What are Workspace ONE UEM Baselines?
Workspace ONE UEM Baselines are predefined configurations that help maintain a consistent security posture across all managed devices, which give a wide range of security settings and configurations, including password policies, encryption settings, and application controls and many other Group Policy items. Typically, Windows 10 and Windows 11 are fully compatible with Baseline
Note: Deployment of LGPO is not needed if you use the pre-configured template that comes with WS1 UEM (industry-validated template by CIS or Microsoft), But the limitation is only security related settings can be configured and a lot of native group policy capability are missing with the pre-configured templates, as you can see in the below figures.
Here is a quick preview of the available policies we can achieve from custom baselines.
Creating Your Own Workspace ONE UEM Baselines
Deployment of LGPO is needed in order to create custom baseline in WS1 UEM. The concept is we need to put LGPO.exe to C:\ProgramData\Airwatch\LGPO\LGPO.exe on managed machines. For this, you can deploy LGPO in either of these two methods.
- Deploy LGPO through Product Provisioning
- Deploye LGPO with Apps and Book in WS1 UEM
You can see the above two methods in Brooks Peppin post. However, in this post, I’ll go into detail with the Apps method.
Note: Using Product Provisioning is more suited with scenarios where a one-time provisioning of the script or programs is needed or in cases you can trigger on an ad-hoc basis. However, since we need to ensure consistent deployment whenever a new device is enrolled, using the Apps method is a more suitable option.
Deploy LGPO as a Native Application
We need to extract the LGPO.exe from LGPO.zip, and create an application zip file which contains powershell script and LGPO.exe. This script file will copy the LGPO.exe to our required location.
So, add the following commands in the script file, which will copy the LGPO.exe from C:\ProgramData\Airwatch\AirwatchMDM\{YourApplicationID} to C:\ProgramData\Airwatch\LGPO.
New-Item -Path "$Env:ProgramData\Airwatch" -Type Directory -Name LGPO
Copy-Item -Path LGPO.exe -Destination "$Env:ProgramData\Airwatch\LGPO"(Note: C:\ProgramData\Airwatch\AirwatchMDM is the temporary location where WS1 keeps the downloaded software and it’s the location in which our script file will execute)
Create a new zip file using the above powershell script and LGPO.exe. Here is how your zip package will look like.
Now, we will deploy our application zip file in WS1. Go to Apps & Books >> Applications >> Native >> Internal, Add a new application and upload the zip file. Leave the default (‘No’) in dependency app question.
In the Details tab of Add Application Dialogue Page, configure the followings as required. Here is a few just of them.
| Name | Name of your software (eg: LGPO_30.zip) |
| App Version | You can leave it default |
| Supported Processor Architecture | Select 32-bit to cover for both 32-bit and 64-bit machines in our scenario |
| Minimum OS | Recommended to use the lowest build number to include all the enrolled machines |
In the Files tab, you need to define the App Unistall Process. Here, our concept is to delete the LGPO.exe and its parent folder (C:\ProgramData\Airwatch\LGPO) as soon as the App is unassigned from the device. So, we use the following command as the Uninstall Command.
cmd /c "del /f %programdata%\Airwatch\LGPO\LGPO.exe & rd /S /Q %programdata%\Airwatch\LGPO"
In the Deployment Options tab, you need to define the installation command and the criteria when or how the installation should start.
| When To Install | – Data Contingencies – Disk Space Required – Device Power Required – RAM Required | Configure as necessary. In our case, just leave it default |
| How To Install | Install Context | Use ‘Device’ in our case |
| Install Command | Use the following powershell command. powershell -executionpolicy bypass -nologo -NoProfile -WindowStyle Hidden -file copy_LGPO.ps1 | |
| Admin Privileges | Yes | |
| – Device Restart – Retry Count – Retry Interval – Install Timeout – Installer Reboot – Exit Code – Installer Success – Exit Code | Configure as necessary. In our case, just leave it default | |
| When To Call Install Complete | Identify Application By | Use the existence of file as follows. File exists – %programdata%\Airwatch\LGPO\LGPO.exe You can define the file version as well (See the Fig below) |
Once the settings are confirmed, we can save and assign our application zip file to the desired Smart Group. Make sure you select Auto on App Delivery Method to install the App as soon as possible.
Once the App is published, you can check the installation status of each device in the Detail View of Applications in APPS & BOOKS. It will also be showing as a managed App under the Apps tab of each device view, where you can uninstall the app selectively.
Configure WS1 Baselines
Once you deployed the LGPO, you can configure Group Policy related settings in baseline which is pretty straight forward, and so here’s a summary steps.
- Go to Devices >> Profiles & Resources >> Baselines >> New
- Select Create your own.
- In General tab, Define Baseline Name and Description
- In Select Catalogue tab, Select Windows 10 or 11 based on your need
- In Add Policy tab, you can choose the windows build version to configure the policy. Choose version number as long as your desired settings complements. In the search field, use any keyword to search specific settings and click to add.
- In Summary tab, you will see SAVE & ASSIGN button which will bring to a dialogue to make the assignment to the relevant SmartGroups.
You can see the installation status and compliance status of baselines here: Devices >> Profiles & Resources >> Baselines >> YourBaselineName
And also, you can see the compliance under the Baselines tab of each device.
