Activating Cloud-Based GPOs with Workspace ONE UEM

July 24, 2020

What are Cloud-Based GPOs?

When taking advantage of Windows 10 modern management, you are likely to encounter challenges with policy management. Common challenges include: 

  • Increasing user mobility deconstructing the traditional workspace. 
  • Multiple management tools creating policy conflicts.
  • Figuring out how to push policies to domain-joined, Azure-joined, or even workgroup devices. 
  • Lack of feature parity between MDM profile configurations and traditional group policy objects (GPOs).  

Workspace ONE Baselines for Windows 10 allows you to keep your devices secure and aligned with industry standards, such as CIS Benchmarks and the Windows 10 Security Baselines. With Workspace ONE Baselines, you set your preferred configuration over-the-air, including adding any additional policies, and your devices maintain these settings.

Check out the VMware Workspace ONE UEM: Baselines - Feature Walk-through video.

Baselines Benefits

Keeping your devices configured to best practices is a time-consuming process. Workspace ONE Baselines enforces device security using industry-recommended configurations and settings. These configurations, along with other configuration options within the VMware Workspace ONE® solution, significantly reduce the time it takes to set up and configure Windows devices.

Traditional PC Lifecycle Management (PCLM) tools require Windows 10 devices to be joined to an on-premises domain for these policies and security settings to apply. If users are working remotely, device-based VPNs are typically used to gain line of sight to the domain controller to update these Group Policy settings. With Workspace ONE Baselines, Windows 10 devices can be members of a domain or a workgroup, or even purely Azure AD joined, which removes the complex requirements of PCLM tools.

The benefits:

  • No “gpupdate /force”
  • No VPN required
  • Query results over the air

Maintaining Baselines Compliance

With thousands of policies that can be configured for Windows devices, it can be a challenge to ensure that each device remains compliant.

Check the baseline compliance status on the Baselines details page to confirm that your devices follow the configured baselines. The compliance status shows whether devices are compliant, intermediate, non-compliant, or not available.

Intermediate devices are 85% to 99% compliant. Use this information to see when your devices drop out of compliance.

How Do I Take Advantage of Baselines?

You can use Workspace ONE Baselines in the cloud-based or on-premises version of VMware Workspace ONE® UEM.

If you are using Workspace ONE UEM Cloud

In the Workspace ONE UEM console, navigate to Devices > Profiles and Resources > Baselines, click New, and start taking advantage!

If you are using Workspace ONE UEM On-Premises

You must meet the following prerequisites. 

  1. Use Workspace ONE UEM 1907 or later.
  2. Open relevant network ports. Search for baselines in these links: 
    1. VMware Ports and Protocols 
    2. VMware Docs: On-Premises Architecture Network Requirements 
  3. After you open the networking ports, ensure you are logged in to the Workspace ONE UEM console at the Global level.
  4. Navigate to Groups and Settings > All Settings > System > Advanced > Site URLs and locate Baseline Service URL.
  5. Enter the Baselines Service URL, scroll down to the bottom, and click Save.

Finally, in the Workspace ONE UEM console, navigate to Devices > Profiles and Resources > Baselines, click New, and start taking advantage! 

Additional Resources

For more information about Windows 10 Policies with Workspace ONE UEM, we encourage you to read:  

To learn more about Workspace ONE and Windows 10 With Workspace ONE, check out the following Activity Paths on Digital Workspace Tech Zone:
