined check-in intervals. When you push a Baseline to a device, Workspace ONE UEM stores a snapshot of the device settings.

How Do I Control the Assignment of Baselines?

You can limit the assignment of the Baseline using the Exclusions tab of the Assignment dialog box. You can designate smart groups to exclude from the assignment.

Baselines Management

You can manage your Baselines from the Baselines list view, found in the console at Resources > Profiles & Baselines > Baselines. From here, you can edit, copy, and delete existing Baselines.

  • Copy: You can copy Baselines and edit a few policies on the Customize and Add Policies tabs to fit the Baseline to another deployment scenario. Select the desired Baseline to display the Copy menu item.
    • You cannot edit the Baseline template. If you need a different template, create a new Baseline.
    • Workspace ONE UEM saves the copied Baseline as Copy of <Baseline Name>, but you can change the name.
    • Save the copied Baseline but do not assign devices to it until you have edited the Managed By field (organization group). You cannot move copied Baselines that already have devices assigned.
    • Organization groups (Managed By) and copied Baselines have caveats.
      • To change the organization group, you edit the copied Baseline after you save it.
      • You can move the copied Baseline to child organization groups or leave it in the original organization group.
      • You cannot move the copied Baseline up the organization group hierarchy. This behavior mirrors the behavior for profiles.
  • Delete: If you delete a Baseline that was pushed to devices, the device settings revert to their previous configurations based on the snapshot stored by Workspace ONE UEM.

You can see which Baselines are applied to a device in the Device Details page.

Example of How To Copy a Baseline

Here is a general example of how you can copy an existing Baseline and update the Managed By field to move the Baseline to a child organization group.

  1. In the Workspace ONE UEM console, go to the applicable organization group.
  2. Go to Resources > Profiles & Baselines > Baselines.
  3. Select a Baseline from the list and select Copy.
  4. Update the name of the Baseline in the Baseline Name field. You cannot update the organization group at this time.
  5. Move through the Baselines wizard making updates as needed. You do not have to make changes; you can select Next on any tab.
  6. On the Summary tab, select Save & Assign.
  7. On the Assign Baseline page, select Cancel. This action cancels assigning devices to the copied Baseline.
    Important: Do not assign devices to your copied Baseline until you have edited the organization group.
  8. Select the copied Baseline in the list and select Edit.
  9. Update the organization group by selecting a child organization group in General > Managed By.
  10. Move through the wizard and select Save and Publish.
  11. Select the copied Baseline and select Assign when you are ready to add devices.

Baselines Compliance Status

Use the Baseline compliance status to confirm that your devices follow their assigned Baselines. Find the Compliance Status in the console at Resources > Profiles & Baselines > Baselines, select the Baseline, and see the Compliance Status card. The Baseline Compliance Status card shows when devices are compliant, intermediate, non-compliant, or not available.

Note: Baseline compliance status only applies to Baselines created using the UI. You cannot see the compliance status for custom Baselines created using GPO backup files.

  • The Intermediate status identifies devices that are 85% to 99% compliant. This status indicates that device compliance with the assigned Baseline has dropped.
  • The Not Available status means that the Workspace ONE UEM console does not have a compliance sample for the device. You can force a sample by opening the Baseline and publishing it again.

Querying Baselines for Compliance Statuses

You can query devices for Baseline samples to refresh the compliance status. To query a Baseline, begin in the Device Details view.

Note: You can query the compliance status of a specific device but not multiple devices at once.

  1. In the Workspace ONE UEM console, go to Devices and select the specific Windows Desktop device from the Device List View.
  2. Select More Actions > Query > Baselines. This process initiates the query command.
  3. To see the updated Baseline compliance status, go to Resources > Profiles & Baselines > Baselines, select the Baseline, and see the Compliance Status card.

Verifying Compliance Status

In the event a setting on the device does not match the Baseline, use the troubleshooting tab in Device Details to verify that Workspace ONE UEM received the device sample.

  1. In the Workspace ONE UEM console, go to Devices and select the specific Windows Desktop device.
  2. Select the Troubleshooting tab in the Device Details view to see the Event Log and the Commands tab.
  3. On the Commands tab, review the list of Baseline query commands. Each command shows one of the following statuses.
    • Queued: The system has entered the command into the server database.
    • Pending: The device has received the request, but has not responded.
    • Processed: The device has sent a sample or the device has the sample queued for the next user session.
  4. On the Event Log tab, look for an event confirming Baseline Sample Response Received.

Creating Baselines

Create a Baseline with templates or without them to configure your devices to industry-recommended settings and configurations. Workspace ONE UEM curates Baselines based on industry favorites including CIS Benchmarks and Microsoft's Windows security Baselines.

Prerequisites

Your devices must be enrolled in Workspace ONE UEM and they must have the Workspace ONE Intelligent Hub installed.

If you are publishing a custom Baseline using a GPO backup file, you must add the LGPO.exe to all devices that you want to assign a Baseline to. You must install the EXE at C:\ProgramData\Airwatch\LGPO\LGPO.exe. If you are using the CIS Benchmark template, Windows Security template, or Create-your-own wizard, you do not need to add this file.
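Two pre-flight checks for custom Baselines built from a GPO backup, as an added PowerShell example (not VMware documentation code): Test-LgpoPrerequisite runs on a managed device and confirms LGPO.exe is at the path stated above, reporting its Authenticode signature state and SHA-256 so you can compare it with the copy you staged; Test-GpoBackupZip runs where you prepare the upload and confirms the ZIP is under 5 MB and contains at least one GPO folder (the limits the console enforces for the Custom Baseline template). The assumption that a GPO backup folder is identified by the Backup.xml inside it reflects the layout Backup-GPO produces.

```powershell
# Added example (not VMware documentation code): pre-flight checks for custom
# Baselines created from a GPO backup file.

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-LgpoPrerequisite {
    # Path is the one the documentation requires on every device assigned the Baseline.
    param([string]$Path = 'C:\ProgramData\Airwatch\LGPO\LGPO.exe')

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Signature = $null; Sha256 = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Present   = $true
        Signature = $sig.Status   # e.g. Valid, NotSigned, HashMismatch
        Sha256    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

function Test-GpoBackupZip {
    param([Parameter(Mandatory)][string]$ZipPath)

    $limitBytes = 5MB
    $size = (Get-Item -Path $ZipPath).Length
    $gpoFolders = @()

    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        # ZIP entry names use forward slashes. Assumption: a GPO backup folder is the
        # directory that contains Backup.xml; a Backup.xml at the ZIP root is not a folder.
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq 'Backup.xml') {
                $dir = $entry.FullName.Substring(0, $entry.FullName.Length - $entry.Name.Length).TrimEnd('/')
                if ($dir -ne '') { $gpoFolders += $dir }
            }
        }
    } finally {
        $zip.Dispose()
    }

    [pscustomobject]@{
        ZipPath        = $ZipPath
        SizeBytes      = $size
        UnderSizeLimit = ($size -lt $limitBytes)
        GpoFolders     = $gpoFolders
        Uploadable     = ($size -lt $limitBytes) -and ($gpoFolders.Count -ge 1)
    }
}

# Usage:
#   Test-LgpoPrerequisite                          # on a device, before assigning the Baseline
#   Test-GpoBackupZip -ZipPath .\gpo-backup.zip    # before uploading the Custom Baseline
```

A device where Present is false will not apply a GPO-backup Baseline, and a ZIP where Uploadable is false is rejected at upload time, so both checks are cheap to run before publishing rather than after devices have restarted.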

Creating with Templates

If you want to use a GPO backup file to create your Baselines, use the template process.

  1. Navigate to Resources > Profiles & Baselines > Baselines and select New.

  2. Select Use template.

  3. Enter a Baseline Name, Description, and select the smart group the Baseline is Managed By. Then select Next.

  4. Select a Baseline.

    • CIS Windows Benchmarks: This Baseline applies the configuration settings proposed by CIS Benchmarks. Select the OS version and benchmark level to apply.
    • Windows Security Baseline: This Baseline applies the configuration settings proposed by Microsoft. Select the OS version and benchmark level to apply.
    • Custom Baseline: Upload a ZIP file with a GPO backup. You must create this Baseline outside of Workspace ONE UEM. The backup must be less than 5 MB with at least one GPO folder.
  5. Select Next.

  6. Customize the Baseline as needed. You can change any of the existing ADMX policies configured in the Baseline. When creating a custom Baseline from a GPO backup, you cannot customize the existing ADMX-backed policies.

    Ensure you use SIDs when creating User Rights ADMX policies. For more information, see Well-known security identifiers in Windows operating systems.

  7. Select Next.

  8. Add additional policies to the Baseline. These policies come from Microsoft ADMX files. Search for any policy to add and configure it.

  9. Select Next.

  10. Review the summary and select Save & Assign. The summary includes any customized or added policies.

  11. During assignment, enter the smart group containing the Windows devices you want to assign the Baseline to. You can redefine which devices get the Baseline using the Exclusions tab. Enter the smart groups you want to exclude from assignment.
    Exclusions override assignments. If a device is in an excluded smart group, that device does not receive the Baseline. If that device already had the Baseline from a previous assignment, the Baseline is removed from the device.

  12. Restart devices to deploy Baselines.
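Step 6 above requires SIDs rather than account names in User Rights ADMX policies. The PowerShell below is an added example, not VMware documentation code: ConvertTo-UserRightsSid resolves the account names you would otherwise type into the SIDs the policy needs, and Test-UserRightsSid checks a SID copied from the well-known SID table back to its account name before you publish. Both use .NET NTAccount/SecurityIdentifier translation on the machine running the script, so built-in and well-known accounts resolve anywhere, while domain accounts resolve only where the domain is reachable.

```powershell
# Added example (not VMware documentation code): account name <-> SID helpers for
# filling in User Rights policies in a Baseline.

function ConvertTo-UserRightsSid {
    param([Parameter(Mandatory)][string[]]$Account)

    foreach ($name in $Account) {
        try {
            $sid = ([System.Security.Principal.NTAccount]$name).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
            [pscustomobject]@{ Account = $name; Sid = $sid; Resolved = $true; Error = $null }
        } catch {
            # Unknown or unreachable account: report it rather than guess a SID.
            [pscustomobject]@{ Account = $name; Sid = $null; Resolved = $false; Error = $_.Exception.Message }
        }
    }
}

function Test-UserRightsSid {
    param([Parameter(Mandatory)][string[]]$Sid)

    foreach ($value in $Sid) {
        $row = [ordered]@{ Sid = $value; WellFormed = $false; Account = $null }
        $sidObj = $null
        try { $sidObj = [System.Security.Principal.SecurityIdentifier]$value } catch { }
        if ($sidObj) {
            $row.WellFormed = $true
            try {
                $row.Account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # Well-formed but maps to no account on this host (for example a domain SID
                # checked from a non-domain machine); leave Account empty rather than fail.
            }
        }
        [pscustomobject]$row
    }
}

# Constructed sample input: built-in groups resolve to well-known SIDs on any machine.
ConvertTo-UserRightsSid -Account 'BUILTIN\Administrators', 'BUILTIN\Backup Operators',
                                  'NT AUTHORITY\LOCAL SERVICE', 'No Such Group' |
    Format-Table -AutoSize
# Expected: S-1-5-32-544, S-1-5-32-551, S-1-5-19, and Resolved = False for 'No Such Group'

# Verify SIDs pasted from the well-known SID table: one valid, one well-formed but
# unassigned, one typo.
Test-UserRightsSid -Sid 'S-1-5-32-544', 'S-1-5-32-54', 'not-a-sid' | Format-Table -AutoSize
```

Run ConvertTo-UserRightsSid on a domain-joined machine when the policy references domain groups; a Resolved = False row is a name to correct before the Baseline is published, not a SID to fill in by hand.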

Creating Your Own

If you do not want to use a template, create your own Baselines without a template.

  1. Navigate to Resources > Profiles & Baselines > Baselines and select New.
  2. Select Create your own.
  3. Enter a Baseline Name, Description, and select the smart group the Baseline is Managed By. Then select Next.
  4. In the Add Policy window, select the Windows OS version, then start to enter a policy name.
    For example, enter User or Computer Configuration and then select the desired policy from the list.
  5. Add additional policies to the Baseline.
    These policies come from Microsoft ADMX files. Search for a policy to add and configure it. These policies are the same ones available with templates, but they display as Not Configured. You must either enable and configure each policy or disable it.
  6. Select the status of this policy on devices as Enabled, Disabled, or Not Configured.
  7. Review the summary and select Save & Assign. The summary includes all policies.
  8. During assignment, enter the smart group containing the Windows devices you want to assign the Baseline to. You can redefine which devices get the Baseline using the Exclusions tab. Enter the smart groups you want to exclude from assignment.
    Exclusions override assignments. If a device is in an excluded smart group, that device does not receive the Baseline. If that device already had the Baseline from a previous assignment, the Baseline is removed from the device.
  9. Restart devices to deploy Baselines.