Recent Discussions
Windows 10/11 22h2 Security Baseline missing in Intune
Hi, can you please enlighten us as to when the Windows 10/11 Security Baseline will be updated to 22H2? The current baseline is from November 2021, and I am sure there are new recommendations in the new baseline (Windows 10, version 22H2 Security baseline - Microsoft Community Hub) that would be helpful while managing Windows in a more modern way. As an example, the 22H2 option "Allow Administrator account lockout" is currently missing, so it cannot be managed without the need of a GPO.

Guidance on multiple Windows 10 builds and baselines
Good afternoon, I am wondering if anyone out there has some guidance on managing multiple baselines. Meaning, I have Windows 10 1803, 1809, 1903 and 1909 versions. What is the best way to manage baselines with multiple versions of Windows 10? The same question might apply to the Microsoft 365 suite as well as the Edge browser (80, 81).
A. Do I have a baseline for each OS? (WMI filtering?)
B. Do I have a baseline for each with delta changes only?
C. Do I have a single baseline with deltas added for each version of Windows 10?
What are enterprises doing to manage this? Thanks

Microsoft Policy Analyzer 4.0 crashes after applying April updates
Good morning community!! After applying the security/.NET patches for April, Policy Analyzer is not working anymore. The details show:

See the end of this message for details on invoking just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
Deleted because the system does not permit publishing it

************** Loaded Assemblies **************
mscorlib
Assembly Version: 4.0.0.0
Win32 Version: 4.8.9032.0 built by: NET481REL1
CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll
----------------------------------------
PolicyAnalyzer
Assembly Version: 4.0.2004.13001
Win32 Version: 4.0.2004.13001
CodeBase: file:///C:/Personal/PolicyAnalyzer/PolicyAnalyzer/PolicyAnalyzer_40/PolicyAnalyzer.exe
----------------------------------------
System.Windows.Forms
Assembly Version: 4.0.0.0
Win32 Version: 4.8.9032.0 built by: NET481REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System
Assembly Version: 4.0.0.0
Win32 Version: 4.8.9032.0 built by: NET481REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Drawing
Assembly Version: 4.0.0.0
Win32 Version: 4.8.9032.0 built by: NET481REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Configuration
Assembly Version: 4.0.0.0
Win32 Version: 4.8.9032.0 built by: NET481REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Xml
Assembly Version: 4.0.0.0
Win32 Version: 4.8.9032.0 built by: NET481REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
Accessibility
Assembly Version: 4.0.0.0
Win32 Version: 4.8.9032.0 built by: NET481REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Accessibility/v4.0_4.0.0.0__b03f5f7f11d50a3a/Accessibility.dll
----------------------------------------
System.Core
Assembly Version: 4.0.0.0
Win32 Version: 4.8.9032.0 built by: NET481REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll
----------------------------------------

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this application or computer (machine.config) must have the jitDebugging value set in the system.windows.forms section. The application must also be compiled with debugging enabled.

For example:

<configuration>
<system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception will be sent to the JIT debugger registered on the computer rather than be handled by this dialog box.

It was working fine before the patches were applied. I tried to uninstall the patches, but the error still remains. Any clue to fix this? Thank you!!

Microsoft Security Compliance Toolkit 1.0 - Script File for 2012 R2
My customer is looking for the local script files for Microsoft Security Compliance Toolkit 1.0, which are missing. These are available for Windows 2016 and up but not for Windows 2012 R2. If you can tell me where I can get the local scripts, that would be greatly appreciated.

Policy Analyzer showing incorrect values
Today I created a backup of my group policy objects and compared them to Microsoft's baselines. But the GPO backup seems to be displaying the wrong values in Policy Analyzer. As seen in the picture on the left, the policy settings RestrictAnonymous and RestrictAnonymousSam are set to 0 according to my GPO backup. Both of these say the Default Domain Policy is setting them to 0. But when I open up the Default Domain Policy on the right, you can see that these values are both set to 1. I have tried three times now to back up and re-import the GPO into Policy Analyzer, but the values are still appearing incorrectly. These are not the only values this is happening to. I noticed some of the values are grayed out when they actually have been set.

UAC elevation prompt for standard users
The "MSFT Windows 10 21H2 - Computer" baseline has the following setting recommendation:
Policy: User Account Control: Behavior of the elevation prompt for standard users
Setting: Automatically deny elevation requests
How do I provide support if I need to install software that requires Run as Administrator permissions? Will I need to switch user to the Administrator and install the software?

Beginner Question - Why is there a baseline for every version and type?
Hi everyone, I am currently double-checking my settings against the baseline (2012R2 DC) and I am just curious why there is not one "DC baseline". There may be new features incoming with each new server OS, but if I configure it on a Win2kR2 DC it will just be ignored, as there is no program that will read this reg key. Same with Win10: if the newest security setting is out but only affects 1909+, the older OS will ignore it. So, bottom line, I do not understand why it is separated by OS instead of just by the roles (member server, DC, client, ...). I would assign the newest baseline for the domain controller to the OU "Domain Controllers" without the WMI filter. In my understanding that cannot break anything because of the older OS in this OU? Best regards, Stephan

I can't update Microsoft Security Compliance Manager after I installed it
Hi everyone, hope you can help. I'm trying to use Microsoft Security Compliance Manager, but after I installed it, I can't update it. It says "please check your internet connection, the remote server return an error (404)". I have an internet connection, no problem, but this error keeps on and on and I can't update. Thanks.

Baseline throws a silent error. Suggestion for a quick fix in BaselineLocalInstall.ps1
Hi, the BaselineLocalInstall.ps1 in SCT 1.0 for Server 2019 throws a silent error under certain circumstances that is added to the error variable. Responsible is line 147:

if ($null -eq (Get-Command LGPO.exe -ErrorAction SilentlyContinue))

When the script runs successfully, this is the only error in $Error. Since $Error is currently the only way to check whether the baseline script ran successfully or not, this causes an issue. The fix is simple, however. Please replace the error action with Ignore:

if ($null -eq (Get-Command LGPO.exe -ErrorAction Ignore))

This acts like SilentlyContinue but does not add the error to the $Error variable, and if the script ran successfully $Error will be empty.

Guidance on Domain Controller Virtualization Based Security and Defender Antivirus Baselines
Am I correct in assuming the "1909 - Domain Controller Virtualization Based Security" baseline should be targeting <only> my Domain Controllers running as virtual machines? Is the 1909 Defender Antivirus baseline only applicable for those companies using Windows/Microsoft Defender (and not a third-party AV/endpoint solution), or does it apply and play nicely with third-party AV/endpoint solutions?

User Logon Scripts Headache
Hello, I'm hardening a workstation in a workgroup environment, which means I have to rely on MDT, LGPO.exe and PowerShell scripts to achieve my goals, in an automated way of course. Sadly LGPO.exe does not support scripts, nor Group Policy Preferences. I have to use logon scripts, which wasn't hard on old OSes: just drop them into the appropriate "C:\Windows\System32\GroupPolicy\Scripts" subfolders on the target computer. In Windows 10 this is a different story: you also need to add an ini file to those folders, as well as create registry keys; for machine scripts, stuff under "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Scripts". While it works for machine scripts, it fails for user scripts. I have tried with the "HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\[SID]" registry hives without success; the error is "incorrect function" (the same I had for computer scripts until I configured all required registry keys). ProcMon detects some more updated keys when manually adding login scripts using gpedit.msc, however those seem to be created automatically by those above. Did anyone manage to successfully add user logon/logoff scripts to a workstation preconfigured with LGPO? Could it be some kind of permissions issue instead? Thanks

How can I safely implement required LDAP signing?
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements "If you configure the server to require LDAP signatures, you must also configure the client computers. If you do not configure the client devices, they cannot communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts." Given this, how in the world can you safely implement this? It seems to me that unless everything is processed at exactly the same time, you're guaranteed to have some clients that cannot communicate to even get Group Policy anymore?

Policy Analyzer Command Line or any way to automate Policy Analyzer?
We are looking for a way to scan systems against a backup GPO in an automated fashion. Policy Analyzer works great, but there doesn't seem to be a way to run it in an automated fashion. Are there any plans to offer this functionality? Or am I unaware of another tool or technique I should be using? Thank you.

Your connection isn't private on Edge after hardening plus no home page
Hi, we are in the process of setting up a policy for organizational users using Edge and GPO. We have had a few hiccups, two of which I would be happy for assistance with fixing. It's important that all the fixes are via the GPO settings (ADMX as of build 101 of Edge). The first issue is that when the browser starts, we want it to open to our organizational portal, but it opens to "edge://newtab". We managed to set the home page (when you click the home icon) to our portal, but can't figure out how to get Edge to always open with our portal as the main page. The second issue is even more problematic. On some external web sites, even those you would not expect to get it on, we get a "Your connection isn't private" message (when trying to browse to "http://www.google.com", for example), and the internal error is "NET::ERR_CERT_NO_REVOCATION_MECHANISM". We don't have this issue with IE or Chrome to the same websites on the same workstations, and we don't have this issue with internal websites. Does anyone have any idea why this is happening only on Edge and what parameter could be causing this? Again, it does not happen on all web sites. Some web sites that give this error allow us to move forward, while others like Google won't even allow that. Would appreciate any help. Mike

Question Regarding Server 2022 Domain & Controller MSCT baselines
I have a basic 'newbie' question regarding the MSCT baselines. I see the GPO for 'MSFT Windows Server 2022 - Domain Controller' and also 'MSFT Windows Server 2022 - Member Server'. I just want to confirm that we should only apply the 'MSFT Windows Server 2022 - Domain Controller' policies to our DCs, and not the Member Server policies as well. While this seems obvious, I just want to make sure.

How to integrate Security baseline settings in my Windows 10 laptop
Hi, I ran Policy Analyzer with the GPOs imported. I can see grey and yellow cells highlighted. How do I incorporate the baseline settings into my laptop? I cannot find local group policy management on my Windows 10 version 21H1 laptop. Thank you!
Recent Blogs
- We have reviewed the new settings in Microsoft Edge version 140 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 139 security baselin... (Sep 09, 2025)
- We have reviewed the settings in Microsoft Edge version 139 and updated our guidance with the addition of one setting and the removal of one setting. A new Microsoft Edge security baseline package wa... (Aug 07, 2025)