Keep your Windows Desktop devices secure with Baselines. Workspace ONE UEM curates industry-recommended settings into one configuration to simplify securing your devices.

Keeping your devices configured to best practices is a time-consuming process. Workspace ONE UEM curates best practices and industry-recommended settings into configurations called Baselines. These configurations significantly reduce the time it takes to set up and configure Windows devices.

Cloud-Based Micro-Service

Baselines uses a cloud-based micro service that handles the policy catalog. If you are an on-premises customer, ensure that your environment can communicate with the micro-service.

Baselines Require Constant Connectivity to Device Services

All enrolled Windows Desktop devices that use Baselines require uninterrupted connectivity to the Workspace ONE UEM Device Services (DS) server. Devices need this constant connectivity for baseline statuses to remain current.

If you use a proxy setup or have certain firewall settings, these configurations can interrupt the connection between your Windows 10 devices and the DS server. For example, if devices use a VPN or a restricted network to access resources, this set up interrupts the connection to the DS server. Baselines on these devices are at risk of being out of date.

Types of Baselines

  • Custom - If you have an existing Group Policy Object (GPO) backup file, you can create a custom baseline with those policies. You add additional policies to your existing GPO when creating a custom baseline.
  • CIS Windows 10 Benchmarks - This baseline applies the configuration settings proposed by CIS Benchmarks. To ensure that Baselines use only the best settings and configurations, CIS (Center for Internet Security) certifies VMware to provide industry favorites such as CIS Benchmarks for Windows 10.
  • Windows 10 Security Baseline - This baseline applies the configuration settings proposed by Microsoft.

Baselines are based on the Windows OS version of your devices. You can change the OS version of any baseline later when editing. During configuration, you can choose which baseline to use and customize any of the baseline policies. You can also add any additional policies you need as part of the configuration process. These policies are the Microsoft ADMX policies.

What Happens After You Assign Baselines?

After enrolling a device into Workspace ONE UEM, you can add the device to a smart group and assign a baseline to the group. The device receives and applies all the settings and configurations in the baseline after a device restart. The device checks for the baseline configurations upon publishing the baseline and at the defined check-in intervals. When you push a baseline to a device, Workspace ONE UEM stores a snapshot of the device settings. You can limit the assignment of the baseline using the Exclusions tab of the Assignment dialog box. You can designate smart groups to exclude from assignment.

Baselines Management

You can manage your baselines from the Baselines list view. From here, you can edit and delete existing baselines. If you delete a baseline that was pushed to devices, the device settings revert to before the baseline was published based on the snapshot stored by Workspace ONE UEM.

You can see which baselines are applied to a device in the Device Details page.

Baselines Compliance Status

Ensure that your device follows the baselines with the baseline compliance status. Viewed from the Baseline Details page, the baseline compliance status shows when devices are compliant, intermediate, non-compliant, or not available. Baseline compliance status only applies to baselines created using the UI.

Note: You cannot see the compliance status for custom baselines created using ZIP packages.

Intermediate devices are 85% to 99% compliant. Use this value to see when your devices drop out of compliance. The Not Available status means that the Workspace ONE UEM console does not have a compliance sample for the device. You can force a sample by simply opening the baseline and publishing it again.

Create a Baseline

Create a baseline that configures your devices to industry-recommended settings and configurations. Workspace ONE UEM curates Baselines based on industry favorites including CIS Benchmarks and Microsoft's Windows 10 security baselines.


Baselines require that devices are enrolled in Workspace ONE UEM and have the Workspace ONE Intelligent Hub installed.

If you are publishing a custom baseline, you must add the LGPO.exe to all devices that you want to assign a baseline to. You must install the EXE at C:\\ProgramData\\Airwatch\\LGPO\\LGPO.exe. If you are using the CIS Benchmark or Windows 10 Security baselines, you do not need to add this file.


  1. Navigate to Resources > Profiles & Baselines > Baselines and select New.
  2. Enter a Baseline Name, Description, and select the smart group the baseline is Managed By. Then select Next.
  3. Select a baseline.

    Setting Description
    CIS Windows 10 Benchmarks This baseline applies the configuration settings proposed by CIS Benchmarks. Select the OS version and benchmark level to apply.
    Windows 10 Security Baseline This baseline applies the configuration settings proposed by Microsoft. Select the OS version and benchmark level to apply.
    Custom Baseline Upload a ZIP file with a GPO backup. You must create this baseline outside of Workspace ONE UEM. The backup must be less than 5 MB with at least one GPO folder.
  4. Select Next.

  5. Customize the baseline as needed. You can change any of the existing ADMX policies configured in the baseline. When creating a custom baseline from a GPO baseline, you cannot customize the existing ADMX policies.

    Ensure you use SIDs when creating User Rights ADMX policies. For more information, see Well-known security identifiers in Windows operating systems.
  6. Select Next.
  7. Add any additional policies to the baseline. These policies come from Microsoft ADMX files. Search for any policy to add and configure the policy.
  8. Select Next.
  9. Review the summary and select Save & Assign. The summary includes any customized or added policies.
  10. During assignment, enter the smart group containing the Windows 10 devices you want to assign the baseline to. You can redefine which devices get the baseline using the Exclusions tab. Enter the smart groups you want to exclude from assignment.

    Exclusions override assignments. If a device is in an excluded smart group, that device does not receive the baseline. If that device already had the baseline from a previous assignment, the baseline is removed from the device.


Workspace ONE UEM assigns the baseline to all devices in the smart group (besides those devices in excluded smart groups).

What to Do Next

You must restart the device for the baseline to take effect.

check-circle-line exclamation-circle-line close-line
Scroll to top icon