MicrosoftAaronMargosis_Tanium Of course baselines can check for "insecure administration methods". Microsoft provides PowerShell scripts to apply the baselines, that's how they modify the scheduled tasks and services' startups, that allows for scripting, C# code, even Windows API calls.
Yes, group policies can be changed after applying policies, but like i said it's the default assumption that the computer requires this policy that is the main problem. Especially since it is modifying a secure default setting merely based on an assumption. All it has to do is to leave it alone as is.
The setting is applied by default when running the included PowerShell script, "Baseline-LocalInstall.ps1" with the "-Win11NonDomainJoined" parameter. There is no other parameter that tells the security baselines not to apply that insecure policy.
