Guidance on multiple window 10 builds and baselines

I plan to add 21h2 baselines to our env.   It is actually very simple, because there are very little amount of changes from 21h1 to 21h2.  

Basically my plan was to create a new policy for the new settings > Test > merge into production policy.  

A design focused on functionality, not so much organization.

Need to decide how many builds / versions to support, but it's managable.

Loopback policy processing replace -- UsersGPO's doesn't matter this way

(Can still be managed with group filtering)

GPO's are merged (user/computer), so one GPO per function.

MSFT - Clean import from MSSec

CustomSecurity - Security related settings for that specific component

CustomSettings - NonSecuritySettings related to that specific component

OU Structure:

Computers\Standard\Portable

Computers\Standard\Stationary

Computers\OtherFunction\Portable

Computers\OtherFunction\Stationary

GPOs

Above the below, comes group filtered GPO's for exceptions etc.

(WMI Appver, Authenticated users)

Client-Edge 80-CustomSettings

Client-Edge 80-CustomSecurity

Client-Edge 80-MSFT

(WMI Appver, Authenticated users)

Client-Office 1908-CustomSettings

Client-Office 1908-CustomSecurity

Client-Office 1908-ExcelDDE-MSFT

Client-Office 1908-LegacyFileBlock-MSFT

Client-Office 1908-RequireMacro

Client-Office 1908-MSFT

(WMIOSVer, Authenticated users)

Client-Windows 10 1909-InternetExplorer11-CustomSettings

Client-Windows 10 1909-InternetExplorer11-CustomSecurity

Client-Windows 10 1909-InternetExplorer11-MSFT

Client-Windows 10 1909-DomainSecurityCustomSettings

Client-Windows 10 1909-DomainSecurityCustomSecurity

Client-Windows 10 1909-DomainSecurity-MSFT

Client-Windows 10 1909-Defender-CustomSettings

Client-Windows 10 1909-Defender-CustomSecurity

Client-Windows 10 1909-Defender-MSFT

Client-Windows 10 1909-CredentialGuard-CustomSettings

Client-Windows 10 1909-CredentialGuard-CustomSecurity

Client-Windows 10 1909-CredentialGuard-MSFT

Client-Windows 10 1909-BitLocker-CustomSettings

Client-Windows 10 1909-BitLocker-CustomSecurity

Client-Windows 10 1909-BitLocker-MSFT

Client-Windows 10 1909-CustomSettings

Client-Windows 10 1909-CustomSecurity

Client-Windows 10 1909-MSFT

Hi Chad Brower and thanks for the post!  Brian Steingraber is pretty much spot on but please let me expand just a little.  If we had the time we would absolutely go back and adjust the previous baselines but we have to continue to move forward and handle other new baselines from Office, Edge and soon some additional products on top of that.  With that being said part of the reason we release the blog post on what we are changing is so consumers of the baseline can make informed decisions if they decide to run multiple baselines (per OS version).  We of course encourage baseline consumer to always test the latest baseline before applying them to an older OS version but generally speaking the latest is always the greatest.  However with that being said we do have a few customers that will WMI filter the baselines to the OS version (lot of work).