August 09, 2023

Replace Active Directory Group Policy Objects with Workspace ONE Baselines

In this blog post, we will show you how to use Workspace ONE Baselines to manage your Windows Desktop devices quickly and efficiently. We will cover how to do the following: create a baseline and assign it to a device group, monitor and troubleshoot the policy compliance of your devices, and update or remove a baseline from your devices.

If you are using traditional PC Lifecycle Management (PCLM) tools to manage your Windows Desktop devices, you might face some limitations and challenges. For example, you need to join your devices to a domain that is located on-premises and use device-based VPNs to update the Group Policy settings. This can be complex and inconvenient, especially for remote workers.

With Workspace ONE Baselines, you can simplify and streamline your policy management for Windows Desktop devices. You can use Workspace ONE Baselines to apply policies to devices that are domain-joined, Azure-joined, or workgroup devices. You don't need to use VPNs or run commands like gpupdate /force to apply policies. You can also view and manage the policy compliance of your devices over the air in a single admin console with role-based access.

Workspace ONE Baselines also helps you overcome the lack of feature parity between MDM profile configurations and traditional Group Policy Objects (GPOs). You can use Workspace ONE Baselines to create and deploy custom policies that match your GPOs or create new ones based on your business needs.

In this blog post, we will show you how to use Workspace ONE Baselines to manage your Windows Desktop devices quickly and efficiently. We will cover the following topics:

  1. How to create a baseline and assign it to a device group.
  2. How to monitor and troubleshoot the policy compliance of your devices.
  3. How to update or remove a baseline from your devices.

1.  How to create a baseline and assign it to a device group

 So, you want to keep your devices secure and up-to-date, and you need to follow the best practices for device configuration? But this can be a tedious and complex task, especially if you have many devices to manage. That's where Workspace ONE Baselines can help you.

Workspace ONE Baselines are templates that automatically apply industry-recommended configurations and settings to your devices. You can use them to set up and configure Windows devices faster and easier, as well as other options within the Workspace ONE solution. Workspace ONE Baselines are a convenient and efficient way to ensure device security and compliance.

To create a baseline, in the Workspace ONE UEM console, navigate to Resources > Profiles and Baselines > Baselines.


Click NEW to create a new Baseline.

Select Use template to use industry-standard templates, or select Create your own to start fresh and build your own baseline by choosing from our catalog of policies.

Give the Baseline a name and description and click Next. For this blog, we will select Use Template.

 

Now, you can review or customize the policies from the Windows Security Baseline to meet your organization’s needs. Each setting will have a useful tooltip to assist in understanding each configuration option. You can find settings using the search Filter option or by manually expanding each section to find the policies.

If you require policies that are not part of the standard template, then you can search the policy catalog in the next step and add them to your baseline template.

After you have completed the configuration, save and assign it to a Workspace ONE Smart Group.

2.  How to monitor and troubleshoot the policy compliance of your devices

Workspace ONE allows admins to manage Windows devices in a compliant and secure manner without relying on third-party tools.

Managing Windows devices involves careful attention to the policy settings that are applied to them. However, with a large number of policies available, it can be difficult to verify that the devices are configured correctly. Sometimes, administrators may resort to using third-party tools to audit and validate the policy settings on the devices. This can introduce additional complexity and cost to the device management process.


Check the Baselines details page (by clicking the Baselines Name) to ensure that your device(s) follow the configured baselines with the baseline compliance status. The compliance status shows when devices are compliant, intermediate, non-compliant, or not available.

  • Compliant = 100% compliance
  • Intermediate Compliance = 99-85% compliance
  • Non-Compliant = Less than 85% compliance
  • Not Available = The Workspace ONE UEM console does not have a compliance sample for the device. The device may need a reboot.

3.  How to update or remove a baseline from your device

Updating Baselines

Let’s say a Windows machine is updated from Windows 10 to Windows 11, or between Windows 10 versions or between Windows 11 versions. When baselines are deployed correctly, Workspace ONE will automatically apply the correct baseline configuration targeted to the device or device collection based on specified criteria.

One way of achieving this is by assigning the configured Baselines to the Windows OS version relevant to the baseline. This is done using Workspace ONE smart groups.

For example, create a smart group for each Windows version, then:

  • Assign Windows 10 – 22H2 Baselines to Windows 10 – 22H2 Devices.
  • Assign Windows 10 – 21H2 Baselines to Windows 10 – 21H2 Devices.
  • Assign Windows 10 – 21H1 Baselines to Windows 10 – 21H1 Devices.
  • Assign Windows 11 – 22H2 Baselines to Windows 11 – 22H2 Devices.
  • Assign Windows 11 – 21H2 Baselines to Windows 11 – 21H2 Devices.

And so on.

This way, when a device updates its Windows version, Workspace ONE will automatically apply the correct version of Baselines to the machine.

Removing Baselines

To remove baselines from a device, ensure the device is either not part of a smart group where baselines have been assigned or add the device as part of an exclusion when assigning Baselines to devices.

You might want to remove baselines from a specific device for testing, for example.

This can be achieved by creating a smart group based on a tag, then adding this smart group to the exclusion rule in baselines.

This means baselines will automatically be removed when you add the tag to a device.

Create a tag in Workspace ONE UEM

In the Workspace ONE UEM console, navigate to Settings > Devices and Users > Advanced > Tags.

Create a tag – I called mine No Baselines.


Add the created tag to Workspace ONE smart groups

In the Workspace ONE UEM admin console, navigate to Groups and Settings > Groups > Assignment Groups.

Select Add Smart Group and give the Smart Group a name – I called mine No Baselines again for consistency – and select the tag.


Add the Smart Group to Baselines exclusions

After you have created the Smart Group, edit the Baselines assignment if you have one already, and add the Smart Group to the Exclusions.


Add the tag to a specific device

Now, we can add the tag to a specific device, so that the baselines do not apply. This also means we can remove baselines on an individual device for testing purposes.

To add or remove the tag from the device, navigate to a Windows device in the Workspace ONE UEM admin console. Under More Actions, scroll down and you’ll see an option to add a tag.


Here you’ll see the tag I created previously called No Baselines. Select this tag and save.


After the tag has been saved, you’ll see nothing (if nothing has been assigned) under the Baselines tab.

For baseline policies to be removed completely, the device may need a reboot. This can also be initiated from the Workspace ONE UEM console.

Now, if you want the baselines to apply again to this device, remember to remove the tag, and voilà, baselines will now be reapplied!

Windows 11 Baselines are now available in the Workspace ONE Baselines Catalog

We are excited to announce that Workspace ONE 2306 now supports Windows 11 in the Baselines Catalog. This means you can easily apply security and compliance policies to your Windows 11 devices using Workspace ONE.

For more details on this exciting announcement, see the blog post:

 

 

Advantages of Workspace ONE Baselines 

The many benefits of Workspace ONE Baselines are as follows:

  • Workspace ONE Baselines apply policies to devices that are domain-joined, Azure-joined, or workgroup devices.
  • Remove the complexity of managing policies from a domain controller and deliver them from the cloud!
    • No need to force policies to apply with gpupdate /force
    • No VPN is required to apply policies to remote workers
    • Deploy template or customize policies in seconds
  • Manage MDM profile configurations and traditional Group Policy Objects (GPOs) in a single console.
  • Customise and edit policies that match your AD GPOs or create new ones based on your business needs.
  • Remove the need for third-party compliance tools. View and manage the policy compliance of your device fleet over the air in the Workspace ONE admin console.
  • Support for Microsoft Security Baselines, CIS Benchmarks for Windows 10 and 11 devices.

Summary

This post showed you how easy it is to manage Windows Desktops using Workspace ONE Baselines. We walked through steps on how to

  • Create and edit a Workspace ONE baseline and assign it to a device group.
  • Monitor and troubleshoot the policy compliance of your devices.
  • Update or remove a Workspace ONE baseline from your devices.

For more information about Windows Policy Management with Workspace ONE UEM, we encourage you to read:
