With a recent change, Baselines can now be updated independently of the Workspace ONE UEM releases. Let’s have a look at what’s changed.

What are Baselines?

Workspace ONE Baselines for Windows 10 allows you to keep your devices secure and aligned with industry standards, such as CIS Benchmarks and the Microsoft Windows Security Baselines. With Workspace ONE Baselines, you set your preferred configuration over-the-air, including adding any additional policies, and your devices maintain these settings.

Baselines are pre-configured groups of Windows settings that represent the recommended security posture from the relevant security teams. You can deploy a default (unmodified) baseline or create a customized profile to enforce the settings you require for your environment. So basically, Baselines are pre-configured sets of policies, based on the good-old ADMX templates that every IT admin is familiar with.

Why use Baselines?

Even though Windows is designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations often seek guidance on configuring various security features. Workspace ONE UEM provides this guidance in the form of Baselines.

Separate Baseline types can include the same settings and use different default values for those settings. It’s important to understand the defaults in the Baselines you choose to use, and to then modify each Baseline to fit your organizational needs.

In almost all scenarios, the default settings in the security Baselines are the most restrictive. You should confirm that these settings don’t conflict with other policy settings or features in your environment.

For example, the default settings for firewall configuration might not merge connection security rules and local policy rules with MDM rules. So, if you’re using delivery optimization, then you should validate these configurations before assigning the security baseline.
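An added example, not from the original post or from VMware: a read-only PowerShell report for the firewall case above, to run on a pilot device before and after assigning the baseline. It uses the built-in NetSecurity cmdlets; the English display group name "Delivery Optimization" and the helper name `Select-ForProfile` are assumptions of this sketch.

```powershell
# Added example: read-only report, changes nothing on the device.
# ActiveStore holds the currently effective firewall policy on the device.
$profiles = Get-NetFirewallProfile -PolicyStore ActiveStore

# Enabled rules that come from the local store. These depend on local rule
# merging: when a policy sets AllowLocalFirewallRules / AllowLocalIPsecRules
# to False for a profile, locally defined rules are no longer applied there.
$localFw = Get-NetFirewallRule -PolicyStore ActiveStore |
    Where-Object { $_.Enabled -eq 'True' -and $_.PolicyStoreSourceType -eq 'Local' }
$localIpsec = Get-NetIPsecRule -PolicyStore ActiveStore |
    Where-Object { $_.Enabled -eq 'True' -and $_.PolicyStoreSourceType -eq 'Local' }

# Assumption: English display group name; adjust on localized builds.
$doGroup = 'Delivery Optimization'

# Hypothetical helper: keep the rules that apply to one profile name.
function Select-ForProfile($Rules, $Name) {
    $Rules | Where-Object {
        $_.Profile -eq 'Any' -or
        (($_.Profile.ToString() -split ',\s*') -contains $Name)
    }
}

$report = foreach ($p in $profiles) {
    $fw = @(Select-ForProfile $localFw $p.Name)
    [pscustomobject]@{
        Profile                 = $p.Name
        FirewallEnabled         = $p.Enabled
        AllowLocalFirewallRules = $p.AllowLocalFirewallRules
        AllowLocalIPsecRules    = $p.AllowLocalIPsecRules
        LocalFirewallRules      = $fw.Count
        LocalIPsecRules         = @(Select-ForProfile $localIpsec $p.Name).Count
        LocalDeliveryOptRules   = @($fw | Where-Object DisplayGroup -eq $doGroup).Count
    }
}

# Profiles where merging is off but local rules were in use need a policy-
# delivered replacement rule (or a customized baseline) before rollout.
$report | Format-Table -AutoSize
```

Comparing the two runs shows which profiles lost local rule merging and how many locally defined rules, including the Delivery Optimization ones, were relying on it.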

What is new with Baselines?

Baselines use a cloud-based microservice to handle the policy catalog, which is essentially a repository of ADMX templates. If you have installed Workspace ONE on-premises, ensure that your environment can communicate with the microservice.

The benefit of this approach is that the Baselines can be updated independently of the Workspace ONE UEM releases, and that is exactly what has been done.

The updates available as of today apply to Windows 10 and are the following:

  • The Baseline Cloud Service ADMX repository has been updated to include the latest Windows 10 ADMX templates for all versions up to Windows 10 21H2.
  • Effective immediately, this allows you to apply the latest versions of the security Baselines to all your Workspace ONE UEM managed Windows 10 devices.
  • The Baseline Cloud Service has been adjusted to allow easier and faster updates of ADMX templates. This will ensure updates to Baselines can be released faster from now on.

The future of Baselines

I can’t predict the future, but this update to the Baseline Cloud Service allows for more functionality to be added in the (near) future. I hope the following functionality will be available soon. Once any updates become available, I will update this blog.

CIS Benchmarks

  • The CIS Benchmark versions currently offered in Workspace ONE UEM Baselines are running behind. I expect updates to the CIS Benchmarks soon to support the latest Windows 10 releases.

Windows 11

  • Hopefully Baselines for Windows 11 versions 21H2, 22H2 and future versions will be added soon, as I see more customers adopting Windows 11.

Baselines for applications

  • A lot of enterprise applications provide their own set of ADMX templates. It would be really cool if those ADMX templates were added to the Baseline Cloud Service ADMX repository, since this would allow customers to easily apply ADMX-based policies to applications.
  • Some applications that provide ADMX templates are Microsoft Office, Microsoft Edge, Google Chrome, Mozilla Firefox and Zoom. If easy policy management for these applications were added to Workspace ONE UEM, a lot of customers would be really happy.

Resources

If you want to know more about the Baselines feature, a list of helpful resources can be found below.

Group Policy Settings Reference Spreadsheet for Windows 10 November 2021 Update [21H2]
https://www.microsoft.com/en-us/download/details.aspx?id=103668

Using Baselines
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/Windows_Desktop_Device_Management/GUID-uemWindeskUsingBaselines.html

Activating Cloud-Based GPOs with Workspace ONE UEM
https://techzone.vmware.com/blog/activating-cloud-based-gpos-workspace-one-uem

VMware Workspace ONE now includes Baselines to enhance its FedRAMP SaaS UEM
https://blogs.vmware.com/euc/2022/09/vmware-workspace-one-now-includes-baselines-to-enhance-its-fedramp-saas-uem.html

Modernize Group Policies Using Workspace ONE Baselines
https://techzone.vmware.com/understanding-windows-group-policies-vmware-workspace-one-operational-tutorial#modernize-group-policies-using-workspace-one-baselines
