Keep your Windows Desktop devices configured to best practices with Baselines. Workspace ONE UEM curates industry-recommended settings into one Baseline configuration to simplify securing your devices. Baselines reduce the time it takes to set up and configure Windows devices.
Baselines use a cloud-based microservice to host the policy catalog. If you are an on-premises customer, ensure that your environment can communicate with this microservice.
All enrolled Windows devices that use Baselines require uninterrupted connectivity to the Workspace ONE UEM Device Services (DS) server. Devices need this constant connectivity for Baseline statuses to remain current.
A proxy or certain firewall settings can interrupt the connection between your Windows devices and the DS server. For example, if devices can reach resources only through a VPN or a restricted network, the connection to the DS server can be interrupted, and Baselines on those devices risk going out of date.
Baselines are based on the Windows OS version of your devices. You can change the OS version of any Baseline later when editing it. During configuration, you choose which Baseline to use and can customize any of the Baseline policies. You can also add further Microsoft ADMX-backed policies as part of the configuration process.
CIS recommends the listed benchmark settings to establish a more secure connection between your server and your devices. However, the CIS Windows Benchmarks Baseline template does not currently include these settings, so admins must configure them manually. See the applicable Windows Server CIS Benchmark for details.
After enrolling a device into Workspace ONE UEM, you can add the device to a smart group and assign a Baseline to the group. The device receives and applies all the settings and configurations in the Baseline after a device restart. The device checks for the Baseline configurations upon publishing the Baseline and at the defined check-in intervals. When you push a Baseline to a device, Workspace ONE UEM stores a snapshot of the device settings.
You can limit the assignment of the Baseline using the Exclusions tab of the Assignment dialog box. You can designate smart groups to exclude from the assignment.
You can manage your Baselines from the Baselines list view, found in the console at Resources > Profiles & Baselines > Baselines. From here, you can edit, copy, and delete existing Baselines.
A copied Baseline is named Copy of <Baseline Name>, but you can change the name. You can see which Baselines are applied to a device in the Device Details page.
Here is a general example of how you can copy an existing Baseline and update the Managed By field to move the Baseline to a child organization group.
Use the Baseline compliance status to verify that your devices follow the Baseline. Find it in the console at Resources > Profiles & Baselines > Baselines: select the Baseline and view the Compliance Status card, which shows how many devices are compliant, intermediate, non-compliant, or not available.
Note: Baseline compliance status only applies to Baselines created using the UI. You cannot see the compliance status for custom Baselines created using GPO backup files.
You can query devices for Baseline samples to refresh the compliance status. To query a Baseline, begin in the Device Details view.
Note: You can query the compliance status of a specific device but not multiple devices at once.
If a setting on the device does not match the Baseline, use the Troubleshooting tab in Device Details to verify that Workspace ONE UEM received the device sample.
Create a Baseline with or without a template to configure your devices to industry-recommended settings. Workspace ONE UEM curates Baselines based on widely used standards, including the CIS Benchmarks and Microsoft's Windows Security Baselines.
Your devices must be enrolled in Workspace ONE UEM and they must have the Workspace ONE Intelligent Hub installed.
If you are publishing a custom Baseline using a GPO backup file, you must add LGPO.exe (Microsoft's Local Group Policy Object utility, shipped in the Security Compliance Toolkit) to every device you want to assign the Baseline to. Install the EXE at C:\ProgramData\Airwatch\LGPO\LGPO.exe. If you are using the CIS Benchmark template, Windows Security template, or Create-your-own wizard, you do not need to add this file.
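The following PowerShell script is an added example and is not part of the Workspace ONE UEM documentation. Run it on an enrolled Windows device to check the prerequisites above together with the DS connectivity that a proxy, VPN, or firewall can break. It assumes that $DsHost is your Device Services hostname, that the Intelligent Hub's Windows service is named AirWatchService, and that LGPO.exe is the Microsoft-signed binary; adjust those assumptions to your environment.

```powershell
# Added example, not part of the Workspace ONE UEM documentation.
# Assumptions: $DsHost is the Device Services hostname, the Intelligent Hub service
# is named 'AirWatchService', and LGPO.exe carries a Microsoft Authenticode signature.
param(
    [Parameter(Mandatory)] [string] $DsHost,
    [switch] $CustomBaseline   # set when a GPO-backup (custom) Baseline will be assigned
)

function Test-BaselinePrerequisites {
    param([string] $DsHost, [bool] $NeedsLgpo)
    $checks = [ordered]@{}

    # 1. Intelligent Hub service present and running (service name is an assumption).
    $svc = Get-Service -Name 'AirWatchService' -ErrorAction SilentlyContinue
    $checks['HubServiceRunning'] = [bool]($svc -and $svc.Status -eq 'Running')

    # 2. Raw TCP reachability to DS on 443. Test-NetConnection ignores any configured
    #    proxy, so this can fail on a proxy-only network; the next check covers that path.
    $tcp = Test-NetConnection -ComputerName $DsHost -Port 443 -WarningAction SilentlyContinue
    $checks['DsTcp443Direct'] = $tcp.TcpTestSucceeded

    # 3. HTTPS through the system proxy settings, closer to what the Hub actually does.
    #    Any HTTP status (403, 404, 405 ...) proves the TLS path works; only a transport
    #    error (DNS, blocked port, TLS failure) leaves Response empty and fails the check.
    try {
        Invoke-WebRequest -Uri "https://$DsHost/" -Method Head -UseBasicParsing -TimeoutSec 15 | Out-Null
        $checks['DsHttpsViaProxy'] = $true
    } catch {
        $checks['DsHttpsViaProxy'] = [bool]$_.Exception.Response
    }

    # 4. LGPO.exe at the documented path, only required for custom (GPO backup) Baselines.
    if ($NeedsLgpo) {
        $lgpo = 'C:\ProgramData\Airwatch\LGPO\LGPO.exe'
        $checks['LgpoPresent'] = Test-Path -Path $lgpo
        if ($checks['LgpoPresent']) {
            $sig = Get-AuthenticodeSignature -FilePath $lgpo
            $checks['LgpoMicrosoftSigned'] = ($sig.Status -eq 'Valid' -and
                                             $sig.SignerCertificate.Subject -like '*Microsoft*')
        }
    }
    [pscustomobject]$checks
}

$result = Test-BaselinePrerequisites -DsHost $DsHost -NeedsLgpo:$CustomBaseline
$result | Format-List
if ($result.PSObject.Properties.Value -contains $false) {
    Write-Warning 'At least one Baseline prerequisite failed on this device'
}
```

Run it as `.\Test-BaselinePrereqs.ps1 -DsHost ds.example.com -CustomBaseline` on a device that sits behind the proxy or VPN you are worried about. A device that passes DsHttpsViaProxy but fails DsTcp443Direct is fine as long as the Hub honours the same proxy; a device that fails both is the case the connectivity note above warns about.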
If you want to use a GPO backup file to create your Baselines, use the template process.
Navigate to Resources > Profiles & Baselines > Baselines and select New.
Select Use template.
Enter a Baseline Name, Description, and select the smart group the Baseline is Managed By. Then select Next.
Select a Baseline.
| Setting | Description |
|---|---|
| CIS Windows Benchmarks | This Baseline applies the configuration settings proposed by CIS Benchmarks. Select the OS version and benchmark level to apply. |
| Windows Security Baseline | This Baseline applies the configuration settings proposed by Microsoft. Select the OS version and benchmark level to apply. |
| Custom Baseline | Upload a ZIP file containing a GPO backup. You must create this backup outside of Workspace ONE UEM. The ZIP must be less than 5 MB and contain at least one GPO folder. |
Select Next.
Customize the Baseline as needed. You can change any of the ADMX-backed policies already configured in the Baseline, except in a custom Baseline created from a GPO backup, where the existing policies cannot be customized.
Use SIDs rather than account names when creating User Rights ADMX policies: names of built-in groups are localized and resolved on each device, whereas well-known SIDs are identical on every Windows device. For more information, see Well-known security identifiers in Windows operating systems.
Select Next.
Add additional policies to the Baseline. These policies come from Microsoft ADMX files. Search for any policy to add and configure it.
Select Next.
Review the summary and select Save & Assign. The summary includes any customized or added policies.
During assignment, enter the smart group containing the Windows devices you want to assign the Baseline to. You can redefine which devices get the Baseline using the Exclusions tab. Enter the smart groups you want to exclude from assignment.
Exclusions override assignments. If a device is in an excluded smart group, that device does not receive the Baseline. If that device already had the Baseline from a previous assignment, the Baseline is removed from the device.
Restart devices to deploy Baselines.
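For the Custom Baseline option in the "Select a Baseline" step, the GPO backup ZIP has to be produced outside the console. The following PowerShell script is an added example, not part of the Workspace ONE UEM documentation: it backs up one GPO with the GroupPolicy module, zips it, and checks the two documented constraints (under 5 MB, at least one GPO folder) before you upload. It assumes the GroupPolicy (RSAT) module is installed on a domain-joined administrative workstation, that a GPO named $GpoName exists, and that the output paths are yours to choose.

```powershell
# Added example, not part of the Workspace ONE UEM documentation.
# Assumptions: GroupPolicy module available, $GpoName exists in the domain,
# $OutDir and $ZipPath are scratch locations you control.
#Requires -Modules GroupPolicy
param(
    [Parameter(Mandatory)] [string] $GpoName,
    [string] $OutDir  = (Join-Path $env:TEMP 'gpo-backup'),
    [string] $ZipPath = (Join-Path $env:TEMP 'custom-baseline.zip')
)

function Test-BaselineBackupZip {
    # Ok is $true only if the ZIP is under the limit and holds at least one {GUID}
    # folder with a Backup.xml manifest, which is what a GPO backup folder looks like.
    param([Parameter(Mandatory)] [string] $Path, [long] $LimitBytes = 5MB)
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $size = (Get-Item -Path $Path).Length
    $zip  = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # Windows PowerShell 5.1's Compress-Archive writes '\' separators in entry
        # names, PowerShell 7 writes '/'; accept both.
        $gpoFolders = @($zip.Entries |
            Where-Object { $_.FullName -match '(^|[\\/])\{[0-9A-Fa-f-]{36}\}[\\/]Backup\.xml$' } |
            ForEach-Object { ($_.FullName -split '[\\/]')[-2] })
    } finally {
        $zip.Dispose()
    }
    [pscustomobject]@{
        Path       = $Path
        SizeBytes  = $size
        GpoFolders = $gpoFolders
        Ok         = ($size -lt $LimitBytes) -and ($gpoFolders.Count -ge 1)
    }
}

# 1. Back up the GPO into an empty folder. Backup-GPO writes manifest.xml plus one
#    {GUID}-named subfolder (Backup.xml, gpreport.xml, DomainSysvol\...) per GPO.
if (Test-Path -Path $OutDir) { Remove-Item -Path $OutDir -Recurse -Force }
New-Item -ItemType Directory -Path $OutDir | Out-Null
$backup = Backup-GPO -Name $GpoName -Path $OutDir -Comment 'Workspace ONE UEM custom Baseline'
Write-Host "Backed up '$GpoName' as backup $($backup.Id)"

# 2. Zip the folder contents (not the folder itself) so the GPO folder sits at the ZIP root.
if (Test-Path -Path $ZipPath) { Remove-Item -Path $ZipPath -Force }
Compress-Archive -Path (Join-Path $OutDir '*') -DestinationPath $ZipPath

# 3. Validate, and stop before anyone uploads a ZIP the console will reject.
$result = Test-BaselineBackupZip -Path $ZipPath
$result | Format-List
if (-not $result.Ok) { throw "ZIP at $ZipPath does not meet the Custom Baseline requirements" }
```

Run it as `.\New-BaselineBackupZip.ps1 -GpoName 'Workstation Hardening'`. The size limit is the easiest constraint to trip: a GPO that carries large files under DomainSysvol (scripts, registry.pol with many settings, or ADM templates) can push the backup over 5 MB, and the validator reports the actual size so you can trim the GPO before retrying.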
If you do not want to use a template, create your own Baselines without a template.
Select User or Computer Configuration, and then select the desired policy from the list.
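User Rights policies, whether customized in a template or added in the Create-your-own wizard, take SIDs rather than account names. The following PowerShell function is an added example, not part of the Workspace ONE UEM documentation: it resolves the names you would normally type into SIDs, translates each SID back to a name so a typo that still resolves is visible, and flags SIDs that exist only on the machine where you run it, which would not match anything on the other devices that receive the Baseline. It assumes that domain principals resolve from the host you run it on (domain-joined or trusting the domain); well-known groups resolve on any Windows host.

```powershell
# Added example, not part of the Workspace ONE UEM documentation.
# Assumption: this host can resolve the domain principals you pass in.
function Resolve-UserRightsPrincipal {
    param([Parameter(Mandatory)] [string[]] $Principal)

    # SID prefix of this machine's local accounts, used to detect per-device SIDs.
    $machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid.Value

    foreach ($p in $Principal) {
        try {
            if ($p -like 'S-1-*') {
                $sid = [System.Security.Principal.SecurityIdentifier]::new($p)
            } else {
                $sid = ([System.Security.Principal.NTAccount]$p).Translate(
                           [System.Security.Principal.SecurityIdentifier])
            }
        } catch {
            [pscustomobject]@{ Input = $p; Name = $null; Sid = $null; Scope = 'Unresolvable' }
            continue
        }

        # Translate back so a typo that still resolves to something shows up in the output.
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $null }

        # Well-known SIDs (S-1-5-32-544 and friends) are identical on every device and
        # domain SIDs are shared across the domain. A local account's SID carries this
        # machine's prefix and will not match anything on other devices.
        if (-not $sid.IsAccountSid()) { $scope = 'WellKnown' }
        elseif ($sid.AccountDomainSid.Value -eq $machineSid) { $scope = 'LocalToThisDevice' }
        else { $scope = 'Domain' }

        [pscustomobject]@{ Input = $p; Name = $name; Sid = $sid.Value; Scope = $scope }
    }
}

# Usage: 'Administrators' resolves to S-1-5-32-544 on any Windows host and is safe to
# put in a Baseline; the machine's Guest account comes back as LocalToThisDevice.
Resolve-UserRightsPrincipal -Principal 'Administrators', 'Remote Desktop Users',
    'S-1-5-32-546', "$env:COMPUTERNAME\Guest" | Format-Table -AutoSize
```

Copy the Sid column into the User Rights policy value; anything reported as LocalToThisDevice or Unresolvable should be replaced with a well-known or domain principal before the Baseline is published.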