Rollback scripts for the automated remediation using CIS Build Kits


Product Name

CIS Microsoft Windows Build Kits

Product Version

All Windows Build Kit versions and operating systems

Date

Dec 13, 2022



 

Problem

I have applied part or all of a CIS Microsoft Windows Build Kit and I would like to run a script to remove them.

 

Solution

Currently, there is no CIS-provided script to roll back applied GPOs. We suggest that you:

  1. Join the CIS Microsoft Windows Benchmark WorkBench Community

  2. Check the Announcements and Discussions in the CIS Microsoft Windows Benchmark WorkBench Community

  3. Search for, or start, a discussion around this topic. Since our Benchmarks are community-driven, it is possible someone has already started a similar discussion or found a solution using a script to roll back GPOs.

Some suggestions on rolling back the GPOs include:

  1. The better option is to unlink the applicable GPO profiles from the test OU you are using.

  2. Then, using your GPMC, modify them so that they have the desired effect, then re-link them to the Test OU until you are satisfied that you have the desired level of security in place.

    1. Reviewing the content within each Benchmark is imperative for an overall successful application of the Build Kit, as there may be some settings that your organization needs to exempt itself from due to unique operational requirements.

    2. Applying the Build Kit to a system without proper testing and review may result in a negative impact within your environment. It is completely acceptable if 100% of the Benchmark is not applied, as it is the responsibility and decision of each organization to determine which settings are applicable to its unique needs.

  3. Once you are satisfied with your testing of the CIS Build Kits, you can then start to apply the Production GPOs to the Test OU before releasing the image or linking the GPOs into any Production OUs.

  4. However, even if a GPO is removed or unlinked from an OU and gpupdate /force is run on the unlinked target machine, some GPOs may still be applied at the local computer level and will need to be manually removed or removed through a pushed script or new GPO.
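
The unlink step from the suggestions above can be scripted with the GroupPolicy PowerShell module (RSAT). This is an added example, not a CIS-provided script: the function name, the OU distinguished name, the GPO name filter and the backup folder are assumptions to replace with your own values.

```powershell
#Requires -Modules GroupPolicy
# Added example, not a CIS-provided script. Remove-BuildKitGpoLink is a
# hypothetical helper name; all parameter values are placeholders.
function Remove-BuildKitGpoLink {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $TestOuDn,       # e.g. 'OU=Test,DC=example,DC=com'
        [Parameter(Mandatory)] [string] $GpoNameFilter,  # e.g. 'CIS*' (assumed naming)
        [Parameter(Mandatory)] [string] $BackupPath      # folder for GPO backups
    )

    if (-not (Test-Path -LiteralPath $BackupPath)) {
        New-Item -ItemType Directory -Path $BackupPath -WhatIf:$false -Confirm:$false | Out-Null
    }
    $linkLog = Join-Path $BackupPath 'gpo-links.csv'

    # Only links set directly on this OU; inherited links are not touched.
    $links = (Get-GPInheritance -Target $TestOuDn).GpoLinks |
        Where-Object { $_.DisplayName -like $GpoNameFilter }

    foreach ($link in $links) {
        $action = "Unlink GPO '$($link.DisplayName)'"
        if (-not $PSCmdlet.ShouldProcess($TestOuDn, $action)) { continue }

        # Back up the GPO and record its link settings before changing anything,
        # so the GPO can be re-linked with the same order and enforcement later.
        Backup-GPO -Guid $link.GpoId -Path $BackupPath `
            -Comment "Before unlink from $TestOuDn" | Out-Null
        $link | Select-Object DisplayName, GpoId, Target, Order, Enabled, Enforced |
            Export-Csv -Path $linkLog -Append -NoTypeInformation

        # Removes the link only; the GPO itself stays in the domain.
        Remove-GPLink -Guid $link.GpoId -Target $TestOuDn -Confirm:$false | Out-Null
        $link.DisplayName   # emit the name of each GPO that was unlinked
    }
}

# Preview first, then run without -WhatIf:
#   Remove-BuildKitGpoLink -TestOuDn 'OU=Test,DC=example,DC=com' `
#       -GpoNameFilter 'CIS*' -BackupPath 'C:\GPOBackup' -WhatIf
# Afterwards, on a machine in the Test OU:
#   gpupdate /force
#   gpresult /r /scope computer   # lists the GPOs still applied to the computer
```

If gpresult no longer lists the Build Kit GPOs but a setting is still in effect on the machine, that setting is one of those item 4 says must be removed manually, by a pushed script or by a new GPO.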

Keywords: Build Kits, Windows, OU, GPO, GPOs

Copyright © 2020

Center for Internet Security®