Policy Enforcement using Baselines

Baselines are industry-recommended settings that simplify securing your devices with Workspace ONE UEM. These one-stop configurations significantly reduce the time it takes to set up and secure Windows devices.

In this section you will:

  1. Create a Windows 10 Security Baseline and add additional policies.
  2. Test on your Windows VM.
  3. Clean up.

Let's get started!

Part 1: Create a Baseline

  1. On the MainConsole machine,
    1. Open the Google Chrome browser.
    2. Navigate to your Workspace ONE UEM console, i.e. cn-livefire.awmdm.com.
    3. Navigate to Devices > Profiles & Resources > Baselines.
  1. Under Baselines, click NEW.
  1. Under the General tab,
    • Enter the Baseline Name LivefireTest.
    • Enter the Description Livefire Test Baseline.
    • In the bottom right corner, select NEXT.
  1. Under Choose Baseline,
    • Select Windows 10 Security Baseline.
    • From the Version drop-down, select the latest version, 2004.
    • Select NEXT.

NOTE: You have 3 options to select from. We are selecting Windows 10 Security Baseline for this demo. The options are described below.

Setting: CIS Windows 10 Benchmarks
Description: This baseline applies the configuration settings recommended by the CIS Benchmarks. L1 and L2 are the two levels of CIS benchmarks, L2 being the more restrictive. Selecting L2 blocks the Workspace ONE Intelligent Hub on the device by default, so an exclusion must be made to whitelist the Workspace ONE Intelligent Hub if L2 is selected.

Setting: Windows 10 Security Baseline
Description: This baseline applies the configuration settings recommended by Microsoft. Select the OS version and benchmark level to apply.

Setting: Custom Baseline
Description: Allows you to upload your local policies that cannot be configured using Microsoft CSPs.

  1. Under Customize,
    1. In the Filter, search for Password.
    2. Click Minimum Password Length in the results below.
    3. Change "Password must be at least" to 10.

NOTE: Password Complexity is enabled by default. You can customize the baseline further to meet your organization's security policies.

  1. Under Customize,
    • In the Filter, type REMOTE.
    • Select 'Deny log on through Remote Desktop Services'.
    • From the drop-down on the right, change Enabled to Not Configured.
  1. Under Customize,
    • In the Filter, type Defender.
    • Select 'Windows Defender Firewall with Advanced Security - Local Group Policy Object'.
    • From the drop-down on the right, change Enabled to Not Configured.
  1. Under Customize,
    • In the Filter, type Network.
    • Click Access this computer from the network.
      • From the drop-down on the right, ensure it is Enabled.
  1. Under the same Network filter,
    • Select Deny access to this computer from the network.
      • From the drop-down on the right, change Enabled to Not Configured.
    • In the bottom right corner, select NEXT.
  1. In the Add Policy area (this section allows you to include any additional policies you need as part of the configuration),
    • In the search field on the right, type registry and press ENTER.
    • From the list of results, scroll down and select Prevent access to registry editing tools.
  1. In the Add Policy area, und
    • Change the policy from Not Configured to Enabled using the drop-down.
    • Confirm that "Disable regedit from running silently?" is set to YES.
      • Select the more information icon.
      • Confirm the policy action for the additional policy you created.
  1. Under the Add Policy area,
    • In the Search area, type Allow log on through Remote Desktop Services.
    • Select Allow log on through Remote Desktop Services.
  1. Under the Add Policy area,
    • Change the field under Allow log on through Remote Desktop Services from Not Configured to Enabled.
  1. Next, under the Add Policy area,
    • In the Search area, type Allow remote server management through WinRM.
    • Select Allow remote server management through WinRM.
  1. Under Allow remote server management through WinRM,
    • From the drop-down, change Not Configured to Enabled.
    • Under the IPv4 and IPv6 filters, enter * (see the screenshot for reference).
    • Select NEXT.
  1. Under Summary,
    • Verify the customizations and added policies in your baseline.
    • Select SAVE & ASSIGN.
  1. In Assign Baseline,
    • In the search area, type W.
    • Select W10Client01a.
    • Select PUBLISH.

Part 2: Test on your Windows VM machine

  1. In the Baselines area,
    • Confirm the baseline has been created.
    • Under Install Status, select VIEW.
      • Select the Count (in this case 1) for your baseline LivefireTest.
  1. In the View Devices - Baselines area,
    • If the baseline is installed, you can verify this under Status.

NOTE: In either case, you must restart the device for the baseline to take effect.

  1. On your W10Client01 machine,
    • Select Start Menu > Power > Restart. (NOTE: This will end the RDP session.)
  1. On your ControlCenter server,
    • Open your Remote Desktops folder.
      • Select the W10Client01.RDP client.
      • In the Password area, enter: VMware1!
      • Select OK.

NOTE: This is the same virtual machine you enrolled into the Workspace ONE UEM SaaS tenant.

  1. In the Workspace ONE UEM admin console,
    • NOTE: This might take a few minutes. Refresh the Baselines page in Workspace ONE UEM to confirm the status has changed to Installed.
    • However, once your desktop has restarted and you have logged in, you should proceed with the test in step 5.
  1. On your W10Client01 computer,
    • To test whether the baseline policy has been applied successfully,
      • Navigate to the Search bar and type Regedit.exe.
      • Right-click the Regedit.exe result and click Run as administrator.

Notice that you see this error message: Registry editing has been disabled by your administrator.

  1. On your W10Client01 computer,
    • To test the Minimum Password Length policy applied by your baseline, we will add a local user account on this machine with a password of fewer than 10 characters. To add a user account,
      • Search for Accounts in the search bar on your W10Client01 machine.
      • Select Add, edit, or remove other users.
  1. Under Other users,
    • Select Add someone else to this PC.
  1. On the How will this person sign in? window,
    • Select I don't have this person's sign-in information.
  1. On the Create account window,
    • Select Add a user without a Microsoft account.
    • Select Next.
  1. In the Microsoft account window,
    • Fill in the information with dummy values.

NOTE: For this test, use a password of fewer than 10 characters.

Notice that, as per our Windows 10 Security Baseline, the password must be at least 10 characters long and must meet the complexity requirements below:

  • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters.
  • Be at least six characters in length.
  • Contain characters from three of the following four categories:
    • English uppercase characters (A through Z)
    • English lowercase characters (a through z)
    • Base 10 digits (0 through 9)
    • Non-alphabetic characters (for example, !, $, #, %)

  1. In the Other users window,
    • Change the password to one that meets the 10-character requirement and save.
      • Notice that the account is created successfully once the password meets the requirements.
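The manual checks above exercise two of the baseline's settings. As an added example (not part of the original lab or of Workspace ONE UEM), the following PowerShell script reads back every setting customized in Part 1 from the standard local policy locations on the enrolled client. It assumes an elevated PowerShell session on W10Client01 after the restart; the registry paths and secedit keys are the built-in Windows policy locations, not anything specific to this lab.

```powershell
# Added example (not from the original lab): read back the Part 1 baseline
# settings on W10Client01. Assumes an elevated PowerShell session on the device.
$results = [ordered]@{}

# 1. "Prevent access to registry editing tools" lands in the per-user policy key.
#    1 = regedit blocked, 2 = blocked silently ("Disable regedit from running silently?" = YES).
$regPol = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
                           -Name DisableRegistryTools -ErrorAction SilentlyContinue
$results['DisableRegistryTools'] = if ($regPol) { $regPol.DisableRegistryTools } else { 'not set' }

# 2. "Allow remote server management through WinRM" with the * filters entered in the lab.
#    A * filter means the WinRM listener is bound on every local IPv4/IPv6 address.
$winrm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' `
                          -ErrorAction SilentlyContinue
$results['WinRM AllowAutoConfig'] = if ($winrm) { $winrm.AllowAutoConfig } else { 'not set' }
$results['WinRM IPv4Filter']      = if ($winrm) { $winrm.IPv4Filter }      else { 'not set' }
$results['WinRM IPv6Filter']      = if ($winrm) { $winrm.IPv6Filter }      else { 'not set' }

# 3. Password policy and user-rights assignments live in the local security
#    database; secedit (built-in) exports them as an INI-style file.
$cfg = Join-Path $env:TEMP 'baseline-check.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$ini = Get-Content $cfg

function Get-IniValue([string[]]$Lines, [string]$Key) {
    # Return the value after "Key =" or 'not set' when the key is absent.
    $line = $Lines | Where-Object { $_ -match "^\s*$([regex]::Escape($Key))\s*=" } | Select-Object -First 1
    if ($line) { ($line -split '=', 2)[1].Trim() } else { 'not set' }
}

$results['MinimumPasswordLength'] = Get-IniValue $ini 'MinimumPasswordLength'   # baseline sets 10
$results['PasswordComplexity']    = Get-IniValue $ini 'PasswordComplexity'      # 1 = enabled

# User rights are listed as SIDs, e.g. *S-1-5-32-544 = Administrators,
# *S-1-5-32-555 = Remote Desktop Users. Rights set to Not Configured are absent.
$results['Allow log on through RDS']          = Get-IniValue $ini 'SeRemoteInteractiveLogonRight'
$results['Deny log on through RDS']           = Get-IniValue $ini 'SeDenyRemoteInteractiveLogonRight'
$results['Access this computer from network'] = Get-IniValue $ini 'SeNetworkLogonRight'
$results['Deny access from the network']      = Get-IniValue $ini 'SeDenyNetworkLogonRight'

Remove-Item $cfg -ErrorAction SilentlyContinue
$results.GetEnumerator() | Format-Table Name, Value -AutoSize
```

The "Deny" rights that were changed to Not Configured in Part 1 should show as not set, while MinimumPasswordLength should read 10 and DisableRegistryTools should read 2.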

You have completed this lab. This brings us to the end of labs for this week. Thank you again for the participation and hard work.
