Forum Widgets
Latest Discussions
Question regarding MSCT 1.0 baselines for Windows Server 2016, 2019, and 2022
Hi All, I have a mix of Windows Server 2016, 2019, and 2022 Domain Controllers. Given the above, what admx and adml files should I copy to the respective SYSVOL folders: C:\Windows\SYSVOL\domain\Policies C:\Windows\SYSVOL\domain\Policies\en-US E.G. If you look in the Templates folder for 2016, 2019, and 2022 they all have the same filenames and will overwrite each other. I'm assuming I should use Windows Server-2022-Security-Baseline-FINAL, but won't this have incompatibilities with 2016/2019 DCs? Windows-Server-2016-Security-Baseline Templates AdmPwd.admx 4k MSS-legacy.admx 19k SecGuide.admx 4k AdmPwd.adml 4k MSS-legacy.adml 17k SecGuide.adml 4k Windows Server 2019 Security Baseline Templates AdmPwd.admx 4k MSS-legacy.admx 19k SecGuide.admx 28k AdmPwd.adml 4k MSS-legacy.adml 17k SecGuide.adml 12k Windows Server-2022-Security-Baseline-FINAL Templates AdmPwd.admx 4k MSS-legacy.admx 19k SecGuide.admx 32k en-US AdmPwd.adml 4k MSS-legacy.adml 17k SecGuide.adml 16kDoJU70Aug 29, 2024Copper Contributor389Views0likes2CommentsSecurity Baseline Version 23H2, greenfield deployment
Hi, Is there a best practice to start rolling out the Microsoft security baseline. I am in a Greenfield situation where I would like to use this baseline as a starting point. This by first adjusting the baseline by removing what I think might be causing issues for the user. There are a lot of settings in this baseline so I am sure some of them will causes issues for users. Since you simply can't disable the policy and all settings will be reverted what is the best practice around this? Make a copy of the existing baseline adjust settings and re-apply the correct settings? I read that Intune is tattooing some settings an the only way to reverse is to wipe and re-deploy, or manually fix in registry. Any advice on this, maybe not use the baseline and built template gradually.GomezFDMJul 12, 2024Copper Contributor686Views0likes1CommentQuestion Regarding Server 2022 Domain & Controller MSCT baselines
I have a basic 'Newbie' question regarding the MSCT baselines. I see the GPO for 'MSFT Windows Server 2022 - Domain Controller' and also 'MSFT Windows Server 2022 - Member Server'. I just want to confirm that we should only apply the'MSFT Windows Server 2022 - Domain Controller' policies to our DC's, and not the Member Server policies as well. While this seems obvious, I just want to make sure.wbaumgardtJan 18, 2024Copper Contributor1.6KViews0likes6CommentsOffice security baseline breaks excel feature: "analysis toolpak"
Hi team, I have found that the Office security baseline (Intune v2306) breaks an excel feature: analysis toolpak add-in (the data analysis menu item does not load). There was a known issue note on the v2206 office baseline that stated the setting "Prevent Excel from running XLM macros" broke analysis toolpak and referred to a workaround: https://support.microsoft.com/office/06cd719c-1e9b-4624-815b-c377ad5ca236 But, I have tested removing/disabling the "Prevent Excel from running XLM macros" from the baseline and the issue persists. I also tested deploying/enabling only the "Prevent Excel from running XLM macros" and it doesn't cause the feature to stop working. I've come to the conclusion that "Prevent Excel from running XLM macros" is no longer a relevant setting (and the workaround is no longer accurate). I've tested a dozen settings from excel trust center without success in finding the offending setting. The "analysis toolpak" doesn't show in the trust center logging. 1. It looks like this needs to be a known issue for the office baseline again, 2. Any recommendations on how to troubleshoot the issue (short of working through each setting in the baseline)?JF9928Dec 05, 2023Copper Contributor1.2KViews0likes1CommentDoes Microsoft Defender for Endpoint baseline set windows 10 machine account password age
We have enrolled Windows 10 computers into Intune and configured Defender for Endpoint baseline version 6. All these computers we are getting trust relationship error after some days. So does Defender for Endpoint baseline version 6 or Intune change machine account password? ThanksSRAJAKUMARM365AZUREAug 28, 2023Copper Contributor877Views0likes3Comments[Updates] GPOs Configure Automatic Updates vs. Specify deadlines for automatic updates and restarts
Dear all, we have about 500 Windows servers in our Standalone WSUS environment. I would like to change local GPOs for the (new) non-AD-members, so the compliance related to Windows Updates is improving. Mostly we are using GPO Cofigure Automatic Updates with AU options 4 (schedule the install) as of today. As far as I know, the new GPO “Specify deadlines for automatic updates and restarts” ignores the Configure Automatic Updates GPO with all the AU options (See https://learn.microsoft.com/en-us/windows/deployment/update/wufb-compliancedeadlines), so they can not be combined together. Question 1: Is it true? Do you have some up-to-date information about that? Reading through the update baselines https://www.microsoft.com/en-us/download/details.aspx?id=101056, as far as I can see, the Configure Automatic Updates GPO will be not supported in the future and some related GPO settings are not even recommended due to this reason because they might not work as intended. Question 2: Is it true? Do you have some up-to-date information about that what is still supported? Question 3: Do you know a deadline to deprecate the Configure Automatic Update GPO by Microsoft? (We are planning to have some scheduler settings to begin the installation of Windows Updates and as I can see, “Specify deadlines for automatic updates and restarts” can not do that (it can only schedule the restart) and Configure Automatic Update GPO seems to be moved out from support slowly.) I also checked this material but could not find a focused material for Windows Updates only, especially for servers: https://www.microsoft.com/en-us/download/details.aspx?id=55319 Question 4: Do you have where to find such a material for Windows Updates only or who to ask for them? (Mostly for Windows Server 2016, 2019 and 2022). Many thanks upfront for your answers.morningriseAug 28, 2023Copper Contributor841Views0likes0CommentsWindows 11 22H2, Server 2022 Baselines - CIS Level 1
Are the security baselines downloaded in the SCT "CIS Level 1"? I've used the Policy Analyzer to compare the group of baseline GPOs (all the ones in the \GPOs\ folder) to the 'current environment' using a freshly provisioned PC, and a Vm for sever 2022. The 'baseline' vs 'current state' comparison is helpful, but I'm wondering if I was to enable every gpo in the baseline column, does that get you CIS Level 1? MS does not seem to use the CIS terms in the documentation I've found.gregbJul 27, 2023Copper Contributor4.9KViews1like3CommentsSecurity Baseline for M365 Apps for enterprise May 2023 version
Is there any known issue with theSecurity Baseline for M365 Apps not applying? I have a customer who said it worked for a while and then stopped working. They had to do everything via configuration profiles. Apparently they also heard from other companies that this baseline stopped working suddenly.SLR_SJul 27, 2023Microsoft805Views0likes0CommentsCan we adjust security baseline in Automanage from Azure VM?
Hi ! We enabled the Automange -> Automanage Machine Configuration -> Enable security baseline After that we can see some guest assignment available Are we able to adjust / add/ remove those policies from AzureWindowsBaseline For example, if I can adjust the rule "Auto MPSSVC Rule-Level Policy Change" ? If it is possible, could you guide me how to change it? Thank you for the help.brusetaiJul 19, 2023Microsoft758Views0likes0Comments
Resources
Tags
- security baseline21 Topics
- windows11 Topics
- security11 Topics
- security compliance toolkit7 Topics
- compliance5 Topics
- microsoft 3653 Topics
- updates2 Topics
- guides2 Topics
- Microsoft Edge1 Topic
- final1 Topic