Keep your Windows Desktop devices secure with Baselines. Workspace ONE UEM curates industry-recommended settings into one configuration to simplify securing your devices.
Keeping your devices configured to best practices is a time-consuming process. Workspace ONE UEM curates best practices and industry-recommended settings into configurations called Baselines. These configurations significantly reduce the time it takes to set up and configure Windows devices.
Baselines uses a cloud-based microservice that hosts the policy catalog. If you are an on-premises customer, ensure that your environment can communicate with this microservice.
All enrolled Windows Desktop devices that use Baselines require uninterrupted connectivity to the Workspace ONE UEM Device Services (DS) server. Devices need this constant connectivity for baseline statuses to remain current.
If you use a proxy setup or have certain firewall settings, these configurations can interrupt the connection between your Windows 10 devices and the DS server. For example, if devices use a VPN or a restricted network to access resources, this setup interrupts the connection to the DS server. Baselines on these devices are at risk of being out of date.
Baselines are based on the Windows OS version of your devices. You can change the OS version of any baseline later when editing. During configuration, you can choose which baseline to use and customize any of the baseline policies. You can also add any additional policies you need as part of the configuration process. These policies are the Microsoft ADMX policies.
After enrolling a device into Workspace ONE UEM, you can add the device to a smart group and assign a baseline to the group. The device receives and applies all the settings and configurations in the baseline after a device restart. The device checks for the baseline configurations upon publishing the baseline and at the defined check-in intervals. When you push a baseline to a device, Workspace ONE UEM stores a snapshot of the device settings. You can limit the assignment of the baseline using the Exclusions tab of the Assignment dialog box. You can designate smart groups to exclude from assignment.
You can manage your baselines from the Baselines list view. From here, you can edit and delete existing baselines. If you delete a baseline that was pushed to devices, the device settings revert to before the baseline was published based on the snapshot stored by Workspace ONE UEM.
You can see which baselines are applied to a device in the Device Details page.
Use the baseline compliance status to confirm that your devices follow their assigned baselines. Viewed from the Baseline Details page, the baseline compliance status shows whether devices are compliant, intermediate, non-compliant, or not available. Baseline compliance status only applies to baselines created using the UI.
Note: You cannot see the compliance status for custom baselines created using ZIP packages.
Intermediate devices are 85% to 99% compliant. Use this value to see when your devices are drifting out of compliance. The Not Available status means that the Workspace ONE UEM console does not have a compliance sample for the device. You can force a sample by opening the baseline and publishing it again.
Create a baseline that configures your devices to industry-recommended settings and configurations. Workspace ONE UEM curates Baselines based on industry favorites including CIS Benchmarks and Microsoft's Windows 10 security baselines.
Prerequisites
Baselines require that devices are enrolled in Workspace ONE UEM and have the Workspace ONE Intelligent Hub installed.
If you are publishing a custom baseline, you must add LGPO.exe to all devices that you want to assign the baseline to. You must install the EXE at C:\ProgramData\Airwatch\LGPO\LGPO.exe. If you are using the CIS Benchmark or Windows 10 Security baselines, you do not need to add this file.
Procedure
Select a baseline.
Setting | Description |
---|---|
CIS Windows 10 Benchmarks | This baseline applies the configuration settings proposed by CIS Benchmarks. Select the OS version and benchmark level to apply. |
Windows 10 Security Baseline | This baseline applies the configuration settings proposed by Microsoft. Select the OS version and benchmark level to apply. |
Custom Baseline | Upload a ZIP file with a GPO backup. You must create this baseline outside of Workspace ONE UEM. The backup must be less than 5 MB with at least one GPO folder. |
Select Next.
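The following PowerShell is an added example, not Workspace ONE UEM product code. It checks the prerequisites described above for a custom baseline (Intelligent Hub installed, LGPO.exe at the documented path, the device able to reach the DS server) and validates a custom baseline ZIP against the stated limits (under 5 MB, at least one GPO folder). The Hub display name, the braced-GUID folder layout of a GPO backup, and the DS server host are assumptions or placeholders.

```powershell
# Added example, not Workspace ONE UEM product code. Pre-flight checks for a
# custom baseline: device prerequisites and the ZIP package constraints.
# Assumptions: Hub display name, GPO backup folder layout, DS host placeholder.

function Test-BaselineDevicePrerequisites {
    param([Parameter(Mandatory)][string]$DeviceServicesHost)  # placeholder, e.g. ds.example.invalid
    $lgpo = 'C:\ProgramData\Airwatch\LGPO\LGPO.exe'            # path required by the docs
    # Assumption: Hub registers under the uninstall keys with this display name.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hub = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like '*Workspace ONE Intelligent Hub*' }
    # Baselines need uninterrupted HTTPS reachability to the DS server.
    $ds = Test-NetConnection -ComputerName $DeviceServicesHost -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        HubInstalled = [bool]$hub
        LgpoPresent  = Test-Path -Path $lgpo -PathType Leaf
        DsReachable  = [bool]$ds.TcpTestSucceeded
    }
}

function Test-CustomBaselinePackage {
    param([Parameter(Mandatory)][string]$ZipPath)
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $item = Get-Item -Path $ZipPath -ErrorAction Stop
    $zip  = [System.IO.Compression.ZipFile]::OpenRead($item.FullName)
    try {
        # Assumption: each GPO in a backup lives in a folder named by a braced GUID
        # (the layout produced by Backup-GPO and LGPO.exe /b).
        $guidFolder = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
        $gpoFolders = @($zip.Entries | ForEach-Object {
            ($_.FullName -split '[/\\]') | Where-Object { $_ -match $guidFolder }
        } | Sort-Object -Unique)
    } finally { $zip.Dispose() }
    [pscustomobject]@{
        SizeBytes      = $item.Length
        UnderSizeLimit = ($item.Length -lt 5MB)   # docs: "less than 5 MB"
        GpoFolders     = $gpoFolders
        Ready          = ($item.Length -lt 5MB -and $gpoFolders.Count -gt 0)
    }
}

# Example use (placeholder host and path):
# Test-BaselineDevicePrerequisites -DeviceServicesHost 'ds.example.invalid'
# Test-CustomBaselinePackage -ZipPath 'C:\Temp\MyBaseline.zip'
```

Run the device check on a representative enrolled device before assigning the baseline; a False in any field explains a later Not Available or non-compliant status.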
Results
Workspace ONE UEM assigns the baseline to all devices in the smart group (besides those devices in excluded smart groups).
What to Do Next
You must restart the device for the baseline to take effect.