Announcing Workspace ONE Support for Windows 11 23H2 Baselines
Workspace ONE administrators often use built-in template Baselines to manage Windows device settings. Using Baselines, administrators can configure settings such as account lockouts, device encryption, firewall settings, block registry access, and much more.
Workspace ONE offers two built-in templates for administrative configuration, namely:
- Windows Security Baseline
- CIS Windows Benchmarks
While these two template options are not new, the option to select Windows 11 version 23H2 is now available for both templates. Note that both Microsoft and CIS provided the updated setting recommendations embedded within these baselines, and these settings have not been modified by Omnissa.
Windows 10 did not include a version 23H2 release, so there is no similar release available for Windows 10. The latest template version support for Windows 10 is 22H2.
Figure 1: New Windows 11 23H2 Baseline Options
Transitioning to Windows 11 23H2 Template Baselines
For security reasons, the template used as the basis for a Baseline cannot be changed once designated. Only the options within an existing Baseline can be reconfigured. As a result, existing Windows 11 template-based Baselines cannot be upgraded to 23H2. As shown in the example below wherein the Windows 11 Version 22H2 CIS Benchmark had originally been selected, it is not possible to alter the template selection when editing. All options are grayed.
Figure 2: When adopting Windows 11 23H2, an existing Baseline cannot be modified.
Thus, to transition to either of the Windows 11 23H2 Baseline templates, it is necessary to create a new Baseline and then configure and apply it accordingly. The template used as the basis for a Baseline should align with the Windows version installed on Windows endpoints.
For a short hands-on view of Workspace ONE Windows Baselines, access the following click-through demo:
'%3E%3Cpath id='Rectangle_1' data-name='Rectangle 1' d='M0,0H800V300H0Z' transform='translate(2297 -300)' fill='%23E2F0D9'/%3E%3Cg id='Group_5' data-name='Group 5' transform='translate(-6 -3)'%3E%3Ctext transform='translate(2534 -152)' font-size='50' font-family='Roboto-Regular, Roboto'%3E%3Ctspan x='0' y='0'%3ECurated Assets%3C/tspan%3E%3C/text%3E%3Ctext transform='translate(2683 -99)' font-size='20' font-family='Roboto-Regular, Roboto'%3E%3Ctspan x='0' y='0'%3ECard%3C/tspan%3E%3C/text%3E%3C/g%3E%3C/g%3E%3C/svg%3E)
Best Practices
Smart Groups that are based on specific Windows versions will simplify the application of Baselines. For example, create a Smart Group for each specific Windows version and then:
- Deploy Windows 10 22H2 Baselines to Windows 10 22H2 devices.
- Deploy Windows 11 23H2 Baselines to Windows 11 23H2 devices.
- Deploy Windows 11 22H2 Baselines to Windows 11 22H2 devices.
Setting up Smart Groups in this way will also be useful when upgrading Windows 10 endpoints to Windows 11 in preparation for Windows 10 end-of-life.
Of course, care should be taken to ensure that specific settings are not applied to the same device via distinct Baselines as this will create complexities and inconsistencies.
In addition, a review of both new template security options and settings should be undertaken. This review should include your Security team to ensure compliance with enterprise governance requirements.
Summary
Workspace ONE Baseline templates now offer new support for Windows 11 23H2. Whether you choose to adopt the latest Windows Security Baseline or the CIS Windows Benchmark, these new options help to maximize security and streamline management of Windows devices within your organization.