Latest Discussions
[Updates] GPOs Configure Automatic Updates vs. Specify deadlines for automatic updates and restarts
Dear all, we have about 500 Windows servers in our Standalone WSUS environment. I would like to change local GPOs for the (new) non-AD-members, so the compliance related to Windows Updates is improving. Mostly we are using GPO Configure Automatic Updates with AU options 4 (schedule the install) as of today.

As far as I know, the new GPO “Specify deadlines for automatic updates and restarts” ignores the Configure Automatic Updates GPO with all the AU options (see https://learn.microsoft.com/en-us/windows/deployment/update/wufb-compliancedeadlines), so they cannot be combined together.

Question 1: Is it true? Do you have some up-to-date information about that?

Reading through the update baselines https://www.microsoft.com/en-us/download/details.aspx?id=101056, as far as I can see, the Configure Automatic Updates GPO will not be supported in the future and some related GPO settings are not even recommended for this reason because they might not work as intended.

Question 2: Is it true? Do you have some up-to-date information about what is still supported?

Question 3: Do you know a deadline to deprecate the Configure Automatic Update GPO by Microsoft? (We are planning to have some scheduler settings to begin the installation of Windows Updates and as I can see, “Specify deadlines for automatic updates and restarts” cannot do that (it can only schedule the restart) and Configure Automatic Update GPO seems to be moved out from support slowly.)

I also checked this material but could not find focused material for Windows Updates only, especially for servers: https://www.microsoft.com/en-us/download/details.aspx?id=55319

Question 4: Do you know where to find such material for Windows Updates only or whom to ask for it? (Mostly for Windows Server 2016, 2019 and 2022.)

Many thanks upfront for your answers.

morningrise | Aug 28, 2023 | Copper Contributor | 841 Views | 0 likes | 0 Comments

Security Baseline for M365 Apps for enterprise May 2023 version
Is there any known issue with the Security Baseline for M365 Apps not applying? I have a customer who said it worked for a while and then stopped working. They had to do everything via configuration profiles. Apparently they also heard from other companies that this baseline stopped working suddenly.

SLR_S | Jul 27, 2023 | Microsoft | 805 Views | 0 likes | 0 Comments

Can we adjust security baseline in Automanage from Azure VM?
Hi! We enabled Automanage -> Automanage Machine Configuration -> Enable security baseline. After that we can see some guest assignments available. Are we able to adjust / add / remove those policies from AzureWindowsBaseline? For example, can I adjust the rule "Auto MPSSVC Rule-Level Policy Change"? If it is possible, could you guide me how to change it? Thank you for the help.

brusetai | Jul 19, 2023 | Microsoft | 758 Views | 0 likes | 0 Comments

Exploit Prevention Blocking EXE files
My environment is having an issue where exe files are being blocked when executed via a remote share. It appears Exploit Prevention is blocking them, but it does not happen for every user. I have placed an exclusion using Set-ProcessMitigation -Name filename.exe -Disable BlockRemoteImageLoads and the issues still persist. We do not use Defender for Endpoint as a solution and are not managing Exploit Guard policy via GPO, SCCM, or InTune. Also I have verified the process mitigation is disabled using PowerShell.

ImageLoad:
    BlockRemoteImageLoads : OFF
    AuditRemoteImageLoads : NOTSET
    Override BlockRemoteImages : False
    BlockLowLabelImageLoads : OFF
    AuditLowLabelImageLoads : NOTSET
    Override BlockLowLabel : False
    PreferSystem32 : NOTSET
    AuditPreferSystem32 : NOTSET
    Override PreferSystem32 : False

This randomly started a few days ago and I'm at a loss for how to move forward and why this occurred all of a sudden.

BinTN42 | Jul 02, 2023 | Copper Contributor | 960 Views | 0 likes | 0 Comments

RBI Guidelines
Does Microsoft provide any inbuilt initiative like ASB or CIS for RBI (Reserve Bank of India) Guidelines?

Chandrasekhar_Arya | May 29, 2023 | Steel Contributor | 902 Views | 0 likes | 0 Comments

collecting activity logs via API for security
Hello Everyone! We are planning to collect MCAS activity event logs for security monitoring via API for applications we connected (O365, Azure, Workday, Salesforce, Service Now, Docusign). Can you please share information about best practices, playbooks or guides regarding this scenario? Or if you have experience in similar cases, I'll be thankful for information 🙂

FarhadGooseynov | Dec 15, 2022 | Copper Contributor | 1K Views | 0 likes | 0 Comments

MSCT script domain-joined doesn't create registry
I have a scenario where I run the NonDomainJoined script and it changes the records and creates the ones that are not there, and verifying it with a vulnerability tool, I see >95% compliance. When I add this same machine to the domain, run the DomainJoined script and check it again with the tool, I have 25%< compliance. Using the PolicyAnalyzer I notice that the records are not being generated; only the ones that are already there are being modified.

Do you know how I could verify if any security policy is affecting me? I am not the domain administrator and I would like to understand how a security policy could affect me and identify which one it could be.

I did the test of creating a domain and putting a computer in it, to verify whether some of the default policies could affect the operation, but they did not.

Regards

trolluiz | Oct 18, 2022 | Copper Contributor | 782 Views | 0 likes | 0 Comments

Secure Environment (PAW) for IaC Coders or Azure Management with minimum compromise on security
Hi All, I followed the Guidelines from Microsoft on how to create a PAW with Intune for extremely exposed Accounts, e.g., working on Tier 0 etc. Talking Hybrid now.

Issues we currently see are in the following Areas: PAW itself is very locked down, using the Privilege Scripts and Profiles for Intune provided by Microsoft on Github (2020), which is by design. No Admin rights mean even if you deploy, e.g., VS Code via Intune as System installer (could not deploy user installer successfully via Company Portal), no one using it can actually run Program Updates etc. Also installing add-ins, e.g., Bicep, will be an issue. Same goes for PowerShell if you need additional Modules to install. In addition, App Locker and Controlled Folder Access make it near impossible to use PowerShell efficiently.

Now my Questions: 1. What is a good Option for Admins that need to manage System and Services with PowerShell and IaC? Do we need to deploy Enterprise or Specialized hardenings and forget about delivering them Physical PAWs hardened like MS does? Is LAPS an option to overcome the no-admin gap for the Issues mentioned above? Would you suggest using the Locked Down PAW only as Jump host, not working on it at all? If so, how can you secure the Jump Server as much as possible to keep the End-to-end security high for T0? I think if somebody can change and update code for a whole Landing Zone in Azure this should be categorized as T0, don't you think?

I verified a lot of Community Projects and MVP Blogs but the Topics above I feel lack a bit of explanation. Would be great if somebody could give me some Ideas about how to do this for the necessary Admin Profiles to have some form of productivity experience while keeping as high a security baseline as possible.

BR Ueli

UeliZimmermann | Oct 12, 2022 | Copper Contributor | 1.3K Views | 0 likes | 0 Comments