Recent Discussions
Question regarding MSCT 1.0 baselines for Windows Server 2016, 2019, and 2022
Hi All, I have a mix of Windows Server 2016, 2019, and 2022 Domain Controllers. Given the above, what admx and adml files should I copy to the respective SYSVOL folders:

C:\Windows\SYSVOL\domain\Policies
C:\Windows\SYSVOL\domain\Policies\en-US

E.g. if you look in the Templates folder for 2016, 2019, and 2022 they all have the same filenames and will overwrite each other. I'm assuming I should use Windows Server-2022-Security-Baseline-FINAL, but won't this have incompatibilities with 2016/2019 DCs?

Windows-Server-2016-Security-Baseline Templates
  AdmPwd.admx 4k
  MSS-legacy.admx 19k
  SecGuide.admx 4k
  AdmPwd.adml 4k
  MSS-legacy.adml 17k
  SecGuide.adml 4k

Windows Server 2019 Security Baseline Templates
  AdmPwd.admx 4k
  MSS-legacy.admx 19k
  SecGuide.admx 28k
  AdmPwd.adml 4k
  MSS-legacy.adml 17k
  SecGuide.adml 12k

Windows Server-2022-Security-Baseline-FINAL Templates
  AdmPwd.admx 4k
  MSS-legacy.admx 19k
  SecGuide.admx 32k
  en-US
    AdmPwd.adml 4k
    MSS-legacy.adml 17k
    SecGuide.adml 16k
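An added example, not from the post above and not part of the baseline packages, of the check a practitioner would run before copying templates from several baseline packages into one place: inventory the .admx/.adml files in each extracted package, hash them, and report which file names collide with different contents, then copy with a backup of whatever is overwritten. Two things are assumptions here: the extraction paths under C:\Baselines, and the rule that when two packages ship a file of the same name with different bytes, the copy from the most recent package is the one to keep (keep each .adml with the .admx from the same package, since the .adml is that .admx's string table). The target used is the domain Central Store, which is the PolicyDefinitions folder under \\<domain>\SYSVOL\<domain>\Policies, rather than the local C:\Windows\SYSVOL path on a single DC.

```powershell
# Added example; not part of the original post or the baseline packages.
# Assumed layout: each package extracted under C:\Baselines\<package>\Templates.
# Assumed target: the domain Central Store (PolicyDefinitions under SYSVOL\<domain>\Policies).
$Packages = @(
    'C:\Baselines\Windows-Server-2016-Security-Baseline\Templates'
    'C:\Baselines\Windows-Server-2019-Security-Baseline\Templates'
    'C:\Baselines\Windows-Server-2022-Security-Baseline-FINAL\Templates'
)
$CentralStore = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"

function Get-TemplateInventory {
    # One record per .admx/.adml file in every package, with a SHA-256 so that
    # same-name files can be compared by content rather than by size.
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        $root    = $root.TrimEnd('\')
        $package = Split-Path (Split-Path $root -Parent) -Leaf
        Get-ChildItem -Path $root -Recurse -File -Include *.admx, *.adml | ForEach-Object {
            # .adml files belong in a language subfolder of the store; the 2016/2019
            # packages keep them beside the .admx, so normalise those to en-US.
            $relative = if ($_.Extension -eq '.adml' -and $_.DirectoryName.TrimEnd('\') -eq $root) {
                Join-Path 'en-US' $_.Name
            } else {
                $_.FullName.Substring($root.Length).TrimStart('\')
            }
            [pscustomobject]@{
                Package  = $package
                Relative = $relative
                Length   = $_.Length
                Hash     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Source   = $_.FullName
            }
        }
    }
}

function Get-TemplateCollisions {
    # Which relative paths appear in more than one package, and whether the bytes differ.
    param([object[]]$Inventory)
    $Inventory | Group-Object Relative | ForEach-Object {
        $distinct = @($_.Group.Hash | Sort-Object -Unique)
        [pscustomobject]@{
            File           = $_.Name
            Packages       = $_.Count
            DistinctBytes  = $distinct.Count          # 1 = identical everywhere, safe either way
            SizesByPackage = ($_.Group | ForEach-Object { "$($_.Package)=$($_.Length)" }) -join '; '
        }
    }
}

function Copy-TemplatesToCentralStore {
    # Assumption: when contents differ, the copy from the last package in $PackageOrder wins.
    # Anything overwritten in the store is first copied to a timestamped backup folder.
    param([object[]]$Inventory, [string]$Store, [string[]]$PackageOrder, [switch]$WhatIf)
    $rank = @{}
    for ($i = 0; $i -lt $PackageOrder.Count; $i++) {
        $rank[(Split-Path (Split-Path $PackageOrder[$i].TrimEnd('\') -Parent) -Leaf)] = $i
    }
    $backup = Join-Path $env:TEMP ("PolicyDefinitions-backup-" + (Get-Date -Format yyyyMMdd-HHmmss))
    $Inventory | Group-Object Relative | ForEach-Object {
        $pick = $_.Group | Sort-Object { $rank[$_.Package] } | Select-Object -Last 1
        $dest = Join-Path $Store $_.Name
        if (Test-Path $dest) {
            if ((Get-FileHash -Path $dest -Algorithm SHA256).Hash -eq $pick.Hash) { return }  # already current
            $bak = Join-Path $backup $_.Name
            New-Item -ItemType Directory -Path (Split-Path $bak -Parent) -Force | Out-Null
            Copy-Item -Path $dest -Destination $bak -WhatIf:$WhatIf
        }
        New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
        Copy-Item -Path $pick.Source -Destination $dest -WhatIf:$WhatIf
        "{0} <- {1} ({2} bytes)" -f $_.Name, $pick.Package, $pick.Length
    }
}

$inv = Get-TemplateInventory -Roots $Packages
Get-TemplateCollisions -Inventory $inv | Format-Table -AutoSize
# Dry run first; drop -WhatIf once the collision table looks right.
Copy-TemplatesToCentralStore -Inventory $inv -Store $CentralStore -PackageOrder $Packages -WhatIf
```

The collision table is the useful output: a file with DistinctBytes = 1 can be taken from any package, while a file with DistinctBytes > 1 (SecGuide.admx in the listing above, at three different sizes) is the one where the choice of package matters and where the matching .adml must come from the same package.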
Security Baseline Version 23H2, greenfield deployment

Hi, is there a best practice to start rolling out the Microsoft security baseline? I am in a greenfield situation where I would like to use this baseline as a starting point, by first adjusting the baseline by removing what I think might be causing issues for the user. There are a lot of settings in this baseline so I am sure some of them will cause issues for users. Since you can't simply disable the policy and have all settings reverted, what is the best practice around this? Make a copy of the existing baseline, adjust settings and re-apply the correct settings? I read that Intune is tattooing some settings and the only way to reverse is to wipe and re-deploy, or manually fix in the registry. Any advice on this? Maybe not use the baseline and build the template gradually.
Are the security baselines downloaded in the SCT "CIS Level 1"? I've used the Policy Analyzer to compare the group of baseline GPOs (all the ones in the \GPOs\ folder) to the 'current environment' using a freshly provisioned PC, and a VM for Server 2022. The 'baseline' vs 'current state' comparison is helpful, but I'm wondering, if I were to enable every GPO in the baseline column, does that get you CIS Level 1? MS does not seem to use the CIS terms in the documentation I've found.

Applying the SCT to standalone hardened systems?
I'm experimenting with the use of the SCT to speed up the hardening process for "elevated risk" servers for my company, such as systems residing within an Internet DMZ. My tests are currently relegated to the use of Windows 2016. In my environment, the DMZ-placed systems would likely be standalone and not members of any domain. The SCT for Win10/Win2016 includes three main processing scripts for the application of the relevant GPO content to the targeted system:

- Client_Install.cmd
- Domain_Controller_Install.cmd
- Member_Server_Install.cmd

Is there any guidance as to which particular processing script I should use for my standalone application on the target system? None of the "names" for the processing scripts above exactly match my scenario. Thanks, Tariq

Question Regarding Server 2022 Domain & Controller MSCT baselines
I have a basic 'newbie' question regarding the MSCT baselines. I see the GPO for 'MSFT Windows Server 2022 - Domain Controller' and also 'MSFT Windows Server 2022 - Member Server'. I just want to confirm that we should only apply the 'MSFT Windows Server 2022 - Domain Controller' policies to our DCs, and not the Member Server policies as well. While this seems obvious, I just want to make sure.

Windows 10/11 22H2 Security Baseline missing in Intune
Hi, can you please enlighten us on when the Windows 10/11 Security Baseline will be updated to 22H2? The current baseline is from November 2021; I am sure that there are new recommendations in the new baseline (Windows 10, version 22H2 Security baseline - Microsoft Community Hub) that would be helpful while managing Windows in a more modern way. As an example, currently missing is the 22H2 option "Allow Administrator account lockout", to manage it without the need of a GPO.

Office security baseline breaks Excel feature: "analysis toolpak"
Hi team, I have found that the Office security baseline (Intune v2306) breaks an Excel feature: the Analysis ToolPak add-in (the Data Analysis menu item does not load). There was a known issue note on the v2206 Office baseline that stated the setting "Prevent Excel from running XLM macros" broke Analysis ToolPak and referred to a workaround: https://support.microsoft.com/office/06cd719c-1e9b-4624-815b-c377ad5ca236 But I have tested removing/disabling "Prevent Excel from running XLM macros" from the baseline and the issue persists. I also tested deploying/enabling only "Prevent Excel from running XLM macros" and it doesn't cause the feature to stop working. I've come to the conclusion that "Prevent Excel from running XLM macros" is no longer a relevant setting (and the workaround is no longer accurate). I've tested a dozen settings from the Excel Trust Center without success in finding the offending setting. The "analysis toolpak" doesn't show in the Trust Center logging.

1. It looks like this needs to be a known issue for the Office baseline again.
2. Any recommendations on how to troubleshoot the issue (short of working through each setting in the baseline)?

Security Baselines for Linux
Currently only Windows OS is in scope of the Security Baseline assessments. Are there any plans to expand it to Linux (RedHat) as well? I mean, our organization has deployed Defender on Linux, so it might be possible Microsoft will support this on Linux OSes as well. Thanks, Dragi

Your connection isn't private on Edge after hardening plus no home page
Hi, we are in the process of setting up a policy for organizational users using Edge and GPO. We have had a few hiccups, two of which I would be happy for assistance with fixing. It's important that all the fixes are via the GPO settings (ADMX as of build 101 of Edge). The first issue is that when the browser starts, we want it to open to our organizational portal, but it opens to "edge://newtab". We managed to set the home page (when you click the home icon) to our portal, but can't figure out how to get Edge to always open with our portal as the main page. The second issue is even more problematic. On some external web sites, even those you would not expect to get it on, we get a "Your connection isn't private" message (when trying to browse to "www.google.com", for example), and the internal error is "NET::ERR_CERT_NO_REVOCATION_MECHANISM". We don't have this issue with IE or Chrome to the same websites on the same workstations. And we don't have this issue with internal websites. Anyone have any idea why this is happening only on Edge and what the parameter that could be causing this is? Again, it does not happen on all web sites. Some web sites that give this error allow us to move forwards, while others, like Google, won't even allow that. Would appreciate any help. Mike

Securing Group Policy Template and importing it to Windows Server 2016 Group Policy
Hi, I'm working on the security hardening of Windows Server 2016 according to [CIS Benchmark V 1.2.0][1]. For this I found a security compliance project from Microsoft, the [Microsoft Security Compliance Toolkit 1.0][2]. This project works on a preconfigured Group Policy for Member Server or Domain Controller, and that Group Policy has a hardened configuration that complies with the CIS Benchmark. Microsoft Security Compliance Toolkit 1.0 has some tools and configurations that can be installed from [here][3]. The main problem with this toolkit and its Group Policy configuration is that they are not implementing all of the CIS Benchmark for Windows Server 2016, so I started working on my own Group Policy template.

For building my hardening Group Policy template I started by taking a snapshot of my Windows Server 2016 so I could work on a system like the production one, then deploying the hardened Group Policy that comes with the toolkit (as a starting point), then checking every point from the CIS Benchmark document and reflecting the recommended configuration in that template Group Policy. After finishing some of those security recommendations I took another snapshot of the production server and used the LGPO.exe tool (included in the toolkit) to import the hardened Group Policy template that I was working on and apply it to the new server snapshot.

After importing the hardened Group Policy to the test server I started facing many problems when trying to log in to my administrator account, as seen in the photos:

1. After login, I receive this error, and if I log in again it doesn't occur again: https://drive.google.com/file/d/1emPuoTKajuUmTifi8sSirb1vUJIhi9sI/view?usp=sharing
2. After login sometimes the server hangs in the following state: https://drive.google.com/file/d/1Vp48d7sxdCfabs93IfRW10_T9xHo44R3/view?usp=sharing
3. I receive this error sometimes: https://drive.google.com/file/d/16BJEMn6OZAS8J5pTRFF4tGcFfMAYRGN/view?usp=sharing (Note that the previous errors occur sometimes, and if you try to access the same thing again it works.)
4. This occurs every time I log in to the account: https://drive.google.com/file/d/16W86tVTVgoo9amvhlsfCsmsMb-XMAFZl/view?usp=sharing

All of these errors started happening after deploying the hardened Group Policy to the test server. I also had another snapshot of the production server where I tried to apply the same security recommendations manually, so I did the same security recommendations that I had configured in the Group Policy (which caused all the previous errors), but this time manually, and everything was working as expected with no errors!!

So my issue is: what goes wrong with having a tool such as LGPO.exe (an official Microsoft tool) that imports a GPO into the current Group Policy, and why did I have all the previous issues when doing that, but when doing the work manually it worked well? What is the best way to make a secure Group Policy as per the CIS Benchmark and export it, then import it to each server you have? What is the best way of doing this?

**Note:**
1. I have only one admin user that I'm using during the work.
2. My Windows Server 2016 is a non-domain machine - stand-alone.

Thanks in advance

[1]: https://www.newnettechnologies.com/cis-benchmark.html?utm_campaign=Search+-+ROW+-+Quantity&utm_medium=ppc&utm_source=adwords&utm_term=&hsa_acc=2189148223&hsa_cam=134925607&hsa_grp=78721086889&hsa_src=g&hsa_tgt=dsa-688559004445&hsa_kw=&hsa_ad=361557470862&hsa_net=adwords&hsa_mt=b&hsa_ver=3&gclid=Cj0KCQjw3ZX4BRDmARIsAFYh7ZIAuQlReBpbGLHvKYCCQxq7QQrBYKgvrhxZu7tJne57NuBNQtT7gDIaAjDYEALw_wcB
[2]: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-compliance-toolkit-10
[3]: https://www.microsoft.com/en-us/download/details.aspx?id=55319
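Two of the posts above, the standalone-DMZ question ("which install script?") and the LGPO.exe import that left a stand-alone 2016 server misbehaving at logon, call for the same thing: an LGPO.exe workflow that takes a backup of the local policy before the import, picks baseline GPO backups by display name instead of by GUID folder, and leaves a before/after text diff of the machine registry.pol so the settings the import actually changed can be reviewed one by one against the CIS item list. This is an added example, not the toolkit's own Member_Server_Install.cmd or any script from either post. Assumptions: LGPO.exe from the toolkit's LGPO zip sits at C:\SCT\LGPO\LGPO.exe, the baseline is extracted under C:\SCT, the script runs elevated, and the GPO backup folders carry the usual bkupInfo.xml with a GPODisplayName element.

```powershell
# Added example; not the toolkit's install scripts. All paths below are assumptions.
$Lgpo     = 'C:\SCT\LGPO\LGPO.exe'
$GpoRoot  = 'C:\SCT\Windows Server 2016 Security Baseline\GPOs'
$Work     = "C:\SCT\LocalPolicy-$(Get-Date -Format yyyyMMdd-HHmmss)"
$LocalPol = "$env:SystemRoot\System32\GroupPolicy\Machine\Registry.pol"

function Get-GpoBackupInfo {
    # Each GPO backup folder ({GUID}) carries a bkupInfo.xml naming the GPO it holds,
    # so baselines can be selected by name rather than by memorising GUIDs.
    param([string]$Root)
    Get-ChildItem -Path $Root -Directory | ForEach-Object {
        $info = Join-Path $_.FullName 'bkupInfo.xml'
        if (-not (Test-Path $info)) { return }
        [xml]$x = Get-Content -Path $info -Raw
        [pscustomobject]@{
            DisplayName = $x.BackupInst.GPODisplayName.'#cdata-section'
            BackupPath  = $_.FullName
        }
    }
}

function Export-LocalMachinePolicy {
    # Render the local machine registry.pol as text (LGPO /parse) so two snapshots can be diffed.
    param([string]$OutFile)
    if (Test-Path $LocalPol) {
        & $Lgpo /parse /m $LocalPol | Set-Content -Path $OutFile
    } else {
        Set-Content -Path $OutFile -Value ''    # no registry-based local policy yet
    }
}

function Backup-LocalPolicy {
    # LGPO /b writes a GPO backup ({GUID} folder) of the current local policy under $Work.
    New-Item -ItemType Directory -Path $Work -Force | Out-Null
    & $Lgpo /b $Work /n 'Pre-baseline local policy'
    if ($LASTEXITCODE -ne 0) { throw "LGPO backup failed with exit code $LASTEXITCODE" }
    Export-LocalMachinePolicy -OutFile (Join-Path $Work 'machine-before.txt')
}

function Import-BaselineGpo {
    # Import every baseline GPO backup whose display name matches, then diff before/after.
    param([Parameter(Mandatory)][string]$NamePattern)
    $targets = @(Get-GpoBackupInfo -Root $GpoRoot | Where-Object DisplayName -like "*$NamePattern*")
    if ($targets.Count -eq 0) { throw "No GPO backup under $GpoRoot matches '*$NamePattern*'" }
    foreach ($t in $targets) {
        Write-Host "Importing '$($t.DisplayName)' from $($t.BackupPath)"
        & $Lgpo /g $t.BackupPath /v
        if ($LASTEXITCODE -ne 0) { throw "LGPO import of '$($t.DisplayName)' failed: $LASTEXITCODE" }
    }
    gpupdate /force | Out-Null
    Export-LocalMachinePolicy -OutFile (Join-Path $Work 'machine-after.txt')
    # '=>' lines are values the baseline added or changed, '<=' lines are values it replaced.
    Compare-Object (Get-Content (Join-Path $Work 'machine-before.txt')) `
                   (Get-Content (Join-Path $Work 'machine-after.txt'))
}

function Restore-LocalPolicy {
    # Re-import the pre-baseline backup. Caveat: /g merges, so this puts back values that
    # existed before but does not delete values the baseline added; a VM snapshot is the
    # only complete rollback.
    Get-ChildItem -Path $Work -Directory | Where-Object Name -like '{*}' | ForEach-Object {
        & $Lgpo /g $_.FullName /v
    }
    gpupdate /force | Out-Null
}

Backup-LocalPolicy
Import-BaselineGpo -NamePattern 'Member Server' | Format-Table -AutoSize
# Restore-LocalPolicy   # if the server misbehaves at logon, before re-testing settings one at a time
```

The diff output is what turns "everything broke after the import" into a finite list: each changed value can be reverted singly with Set-ItemProperty or by re-importing a narrower GPO backup, which is how the set of items responsible for the logon errors is narrowed down. Whether the Member Server GPO is the right starting point for a non-domain DMZ host is a decision the example does not make; the toolkit's Policy Analyzer compares the resulting local policy against the baseline and shows what is left.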
Does Microsoft Defender for Endpoint baseline set windows 10 machine account password age
We have enrolled Windows 10 computers into Intune and configured Defender for Endpoint baseline version 6. On all these computers we are getting a trust relationship error after some days. So does Defender for Endpoint baseline version 6 or Intune change the machine account password? Thanks

[Updates] GPOs Configure Automatic Updates vs. Specify deadlines for automatic updates and restarts
Dear all, we have about 500 Windows servers in our standalone WSUS environment. I would like to change local GPOs for the (new) non-AD members, so the compliance related to Windows Updates improves. Mostly we are using the GPO Configure Automatic Updates with AU option 4 (schedule the install) as of today. As far as I know, the new GPO "Specify deadlines for automatic updates and restarts" ignores the Configure Automatic Updates GPO with all the AU options (see https://learn.microsoft.com/en-us/windows/deployment/update/wufb-compliancedeadlines), so they can not be combined together.

Question 1: Is it true? Do you have some up-to-date information about that?

Reading through the update baselines https://www.microsoft.com/en-us/download/details.aspx?id=101056, as far as I can see, the Configure Automatic Updates GPO will not be supported in the future and some related GPO settings are not even recommended for this reason, because they might not work as intended.

Question 2: Is it true? Do you have some up-to-date information about what is still supported?

Question 3: Do you know a deadline for the deprecation of the Configure Automatic Updates GPO by Microsoft? (We are planning to have some scheduler settings to begin the installation of Windows Updates and, as I can see, "Specify deadlines for automatic updates and restarts" can not do that (it can only schedule the restart) and the Configure Automatic Updates GPO seems to be moving out of support slowly.)

I also checked this material but could not find focused material for Windows Updates only, especially for servers: https://www.microsoft.com/en-us/download/details.aspx?id=55319

Question 4: Do you know where to find such material for Windows Updates only, or who to ask for it? (Mostly for Windows Server 2016, 2019 and 2022.) Many thanks upfront for your answers.

Security Baseline for M365 Apps for enterprise May 2023 version
Is there any known issue with the Security Baseline for M365 Apps not applying? I have a customer who said it worked for a while and then stopped working. They had to do everything via configuration profiles. Apparently they also heard from other companies that this baseline stopped working suddenly.

Unsafe font block in Windows
One of my Windows admins says we should not use unsafe fonts like Open Sans, mentioning the following article: https://www.tenforums.com/tutorials/139087-enable-disable-untrusted-font-blocking-windows-10-a.html But on the MS forum it says that setting is dropped: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/dropping-the-quot-untrusted-font-blocking-quot-setting/ba-p/701068 Which is correct? Thanks

Can we adjust security baseline in Automanage from Azure VM?
Hi! We enabled Automanage -> Automanage Machine Configuration -> Enable security baseline. After that we can see some guest assignments available. Are we able to adjust/add/remove those policies from AzureWindowsBaseline? For example, can I adjust the rule "Audit MPSSVC Rule-Level Policy Change"? If it is possible, could you guide me on how to change it? Thank you for the help.

Security Baselines not seeing devices in device groups
I'm trying to test security baseline assessments but the profiles I set will not recognise any device groups as having devices in them. Listing the devices separately, adding tags to the devices and creating new groups with the same devices doesn't work either.

Exploit Prevention Blocking EXE files
My environment is having an issue where exe files are being blocked when executed via a remote share. It appears Exploit Prevention is blocking, but it does not happen for every user. I have placed an exclusion using Set-ProcessMitigation -Name filename.exe -Disable BlockRemoteImageLoads and the issue still persists. We do not use Defender for Endpoint as a solution and are not managing Exploit Guard policy via GPO, SCCM, or Intune. Also I have verified the process mitigation is disabled using PowerShell:

ImageLoad:
  BlockRemoteImageLoads      : OFF
  AuditRemoteImageLoads      : NOTSET
  Override BlockRemoteImages : False
  BlockLowLabelImageLoads    : OFF
  AuditLowLabelImageLoads    : NOTSET
  Override BlockLowLabel     : False
  PreferSystem32             : NOTSET
  AuditPreferSystem32        : NOTSET
  Override PreferSystem32    : False

This randomly started a few days ago and I'm at a loss for how to move forward and why this occurred all of a sudden.
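An added example, not from the post above, of how a practitioner would pin down whether exploit protection is really the control blocking an executable launched from a share: read the effective ImageLoad settings for the image at both the per-process and the system level (Set-ProcessMitigation -Name only writes a per-process entry, keyed on the file name, under the Image File Execution Options key), then pull the audit/block events that exploit protection writes, alongside the events from the other controls that also stop executables from shares and look identical to a user (AppLocker, WDAC and Defender's attack surface reduction rules). The image name filename.exe is the post's placeholder; the event IDs 7 (audit) and 8 (block) for the "block remote images" mitigation and 8004, 3077, 1121/1122 for the other three logs are taken from the respective feature documentation and should be verified on the build in use. The script assumes it runs elevated with the ProcessMitigations module available.

```powershell
# Added example; not from the original post. Run elevated on an affected machine.
# Event ID mapping is from the feature documentation; verify on your build.
$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-RemoteImageLoadState {
    # Effective "block remote images" setting for one image name, next to the system default.
    param([Parameter(Mandatory)][string]$ImageName)
    $system  = Get-ProcessMitigation -System
    $process = Get-ProcessMitigation -Name $ImageName
    $ifeoKey = Join-Path $Ifeo $ImageName
    [pscustomobject]@{
        Image                    = $ImageName
        SystemBlockRemoteImages  = $system.ImageLoad.BlockRemoteImageLoads
        ProcessBlockRemoteImages = $process.ImageLoad.BlockRemoteImageLoads
        ProcessAuditRemoteImages = $process.ImageLoad.AuditRemoteImageLoads
        # Per-process mitigations live in IFEO\<name>\MitigationOptions and match on file
        # name only: a renamed copy of the executable is not covered by the exclusion.
        IfeoMitigationOptionsSet = [bool](Get-ItemProperty -Path $ifeoKey -Name MitigationOptions -ErrorAction SilentlyContinue)
    }
}

function Get-ImageBlockEvents {
    # Events from exploit protection and from the other controls that block executables,
    # filtered to those whose message mentions the image. Empty results are meaningful:
    # no Security-Mitigations event for the image means exploit protection did not act.
    param([Parameter(Mandatory)][string]$ImageName, [int]$Hours = 24)
    $since   = (Get-Date).AddHours(-$Hours)
    $sources = @(
        @{ Log = 'Microsoft-Windows-Security-Mitigations/KernelMode'; Id = 7, 8;       What = 'ExploitProtection remote image (7 audit / 8 block)' }
        @{ Log = 'Microsoft-Windows-Security-Mitigations/UserMode';   Id = 7, 8;       What = 'ExploitProtection remote image (7 audit / 8 block)' }
        @{ Log = 'Microsoft-Windows-AppLocker/EXE and DLL';           Id = 8004;       What = 'AppLocker EXE blocked' }
        @{ Log = 'Microsoft-Windows-CodeIntegrity/Operational';       Id = 3077;       What = 'WDAC blocked' }
        @{ Log = 'Microsoft-Windows-Windows Defender/Operational';    Id = 1121, 1122; What = 'ASR rule (1121 block / 1122 audit)' }
    )
    foreach ($s in $sources) {
        $filter = @{ LogName = $s.Log; Id = $s.Id; StartTime = $since }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match [regex]::Escape($ImageName) } |
            Select-Object TimeCreated, Id,
                @{ n = 'Control'; e = { $s.What } },
                @{ n = 'User';    e = { $_.UserId } },
                @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Substring(0, [Math]::Min(160, $_.Message.Length)) } }
    }
}

Get-RemoteImageLoadState -ImageName 'filename.exe' | Format-List
Get-ImageBlockEvents -ImageName 'filename.exe' -Hours 72 | Sort-Object TimeCreated | Format-Table -Wrap
```

The User column is what makes the "not every user" symptom testable: if the block events line up with particular accounts, the next place to look is a per-user control (AppLocker rules scoped to groups, or a user-scoped policy) rather than a per-image exclusion, which is machine-wide.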
Recent Blogs
- Microsoft is pleased to announce the release of the security baseline package for Windows 11, version 24H2! (Nov 16, 2024)