ivan_531, Posted October 2 (edited)

Hi,

Has anyone run into an issue when creating a new baseline? For example, "Disable Bitlocker for Removable device": you configure this baseline using the Windows template, you assign a group, and it works as expected. But a few days later, the same problem again: the baseline for some reason stopped working, and then to make it work again, I have to unassign it from the group, publish, and then assign it to the group again (after that it works for a few days). I just wonder if someone else has the same issue as me. Also, I only have one baseline and all configuration is inside it. Before, I had several baselines, a separate baseline for each setting, but now I put all settings in a single baseline.

Edited October 2 by ivan_531 (Update)

Jason Misleh (Employee), Posted October 2

Can you confirm that there are no GPOs or third party products that might also be setting this setting and overwriting the baseline?

ivan_531 (Author), Posted October 3

Yes, I can confirm that, as all devices we switched to Workspace One were previously managed with AD group policy. We copied our domain GPO into Workspace One baselines. Also, all devices that are enrolled in WS One are removed from the domain, so they are no longer managed by AD group policy.

Jason Misleh (Employee), Posted October 9

Sorry for the late reply here. Can you post the results of a GPRESULT? You can run gpresult /h <filename.html> and attach it here. This will ensure that there is no residual configuration even after the domain exit. Additionally, I would recommend opening a support ticket on this.

ivan_531 (Author), Posted October 17

Hi Jason,

I was able to fix that. The problem was that I have 2 baselines and some settings that were configured in one baseline were not configured in the other one. I'm not completely sure how WS One handles this, but it seems that if I have something configured in one baseline and I don't have that in another, it will not work as expected. Both baselines are assigned to the same group (All devices). If I understand correctly, the best practice is to have only one baseline for one assigned group? But even that does not work as expected, as some settings do not work as expected, and only for them I had to create an additional baseline.

Also, some of the policies do not work as expected. For example, the default value for the policy "Removable Disks: Deny write access" is not configured and it says "If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access", but in reality, I had to configure this policy as Disabled in order to get write access.

Jason Misleh (Employee), Posted October 17 (Solution)

Hey Ivan,

It sounds to me like you have some race conditions occurring where multiple settings are hitting a device and the one that takes precedence is unpredictable. Possibly adding to the confusion is multiple changes being queued. When a policy is configured as Not Configured, UEM will take no action on the setting, so if it was previously configured by GPO, UEM would just leave it as is in most cases, so if the setting was previously configured by another management tool, you'll need to configure it in the baseline to overwrite the previous settings.

With that in mind, if two management tools or two baselines are writing different settings to the device, the one that actually lands on the device may be unpredictable. Best practice is to have one baseline per device and that can be achieved via a group, but if a device is a member of multiple groups, you could end up with multiple baselines being pushed to the device, and the "last one wins" ... but it's not possible to predict which order they will be consumed by Windows.

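An added example, not part of the thread and not Workspace ONE code: a small audit that, for each device, works out which baselines reach it through its group memberships and flags settings that conflict, are set in only one baseline, or are left Not Configured everywhere. The baseline names, devices, groups and the data layout are constructed for illustration and do not represent a Workspace ONE export format or API.

```python
# Added example. Constructed data; not a Workspace ONE export format or API.
NOT_CONFIGURED = "Not Configured"
DENY_WRITE = "Removable Disks: Deny write access"
DENY_READ = "Removable Disks: Deny read access"
BDE_WRITE = "Deny write access to removable drives not protected by BitLocker"

# Constructed sample: baseline name -> {policy setting: state}
BASELINES = {
    "Baseline-A": {DENY_WRITE: "Disabled", BDE_WRITE: "Disabled", DENY_READ: NOT_CONFIGURED},
    "Baseline-B": {DENY_WRITE: NOT_CONFIGURED, BDE_WRITE: "Enabled"},
}
# Constructed sample: which groups each baseline is assigned to, and device membership
ASSIGNMENTS = {"Baseline-A": {"All devices"}, "Baseline-B": {"Kiosks"}}
DEVICE_GROUPS = {"LAPTOP-01": {"All devices"}, "KIOSK-07": {"All devices", "Kiosks"}}


def audit_device(groups, baselines=BASELINES, assignments=ASSIGNMENTS):
    """Return (applied baselines, {setting: finding}) for a device's group set."""
    applied = sorted(b for b, g in assignments.items() if g & groups)
    settings = {s for b in applied for s in baselines[b]}
    findings = {}
    for setting in sorted(settings):
        # A baseline that omits a setting is treated like Not Configured: no action.
        states = [baselines[b].get(setting, NOT_CONFIGURED) for b in applied]
        explicit = {s for s in states if s != NOT_CONFIGURED}
        if len(explicit) > 1:
            findings[setting] = "conflict"   # last one wins, order not predictable
        elif not explicit:
            findings[setting] = "unmanaged"  # value from an earlier GPO/tool is left as is
        elif NOT_CONFIGURED in states:
            findings[setting] = "partial"    # set in one baseline, not in another
    return applied, findings


if __name__ == "__main__":
    for device, groups in DEVICE_GROUPS.items():
        applied, findings = audit_device(groups)
        print(device, "receives", applied)
        for setting, kind in findings.items():
            print(f"  {kind:9} {setting}")
```

A device that receives more than one baseline, or that shows any "conflict" finding, is a candidate for consolidating into a single baseline per device as recommended in the solution post.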