diff --git a/debian/security-misc.config b/debian/security-misc.config
index 71726a4..95684bc 100644
--- a/debian/security-misc.config
+++ b/debian/security-misc.config
@@ -22,6 +22,8 @@ true "
 "
 
 check_migrate_permission_hardener_state() {
+   local modified_pkg_data_str custom_hardening_arr config_file
+
    ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded.
    if [ ! -d '/var/lib/permission-hardener' ]; then
       return 0
@@ -82,7 +84,10 @@ check_migrate_permission_hardener_state() {
       '/etc/permission-hardener.d/30_default.conf'
    )
 
-   readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }')
+   ## This will exit non-zero if some of the packages don't exist, but we
+   ## don't care. The packages that *are* installed will still be scanned.
+   modified_pkg_data_str="$(dpkg -V security-misc user-sysmaint-split anon-apps-config)" || true
+   readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}")
    ## If the above `dpkg -V` command doesn't return any permission-hardener
    ## related lines, the array will contain no meaningful info, just a single
    ## blank element at the start. Set the array to be explicitly empty in
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 0603717..d1f61d1 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -38,6 +38,7 @@ permission_hardening() {
 }
 
 migrate_permission_hardener_state() {
+   local existing_mode_dir new_mode_dir dpkg_statoverride_list
    ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded.
    if [ ! -d '/var/lib/permission-hardener' ]; then
       return 0
@@ -48,8 +49,27 @@ migrate_permission_hardener_state() {
    fi
    mkdir --parents '/var/lib/security-misc/do_once'
 
-   mkdir --parents '/var/lib/permission-hardener-v2/existing_mode'
-   cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride'
+   existing_mode_dir='/var/lib/permission-hardener-v2/existing_mode'
+   new_mode_dir='/var/lib/permission-hardener-v2/new_mode'
+
+   mkdir --parents "${existing_mode_dir}";
+   mkdir --parents "${new_mode_dir}";
+
+   cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' "${existing_mode_dir}/statoverride"
+   cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' "${new_mode_dir}/statoverride"
+
+   dpkg_statoverride_list="$(dpkg-statoverride --admindir "${new_mode_dir}" --list)"
+
+   if [ "$(stat --format '%G' /usr/bin/sudo)" = 'sysmaint' ]; then
+      if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/sudo' ]]; then
+         dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/sudo'
+      fi
+   fi
+   if [ "$(stat --format '%G' /usr/bin/pkexec)" = 'sysmaint' ]; then
+      if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/pkexec' ]]; then
+         dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/pkexec'
+      fi
+   fi
 
    touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
 }
diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener
index b2991e0..c5527e3 100755
--- a/usr/bin/permission-hardener
+++ b/usr/bin/permission-hardener
@@ -612,6 +612,11 @@ commit_policy() {
         -- "${policy_file_item}"
     fi
   done
+
+  log notice "\
+To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes:
+    sudo apt install --no-install-recommends meld
+    meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride"
 }
 
 undo_policy_for_file() {
diff --git a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded
new file mode 100644
index 0000000..142686e
--- /dev/null
+++ b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded
@@ -0,0 +1,24 @@
+root root 700 /etc/cron.monthly
+root root 700 /etc/sudoers.d
+root shadow 744 /usr/bin/expiry
+root root 755 /usr/bin/umount
+root root 744 /usr/bin/gpasswd
+root root 700 /usr/lib/modules
+root root 744 /usr/bin/newgrp
+root root 700 /etc/cron.weekly
+root root 744 /usr/bin/su
+root root 700 /etc/cron.daily
+root root 755 /bin/ping
+root root 644 /etc/motd
+root _ssh 744 /usr/bin/ssh-agent
+root root 700 /boot
+root shadow 744 /usr/bin/chage
+root root 744 /usr/lib/openssh/ssh-keysign
+root root 744 /usr/bin/chsh
+root root 755 /usr/bin/passwd
+root root 744 /usr/bin/chfn
+root root 600 /etc/permission-hardener.d
+root root 700 /usr/src
+root root 755 /usr/bin/mount
+root root 644 /etc/issue
+root root 700 /etc/cron.d