cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Any way to modify Security Baseline GPOs before we import them on target?

r0x0t
Copper Contributor

‎May 12 2020 08:39 AM - last edited on ‎Nov 29 2021 08:09 AM by

‎May 12 2020 08:39 AM - last edited on ‎Nov 29 2021 08:09 AM by

Any way to modify Security Baseline GPOs before we import them on target?

I am okay with 90% of the security baseline parameters to be applied on the system. However, the 10% I am not very comfortable with and would like to remove them from GPOs/Baseline before actually applying this baseline on the target system.

OS: Windows 10 IoT

 

Could anyone provide a way to achieve this?

Labels:
5,657 Views
1 Like
1 Reply
Reply
1 Reply
best response confirmed by Rick_Munck (Microsoft)
dretzer

‎May 13 2020 12:04 AM - edited ‎May 13 2020 12:09 AM

‎May 13 2020 12:04 AM - edited ‎May 13 2020 12:09 AM

Solution

Re: Any way to modify Security Baseline GPOs before we import them on target?

For managebility I recommend not editing the security baselines in any way. Instead apply them completely unchanged and create a new GPO that only contains the changes to the baseline. Then link this GPO above the baseline. This way the Changed-GPO will override the settings from the baseline. This way you can apply the next baseline on top of the previous one and still keep all your changes. Additionally you have kind of a documentation of the changes to the baseline and you can easily remove the changed settings if you ever decide to use the recommended defaults instead.

 

As you wrote Windows 10 IoT I guess you deploy the baseline directly on the target without any domain infrastructure. In this case do the same as above, just make sure to import the GPO with overrides after the baseline GPO.

You can create/edit/export GPOs easily in the group policy management console. If you really want to edit the original instead, just import it into the GPMC and edit it there, afterwards export it again and use the new GPO with your IoT deployment.

@r0x0t 

3 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Rick_Munck (Microsoft)
dretzer

‎May 13 2020 12:04 AM - edited ‎May 13 2020 12:09 AM

‎May 13 2020 12:04 AM - edited ‎May 13 2020 12:09 AM

Solution

Re: Any way to modify Security Baseline GPOs before we import them on target?

For managebility I recommend not editing the security baselines in any way. Instead apply them completely unchanged and create a new GPO that only contains the changes to the baseline. Then link this GPO above the baseline. This way the Changed-GPO will override the settings from the baseline. This way you can apply the next baseline on top of the previous one and still keep all your changes. Additionally you have kind of a documentation of the changes to the baseline and you can easily remove the changed settings if you ever decide to use the recommended defaults instead.

 

As you wrote Windows 10 IoT I guess you deploy the baseline directly on the target without any domain infrastructure. In this case do the same as above, just make sure to import the GPO with overrides after the baseline GPO.

You can create/edit/export GPOs easily in the group policy management console. If you really want to edit the original instead, just import it into the GPMC and edit it there, afterwards export it again and use the new GPO with your IoT deployment.

@r0x0t 

View solution in original post

3 Likes
Reply