1. Introduction
Workspace ONE Baselines enforces device security using the recommended industry configurations and settings in order to keep the devices safe and adhere to best practices. Leveraging Baselines can help customers reduce the Admin Overhead to configure and set up Windows devices.
a. For Baselines to work, there are 4 main pre-requirements
- Workspace ONE UEM 1907 or later
- Intelligent Hub 1907 or later
- Devices should have constant connectivity to a cloud based micro service to handle the policy catalog. For more information visit the On-Premises Network Requirements guide.
- Devices have constant connectivity to the Device Services Server to keep the current status of Baselines
Needless to say, if you have a proxy in between, you’ll have to make sure the devices reaching the proxy server are able to fulfill the above pre-requirements.
For more information visit the VMware Techzone article.
b. Types of Baselines
- CIS Windows 10 Benchmarks – This baseline applies the configuration settings proposed by CIS Benchmarks.
- Custom – Create a custom Baseline using a GPO backup file. This is basically used for non-ADMX GPOs
- Windows 10 Security Baseline – This baseline applies the configuration settings proposed by Microsoft.
2. Create a custom Baseline
A GPO back up file can be used to create a custom baseline. You can use LGPO.exe to create a back-up. In addition to the policies you can also enforce additional polices and the below process describes how to push a custom baseline. One thing to note: The Baseline lifecycle management becomes a challenge as editing it is not easy and every time there is a change, you will have to manually upload the latest GPO backup file.
Deploying LGPO.exe at C:\ProgramData\Airwatch\LGPO\LGPO.exe is also a requirement.
a. Use LGPO.exe to take a Policy backup
- Download LGPO.exe by navigating to Microsoft Security Compliance Toolkit 1.0
- Download the LGPO.zip file.
- Extract the contents and choose LGPO.exe
Next,
- Run Command Prompt as an admin and navigate to the executable path
- Execute LGPO and Provide a path to the backup file
- Now, you can use this back up file to create a Custom Baseline
3. Leverage Product Provisioning to create folders and push the LGPO executable
- You can use “Internal” tab under Apps and Books to upload the file. Here, I am using Product Provisioning to create the required folders and push the executable
- First, Under Files and Action, create and Action, upload the LGPO.exe and create a folder named LGPO under C:\ProgramData\Airwatch
Here, Step 1 is to create a folder under C:\ProgramData\Airwatch and Step 2 is to install LGPO.exe under C:\ProgramData\Airwatch\LGPO
Next, push it as a product
Navigate to Devices–>Provisioning–>Products List view
Choose the correct Files/Actions and push it to the correct smart group
4. Publish Custom Baseline
Give a suitable name to the Baseline
Next, choose the Custom Baseline and upload the GPO back up file. Refer the command Prompt screenshot above.
NOTE: Zip the backup file before you upload it on the console.
Additionally you can also enforce policies on top of the GPO file
Finally, push the baseline to the right smart group.
Once the Baseline gets pushed to the device, you will get a notification from WS1 to reboot the machine. Baselines will take effect post reboot.
Navjyot Chaney's Blog 