Posted

I know that CN135 is a true UAT console and changes constantly, but there is a change in the windows(beta) profile that concerns me. There's a new tag within both user and device profiles that says "beta templates (deprecated)". Anyone know if they are dropping the windows(beta) profiles or just merging everything into the other windows profile section?

  • Employee
Posted

Hi @ZombieKiller, yes we are getting ready to replace this profile type with a new version that will look similar and operate much "better". Details coming soon.

I know you were hoping to utilise this profile type for Windows Update control, but I'm interested to know what settings are missing from the current profile? As far as the reliability of the existing Windows Update profile when running on machines with a CIS L1 Baseline, this is nearly always because CIS L1 Baselines have a Windows Update control configured by default. If you are using the Baseline and profiles, then disable that part within the Baseline. You should never deploy conflicting configuration.

Posted

@Phillip Helmling, the main problem I have is that I'm about to start designing and deploying out an entirely new windows 11 autopilot enrollment. Probably around 5K devices. I understand that this new version of the profiles is targeted for early 2025. Do you think it would be beneficial to wait until this new console release to begin the project? I would hate to begin this project to find out that parts of what I have created are no longer valid. What do you suggest?

There are many payloads in the windows(beta) profiles that have expanded features that the standard windows profiles do not have, or that do not exist in the profiles at all. There is bitlocker, windows ai, WUfB, news and interests, LAPS, local policies, and windows 11 personalization and start menu. These are just a few of them.

I'm also having an issue right now with getting baselines to apply on windows 11 arm based endpoints. As in baselines won't apply at all.

My biggest issue with baselines is they require a reboot to apply. With windows 11 and oobe autopilot enrollment, microsoft has implemented this new feature called "quiet period", where on first sign-in to the desktop, notifications are suppressed. So, the user doesn't get the toast notification that the baseline has been installed and to reboot the machine to apply the policy. What good are baselines on windows 11 if you don't get a notification to reboot and apply them? With profiles, I can deploy every setting that is in a baseline and have every security setting applied without a reboot. I'm working on a freestyle workflow that uses baselines and detects when the enrollment is complete so a reboot will happen, but it's a work in progress.

  • Employee
Posted
8 hours ago, ZombieKiller said:

Do you think it would be beneficial to wait until this new console release to begin the project? I would hate to begin this project to find out that parts of what I have created are no longer valid. What do you suggest?

Nope, just deploy with either the Windows Update profile or use a Custom Profile depending on your use case. Happy to connect to discuss further if you need.

8 hours ago, ZombieKiller said:

There is bitlocker, windows ai, WUfB, news and interests, LAPS, local policies, and windows 11 personalization and start menu. These are just a few of them.

8 hours ago, ZombieKiller said:

I'm also having an issue right now with getting baselines to apply on windows 11 arm based endpoints. As in baselines won't apply at all.

This probably needs an SR logged with Support. I've only seen one issue and it was actually related to the particular setting that wasn't applicable to ARM/or ARM handled it differently.

8 hours ago, ZombieKiller said:

My biggest issue with baselines is they require a reboot to apply. With windows 11 and oobe autopilot enrollment, microsoft has implemented this new feature called "quiet period", where on first sign-in to the desktop, notifications are suppressed. So, the user doesn't get the toast notification that the baseline has been installed and to reboot the machine to apply the policy. What good are baselines on windows 11 if you don't get a notification to reboot and apply them? With profiles, I can deploy every setting that is in a baseline and have every security setting applied without a reboot. I'm working on a freestyle workflow that uses baselines and detects when the enrollment is complete so a reboot will happen, but it's a work in progress.

Please bear in mind that Baselines are a security and compliance tool. Whilst a Baseline sets configuration, it does so to be compliant and to allow you to report on the compliance. Profiles just set and forget. Also, the reason Baselines ask to reboot is that they apply user context settings. Profiles do too, but don't ask to reboot, so they may not actually be applied.

What I would do if you need compliance, or you want to leverage the industry standard settings like the MS Baseline or CIS L1 Benchmark, is to apply the Baseline, apply your profiles via a Workflow, and have the Workflow test for the existence of a setting that the Baseline applied. I'll also check on whether there is a way to determine if Baselines have deployed successfully, and then you can execute a reboot (via Script right now) via the Workflow. Hope that makes sense.

Posted
On 11/29/2024 at 2:44 AM, ZombieKiller said:

My biggest issue with baselines is they require a reboot to apply. 

That's partially correct. Think of baselines as Group Policy and similar behaviours apply. Even though Microsoft tries to cover everything under "reboot is required" it is not always the case.

So might be worth checking if a specific, potentially problematic, setting would fall under this.

On 11/29/2024 at 11:17 AM, Phillip Helmling said:

 I'll also check on if there is a way to determine if Baselines have deployed successfully and then you can execute a reboot (via Script right now) via the Workflow. Hope that makes sense.

You can see the baselines apply in the Security Eventlog if you search for "uembaselines.exe" and look at the messages around that time. There might be something useful there. EventID 4688 is one of them. I had to reference an old call to refresh my memory and stupid me didn't give the other event IDs. Bad history Allan.

You can also look at c:\program files (x86)\Airwatch\AgentUI\Baselines for the backups of the baselines. UEM creates a master backup when the first baseline is applied, so that might be useful. The filenames should match the UUID of the baselines which you can get by hovering over the link in UEM and looking at the URL.

I had a quick look at the API doco and there didn't appear to be much of use there, but it was just a quick look.

Posted
11 hours ago, Allan said:

That's partially correct. Think of baselines as Group Policy and similar behaviours apply. Even though Microsoft tries to cover everything under "reboot is required" it is not always the case.

So might be worth checking if a specific, potentially problematic, setting would fall under this.

You can see the baselines apply in the Security Eventlog if you search for "uembaselines.exe" and look at the messages around that time. There might be something useful there. EventID 4688 is one of them. I had to reference an old call to refresh my memory and stupid me didn't give the other event IDs. Bad history Allan.

You can also look at c:\program files (x86)\Airwatch\AgentUI\Baselines for the backups of the baselines. UEM creates a master backup when the first baseline is applied, so that might be useful. The filenames should match the UUID of the baselines which you can get by hovering over the link in UEM and looking at the URL.

I had a quick look at the API doco and there didn't appear to be much of use there, but it was just a quick look.


Every baseline I have ever created has triggered the Hub to notify the user to restart the computer to apply the security settings. They don't function like GPOs.

The biggest issue I am facing with baselines and the restart right now is with windows 11 oobe autopilot enrollment and this "quiet period" on first login. It's not allowing for notifications, so the user doesn't get notified that a restart is needed to apply the baseline settings.

Posted
7 hours ago, ZombieKiller said:

Every baseline I have ever created has triggered the Hub to notify the user to restart the computer to apply the security settings. They don't function like GPOs.

The biggest issue I am facing with baselines and the restart right now is with windows 11 oobe autopilot enrollment and this "quiet period" on first login. It's not allowing for notifications, so the user doesn't get notified that a restart is needed to apply the baseline settings.

Yes, UEM does mention that; it doesn't make it true for all settings. It's just safer.

When baselines came out, a pre-req was to install Microsoft's LGPO tool. You can also import/export from GPO.

Anyway, the intricacies of Windows settings and how they are applied isn't your problem....

Phil's suggestion of a workflow is one way. The problem is still no API or anything to control baselines in Freestyle, so you will need to write some scripts to look to see if the baseline has applied. But... controlling your entire enrolment flow means you can control app install order, reboots that are required, checks, etc.

Maybe it's worthwhile you creating a feature request in AHA to have Baselines have a "Reboot" option on the assignment like Apps do.... Makes a lot of sense for things like your use case, which would be quite common I'd imagine.
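The two detection hints in this thread (Allan's Security log / uembaselines.exe and Baselines backup folder, and Phil's and Allan's point that a Workflow needs a script to check whether a baseline has applied before triggering a reboot) can be combined into one detection script. This is an added example and not Omnissa's code or anything posted in the thread; the baseline UUID is a placeholder, the 4688 check assumes process-creation auditing is enabled (CIS baselines normally turn it on), and how the script's output is wired into a Freestyle condition or Sensor is your own choice.

```powershell
# Added example: detect whether a Workspace ONE UEM Baseline has been applied on this
# device, using the two signals described in the thread. Run as SYSTEM (the Security
# log is not readable by a standard user).
param(
    [string]$BaselineUuid  = 'REPLACE-WITH-BASELINE-UUID',  # placeholder: copy from the UEM console URL
    [int]   $LookbackHours = 4
)

# Backup folder quoted in the thread; backup file names are said to match the baseline UUID.
$BackupDir = Join-Path ${env:ProgramFiles(x86)} 'Airwatch\AgentUI\Baselines'

function Test-BaselineBackupPresent {
    param([string]$Uuid)
    if (-not (Test-Path -LiteralPath $BackupDir)) { return $false }
    $match = Get-ChildItem -LiteralPath $BackupDir -File -Recurse -ErrorAction SilentlyContinue |
             Where-Object { $_.Name -like "*$Uuid*" }
    return [bool]$match
}

function Test-BaselineProcessLogged {
    param([int]$Hours)
    # Security event 4688 = "A new process has been created". It is only written when
    # Audit Process Creation is enabled; if it is not, or no event matches, this is $false.
    $since = (Get-Date).AddHours(-$Hours)
    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                               -ErrorAction Stop
    } catch {
        return $false   # "No events were found" is raised as an error by Get-WinEvent
    }
    $hit = $events | Where-Object { $_.Message -match 'uembaselines\.exe' }
    return [bool]$hit
}

$backup = Test-BaselineBackupPresent -Uuid $BaselineUuid
$logged = Test-BaselineProcessLogged -Hours $LookbackHours

# Single-word output so a Sensor / Workflow condition can evaluate it; exit code for script steps.
if ($backup -and $logged) {
    Write-Output 'Applied'
    exit 0
} else {
    Write-Output "Pending (backup=$backup, eventlog=$logged)"
    exit 1
}
```

The script only detects; the reboot itself stays a separate Workflow step so you can gate it on enrollment completion, as the earlier posts describe.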
