Guidance on multiple window 10 builds and baselines

%3CLINGO-SUB%20id%3D%22lingo-sub-1296526%22%20slang%3D%22en-US%22%3EGuidance%20on%20multiple%20window%2010%20builds%20and%20baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1296526%22%20slang%3D%22en-US%22%3E%3CP%3EGood%20Afternoon%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20wondering%20if%20anyone%20out%20there%20has%20some%20guidance%20on%20managing%20multiple%20baselines.%26nbsp%3B%20Meaning%2C%20I%20have%20Windows%2010%201803%2C%201809%2C%201903%20and%201909%20versions.%26nbsp%3B%20What%20is%20the%20best%20way%20to%20manage%20baselines%20with%20multiple%20version%20of%20Windows%2010%3F%20Same%20question%20might%20apply%20to%20Microsoft%20365%20suite%20as%20well%20as%20Edge%20Browser%20(80%2C%2081).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EA.%20Do%20I%20have%20a%20baseline%20for%20each%20OS%3F%20(WMI%20filtering%3F)%3C%2FP%3E%3CP%3EB.%20Do%20I%20have%20a%20baseline%20for%20each%20with%20delta%20changes%20only%3F%3C%2FP%3E%3CP%3EC.%20Do%20I%20have%20a%20single%20baseline%20with%20deltas%20added%20for%20each%20version%20of%20Windows%2010%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20are%20enterprises%20doing%20to%20manage%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1297234%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20multiple%20window%2010%20builds%20and%20baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1297234%22%20slang%3D%22en-US%22%3EGreat%20question!%20I%20asked%20a%20similiar%20question%20quite%20a%20while%20ago%20and%20if%20memory%20serves%2C%20the%20newest%2Fmost%20recent%20baseline%20superseeds%20all%20previous%20baseline%20versions.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1302434%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20multiple%20window%2010%20builds%20and%20baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1302434%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F53815%22%20target%3D%22_blank%22%3E%40Chad%20Brower%3C%2FA%3E%26nbsp%3Band%20thanks%20for%20the%20post!%26nbsp%3B%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F104158%22%20target%3D%22_blank%22%3E%40Brian%20Steingraber%3C%2FA%3E%26nbsp%3Bis%20pretty%20much%20spot%20on%20but%20please%20let%20me%20expand%20just%20a%20little.%26nbsp%3B%20If%20we%20had%20the%20time%20we%20would%20absolutely%20go%20back%20and%20adjust%20the%20previous%20baselines%20but%20we%20have%20to%20continue%20to%20move%20forward%20and%20handle%20other%20new%20baselines%20from%20Office%2C%20Edge%20and%20soon%20some%20additional%20products%20on%20top%20of%20that.%26nbsp%3B%20With%20that%20being%20said%20part%20of%20the%20reason%20we%20release%20the%20blog%20post%20on%20what%20we%20are%20changing%20is%20so%20consumers%20of%20the%20baseline%20can%20make%20informed%20decisions%20if%20they%20decide%20to%20run%20multiple%20baselines%20(per%20OS%20version).%26nbsp%3B%20We%20of%20course%20encourage%20baseline%20consumer%20to%20always%20test%20the%20latest%20baseline%20before%20applying%20them%20to%20an%20older%20OS%20version%20but%20generally%20speaking%20the%20latest%20is%20always%20the%20greatest.%26nbsp%3B%20However%20with%20that%20being%20said%20we%20do%20have%20a%20few%20customers%20that%20will%20WMI%20filter%20the%20baselines%20to%20the%20OS%20version%20(lot%20of%20work).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1302437%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20multiple%20window%2010%20builds%20and%20baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1302437%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F104158%22%20target%3D%22_blank%22%3E%40Brian%20Steingraber%3C%2FA%3E%26nbsp%3BI%20am%20trying%20to%20remember%20where%20I%20might%20have%20read%20that%20before%3F%26nbsp%3B%20I%20seem%20to%20remember%20maybe%20reading%20that%20before.%20Any%20doco%20out%20there%20for%20this%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F272514%22%20target%3D%22_blank%22%3E%40Rick_Munck%3C%2FA%3E%26nbsp%3BSame%20question%20then%3F%26nbsp%3B%20Or%20perhaps%20a%20future%20blog%20post%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20the%20reply's%20guys!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1302449%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20multiple%20window%2010%20builds%20and%20baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1302449%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F53815%22%20target%3D%22_blank%22%3E%40Chad%20Brower%3C%2FA%3E%26nbsp%3Bsure%20we%20can%20do%20a%20blog%20post%20on%20it.%26nbsp%3B%20Will%20add%20it%20to%20the%20list%20but%20it%20probably%20wont%20go%20out%20until%20after%20the%20next%20Windows%20and%20Edge%20releases%20as%20we%20are%20in%20the%20middle%20of%20those%20right%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1302472%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20multiple%20window%2010%20builds%20and%20baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1302472%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F272514%22%20target%3D%22_blank%22%3E%40Rick_Munck%3C%2FA%3E%26nbsp%3BGreat!%26nbsp%3B%20Thanks%2C%20we%20will%20look%20out%20for%20the%20blog%20post.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EI%20am%20working%20with%20my%20sec%20team%20right%20now%20about%20what%20we%20want%20to%20do%20about%20this.%26nbsp%3B%20We%20currently%20maintain%204%20versions%20of%20Windows%2010.%26nbsp%3B%20A%20lot%20less%20work%20with%20maintaining%201%20(Current)%20%2B%201%20(Future)%20baselines.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20setup%20WMI%20filters%20already%20and%20that%20was%20easy.%26nbsp%3B%20What%20seemly%20won't%20be%20easy%20is%204-5%20baselines%20being%20in%20our%20environment.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1302498%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20multiple%20window%2010%20builds%20and%20baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1302498%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F53815%22%20target%3D%22_blank%22%3E%40Chad%20Brower%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20wasn't%20in%20the%20specific%20posting%2C%20rather%20in%20the%20comments%20as%20I%20had%20ask%20a%20followup%20question%20in%20the%20comments%20of%20the%20original%20posting.%3C%2FP%3E%3CP%3EI%20think%20Aaron%20M%20w%2FMicrosoft%20was%20the%20one%20that%20replied%20(also%20the%20original%20poster)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1359269%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20multiple%20window%2010%20builds%20and%20baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1359269%22%20slang%3D%22en-US%22%3E%3CP%3EA%20design%20focused%20on%20functionality%2C%20not%20so%20much%20organization.%3C%2FP%3E%3CP%3ENeed%20to%20decide%20how%20many%20builds%20%2F%20versions%20to%20support%2C%20but%20it's%20managable.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELoopback%20policy%20processing%20replace%20--%26nbsp%3BUsersGPO's%20doesn't%20matter%20this%20way%3C%2FP%3E%3CP%3E(Can%20still%20be%20managed%20with%20group%20filtering)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGPO's%20are%20merged%20(user%2Fcomputer)%2C%20so%20one%20GPO%20per%20function.%3C%2FP%3E%3CP%3E%3CSTRONG%3EMSFT%3C%2FSTRONG%3E%20-%20Clean%20import%20from%20MSSec%3C%2FP%3E%3CP%3E%3CSTRONG%3ECustomSecurity%3C%2FSTRONG%3E%20-%20Security%20related%20settings%20for%20that%20specific%20component%3C%2FP%3E%3CP%3E%3CSTRONG%3ECustomSettings%3C%2FSTRONG%3E%20-%20NonSecuritySettings%20related%20to%20that%20specific%20component%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EOU%20Structure%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EComputers%5CStandard%5CPortable%3C%2FP%3E%3CP%3EComputers%5CStandard%5CStationary%3C%2FP%3E%3CP%3EComputers%5COtherFunction%5CPortable%3C%2FP%3E%3CP%3EComputers%5COtherFunction%5CStationary%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EGPOs%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EAbove%20the%20below%2C%20comes%20group%20filtered%20GPO's%20for%20exceptions%20etc.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E(WMI%20Appver%2C%20Authenticated%20users)%3C%2FP%3E%3CP%3EClient-Edge%2080-CustomSettings%3C%2FP%3E%3CP%3EClient-Edge%2080-CustomSecurity%3C%2FP%3E%3CP%3EClient-Edge%2080-MSFT%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E(WMI%20Appver%2C%20Authenticated%20users)%3C%2FP%3E%3CP%3EClient-Office%201908-CustomSettings%3C%2FP%3E%3CP%3EClient-Office%201908-CustomSecurity%3C%2FP%3E%3CP%3EClient-Office%201908-ExcelDDE-MSFT%3C%2FP%3E%3CP%3EClient-Office%201908-LegacyFileBlock-MSFT%3C%2FP%3E%3CP%3EClient-Office%201908-RequireMacro%3C%2FP%3E%3CP%3EClient-Office%201908-MSFT%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E(WMIOSVer%2C%20Authenticated%20users)%3C%2FP%3E%3CP%3EClient-Windows%2010%201909-InternetExplorer11-CustomSettings%3C%2FP%3E%3CP%3EClient-Windows%2010%201909-InternetExplorer11-CustomSecurity%3C%2FP%3E%3CP%3EClient-Windows%2010%201909-InternetExplorer11-MSFT%3C%2FP%3E%3CP%3EClient-Windows%2010%201909-DomainSecurityCustomSettings%3C%2FP%3E%3CP%3EClient-Windows%2010%201909-DomainSecurityCustomSecurity%3C%2FP%3E%3CP%3EClient-Windows%2010%201909-DomainSecurity-MSFT%3C%2FP%3E%3CP%3EClient-Windows%2010%201909-Defender-CustomSettings%3C%2FP%3E%3CP%3EClient-Windows%2010%201909-Defender-CustomSecurity%3C%2FP%3E%3CP%3EClient-Windows%2010%201909-Defender-MSFT%3C%2FP%3E%3CP%3EClient-Windows%2010%201909-%3CSPAN%3ECredentialGuard-CustomSettings%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EClient-Windows%2010%201909-%3CSPAN%3ECredentialGuard-CustomSecurity%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EClient-Windows%2010%201909-%3CSPAN%3ECredentialGuard-MSFT%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EClient-Windows%2010%201909-BitLocker-CustomSettings%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EClient-Windows%2010%201909-BitLocker-CustomSecurity%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EClient-Windows%2010%201909-BitLocker-MSFT%3C%2FP%3E%3CP%3EClient-Windows%2010%201909-CustomSettings%3C%2FP%3E%3CP%3EClient-Windows%2010%201909-CustomSecurity%3C%2FP%3E%3CP%3EClient-Windows%2010%201909-MSFT%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1581069%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20multiple%20window%2010%20builds%20and%20baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1581069%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F272514%22%20target%3D%22_blank%22%3E%40Rick_Munck%3C%2FA%3E%26nbsp%3BWere%20you%20able%20to%20do%20a%20blog%20post%20on%20this%3F%26nbsp%3B%20I%20am%20just%20wondering%20if%20I%20missed%20it.%26nbsp%3B%20Thanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1581102%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20multiple%20window%2010%20builds%20and%20baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1581102%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F53815%22%20target%3D%22_blank%22%3E%40Chad%20Brower%3C%2FA%3E%26nbsp%3Bnot%20yet%2C%20we%20actually%20plan%20to%20start%20writing%20the%20blog%20later%20this%20week.%20Not%20sure%20how%20long%20it%20will%20take%20us%20but%20we%20are%20closer%20than%20before%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1581809%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20multiple%20window%2010%20builds%20and%20baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1581809%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F272514%22%20target%3D%22_blank%22%3E%40Rick_Munck%3C%2FA%3E%26nbsp%3BLooking%20forward%20to%20it.%26nbsp%3B%20Our%20company%20is%20writing%20a%20standards%20doco%20on%20baselines%20right%20now.%26nbsp%3B%20Plus%20we%20are%20also%20working%20on%20a%20deployment%20of%20these%20policies%20in%20a%20POC%20environment.%26nbsp%3B%20Guidance%20would%20be%20helpful.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1714009%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20multiple%20window%2010%20builds%20and%20baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1714009%22%20slang%3D%22en-US%22%3E%3CP%3E%40rick_Mucker%3C%2FP%3E%3CP%3EAny%20Update%20on%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1714013%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20multiple%20window%2010%20builds%20and%20baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1714013%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F272514%22%20target%3D%22_blank%22%3E%40Rick_Munck%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20Update%20to%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1714198%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20multiple%20window%2010%20builds%20and%20baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1714198%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F53815%22%20target%3D%22_blank%22%3E%40Chad%20Brower%3C%2FA%3E%2C%20we%20have%20the%20draft%20ready%20and%20it's%20waiting%20to%20be%20reviewed.%26nbsp%3B%20Don't%20have%20an%20ETA%20but%20once%20the%20GP%20teams%20gives%20us%20a%20thumbs%20up%20we%20will%20get%20it%20published%20%3A)%3C%2Fimg%3E%26nbsp%3B%20In%20the%20interim%20please%20DM%20me%20and%20let's%20see%20what%20we%20can%20do%20for%20you!%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1832520%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20multiple%20window%2010%20builds%20and%20baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1832520%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F272514%22%20target%3D%22_blank%22%3E%40Rick_Munck%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHello.%20Please%20i%20will%20like%20to%20know%20what's%20the%20update%20regarding%20the%20documentation%20for%20managing%20multiple%20windows%2010%20builds.%20It'll%20be%20very%20helpful%20to%20me.%20Thanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1838467%22%20slang%3D%22en-US%22%3E%40Re%3A%20Guidance%20on%20multiple%20window%2010%20builds%20and%20baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1838467%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F850366%22%20target%3D%22_blank%22%3E%40fresh23434%3C%2FA%3E%26nbsp%3BI%20sent%20the%20draft%20blog%20off%20for%20review%20and%20the%20suggestion%20was%20made%20to%20not%20only%20discuss%20WMI%20filtering%20for%20the%20GPOs%20but%20also%20Security%20Group%20filtering.%26nbsp%3B%20Once%20we%20write%20that%20section%20we%20should%20be%20good%20to%20go%20as%20everything%20else%20has%20already%20been%20gone%20through.%26nbsp%3B%20The%2020H2%20release%20took%20priority%20but%20I%20imagine%20we%20will%20have%20it%20ready%20before%20the%20end%20of%20November.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Good Afternoon,

 

I am wondering if anyone out there has some guidance on managing multiple baselines.  Meaning, I have Windows 10 1803, 1809, 1903 and 1909 versions.  What is the best way to manage baselines with multiple version of Windows 10? Same question might apply to Microsoft 365 suite as well as Edge Browser (80, 81).

 

A. Do I have a baseline for each OS? (WMI filtering?)

B. Do I have a baseline for each with delta changes only?

C. Do I have a single baseline with deltas added for each version of Windows 10

 

What are enterprises doing to manage this?

 

Thanks

14 Replies
Highlighted
Great question! I asked a similiar question quite a while ago and if memory serves, the newest/most recent baseline superseeds all previous baseline versions.
Highlighted

Hi @Chad Brower and thanks for the post!  @Brian Steingraber is pretty much spot on but please let me expand just a little.  If we had the time we would absolutely go back and adjust the previous baselines but we have to continue to move forward and handle other new baselines from Office, Edge and soon some additional products on top of that.  With that being said part of the reason we release the blog post on what we are changing is so consumers of the baseline can make informed decisions if they decide to run multiple baselines (per OS version).  We of course encourage baseline consumer to always test the latest baseline before applying them to an older OS version but generally speaking the latest is always the greatest.  However with that being said we do have a few customers that will WMI filter the baselines to the OS version (lot of work).

Highlighted

@Brian Steingraber I am trying to remember where I might have read that before?  I seem to remember maybe reading that before. Any doco out there for this?  

 

@Rick_Munck Same question then?  Or perhaps a future blog post?  

 

Thanks for the reply's guys!

Highlighted

@Chad Brower sure we can do a blog post on it.  Will add it to the list but it probably wont go out until after the next Windows and Edge releases as we are in the middle of those right now.

Highlighted

@Rick_Munck Great!  Thanks, we will look out for the blog post.

I am working with my sec team right now about what we want to do about this.  We currently maintain 4 versions of Windows 10.  A lot less work with maintaining 1 (Current) + 1 (Future) baselines.  

 

We setup WMI filters already and that was easy.  What seemly won't be easy is 4-5 baselines being in our environment.  

Highlighted

@Chad Brower 

It wasn't in the specific posting, rather in the comments as I had ask a followup question in the comments of the original posting.

I think Aaron M w/Microsoft was the one that replied (also the original poster)

Highlighted

A design focused on functionality, not so much organization.

Need to decide how many builds / versions to support, but it's managable.

 

Loopback policy processing replace -- UsersGPO's doesn't matter this way

(Can still be managed with group filtering)

 

GPO's are merged (user/computer), so one GPO per function.

MSFT - Clean import from MSSec

CustomSecurity - Security related settings for that specific component

CustomSettings - NonSecuritySettings related to that specific component

 

OU Structure:

Computers\Standard\Portable

Computers\Standard\Stationary

Computers\OtherFunction\Portable

Computers\OtherFunction\Stationary

 

GPOs

Above the below, comes group filtered GPO's for exceptions etc.

 

(WMI Appver, Authenticated users)

Client-Edge 80-CustomSettings

Client-Edge 80-CustomSecurity

Client-Edge 80-MSFT

 

(WMI Appver, Authenticated users)

Client-Office 1908-CustomSettings

Client-Office 1908-CustomSecurity

Client-Office 1908-ExcelDDE-MSFT

Client-Office 1908-LegacyFileBlock-MSFT

Client-Office 1908-RequireMacro

Client-Office 1908-MSFT

 

(WMIOSVer, Authenticated users)

Client-Windows 10 1909-InternetExplorer11-CustomSettings

Client-Windows 10 1909-InternetExplorer11-CustomSecurity

Client-Windows 10 1909-InternetExplorer11-MSFT

Client-Windows 10 1909-DomainSecurityCustomSettings

Client-Windows 10 1909-DomainSecurityCustomSecurity

Client-Windows 10 1909-DomainSecurity-MSFT

Client-Windows 10 1909-Defender-CustomSettings

Client-Windows 10 1909-Defender-CustomSecurity

Client-Windows 10 1909-Defender-MSFT

Client-Windows 10 1909-CredentialGuard-CustomSettings

Client-Windows 10 1909-CredentialGuard-CustomSecurity

Client-Windows 10 1909-CredentialGuard-MSFT

Client-Windows 10 1909-BitLocker-CustomSettings

Client-Windows 10 1909-BitLocker-CustomSecurity

Client-Windows 10 1909-BitLocker-MSFT

Client-Windows 10 1909-CustomSettings

Client-Windows 10 1909-CustomSecurity

Client-Windows 10 1909-MSFT

Highlighted

@Rick_Munck Were you able to do a blog post on this?  I am just wondering if I missed it.  Thanks

Highlighted

@Chad Brower not yet, we actually plan to start writing the blog later this week. Not sure how long it will take us but we are closer than before :)

Highlighted

@Rick_Munck Looking forward to it.  Our company is writing a standards doco on baselines right now.  Plus we are also working on a deployment of these policies in a POC environment.  Guidance would be helpful. 

Highlighted

@Rick_Munck 

 

Any Update to this?

Highlighted

Hi @Chad Brower, we have the draft ready and it's waiting to be reviewed.  Don't have an ETA but once the GP teams gives us a thumbs up we will get it published :)  In the interim please DM me and let's see what we can do for you! 

Highlighted

@Rick_Munck 

Hello. Please i will like to know what's the update regarding the documentation for managing multiple windows 10 builds. It'll be very helpful to me. Thanks

Highlighted

@fresh23434 I sent the draft blog off for review and the suggestion was made to not only discuss WMI filtering for the GPOs but also Security Group filtering.  Once we write that section we should be good to go as everything else has already been gone through.  The 20H2 release took priority but I imagine we will have it ready before the end of November.