Product Name

Windows Build Kits

Product Version

Windows Server and Workstation

Date



Problem

We have successfully deployed all of the CIS L* GPOs to all computers running Windows 10 20Hx.
Now we’re upgrading those computers to Windows 21Hx.
Is there any easy way to apply the updates on the current GPO?

Solution

The Windows GPO update process should be easy to maintain. There are only a small number of Recommendations to update each year.

The Server and Workstation Benchmark publications are always 2nd point releases**, and a typical year’s worth of Change Logs is about 15 entries.

We highly recommend making backups, using test OUs before placing anything in the Production Environments, and fully reading and understanding the Impact and Rationale behind the recommendations before taking them to production.

Once you have applied a set of CIS Build Kit GPOs, per your organizational needs, the best way to keep the GPOs up to date and in accordance with new Benchmark publications is to manually update, test, and apply each Change Log entry in the existing GPOs.

At the end of all Benchmarks there is a Change Log. The Log shows if Recommendations have been removed, added or updated.

  1. Look at the Change Log Appendix.

  2. Go to each updated, added, or removed Recommendation and remediate per the updated Recommendation.

  3. If the Recommendation is for Level 1 Member Server, adjust it within the L1 Member Server GPO,

    1. or copy the existing GPO, edit it, test it, and then go into production with it, whichever your SysAdmin prefers.
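
One way to script the backup, copy, and test-OU steps above with the GroupPolicy PowerShell module. This is an added example, not CIS's own tooling; the GPO names, the OU distinguished name, and the backup folder are assumptions to replace with your own.

```powershell
#Requires -Modules GroupPolicy
# Added example. GPO names, the OU DN and the backup path are assumptions.
$ErrorActionPreference = 'Stop'

function New-StagedGpo {
    param(
        [string]$ProdGpo   = 'CIS L1 Member Server',            # assumed GPO name
        [string]$StageGpo  = 'CIS L1 Member Server (staging)',  # assumed copy name
        [string]$TestOu    = 'OU=GPO-Test,DC=example,DC=com',   # assumed test OU
        [string]$BackupDir = 'C:\GPOBackups'                    # assumed backup folder
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # Back up the production GPO first so it can be restored with Restore-GPO.
    $backup = Backup-GPO -Name $ProdGpo -Path $BackupDir -Comment 'Before Change Log update'

    # Copy the GPO (settings plus ACL) and link the copy to the test OU only.
    Copy-GPO -SourceName $ProdGpo -TargetName $StageGpo -CopyAcl | Out-Null
    New-GPLink -Name $StageGpo -Target $TestOu -LinkEnabled Yes | Out-Null

    [pscustomobject]@{ BackupId = $backup.Id; StagedGpo = $StageGpo; LinkedTo = $TestOu }
}

function Compare-StagedGpo {
    param(
        [string]$ProdGpo  = 'CIS L1 Member Server',             # assumed GPO name
        [string]$StageGpo = 'CIS L1 Member Server (staging)'    # assumed copy name
    )
    # Get-GPOReport returns the XML report as a string when -Path is omitted.
    $prod  = (Get-GPOReport -Name $ProdGpo  -ReportType Xml) -split "`r?`n"
    $stage = (Get-GPOReport -Name $StageGpo -ReportType Xml) -split "`r?`n"

    # '<=' lines exist only in production, '=>' only in the staged copy.
    # Name, GUID, timestamp and link lines always differ; every other
    # difference should map to a Change Log entry you applied.
    Compare-Object -ReferenceObject $prod -DifferenceObject $stage |
        Select-Object SideIndicator, @{ Name = 'Line'; Expression = { $_.InputObject.Trim() } }
}

# 1. Stage:  New-StagedGpo
# 2. Edit the staged copy per the Change Log, then test it on the test OU.
# 3. Review: Compare-StagedGpo | Format-Table -AutoSize -Wrap
```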

Examples of what you’d approximately need to change, add, or update in a year

These 3 Benchmark publications account for roughly a year of Microsoft Windows 10 Enterprise Benchmark publications.

  • Between CIS_Microsoft_Windows_10_Enterprise_Release_20H2_Benchmark_v1.9.0 & v1.9.1 - there was 1 change.

    • 1 adjusted Recommendation

  • Between CIS_Microsoft_Windows_10_Enterprise_Release_20H2_Benchmark_v1.9.1 & v1.10.0 there were 6 changes:

    • 4 recommendations added & 2 updated.

  • Between CIS_Microsoft_Windows_10_Enterprise_Release_20H2_Benchmark_v1.10.0 & CIS_Microsoft_Windows_10_Enterprise_Release_21H1_Benchmark_v1.11.0 there were 9 changes:

    • 4 recommendations were removed

    • 3 recommendations were updated

    • 2 recommendations were added

Note

**Meaning that these specific Benchmarks don’t start from scratch, but build on each other until a completely new OS is released, such as Server 2022, which is its own unique Benchmark, separate from Server 2019.

Keywords: GPO Update Upgrading

Copyright © 2022 Center for Internet Security®


Created by: Amanda McGown