Episode 18: Using Baselines to apply industry-recommended settings

Captions
Hello and welcome back to The Ascent: Future-Ready Now with Workspace ONE UEM. It's Adarsh and Brooks again, another episode. I don't even know how many episodes we're at; we're at a lot. Okay, so we're on episode way too many, but today we've actually got a special guest, and it's nice to have other people on because they just listen to us all the time. But this is someone that you've probably seen in the Workspace ONE community far more than us, to be perfectly honest. He's been doing Windows management forever, he's been the subject matter expert forever. I've known Josue since I started, so, Josue Negron.

Hey everyone, I'm Josue.

So Josue, we obviously know you from the community. We've actually had a bit of a virtual tour of your house; we'll put a link to that blog that you did where you are drop shipping devices for everyone, got a little bit of a tour around your house and your office setup. But what else is there? Tell us a little bit about Josue.

Yeah, so my name is Josue Negron. I was part of the AirWatch acquisition. I started at VMware about seven and a half years ago straight out of college, started as a support software consultant (was the title), moved into a subject matter expert role supporting the Sales Engineers, and then our whole team kind of migrated over into Tech Marketing. So now I primarily focus on the Windows platform at VMware and pretty much just create a bunch of enablement material over at techzone.vmware.com for the Windows 10 platform.

Yeah, awesome. And I've known Josue since I started; we were both in Atlanta at the time, and Josue's now moved on to bigger, better places. And you've got a young girl, correct? So you're going to give Brooks a little advice about having a baby girl.

Yeah, in my opinion, I don't know, I don't have a boy yet, but girls are far more calm, less energy. I think we were blessed, a very, very perfect little girl, right now 19 months old, and she's just the happiest baby at the park. Everyone's so jealous, and I'm like, hopefully the next one is a clone, hopefully the next one does not go crazy. So yeah, it's awesome.

That's cool. So you're going to take us through baselines today. And so for those of you who are not familiar with baselines, which you should be, there's pretty good documentation out there that Josue's authored. I remember going through the review stages and it was 113 pages long, so it's all the bedtime reading we told you about before; there's even more now to go with. But sort of give us the walkthrough of baselines: what it's there for, what gap it fills, and sort of the concepts all around.

Yeah, so baselines really, I guess, is a solution for a lot of organizations who are trying to modernize their group policies. There wasn't really a great way of managing non-domain and domain-joined devices, especially now in this remote-ready time where you might have a device that's not on the domain and you're trying to manage the device using the traditional policies, the CSPs or the profiles that are in the console, but you wanted a good way of pushing group policies. In the past we've seen folks take group policies from LGPO and push those out to the devices and things like that, and so there wasn't really a nice streamlined way of modernizing group policies when your devices, one, didn't have access to the domain controller to get the updates, or two, just weren't domain joined to start with and were really cloud-ready devices always out in the field. And so what baselines provides is an industry-standard way of configuring your devices to security standards. So today we support CIS benchmarks and Microsoft security baselines, and so you can easily start from one of those standards, customize and add additional policies, and then push those out to all of your different devices. And we'll go into all the details, but Adarsh did mention some documentation, and so on Tech Zone the tutorial is called Understanding Windows 10 Group Policies, and it walks through not only the technical how to deploy or how baselines work, but it provides history, it provides the planning and the preparation step, which is very, very important. I know Adarsh and Brooks have helped many customers, and this is where I got most of my information for the whole planning and the analyzing and rationalizing phase, which are probably the most important steps, because you're not going to want to move all of your group policies just over into the cloud. I don't know if you guys have additional commentary there, but this is kind of the structure of the operational tutorial. Be sure to also check out the appendix section if you want more of that nitty-gritty how it works on the back end. I go into all the CSPs, custom settings profiles, as well as the precedence of traditional group policies and modern management policies in the console and how to make one win over the other and things like that. So there's a ton of information in here.

Awesome, yeah, very much so. And there's a lot of stuff; we're going to have to get Josue back on over and over to go through a lot of this. Because you're right, traditionally you would do things through group policy, and then obviously trying to move that to modern, you don't want to take... I don't know, you guys use a much lighter term than we use back in Australia, but garbage in, garbage out. You don't really want to take stuff that's in your GPO and move that across into modern policy and expect it to work any better. So you've got to obviously do a rationalization process, but then knowing full well that all of your CSPs don't really cover all of the potential policies that you may have in your environment that are necessary, and this is where baselines kicks in. This is where the rationalization process tells you, well, how often do I have to go reapply these settings? Are they more static settings? Are they settings that I need to go and apply at a specific time interval? And this document goes through that in quite a lot of detail.

Yeah, and I think for many organizations, you know, they tried to get to Windows 10 fairly quickly, maybe didn't have time to get rid of all their Windows XP and Windows 7 group policies, they just carried them all over, and no one's bothered to really look and see if that one thing really is necessary anymore. So baselines also gives an opportunity to be like, hey, let's just start clean, let's start with what Microsoft or the industry says is a good security baseline and kind of start from there. Maybe you can add in more additional things, which Josue will show, but it gives a nice clean way to start fresh in this modern world with a set of settings that you know are trustworthy, I would say. So that's a good use case.

Yeah, that's a good one. So you may as well start showing us in the console how this works.

Yeah, absolutely. So the first thing you're going to want to do is have devices that are enrolled so that you can actually test what's going to happen. I highly advise everyone to leverage a VM first to do your testing, take a snapshot before you start playing around with baselines, and again, do not use a physical device when you're first testing, just from personal experience. You'll definitely want to have a VM with a snapshot, because you'll want to test how everything works before locking yourself out of a physical device, or have multiple admin accounts on your device. But the way to get to baselines is we're going to go into Devices, and then Profiles and Resources, and then Baselines. This is going to reload the console and bring up the baselines. I don't have any baselines in this environment just yet, but the way we're going to go in is we're going to start fresh, click New, give it a name, description, so on and so forth, and then you'll see the options of which baselines and versions we can choose from there.

Now, we mentioned in the previous episode we walked through profiles and the CSPs, and, you know, they understand at least how those work. Are these going to be applying CSPs, are they applying it at a different node?

Yeah, so these do not apply any CSPs, any of the configuration service providers. It's actually going to leverage a few things on the back end, including some of the native tools like secedit and auditpol, but it's also going to leverage Dynamic Environment Manager, kind of a fork of that, to apply some of the policies as well on the device. And so it's all going to be handled on the device, and maybe in a future episode we can talk about how to validate the policies on the device, how to do some troubleshooting and things like that, to actually see if those policies are on the device and if there are any conflicts and things like that.

But so it's setting the same exact settings that group policy would, so this is really just like a group policy from the cloud, in a way, right?

Absolutely.

Nice.

So basically we're just going to want to give it a name and description. The description's mainly just for you to understand who you deployed this to, what this is for, and here I'm just going to leave it blank, but I'm just going to name my baseline Microsoft security policy. The next thing is choosing your actual baseline. So like we said before, we support the CIS benchmarks, the Windows security baselines, and then maybe in another episode we can talk about custom baselines, but let's focus on the first two, which are going to be those benchmarks. There are tooltips here that will provide additional information, but basically you can select your version. And so for Microsoft security baselines you'll see the versions that we support there, and then for CIS benchmarks you'll see that we support these versions that are listed there, as well as two different levels. So you have level one and level two. Let's see if this will load up.

And level two, what's the difference there? I think level two is just more strict, right? More stringent?

Yeah, so level one is going to be less strict and then level two would be more strict. I believe level two focuses more on, like, BitLocker, more security-type related features than level one does. And so one other thing to keep in mind is if you're going to be using the Workspace ONE Intelligent Hub with some of these baselines, you might have to go in, and I can show you guys on the next step, you might have to go in and change one of the settings that allows UWP applications, or else the app catalog might not load, and that's going to be on the new interface. So I'm not sure where we are in The Ascent or if we even talked about that yet, but it is covered in the tutorial.

And so here I'm just going to choose Windows 10 security baseline version 1909. I'm going to select Next, and so this is going to provide you with the very familiar UI that we're used to when we go in to edit group policies. This is going to be the dropdown where you can see User Configuration and Computer Configuration. Some of the nice things here are this is a real-time search filter, so if you're trying to look for a setting we can go in and look for it, hone down and change that setting. All of the Microsoft security baseline settings are preset in here, so you can see all of the defaults. For example, account lockout duration is enabled by default with a value of 15. If you don't know what any of the settings are, you can click on the tooltip and it's going to tell you exactly all the information that you're used to seeing when you go in to edit group policies, and so it will tell you all the minimum values, default values, maximum values, and what each of those values do. So you don't need to be a group policy expert to get started with a known good configuration and then tweak those settings as you go. One of the things that always gets me, and I'll go down into password policy here, is the minimum password length and complexity. I, on all of my test devices, probably use like an eight-character password and never use complex characters, and so this one, if you are on a physical device with just one account on it, you might kind of lock yourself out. So these are some of the different policies to keep in mind. So like 14 is going to be the minimum password length, complexity is going to be required, and so these are some of the things that you can go in and edit like you would. But like I said, if you wanted to find something along the lines of BitLocker, you can quickly type that in and see that everything regarding BitLocker will pop up, and you can click into it and say, oh no, I do not want to deny write access, so you can either disable it or say not configured. If you don't know what that is, again, click the tooltip to see exactly what each of disabled, enabled, or not configured does and what the default values are. So we can see if the removable disk deny write access policy setting is enabled, this policy will be ignored. So there's a lot of information in here. Some of the things are you can quickly filter in real time, you can use your dropdown, you can edit all of these policies like you would, but it starts with that known good security baseline configuration to be deployed.

And that's the key thing. The key thing there is everything that you're going through with the customizing, the policies that you've got there, they're actually already in the security baseline as defined by the settings that's in there. So if you don't know what's in the baseline, you could literally go in and Google Microsoft security baseline 1909 and get a list of the settings, and then you can go, well, this is what the industry says is a good set of settings, how close does that apply to my organization, and then go, well, I want to turn this on, this off within that particular security baseline from there.

Absolutely. And so the next step, once you make your modifications, is you can additionally add a few different policies here. And so again this is going to be real-time search, so if I search for, let's say, BitLocker again, I'm going to see all the different additional policies that I can apply there that pertain to BitLocker or whatever you searched, and so it literally shows everything here.

And so the key thing here is these policies are not in the security baseline, but they're in group policy, for example.

That's correct.

Okay.

And so here you can see it's coming from, like, Administrative Templates, Windows Components, Windows BitLocker, and if you were to click onto here it literally again shows you everything you would want to know. And if I were to enable this, I can then require BitLocker to back up to AD and select all of your different options here. Do you guys have anything that you would want me to search for so that we can do some real-time policy configurations?

It's always a good one, I know Internet Explorer has a bunch, and Edge. Are those in there?

Yeah, so let's search Edge so we can see that there are a lot of Edge policies. And so if we wanted to always show the Books Library in Edge, or allow Microsoft Edge to pre-launch at Windows startup, so if you don't want Edge to pre-launch you can disable that policy, for example. Anything here that you guys see you would want to configure on the device?

Yeah, just pick one, pick any of those would be good, just add one to see, show it all.

All right, so for example I can come in here and either disable it, enable it, or configure pre-launch to prevent pre-launching or allow pre-launching. So I'm just going to say prevent pre-launching, just for the sake of showing something. Keep in mind you can add as many different policies here as you want, so if I search for something else you'll see that I can literally add as many policies as I wanted to. But the main thing here is when you go to the summary page it gives you a nice good summary of everything that you've done in this baseline. So any customizations that you've done from the Windows 10 security baseline 1909 version are going to show up under customizations, and then any additional policies that you've pushed out on top of that baseline will show under here. And so basically what I'm going to do is save and assign this out to the device and then quickly flip over to the device to see what that looks like to the end user. And so I'm going to lean on you guys: what do you normally assign this to?

Well, I think I created a group for you. I think you had an enrolled device. I think if you look up Josue's devices... we've got a nice little test group.

That's fancy, look at that. All right, so that brings up a great point: when you are testing these, it's good to push it out to one test device that you're using, like a VM, before sending it out to a group of devices or production. And one of the other things that was recently added, I say recently but it's been there for a while, is the ability to do exclusions. So if you have, you know, high-profile executives in the organization and you don't want them receiving the baseline, you can do exclusions for whatever reason. But I'm just going to go ahead and publish this. We're going to see that it was assigned, and flip over to my device. And basically once the device receives this policy it's going to give us a toast notification that says Workspace ONE applied some policies, you need to restart your device in order to have all of the policies apply. And so one of the things is I will show you how we can do compliance. Compliance doesn't get reported until after we restart our device. So here we see "Workspace ONE policies have been updated, please restart your device to apply the updates." What's actually happening is there is a GPO backup that happens on the device once the policies get applied, and then most of the policies are applied at this time; however, there are some policies that require a reboot, and so that's why we won't report compliance until after the device is rebooted. So now we're going to restart our device and try to see if those policies actually made it, and then I'll switch back over to the console to show you compliance. And so I guess as we wait for that to occur, we can come into the policy and see what we can see as an administrator. So install status: we can see that it was installed, but again compliance is not available, and compliance won't be available until the device comes back up from the reboot. If we look at devices, it should give us some more information around, like, pending reboot. If you were to click on compliance, you can actually see every single policy that's pushed out to the device; 294 policies are pushed out, but again the status is not available until the device comes back up.

This will give compliance on each individual setting, right? So if it drifts, or if someone goes around and changes something, it'll report that?

Yeah, absolutely. So compliance will show you the compliance of every single setting. You can also even filter down to which ones are compliant, not compliant, or not available. So if you wanted to see which ones were not compliant, which ones drifted, you can also see that. We also support reapplying baselines, so I'm not sure if we want to go into those details just yet, but that is supported as well. And so this is going to be very interesting if I remember the password that was set for this account. There we go.

All right, look at you, password first go.

We can't do that. So yeah, all right, so basically what's going to happen is on the back end the device has now applied all of the group policies. The Workspace ONE Intelligent Hub is going to send that sample back up to the console and report, so that we can get the compliance on the device. If there are some nice policies that you know are in the baseline, you can check your device to see if they were set. If you want more granularity, just really quickly without going into details, I would use something like Policy Analyzer, and/or, I don't know if we want to go into MDM diagnostics, but that's a great tool to export the log and see all the configured policies on the device. That's not going to show you everything that's in the baseline, but it will show you some confirmation of what's on the device.

But won't gpedit also do it?

Yes, it will, certain policies.

That's even an easier way.

So if we go into edit group policy, I guess let's look at the password policy to see if that was configured on this device. So again, edit group policy, we're going to see that very familiar, I don't know what kind of menu this is called, the dropdown menu, I don't know the technical term for it. But if we were to go into the settings to find the password policies... I just want to go into local accounts, nope, Account Policies, Password Policy, there it is. We should see that some of these things are configured, and the minimum password length was 14 characters and it's going to require those complex characters. So we know that Windows does not do 14 characters by default, and so all of these settings should match what was in that baseline now. And this is a quick way, thanks Brooks; I get really tied down into the nitty-gritty, hardest way to troubleshoot, and so this is a very quick way of going in and seeing exactly what was pushed out. And so now I'm going to come back in here, just going to sync my console, and we should have a compliance. So now we see that it was installed, v1 was installed; if I come over to compliance we should have some compliance reported back. If not, I'm just going to manually do a sync here. So I'm just going to click on the Hub, do a sync, and come back into the console to see if I can get some compliance reporting back. There are three levels of compliance that we can see on the summary screen, and so compliant is, I think, like 100% compliant or 99% compliant, intermediate is like 85 to the 90-ish range, and then non-compliant is below that threshold. And that's all documented in the tutorial, so I don't know off the top of my head, but that is in there, and it might be... there we go, in the tooltip: devices that are 85 to 99% compliant are classified as intermediate.

Awesome, cool. And for, you know, orgs that don't have... if their users aren't local administrators by default, which is always the best, a good practice, then, you know, setting up baselines like this, it's going to work, it's going to be fine. You're not going to get much policy drift unless you've got other tools in the mix changing things around or conflicting with group policy. But obviously if your users are local admins, then, as Josue mentioned, there's a... I think it's still a registry key, is that correct, to enforce the baseline?

Yeah, that's correct, to reapply it.

Yeah, is that in your guide? I'm assuming you walk through how to deploy that.

Yes, so I show various different examples of how you can reapply. So here we can see enforcing configured group policies. You can either do a custom profile, but the registry key is here, so this is the path: reapply enterprise in the AirWatch key.

Okay, yep. Well, so that'll ensure everything is constantly reapplied, so that you get that known state and that desired state config.

Correct.

Cool. Now we're just playing the syncing game. Come on, console, you can do it.

So yeah, we haven't gotten the report back, but basically once... and now it's gone back to pending install for some reason. So I'm just going to quickly see if another restart gets us that compliance. If not, basically what happens is once all the policies are pushed out, once you reboot your device and the Hub has the sample to send back up to the console, you then see that compliance status in the console, and you have the ability to look at it on a per-policy basis, and like Brooks said, you can then monitor the policy drift. And it's gone back to pending install, so we'll see if another reboot kicks it off and see if we can get that compliance status reported for us.

And show, go to the device as well, the device details page, and show you can see it there. There's a baselines tab as well.

So yeah, you can either click on the friendly name, but now that I clicked off I can't. You can either click on the device friendly name to get to the device, or again go to Device List View, select the device that you're working with, and under the device details list view page you can select Baselines and see if multiple baselines are applied on the device, or if that baseline installed. But that brings up another great point, where it's not really the best practice to have multiple baselines on the device. More details on the explanation of why and the rationale behind what happens if you do assign multiple baselines are covered in the operational tutorial as well. So now I can click on Baselines here and it will show me the baseline that I have, it's version one. Again you can see the compliance details there and the install status as well. Were there any other questions you guys can think of that maybe the audience would have?

One. So you have a 2004 Windows VM, is that right, but you deployed the 1909 baseline. Are there any issues with that?

Yeah, so basically the way Workspace ONE baselines views it, so I'm going to be talking from the perspective of Workspace ONE baselines, it doesn't care, right? It doesn't have the knowledge that this is a 2004 device. All it cares about is: I know what the Microsoft 1909 baseline is, or whatever the baseline policies are, I'm going to attempt to push those out to any device that the administrator assigns it to. And if the policies, one, are not available, it's just going to report as not available. It's going to try to apply it, it's not available, it fails, and so it's just not going to be able to apply that. But if it is available, it's going to apply all of those. The one thing to look out for is if you're pushing out a 1909 to a 2004, or even worse a 1909 to a 1903 device, just know that compliance has the opportunity of not being 100%, because there might be policies that don't exist anymore, or new policies that are in 1909 that don't exist in 1903. But from VMware's perspective we don't care; we give that opportunity to the administrators to then create, like, a smart group that will only apply it to 1909 devices, or you might have 1909 on 2004, and then in the upgrade process you can then assign the 2004 policy on top of that.

Yeah, so is that a best practice, would you say, or do you see people doing that, where you should create a new baseline, or at least copy the previous one you had, or select one for 2004 once the new one's in there, like make one for 2004? Or is it generally most of the settings carry over for the most part and you don't really have to worry too much?

Yeah, so most of the settings do carry over. Microsoft does publish a diff, so if you go into the security toolkit you can see the differences between 1909 and 2004. But basically, yes, the best practice in my opinion would be scoping them out to smart groups, but when you create that smart group, do something like 1909 plus, like 1909 or greater for the operating system, so that when the devices do upgrade to 2004 they're not just automatically pushed off of the baseline and the baseline's not ripped off of the device, and then creating the 2004 baseline when you're ready to create that and then applying that onto the device. So really quickly, just like traditional group policies, last write wins. So if you do have multiple group policies on the device, the last one that was pushed to the device, or if you go in and edit a baseline, that's going to be the one that gets overlaid on top of the other baselines. So the newest or the latest modified baseline is going to be the one that overwrites any previous baseline that's on the device.

Awesome.

All right, so it doesn't look like we're going to be able to get the compliance status in time, but basically what happens is you would then get the compliance reported, and if I were to locally make a change you would see that updated from not available to compliant, and then if I make a change and we have policy drift, it would go into non-compliant status from there, unless you had the reapply logic enabled, and you wouldn't have to really worry about that because at that interval the baselines would reapply.

Yep, if you want the reapply logic, go look at the document.

Awesome, yeah, that's great, man. Yeah, this is cool, and we're going to have to get you on to do custom baselines and a bunch of other things as well. But I think this is a really good starting point, certainly around if you want to go start your policies from scratch and you want to use an industry template, this is a good way to do it. You've got a nice UI, you can now deploy your group-policy-like policy from the cloud out of Workspace ONE, very similar to how you would do your CSPs. And the operational tutorial that's there is very long and very... it's full of way too much detail, let's put it that way.

Very thorough, yes.

Yeah, it covers all the bases. Yeah, you can enjoy the bedtime reading that Brooks and I have done after Josue wrote it all.

That's right. Cool, any parting words, Josue?

No, again, I spent a long time testing baselines to see how this logic actually works and everything, so if you do have any questions at all please check out the tutorial. If you have any feedback whatsoever please send that feedback over to me. You can reach me directly; if you search for Josue Negron on Tech Zone you can see all my social media, I'm available on any network, or you can just direct the feedback here within the website. If you want to see something added, if you see anything that's incorrect, please let us know and I can get that added, updated, or whatever. So yeah, just go to Tech Zone, everything's on there, reach out to me if needed, I'm more than happy to help.

Yeah, awesome, that is a good plug actually. So we haven't really talked about that all that much, but all of the Tech Zone articles have got a feedback option at the top right, so make sure you do, if you've got feedback, you've got comments, you've got questions and stuff, put them in there. And the authors are phenomenal, they'll be able to help you with answering those questions or pointing you to other resources that you need to look at.

Another thing is if you submit feedback you need to be signed in, so definitely sign in. Signing in to Tech Zone allows you to do things like pinning your favorites, looking at maybe some extra content, and getting updates when things become available as well.

Awesome, well thanks Josue, much appreciated.

Yeah, no worries, thanks for having me.

Yeah, you bet, and you're now on the hook to do a whole bunch more of these, so you're welcome. But thank you very much and we will see you on another episode of The Ascent. Take care, thanks, bye.
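Added example, written for this page and not from the episode or VMware's documentation: the hosts confirm the 1909 baseline landed by opening gpedit and reading the password policy by eye. The same check can be scripted on the enrolled test VM with secedit, one of the native tools Josue says the baseline leans on, and the result graded with the bands the console tooltip states (100% compliant, 85 to 99% intermediate, below that non-compliant). The three expected values are the ones called out in the episode (minimum password length 14, complexity required, lockout duration 15); the function names, the temp-file path and the decision to check only these three settings are assumptions for illustration. secedit covers the local security policy (account and audit settings) only; administrative-template settings such as the BitLocker and Edge policies added on top would need gpedit, Policy Analyzer or the MDM diagnostics log mentioned in the episode.

```powershell
# Added example (not VMware's code, not from the episode): export the effective local
# security policy with secedit, compare it to the values the episode attributes to the
# Windows 10 1909 security baseline, and grade the device the way the console does.
# Run from an elevated PowerShell session on the enrolled test VM.

function Get-LocalSecurityPolicy {
    # secedit /export writes an INI-style file; /cfg is the output path (assumed temp location).
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed (is the session elevated?)' }

    # Parse "[Section]" headers and "Key = Value" lines into section -> key -> value.
    $policy = @{}
    $section = $null
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\[(.+)\]\s*$') {
            $section = $Matches[1]
            $policy[$section] = @{}
        }
        elseif ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
            $policy[$section][$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item -Path $cfg -Force
    return $policy
}

function Test-BaselineSettings {
    param([hashtable]$Policy, [hashtable]$Expected)
    # One row per expected setting; a missing section or key counts as non-compliant.
    $results = foreach ($section in $Expected.Keys) {
        foreach ($name in $Expected[$section].Keys) {
            $actual = if ($Policy.ContainsKey($section)) { $Policy[$section][$name] } else { $null }
            [pscustomobject]@{
                Section   = $section
                Setting   = $name
                Expected  = $Expected[$section][$name]
                Actual    = $actual
                Compliant = ($actual -eq $Expected[$section][$name])
            }
        }
    }
    return $results
}

function Get-ComplianceStatus {
    param([object[]]$Results)
    $matched = @($Results | Where-Object { $_.Compliant }).Count
    $pct = [math]::Round(100 * $matched / $Results.Count)
    # Bands as stated in the console tooltip quoted in the episode.
    $status = switch ($pct) {
        100           { 'Compliant'; break }
        { $_ -ge 85 } { 'Intermediate'; break }
        default       { 'Non-compliant' }
    }
    [pscustomobject]@{ Percent = $pct; Status = $status }
}

# Values the episode calls out for the 1909 baseline. secedit reports them under
# [System Access] as numeric strings; PasswordComplexity 1 means complexity required.
$expected = @{
    'System Access' = @{
        MinimumPasswordLength = '14'
        PasswordComplexity    = '1'
        LockoutDuration       = '15'
    }
}

$policy  = Get-LocalSecurityPolicy
$results = Test-BaselineSettings -Policy $policy -Expected $expected
$results | Format-Table -AutoSize
$summary = Get-ComplianceStatus -Results $results
'{0}% of checked settings match the baseline: {1}' -f $summary.Percent, $summary.Status
# A setting a local admin changed after the baseline applied shows up here as Compliant = False,
# which is the drift the console reports and the reapply registry key is meant to correct.
```

Run it once right after the post-baseline reboot to get a known-good reading, then again later: a row flipping to Compliant = False is local drift, which is exactly the case the episode's reapply setting exists for. Because the expected table is a plain hashtable, the same script can carry the [Event Audit] or [Registry Values] sections from a full secedit export of a clean reference VM if a broader comparison is wanted.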
Info
Channel: VMware End-User Computing
Views: 977
Keywords: vmware, euc, end-user computing
Id: G-qrqKZvoDc
Length: 34min 59sec (2099 seconds)
Published: Wed Feb 10 2021