Share via

SCM: How Baseline Update functions in

  • Article

Overview

Whenever a custom (duplicated) baseline is created, all settings will initially be an exact copy of the source baseline. Each setting can be customized, but the baseline will always maintain a reference of what the setting from the source baseline is.  Whenever there is an update to the original source baseline, the changed settings will automatically be applied to any duplicates of that source.
 

Purpose of baseline update

Whilst not immediately obvious, the purpose of baseline update for custom baselines is twofold:

  • For settings which are not customised, the value applied in the baseline always follows what the latest version of the source baseline has defined
  • For settings which are customised, there will always be a reference to the most recent setting from the source baseline

Customised vs. non-customised settings

Whenever a setting is not customized, it is considered that the SCM administrator accepts that Microsoft may - at their discretion – change the setting value at any time. If the baseline is then exported as a GPO backup and applied to the domain again, the altered settings will immediately be in effect, without the administrator having had any personal involvement.  This constitutes some level of risk; Microsoft has performed testing to ensure that any baselines rated as “EC” should work in any environment, but your own testing is always recommended.

Whenever a baseline setting is customized, the source baseline may update but the actual baseline setting which would be enforced is not changed. In effect, the baseline update only updates the reference to what Microsoft’s settings are.

Baseline update and deployed baselines

Whilst baselines can be updated, the update process does not affect deployed baselines.  Any baseline already configured as a GPO will not change until the updated baseline is exported as a new GPO backup, and those updated settings are imported into the enabled and linked GPO.

Behaviour of merged baselines

When a custom baseline is merged with another baseline, it can no longer support Baseline Update.  This is because a merged baseline has a greatly altered underlying XML database which defines it, and it is no longer possible to maintain an automated update of the settings from the original source baseline.