Recent Discussions
Does Microsoft have any scripts to create CIS-baselines for on-prem Windows Server images?
It appears that there are a bunch of CIS-hardened Virtual Machines available in Azure. https://azuremarketplace.microsoft.com/en-us/marketplace/apps?search=CIS&page=1&filters=partners%3Bpay-as-you-go We would also like to refine the creation of new Windows Server CIS images for data centers, but need an easier way to create them.
Solved · 35K views · 0 likes · 2 comments

Edge - Bypass HTTPS Warning Page
In the latest security baselines for Microsoft Edge v81, the setting "Allow users to proceed from the HTTPS warning page" is recommended to set as Disabled. Setting to Disabled prevents users from clicking through warning pages about invalid SSL certificates. With this setting in place, users are prevented from accessing sites with expired SSL certificates, often due to an administrator forgetting to renew it. This happens fairly often to sites/services on the Internet, which of course is something my company cannot control. For example, earlier this year https://www.theverge.com/2020/2/3/21120248/microsoft-teams-down-outage-certificate-issue-status. I can imagine this recommended setting has potential to cause a significant problem for organizations if users are unable to access a critical site because they are unable to bypass the SSL warning.

That leads me to a few questions:
- Given the risk of this setting blocking access to sites, why is this a recommended setting?
- Does Microsoft have this setting set to "Disabled" internally?
- Are any workarounds available for allowing bypass to specific sites, including when a certificate has expired?
- Some hotel Wi-Fi Internet access is only accessible after logging in via a captive portal page, which is sometimes hosted internally on RFC1918 private IP space and cannot have a valid public certificate. How would users access the portal in order to connect to the Internet? Would they need to add the Certificate Authority to their Trusted Roots?

I'm struggling to see how many companies could implement this setting without increasing the risk of an outage by being unable to access a critical site.
27K views · 3 likes · 2 comments

Your connection isn't private on edge after hardening plus no home page
Hi, We are in the process of setting up a policy for organizational users using Edge and GPO. We have had a few hiccups, two of which I would be happy for assistance with fixing. It's important that all the fixes are via the GPO settings (ADMX as of build 101 of Edge).

The first issue is that when the browser starts, we want it to open to our organizational portal, but it opens to "edge://newtab". We managed to set the home page (when you click the home icon) to our portal, but can't figure out how to get Edge to always open with our portal as the main page.

The second issue is even more problematic. On some external web sites, even those you would not expect to get it, we get a "Your connection isn't private" message (when trying to browse to "http://www.google.com", for example) and the internal error is "NET::ERR_CERT_NO_REVOCATION_MECHANISM". We don't have this issue with IE or Chrome to the same websites on the same ws's. And we don't have this issue with internal websites. Anyone have any idea why this is happening only on Edge and what the parameter is that could be causing this? Again, it does not happen on all web sites. Some web sites that give this error allow us to move forwards, while others like Google won't even allow that.

Would appreciate any help.
Mike
20K views · 0 likes · 7 comments
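
Editor's note, serving both the "Bypass HTTPS Warning Page" and the "connection isn't private / no home page" threads above. The following is an added example, not code from either poster or from Microsoft. It writes the relevant Edge policies straight into the HKLM policy hive that the Edge ADMX templates populate, so the values can be compared with what the GPO actually delivers (edge://policy shows the merged result). Assumptions: run from an elevated session; the installed Edge build supports the SSLErrorOverrideAllowedForOrigins policy, which is newer than the v81 baseline discussed in the first thread; every URL and address below is a placeholder.

```powershell
# Added example (not from the threads above): Edge policy values for
# (a) keeping the HTTPS warning page non-bypassable except for an explicit origin list and
# (b) opening a fixed portal URL on every launch, written to the HKLM policy hive.
# Assumptions: elevated session; Edge build supports SSLErrorOverrideAllowedForOrigins;
# all URLs are placeholders.

$edge = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
New-Item -Path $edge -Force | Out-Null

# Edge list-valued policies are stored as a subkey holding REG_SZ values named "1", "2", ...
function Set-EdgeListPolicy {
    param([string]$Name, [string[]]$Values)
    $key = Join-Path $edge $Name
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    New-Item -Path $key -Force | Out-Null
    for ($i = 0; $i -lt $Values.Count; $i++) {
        Set-ItemProperty -Path $key -Name ([string]($i + 1)) -Value $Values[$i] -Type String
    }
}

# (a) HTTPS warning page: keep the baseline's "Disabled" (0) and allow-list only known exceptions.
Set-ItemProperty -Path $edge -Name 'SSLErrorOverrideAllowed' -Value 0 -Type DWord
Set-EdgeListPolicy -Name 'SSLErrorOverrideAllowedForOrigins' -Values @(
    'https://portal.corp.example',   # placeholder: internal site issued by a private CA
    'https://10.0.0.1'               # placeholder: RFC1918 captive-portal style address
)

# (b) Always open the organisational portal on launch.
# RestoreOnStartup 4 = "open a list of URLs"; the list comes from RestoreOnStartupURLs.
Set-ItemProperty -Path $edge -Name 'RestoreOnStartup' -Value 4 -Type DWord
Set-EdgeListPolicy -Name 'RestoreOnStartupURLs' -Values @('https://portal.corp.example/')

# Read-back. RequireOnlineRevocationChecksForLocalAnchors = 1 makes Edge hard-fail a chain
# that ends in a locally installed root and offers no usable revocation source, which is
# the condition that surfaces as NET::ERR_CERT_NO_REVOCATION_MECHANISM; worth checking
# when that error shows up only on the hardened build.
Get-ItemProperty -Path $edge |
    Select-Object SSLErrorOverrideAllowed, RestoreOnStartup, RequireOnlineRevocationChecksForLocalAnchors
Get-ItemProperty -Path (Join-Path $edge 'SSLErrorOverrideAllowedForOrigins') |
    Select-Object -Property * -ExcludeProperty PS*
```

Two caveats a practitioner would want: an origin allow-list only helps for hosts you know in advance, so it covers the internal portal with a private CA but not an unknown hotel captive portal; and because these are machine policies, a user-set home page or start page is overridden, which is the intended effect for the second thread.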

MS Security Baselines vs CIS Benchmarks vs DoD STIGs
I am trying to understand the differences between these sources for secure configuration of a Windows 10 machine and why someone would choose one over the other. I figured I would ask the community if there is a good source I am overlooking before trying to sift through thousands of settings.
Solved · 18K views · 1 like · 1 comment

Policy Analyzer Command Line or any way to automate Policy Analyzer?
We are looking for a way to scan systems against a backup GPO in an automated fashion. The Policy Analyzer works great, but there doesn't seem to be a way to run it in an automated fashion. Are there any plans to offer this functionality? Or am I unaware of another tool or technique I should be using? Thank you.
Solved · 12K views · 2 likes · 7 comments

LGPO - SECEDIT.EXE exited with exit code 1
Hi, when I run this command:

    .\LGPO.exe /g "\\server\folder1\folder2\LGPO" /v

I get this error as part of my output:

    Apply security template: \\server\folder1\folder2\LGPO\DefaultPolicy_Backup\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf
    [[[ Security template log file output follows: C:\Users\Username\AppData\Local\Temp\GPTA2AC.tmp ]]]
    Access is denied.
    The task has completed with an error.
    SECEDIT.EXE exited with exit code 1

Any ideas what is going on?

Thanks,
Josh
Solved · 10K views · 1 like · 4 comments
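
Editor's note: the following is an added example, not code from the poster or from the Security Compliance Toolkit. It re-runs the same LGPO.exe /g import after removing two variables that commonly sit behind a secedit "Access is denied" (a non-elevated session, and a template read from a share rather than a local path), and, if the import still fails, calls secedit.exe directly on the GptTmpl.inf that LGPO reported, because secedit's own log is usually more specific than the one-line error. It assumes LGPO.exe lives in C:\Tools\LGPO and reuses the share path from the post; both are placeholders, and nothing here claims to be the cause of this particular failure.

```powershell
# Added example (not from the thread above): elevated, local-copy re-run of an LGPO.exe
# GPO-backup import, with the exit code captured and a direct secedit.exe reproduction.
# Assumptions: LGPO.exe path and backup share are placeholders; run on the target machine.

$lgpo      = 'C:\Tools\LGPO\LGPO.exe'                   # placeholder location of LGPO.exe
$backupUnc = '\\server\folder1\folder2\LGPO'            # share path from the post (placeholder)
$local     = Join-Path $env:TEMP 'LGPO-import'

# Applying a security template needs an elevated token; fail early if we do not have one.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Work from a local copy so share and NTFS permissions on the backup are out of the picture.
if (Test-Path $local) { Remove-Item -Path $local -Recurse -Force }
Copy-Item -Path $backupUnc -Destination $local -Recurse

# 1. Full verbose import, with output kept and the exit code captured instead of scrolled past.
$log = Join-Path $env:TEMP 'lgpo-import.log'
& $lgpo /g $local /v 2>&1 | Tee-Object -FilePath $log
$lgpoExit = $LASTEXITCODE

# 2. If it still fails, hand each GptTmpl.inf to secedit.exe ourselves. /db and /log are
#    scratch files in %TEMP%; /overwrite empties the database first; /quiet suppresses prompts.
if ($lgpoExit -ne 0) {
    Write-Warning "LGPO.exe exited with code $lgpoExit; full output in $log"
    $n = 0
    foreach ($inf in Get-ChildItem -Path $local -Recurse -Filter 'GptTmpl.inf') {
        $n++
        $db = Join-Path $env:TEMP "secedit-$n.sdb"
        $sl = Join-Path $env:TEMP "secedit-$n.log"
        secedit.exe /configure /db $db /cfg $inf.FullName /log $sl /overwrite /quiet
        "secedit exit code $LASTEXITCODE for $($inf.FullName)"
        # The secedit log names the section/setting it choked on; surface just those lines.
        Get-Content -Path $sl -ErrorAction SilentlyContinue | Select-String -Pattern 'error|denied'
    }
} else {
    'Import completed; gpresult /h report.html shows what the machine now has applied.'
}
```

If the direct secedit call succeeds on the same template while LGPO's did not, the difference is in how LGPO was launched (token, working directory, path) rather than in the template; if secedit also fails, its log points at the specific privilege or setting that was refused.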

User Logon Scripts Headache
Hello, I'm hardening a workstation in a workgroup environment, which means I have to rely on MDT, LGPO.exe and PowerShell scripts to achieve my goals - in an automated way of course. Sadly LGPO.exe does not support scripts, nor Group Policy Preferences. I have to use logon scripts, which wasn't hard on old OSes - just drop them into the appropriate "C:\Windows\System32\GroupPolicy\Scripts" subfolders on the target computer.

In Windows 10 this is a different story - you also need to add an ini file to those folders, as well as create registry keys - for machine scripts, stuff under "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Scripts". While it works for machine scripts, it fails for user scripts - I have tried with "HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\[SID]" registry hives without success - the error is "incorrect function" (the same I had for computer scripts until I configured all required registry keys). ProcMon detects some more updated keys when manually adding login scripts using gpedit.msc, however those seem to be created automatically by those above.

Did anyone manage to successfully add user logon/logoff scripts to a workstation preconfigured with LGPO? Could it be some kind of permissions issue instead?

Thanks
Solved · 9.6K views · 1 like · 8 comments

Security baseline with Hyper-V default switch
Continued from old TechNet blog discussion... Thanks Aaron Margosis. I've figured out what is preventing clipboard file copying. It is the GPO setting "Do not allow drive redirection" (Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection). Haven't figured out why applying the security baseline disables guest VM network connectivity through the "Default Switch" (automatically created on Client Hyper-V), but a solution is to connect guest VMs directly to the external network adapter using the "External Switch".

UPDATE: Network connectivity issues caused by GPO blocking local firewall rules (inbound allow rules are needed for Default Switch to work, see below discussion).
8.8K views · 1 like · 5 comments

Securing Group Policy Template and importing it to windows server 2016 Group Policy
Hi, I'm working on the Security Hardening of Windows Server 2016 according to [CIS Benchmark V 1.2.0][1]. For this I found a Security Compliance project from Microsoft which is [Microsoft Security Compliance Toolkit 1.0][2]. This project works on a preconfigured Group Policy for Member Server or Domain Controller and that group policy has a Hardened configuration that complies with the CIS Benchmark. Microsoft Security Compliance Toolkit 1.0 has some tools and configurations that can be installed from [here][3]. The main problem with this toolkit and its group policy configuration is they are not implementing all of the CIS Benchmark for Windows Server 2016, so I started working on my own Group Policy Template.

For building my Hardening Group Policy Template I started by taking a snapshot of my Windows Server 2016 so I can work on a system like the production one, then deploying the Hardened Group Policy that comes with the Toolkit (as a starting point), then checking every point from the CIS Benchmark document and reflecting the Recommended configuration in that Template Group Policy. After finishing some of those Security recommendations I took another snapshot of the production server and used the LGPO.exe tool (included in the toolkit) to import the Hardened Group Policy Template that I was working on and apply it to the new server snapshot.

After importing the Hardened Group Policy to the test server I started facing many problems when trying to log in to my administrator account, as seen in the photos:
1. After login, I receive this error, and if I log in again it doesn't occur again: https://drive.google.com/file/d/1emPuoTKajuUmTifi8sSirb1vUJIhi9sI/view?usp=sharing
2. After login sometimes the server hangs in the following state: https://drive.google.com/file/d/1Vp48d7sxdCfabs93IfRW10_T9xHo44R3/view?usp=sharing
3. I receive this error sometimes: https://drive.google.com/file/d/16BJEMn6OZAS8J5pTRFF4tGcFfGMAYRGN/view?usp=sharing
   Note that the previous errors occur sometimes and if you try to access the same thing again it works.
4. This occurs every time I log in to the account: https://drive.google.com/file/d/16W86tVTVgoo9amvhlsfCsmsMb-XMAFZl/view?usp=sharing

All of these errors started happening after deploying the Hardened Group Policy to the test server. Also I had another snapshot of the production server where I tried to do the same Security Recommendations manually, so I did the same Security Recommendations that I configured in the Group Policy and that caused all the previous errors, but this time manually, and everything was working as expected with no errors!!

So my issue is: what goes wrong with having a tool such as LGPO.exe (official Microsoft tool) that imports Group Policy GPO to the current Group Policy, and why I had all the previous issues when doing that, but when doing manual work it worked well? What is the best way to make a Secure Group Policy as per CIS Benchmark and export it, then import it to each Server you have? What is the best way of doing this?

Note:
1. I have only one admin user that I'm using during the work
2. my Win Server 2016 is a non-domain machine - stand alone

Thanks in advance

[1]: https://www.newnettechnologies.com/cis-benchmark.html?utm_campaign=Search+-+ROW+-+Quantity&utm_medium=ppc&utm_source=adwords&utm_term=&hsa_acc=2189148223&hsa_cam=134925607&hsa_grp=78721086889&hsa_src=g&hsa_tgt=dsa-688559004445&hsa_kw=&hsa_ad=361557470862&hsa_net=adwords&hsa_mt=b&hsa_ver=3&gclid=Cj0KCQjw3ZX4BRDmARIsAFYh7ZIAuQlReBpbGLHvKYCCQxq7QQrBYKgvrhxZu7tJne57NuBNQtT7gDIaAjDYEALw_wcB
[2]: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-compliance-toolkit-10
[3]: https://www.microsoft.com/en-us/download/details.aspx?id=55319
8.5K views · 0 likes · 1 comment

Guidance on multiple window 10 builds and baselines
Good Afternoon, I am wondering if anyone out there has some guidance on managing multiple baselines. Meaning, I have Windows 10 1803, 1809, 1903 and 1909 versions. What is the best way to manage baselines with multiple versions of Windows 10? The same question might apply to the Microsoft 365 suite as well as the Edge Browser (80, 81).
A. Do I have a baseline for each OS? (WMI filtering?)
B. Do I have a baseline for each with delta changes only?
C. Do I have a single baseline with deltas added for each version of Windows 10?
What are enterprises doing to manage this? Thanks
8.4K views · 1 like · 20 comments

Windows 10/11 22h2 Security Baseline missing in Intune
Hi, can you please enlighten me as to when the Windows 10/11 Security Baseline will be updated to 22H2? The current baseline is of November 2021. I am sure that there are new recommendations in the new baseline (Windows 10, version 22H2 Security baseline - Microsoft Community Hub) that would be helpful while managing Windows in a more modern way. As an example, currently missing is the 22H2 option "Allow Administrator account lockout" to manage it without the need of a GPO.

Explanation about redirection guard
Hello, I need some explanation about redirection guard. https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-printers#configureredirectionguardpolicy What is the additional protection if this setting is enabled? What kind of attacks are prevented? Regards.
Solved · 8K views · 0 likes · 1 comment

How can I safely implement required ldap signing?
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements

"If you configure the server to require LDAP signatures, you must also configure the client computers. If you do not configure the client devices, they cannot communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts."

Given this - how in the world can you safely implement this? It seems to me that unless everything is processed right at the same time - you're guaranteed to have some clients that cannot communicate to even get group policy anymore?
Solved · 7.9K views · 1 like · 7 comments
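
Editor's note: the following is an added example, not code from the poster or from Microsoft's documentation. It shows how a "require LDAP signing" rollout is normally staged so that the cutover the poster fears does not happen all at once: audit which clients still bind unsigned, fix those, and only then require signing on the domain controllers. Domain-joined Windows clients at the default "Negotiate signing" value already sign when a DC demands it, so the real blast radius is whatever the audit turns up (typically non-Windows LDAP clients and applications doing simple binds in clear text). Assumptions: run from an elevated session on a domain controller; the registry writes shown in comments stand in for the GPO settings named beside them, and in production the GPO is the right vehicle.

```powershell
# Added example (not from the thread above): stage a "require LDAP signing" rollout.
# Assumptions: elevated session on a DC; registry values in the comments mirror the named
# GPO settings and are shown for lab use only.

# 1. Raise "16 LDAP Interface Events" diagnostics to 2 so each unsigned SASL bind or
#    clear-text simple bind logs event 2889 (event 2887 is the daily summary logged by default).
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# 2. After a representative window (long enough to catch scheduled jobs that bind to AD),
#    summarise the offenders by client address and identity. Property order is taken from
#    the 2889 message text (client IP:port first, then the identity); confirm on one event
#    with "Format-List *" if your build lays it out differently.
function Get-UnsignedLdapBinds {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Client   = $_.Properties[0].Value
                Identity = $_.Properties[1].Value
            }
        } |
        Group-Object -Property Client, Identity |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}
Get-UnsignedLdapBinds -Hours 24 | Format-Table -AutoSize

# 3. Clients first. Per-host equivalent of "Network security: LDAP client signing
#    requirements" (1 = Negotiate signing, which is the Windows default; 2 = Require signing).
#    Raising clients before the DCs is safe: a Negotiate client simply starts signing.
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' -Name 'LDAPClientIntegrity' -Value 1 -Type DWord

# 4. Only when step 2 comes back empty, require signing on every DC in the same change
#    window. Mirrors "Domain controller: LDAP server signing requirements" = Require signing (2).
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name 'LDAPServerIntegrity' -Value 2 -Type DWord
```

The signing requirement does not apply to connections already protected by TLS (LDAPS or StartTLS), so an application that cannot sign can usually be moved to LDAPS instead of being left as an exception. Turn the diagnostics level back to 0 afterwards; at level 2 the Directory Service log fills quickly on a busy DC.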

Guidance on Domain Controller Virtualization Based Security and Defender Antivirus Baselines
Am I correct in assuming the 1909 - Domain Controller Virtualization Based Security should be targeting <only> my Domain Controllers running as Virtual Machines? Is the 1909 Defender Antivirus baseline only applicable for those companies using Windows/Microsoft Defender (and not a third party AV/Endpoint solution) or does it apply and play nicely with third party AV/Endpoint solutions?
7.5K views · 1 like · 8 comments

Any way to modify Security Baseline GPOs before we import them on target?
I am okay with 90% of the security baseline parameters to be applied on the system. However, the 10% I am not very comfortable with and would like to remove them from the GPOs/Baseline before actually applying this baseline on the target system. OS: Windows 10 IoT. Could anyone provide a way to achieve this?
Solved · 7.2K views · 1 like · 1 comment

MDM Security Baseline in "Conflict" (Tamper Protection blob)
Hi All, I am attempting to implement the security baseline via Endpoint Manager. I have configured a baseline profile and targeted a small group of 4 users. The dashboard shows that all 4 users have received the baseline, but are in conflict. When I check the profile settings, the setting in conflict is called "Tamper Protection Blob". I have done some searching and can't find what exactly that is or how to resolve it. Any insight would be awesome!
6.9K views · 0 likes · 3 comments

Microsoft Policy Analyzer not working
Hi all, every time I try to run the Policy Analyzer v.3.2.1803.28001 on my Win 10 1809 the tool fails to read the local registry or the local policy despite having local admin rights. Error message: "An error occurred while parsing EntityName. Line 156, position 82." Anybody else getting that message or any idea how to overcome it? Even if I log on with my admin account I get the same message. Thx & BR, Dan
Solved · 6.3K views · 0 likes · 4 comments

Windows 11 22H2, Server 2022 Baselines - CIS Level 1
Are the security baselines downloaded in the SCT "CIS Level 1"? I've used the Policy Analyzer to compare the group of baseline GPOs (all the ones in the \GPOs\ folder) to the 'current environment' using a freshly provisioned PC, and a VM for Server 2022. The 'baseline' vs 'current state' comparison is helpful, but I'm wondering if I was to enable every GPO in the baseline column, does that get you CIS Level 1? MS does not seem to use the CIS terms in the documentation I've found.
6.2K views · 1 like · 3 comments
Recent Blogs
- We have reviewed the new settings in Microsoft Edge version 140 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 139 security baselin... (Sep 09, 2025 · 255 views · 1 like · 1 comment)
- We have reviewed the settings in Microsoft Edge version 139 and updated our guidance with the addition of one setting and the removal of one setting. A new Microsoft Edge security baseline package wa... (Aug 07, 2025 · 1.6K views · 3 likes · 3 comments)