best response confirmed by Rick_Munck (Microsoft)

For manageability, I recommend not editing the security baselines in any way. Instead, apply them completely unchanged and create a new GPO that only contains the changes to the baseline. Then link this GPO above the baseline. This way the Changed-GPO will override the settings from the baseline. This way you can apply the next baseline on top of the previous one and still keep all your changes. Additionally, you have a kind of documentation of the changes to the baseline, and you can easily remove the changed settings if you ever decide to use the recommended defaults instead.


As you wrote Windows 10 IoT, I guess you deploy the baseline directly on the target without any domain infrastructure. In this case, do the same as above; just make sure to import the GPO with overrides after the baseline GPO.

You can create/edit/export GPOs easily in the Group Policy Management Console. If you really want to edit the original instead, just import it into the GPMC and edit it there, then export it again and use the new GPO with your IoT deployment.
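
The layering described in the answer above, scripted with the GroupPolicy PowerShell module for a domain environment. This is an added example, not part of the original post; the GPO names, backup path, OU and the sample override value are all placeholders (assumptions).

```powershell
# Added example: keep the baseline GPO unmodified and layer an override GPO above it.
# Every name, path and value below is a placeholder (assumption), not from the post.
Import-Module GroupPolicy

$BackupPath   = 'C:\Baselines\GPOs'             # folder holding the baseline GPO backup
$BaselineName = 'Baseline - Computer'           # display name recorded in that backup
$OverrideName = 'Baseline - Overrides'          # GPO that holds only your deviations
$TargetOU     = 'OU=Devices,DC=example,DC=com'  # where both GPOs are linked

# 1. Import the baseline exactly as shipped; re-running this with a newer
#    backup replaces the baseline settings without touching the overrides.
Import-GPO -BackupGpoName $BaselineName -Path $BackupPath `
           -TargetName $BaselineName -CreateIfNeeded | Out-Null

# 2. Create the override GPO once and record each deviation in it.
if (-not (Get-GPO -Name $OverrideName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $OverrideName -Comment 'Deviations from the security baseline' | Out-Null
}
# Constructed sample deviation: replace key and value with the real setting you change.
Set-GPRegistryValue -Name $OverrideName -Key 'HKLM\Software\Policies\Example\Placeholder' `
                    -ValueName 'SampleSetting' -Type DWord -Value 1 | Out-Null

# 3. Link both GPOs to the OU if they are not linked yet.
foreach ($gpo in $BaselineName, $OverrideName) {
    $linked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
              Where-Object DisplayName -eq $gpo
    if (-not $linked) {
        New-GPLink -Name $gpo -Target $TargetOU -LinkEnabled Yes | Out-Null
    }
}
# Link order 1 is processed last and therefore wins: the override sits "above" the baseline.
Set-GPLink -Name $OverrideName -Target $TargetOU -Order 1 | Out-Null

# 4. Verify the precedence instead of assuming it.
$links    = (Get-GPInheritance -Target $TargetOU).GpoLinks
$override = ($links | Where-Object DisplayName -eq $OverrideName).Order
$baseline = ($links | Where-Object DisplayName -eq $BaselineName).Order
if ($override -ge $baseline) {
    throw "Override GPO (order $override) does not take precedence over baseline (order $baseline)."
}
$links | Sort-Object Order | Format-Table Order, DisplayName, Enabled

# 5. Export the override GPO so it can be imported after the baseline on other targets.
Backup-GPO -Name $OverrideName -Path $BackupPath | Out-Null
```

On a stand-alone device the same ordering applies: import the baseline backup first, then the override backup exported in step 5.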