Workspace ONE UEM Custom Baselines and How to deploy LGPO

What are Workspace ONE UEM Baselines?

Workspace ONE UEM Baselines are predefined configurations that help maintain a consistent security posture across all managed devices, which give a wide range of security settings and configurations, including password policies, encryption settings, and application controls and many other Group Policy items. Typically, Windows 10 and Windows 11 are fully compatible with Baseline

Note: Deployment of LGPO is not needed if you use the pre-configured template that comes with WS1 UEM (industry-validated template by CIS or Microsoft), But the limitation is only security related settings can be configured and a lot of native group policy capability are missing with the pre-configured templates, as you can see in the below figures.

Pre-configured Baselines Templates in Workspace One
Settings available with Pre-configured Templates

Here is a quick preview of the available policies we can achieve from custom baselines.

Available Polices with Custom Baseline

Creating Your Own Workspace ONE UEM Baselines

Deployment of LGPO is needed in order to create custom baseline in WS1 UEM. The concept is we need to put LGPO.exe to C:\ProgramData\Airwatch\LGPO\LGPO.exe on managed machines. For this, you can deploy LGPO in either of these two methods.

  • Deploy LGPO through Product Provisioning
  • Deploye LGPO with Apps and Book in WS1 UEM

You can see the above two methods in Brooks Peppin post. However, in this post, I’ll go into detail with the Apps method.

Note: Using Product Provisioning is more suited with scenarios where a one-time provisioning of the script or programs is needed or in cases you can trigger on an ad-hoc basis. However, since we need to ensure consistent deployment whenever a new device is enrolled, using the Apps method is a more suitable option.

Deploy LGPO as a Native Application

We need to extract the LGPO.exe from LGPO.zip, and create an application zip file which contains powershell script and LGPO.exe. This script file will copy the LGPO.exe to our required location.

So, add the following commands in the script file, which will copy the LGPO.exe from C:\ProgramData\Airwatch\AirwatchMDM\{YourApplicationID} to C:\ProgramData\Airwatch\LGPO.

New-Item -Path "$Env:ProgramData\Airwatch" -Type Directory -Name LGPO
Copy-Item -Path LGPO.exe -Destination "$Env:ProgramData\Airwatch\LGPO"

(Note: C:\ProgramData\Airwatch\AirwatchMDM is the temporary location where WS1 keeps the downloaded software and it’s the location in which our script file will execute)

Create a new zip file using the above powershell script and LGPO.exe. Here is how your zip package will look like.

Now, we will deploy our application zip file in WS1. Go to Apps & Books >> Applications >> Native >> Internal, Add a new application and upload the zip file. Leave the default (‘No’) in dependency app question.

In the Details tab of Add Application Dialogue Page, configure the followings as required. Here is a few just of them.

NameName of your software (eg: LGPO_30.zip)
App VersionYou can leave it default
Supported Processor ArchitectureSelect 32-bit to cover for both 32-bit and 64-bit machines in our scenario
Minimum OSRecommended to use the lowest build number to include all the enrolled machines

In the Files tab, you need to define the App Unistall Process. Here, our concept is to delete the LGPO.exe and its parent folder (C:\ProgramData\Airwatch\LGPO) as soon as the App is unassigned from the device. So, we use the following command as the Uninstall Command.

cmd /c "del /f %programdata%\Airwatch\LGPO\LGPO.exe & rd /S /Q %programdata%\Airwatch\LGPO"

In the Deployment Options tab, you need to define the installation command and the criteria when or how the installation should start.

When To Install
– Data Contingencies
– Disk Space Required
– Device Power Required
– RAM Required
Configure as necessary. In our case, just leave it default
How To InstallInstall Context
Use ‘Device’ in our case
Install CommandUse the following powershell command.
powershell -executionpolicy bypass -nologo -NoProfile -WindowStyle Hidden -file copy_LGPO.ps1
Admin PrivilegesYes
– Device Restart
– Retry Count
– Retry Interval
– Install Timeout
– Installer Reboot
– Exit Code
– Installer Success – Exit Code
Configure as necessary. In our case, just leave it default
When To Call Install CompleteIdentify Application ByUse the existence of file as follows.
File exists – %programdata%\Airwatch\LGPO\LGPO.exe
Options in the Deployment Options Tab

Once the settings are confirmed, we can save and assign our application zip file to the desired Smart Group. Make sure you select Auto on App Delivery Method to install the App as soon as possible.

Assignment on the desired Application Assignment Group

Once the App is published, you can check the installation status of each device in the Detail View of Applications in APPS & BOOKS. It will also be showing as a managed App under the Apps tab of each device view, where you can uninstall the app selectively.

Configure WS1 Baselines

Once you deployed the LGPO, you can configure Group Policy related settings in baseline which is pretty straight forward, and so here’s a summary steps.

  • Go to Devices >> Profiles & Resources >> Baselines >> New
  • Select Create your own.
  • In General tab, Define Baseline Name and Description
  • In Select Catalogue tab, Select Windows 10 or 11 based on your need
  • In Add Policy tab, you can choose the windows build version to configure the policy. Choose version number as long as your desired settings complements. In the search field, use any keyword to search specific settings and click to add.
  • In Summary tab, you will see SAVE & ASSIGN button which will bring to a dialogue to make the assignment to the relevant SmartGroups.

You can see the installation status and compliance status of baselines here: Devices >> Profiles & Resources >> Baselines >> YourBaselineName

And also, you can see the compliance under the Baselines tab of each device.

Leave a Reply

Your email address will not be published. Required fields are marked *