Orin,
Could you point me (us?) to information regarding the best methods for deploying baselines to stand-alone installations?
To clarify what I am looking for: I currently build out the settings based on reading the recommended settings from CIS and such, and put them into a blank, non-domain-joined Windows 2016 VM. I have then been using LGPO.exe to export these settings so I can capture them. I can then use these as a portable method to apply the settings to VMs or physical servers.
There is, however, a small but notable issue with Firewall settings. While there is a section of gpedit.msc that can be used to identify these settings, when using LGPO.exe to back up the local GPO settings this information is missed in the LGPO backup. I noticed this when doing an import of the settings using the same tool: these settings are not present. I did find that I could manually export the Firewall settings within the gpedit.msc snap-in and then import them on another machine, and the enforcement would work. As a manual GUI process, this is less than ideal. While there is a command for importing with netsh, "netsh advfirewall import FWpolicy.wfw", this only adds settings to the current Firewall configuration and does not add them as enforced Local Group Policy rules.
Do you know of a method to address this? Or is there a better way to have Local Group Policy configurations exported to a file that can be used to import into new builds? I'm looking to avoid domain-based deployments, as we have multi-domain and DMZ targets that will have this applied. I would like a command-line approach so it can be scripted as part of the onboarding tasks, so the deployment engineers have things as automated as possible.
-Marty
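The following is an added example, not part of Marty's post and not taken from the LGPO.exe or Windows documentation. It shows one scripted way to get firewall profile settings into the local Group Policy (so they are enforced as policy rather than merely set with netsh): write the Windows Firewall policy registry values into an LGPO text file and import it with `LGPO.exe /t`. It assumes LGPO.exe from the Microsoft Security Compliance Toolkit is present at the path given in `$LgpoExe`, that `$WorkDir` and `$LogDir` are acceptable locations, and that the CIS-style profile values chosen here (inbound blocked, outbound allowed, local rule merge disabled, logging on) are the ones wanted; adjust them to your own benchmark reading.

```powershell
# Added example (not from the original post): push Windows Firewall *policy* values into the
# local GPO with LGPO.exe so they are enforced as Local Group Policy, then refresh and verify.
#
# Assumptions (not stated in the thread): LGPO.exe lives at $LgpoExe; $WorkDir is writable;
# the values below are the registry-policy equivalents of the WFAS profile settings that the
# firewall service reads from HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall.
#Requires -RunAsAdministrator
param(
    [string]$LgpoExe = 'C:\Tools\LGPO\LGPO.exe',                  # assumed location
    [string]$WorkDir = "$env:ProgramData\Baseline",               # assumed scratch location
    [string]$LogDir  = '%SystemRoot%\System32\LogFiles\Firewall'  # assumed log location
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Per-profile policy values. DefaultInboundAction 1 = Block, DefaultOutboundAction 0 = Allow.
# AllowLocalPolicyMerge 0 means rules created outside policy (e.g. by netsh import) are
# ignored, which is what makes the result "enforced" rather than merely configured.
$profileSettings = [ordered]@{
    EnableFirewall             = 1
    DefaultInboundAction       = 1
    DefaultOutboundAction      = 0
    DisableNotifications       = 1
    AllowLocalPolicyMerge      = 0
    AllowLocalIPsecPolicyMerge = 0
}
$loggingSettings = [ordered]@{
    LogFileSize              = 16384
    LogDroppedPackets        = 1
    LogSuccessfulConnections = 1
}

# LGPO text format: scope line, key (relative to HKLM for "Computer"), value name,
# TYPE:data, then a blank line separating entries.
function New-LgpoEntry {
    param([string]$Key, [string]$Name, [string]$Type, [string]$Data)
    "Computer`r`n$Key`r`n$Name`r`n${Type}:$Data`r`n"
}

$entries = @("; generated $(Get-Date -Format o) - firewall profile policy for the local GPO", "")
# Registry names for the three profiles: Domain, Standard (= Private) and Public.
foreach ($prof in 'Domain', 'Standard', 'Public') {
    $key = "SOFTWARE\Policies\Microsoft\WindowsFirewall\${prof}Profile"
    foreach ($kv in $profileSettings.GetEnumerator()) {
        $entries += New-LgpoEntry -Key $key -Name $kv.Key -Type DWORD -Data $kv.Value
    }
    $entries += New-LgpoEntry -Key "$key\Logging" -Name LogFilePath -Type SZ -Data "$LogDir\${prof}fw.log"
    foreach ($kv in $loggingSettings.GetEnumerator()) {
        $entries += New-LgpoEntry -Key "$key\Logging" -Name $kv.Key -Type DWORD -Data $kv.Value
    }
}

$lgpoTxt = Join-Path $WorkDir 'firewall-policy.txt'
Set-Content -Path $lgpoTxt -Value $entries -Encoding ASCII

# /t imports an LGPO text file into the local GPO's registry.pol, so the values land as
# policy (Software\Policies\...) instead of as ordinary firewall configuration.
& $LgpoExe /t $lgpoTxt /v
if ($LASTEXITCODE -ne 0) { throw "LGPO.exe returned exit code $LASTEXITCODE" }

# Refresh computer policy and show the effective, policy-merged result for a sanity check.
gpupdate.exe /target:computer /force | Out-Null
netsh.exe advfirewall show allprofiles
```

The same text format works in the other direction: `LGPO.exe /parse /m <path>\Registry.pol` renders an existing registry.pol (the local one is under `%SystemRoot%\System32\GroupPolicy\Machine`) as LGPO text, so profile settings configured on a reference VM through the Administrative Templates firewall node can be dumped, reviewed and replayed with `/t` on new builds. Individual rules set as policy appear under `SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules` as REG_SZ values; their string grammar is version-specific, so copy them from a reference machine rather than composing them by hand.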