Guidance on multiple window 10 builds and baselines

A design focused on functionality, not so much organization.

Need to decide how many builds / versions to support, but it's managable.

Loopback policy processing replace -- UsersGPO's doesn't matter this way

(Can still be managed with group filtering)

GPO's are merged (user/computer), so one GPO per function.

MSFT - Clean import from MSSec

CustomSecurity - Security related settings for that specific component

CustomSettings - NonSecuritySettings related to that specific component

OU Structure:

Computers\Standard\Portable

Computers\Standard\Stationary

Computers\OtherFunction\Portable

Computers\OtherFunction\Stationary

GPOs

Above the below, comes group filtered GPO's for exceptions etc.

(WMI Appver, Authenticated users)

Client-Edge 80-CustomSettings

Client-Edge 80-CustomSecurity

Client-Edge 80-MSFT

(WMI Appver, Authenticated users)

Client-Office 1908-CustomSettings

Client-Office 1908-CustomSecurity

Client-Office 1908-ExcelDDE-MSFT

Client-Office 1908-LegacyFileBlock-MSFT

Client-Office 1908-RequireMacro

Client-Office 1908-MSFT

(WMIOSVer, Authenticated users)

Client-Windows 10 1909-InternetExplorer11-CustomSettings

Client-Windows 10 1909-InternetExplorer11-CustomSecurity

Client-Windows 10 1909-InternetExplorer11-MSFT

Client-Windows 10 1909-DomainSecurityCustomSettings

Client-Windows 10 1909-DomainSecurityCustomSecurity

Client-Windows 10 1909-DomainSecurity-MSFT

Client-Windows 10 1909-Defender-CustomSettings

Client-Windows 10 1909-Defender-CustomSecurity

Client-Windows 10 1909-Defender-MSFT

Client-Windows 10 1909-CredentialGuard-CustomSettings

Client-Windows 10 1909-CredentialGuard-CustomSecurity

Client-Windows 10 1909-CredentialGuard-MSFT

Client-Windows 10 1909-BitLocker-CustomSettings

Client-Windows 10 1909-BitLocker-CustomSecurity

Client-Windows 10 1909-BitLocker-MSFT

Client-Windows 10 1909-CustomSettings

Client-Windows 10 1909-CustomSecurity

Client-Windows 10 1909-MSFT