How to update Security Baselines to new versions?
- Import the Baselines into your AD by using the contained script.
- Open two Group Policy Management Consoles
- Open on the old version on the left
- Open the new version on the right
- Set the same WMI-filter, if used, to the new GPO (important to avoid wrong linkages)
- Link new GPOs to the same locations like the old
- Delete link to old GPOs
- Monitor your environment for changes / Read Security Baseline for changes in settings (they are documented)
Exceptions
- Do NOT in production environments:
- Change BLOCK for MS Edge in Application Control Policies – exception policy doesn’t work because WDAC applies deny first and allow will not help