SOLVED

Any way to modify Security Baseline GPOs before we import them on target?


I am okay with 90% of the security baseline parameters being applied on the system. However, I am not very comfortable with the other 10% and would like to remove them from the GPOs/baseline before actually applying this baseline on the target system.

OS: Windows 10 IoT

Could anyone provide a way to achieve this?

1 Reply
Best Response confirmed by Rick_Munck (Microsoft)
Solution

For manageability, I recommend not editing the security baselines in any way. Instead, apply them completely unchanged and create a new GPO that only contains the changes to the baseline. Then link this GPO above the baseline. This way, the Changed-GPO will override the settings from the baseline. This way, you can apply the next baseline on top of the previous one and still keep all your changes. Additionally, you have kind of a documentation of the changes to the baseline, and you can easily remove the changed settings if you ever decide to use the recommended defaults instead.

As you wrote Windows 10 IoT, I guess you deploy the baseline directly on the target without any domain infrastructure. In this case, do the same as above; just make sure to import the GPO with overrides after the baseline GPO.

You can create/edit/export GPOs easily in the Group Policy Management Console. If you really want to edit the original instead, just import it into the GPMC and edit it there; afterwards, export it again and use the new GPO with your IoT deployment.

@r0x0t
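
The procedure described in the reply above, as an added PowerShell example that is not part of the original thread: it uses the GroupPolicy module cmdlets on a machine with GPMC installed. All names, paths, the OU and the registry setting are constructed placeholders, and the closing comments assume LGPO.exe from the Microsoft Security Compliance Toolkit is used on the standalone device.

```powershell
#Requires -Modules GroupPolicy
# Constructed placeholder values; replace with your own.
$BackupPath   = 'C:\Baselines\GPOs'           # folder holding the unmodified baseline GPO backup
$BaselineName = 'Baseline - Computer'         # display name stored in that backup (placeholder)
$OverrideName = 'Baseline - Local Overrides'  # GPO that holds only your deviations
$TargetOU     = 'OU=IoT,DC=example,DC=test'   # constructed OU
$ExportPath   = 'C:\Baselines\Export'

# 1. Import the baseline exactly as shipped; never edit this GPO.
Import-GPO -BackupGpoName $BaselineName -Path $BackupPath `
           -TargetName $BaselineName -CreateIfNeeded | Out-Null

# 2. Create the override GPO and record each deviation in it.
if (-not (Get-GPO -Name $OverrideName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $OverrideName -Comment 'Documented deviations from the baseline' | Out-Null
}
# Placeholder setting: use the policy key/value the baseline sets that you want changed.
Set-GPRegistryValue -Name $OverrideName `
    -Key 'HKLM\Software\Policies\Example\Placeholder' `
    -ValueName 'ExampleSetting' -Type DWord -Value 0 | Out-Null

# 3. Link both GPOs. Link order 1 has the highest precedence, so linking the
#    override at order 1 after the baseline pushes the baseline to order 2.
New-GPLink -Name $BaselineName -Target $TargetOU -LinkEnabled Yes -Order 1 | Out-Null
New-GPLink -Name $OverrideName -Target $TargetOU -LinkEnabled Yes -Order 1 | Out-Null

# 4. Export each GPO into its own folder so the import order on the device is explicit,
#    and write a report of the override GPO as a record of the deviations.
foreach ($step in @(@{ Name = $BaselineName; Dir = '1-baseline'  },
                    @{ Name = $OverrideName; Dir = '2-overrides' })) {
    $dir = Join-Path $ExportPath $step.Dir
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Backup-GPO -Name $step.Name -Path $dir | Out-Null
}
Get-GPOReport -Name $OverrideName -ReportType Html `
              -Path (Join-Path $ExportPath 'overrides.html')

# 5. On the standalone Windows 10 IoT device (assumption: LGPO.exe is available there),
#    import the baseline first and the overrides second, so the overrides win:
#      LGPO.exe /g C:\Baselines\Export\1-baseline
#      LGPO.exe /g C:\Baselines\Export\2-overrides
```

When a new baseline is released, only step 1 and the first export folder change; the override GPO and its report carry over unchanged.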