Recent Discussions
DSC SecurityPolicyDsc: "Could not infer CimType from the provided .NET object"
Hello Everyone,

I'm encountering a persistent issue while applying security baseline settings using the SecurityPolicyDsc module on Windows Server 2022. Despite providing valid settings (like Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only = 'Enabled'), the DSC execution fails with the following error:

Could not infer CimType from the provided .NET object. The PowerShell DSC resource '[SecurityOption]LimitBlankPasswords' with SourceInfo '<file path>::SecurityOption' threw one or more non-terminating errors while running the Test-TargetResource functionality.

What I've done so far:
- Verified the syntax and parameters using only one setting at a time
- Downgraded SecurityPolicyDsc to 2.9.0.0 (as 2.10.0.0 has known CimType issues)
- Confirmed MSFT_SecurityOption.schema.mof exists in the module directory
- Ensured no null or invalid values are passed
- Used explicit paths in Start-DscConfiguration
- Ran under PowerShell 5.1 on Windows Server 2022 (Azure VM, domain-joined)

Despite all this, the error persists — even for a minimal configuration like:

    Configuration SecurityTest {
        Import-DscResource -ModuleName 'SecurityPolicyDsc'
        Node 'localhost' {
            SecurityOption LimitBlankPasswords {
                Name = 'LimitBlankPasswords'
                Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only = 'Enabled'
            }
        }
    }
    SecurityTest -OutputPath "C:\Temp\SecurityTest"
    Start-DscConfiguration -Path "C:\Temp\SecurityTest" -Wait -Verbose -Force

Any guidance or workarounds would be greatly appreciated. If there’s a known fix or update planned for SecurityPolicyDsc, I’d be happy to test that as well.

Thanks in advance!
78 Views, 0 likes, 0 Comments

Edge Security Baseline v128 - Dynamic Code Setting
Cross-posted this in the announcement for v128 and the review of v134... Enabling the Dynamic Code Settings "Enabled:Prevent the browser process from creating dynamic code" breaks printing to network printers in Active Directory. Edge tries to generate the print preview page, and hangs.
158 Views, 0 likes, 0 Comments

Edge security baseline for MS Edge management service
Hello,

Do you plan and when to release directly the security baseline for Edge as a configuration profile to be imported into Microsoft Edge management service?

Thanks and regards
62 Views, 0 likes, 0 Comments

DSC Error for 2022 Security Baseline
Hello Everyone,

I am trying to find out more about this error but no luck... I have converted the GPOs to DSC for Windows Server 2022 - Member Server using Windows Server-2022-Security-Baseline-FINAL and have applied it to a test VM which is currently domain joined. Initially I was getting too many DSC errors, so I tried to narrow down and do a small batch of configurations, and I still get the same error with the following message:

DSC Error : Could not infer CimType from the provided .NET object. The PowerShell DSC resource '[SecurityOption]SecuritySetting(INF): LSAAnonymousNameLookup' with SourceInfo 'C:\onedsc\PasswordComplexityConfig.ps1::33::9::SecurityOption' threw one or more non-terminating errors while running the Test-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details. Could not infer CimType from the provided .NET object.

Does anyone have any insight into what could be wrong here, and how do I go about correcting it?

Thanks
100 Views, 0 likes, 0 Comments

Security Baseline for M365 Apps for enterprise May 2023 version
Is there any known issue with the Security Baseline for M365 Apps not applying? I have a customer who said it worked for a while and then stopped working. They had to do everything via configuration profiles. Apparently they also heard from other companies that this baseline stopped working suddenly.
844 Views, 0 likes, 0 Comments

Exploit Prevention Blocking EXE files
My environment is having an issue where exe files are being blocked when executed via a remote share. It appears Exploit Prevention is blocking but it does not happen for every user. I have placed an exclusion using Set-ProcessMitigation -Name filename.exe -Disable BlockRemoteImageLoads and the issues still persist. We do not use Defender for Endpoint as a solution and are not managing Exploit Guard policy via GPO, SCCM, or InTune. Also I have verified the process mitigation is disabled using PowerShell.

    ImageLoad:
        BlockRemoteImageLoads : OFF
        AuditRemoteImageLoads : NOTSET
        Override BlockRemoteImages : False
        BlockLowLabelImageLoads : OFF
        AuditLowLabelImageLoads : NOTSET
        Override BlockLowLabel : False
        PreferSystem32 : NOTSET
        AuditPreferSystem32 : NOTSET
        Override PreferSystem32 : False

This randomly started a few days ago and I'm at a loss for how to move forward and why this occurred all of a sudden.
1K Views, 0 likes, 0 Comments

collecting activity logs via API for security
Hello Everyone!

We are planning to collect MCAS activity event logs for security monitoring via API for applications we connected (O365, Azure, Workday, Salesforce, Service Now, Docusign). Can you please share information about best practices, playbooks or guides regarding this scenario? Or if you have experience in similar cases, I'll be thankful for information 🙂
1.1K Views, 0 likes, 0 Comments

MSCT script domain-joined doesn't create registry
I have a scenario where I run the NonDomainJoined script and it changes the records and creates the ones that are not there, and verifying it with a vulnerability tool, I see >95% compliance. When this same machine I add it to the domain and run the DomainJoined script and checking it again with the tool I have a 25%< compliance, using the PolicyAnalyzer I notice that the records are not being generated, only the ones that are already there are being modified.

Do you know how I could verify if any security policy is affecting me? I am not the domain administrator and I would like to understand how a security policy could affect me and identify which one it could be. I did the test of creating a domain and putting a computer in it, to verify that some of the default policies could affect the operation, but not.

Regards
811 Views, 0 likes, 0 Comments

Secure Environment (PAW) for IaC Coders or Azure Management with minimum compromise on security
Hi All,

I followed the Guidelines from Microsoft on how to create a PAW with Intune for extremely exposed Accounts e.g., working on Tier 0 etc. Talking Hybrid now.

Issues we currently see are in the following Areas: PAW itself is very locked down, using the Privilege Scripts and Profiles for Intune provided by Microsoft on Github (2020), which is by design. No Admin rights mean even if you deploy for e.g., VS Code via Intune as System installer (could not deploy user installer successfully via Company Portal) no one using it can actually run Program Updates etc. Also installing add-ins e.g., Bicep will be an issue. Same goes for PowerShell if you need additional Modules to install. In addition, App Locker and Controlled Folder Access make it near impossible to use PowerShell efficiently.

Now my Questions:
1. What is a good Option for Admins that need to manage System and Services with PowerShell and IaC?
2. Do we need to deploy Enterprise or Specialized hardenings and forget about delivering them Physical PAWs hardened like MS does?
3. Is LAPS an option to overcome the no-admin gap for the Issues mentioned above?
4. Would you suggest using the Locked Down PAW only as Jump host, not working on it at all? If so, how can you secure the Jump Server as much to keep the End-to-end security high for T0?
5. I think if somebody can change and update code for a whole Landing Zone in Azure this should be categorized as T0, don't you think?

I verified a lot of Community Projects and MVP Blogs but the Topics above I feel lack a bit of explanation. Would be great if somebody could give me some Ideas about how to do this for the necessary Admin Profiles to have some form of productivity experience while keeping as high a security baseline as possible.

BR Ueli
1.4K Views, 0 likes, 0 Comments

can lgpo harden audit, permissions and more
Hi,

Can Lgpo.exe implement the whole Windows baseline? (not only the GPO demands, but registry, audit and more) What are the different GPO folders mentioned in the GPO folder of LGPO?

Thank you
1.1K Views, 0 likes, 0 Comments

Command prompt password showing and correct
The lock screen on my PC is showing "your pin is no longer available due to a change to the security settings on this device, click to set up your pin again", and when I am clicking on set up your pin I am again redirected to the lock screen and nothing happens. When I tried using the advanced option to troubleshoot the problem, the command prompt was asking for a password, for which I entered passwords, this word showing incorrect, and I had entered all passwords that I could recall. So what to do now? Please help me.
1K Views, 0 likes, 0 Comments

Dashboards for SCT
Hello and greetings from Portugal!

I'm trying to find some kind of free tool that allows me to add MSFT Security Baseline files, run it against a machine and get some kind of dashboard about the differences between them. Does anyone know something similar?

Best regards, Diogo Sousa
852 Views, 1 like, 0 Comments

Intent behind configuring Network Protection but not enabling it in Windows Server Baselines
What is the intent behind the following two settings in the Windows Server 2019/2022 Baseline:

- Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection
  Prevent users and apps from accessing dangerous websites: Block
- Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection
  This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server.

In Windows Server Network Protection is not enabled by default, so when the 2nd setting is left to unconfigured the first setting cannot and does not work. Why configure it then?
870 Views, 0 likes, 0 Comments

Security Baselines in Intune - how to monitor?
Hello and greetings from Portugal!

I'm starting to take a look at Security Baselines in MEM. I've already created a profile, and started testing configuration, but... what I wanted to know is if there's any way to create a profile, assign that profile and that, instead of changing settings, just get a report about what my machine has configured and what's the correct config for the security baseline. Is that possible?

Best regards, Diogo Sousa
902 Views, 1 like, 0 Comments

Unable to parse policies with RTLO characters (U+202e)
If I try to parse a policy from registry.pol with an RTLO character (U+202e), in my case, from an AppLocker rule, to screen, it breaks. Also happens if I redirect to a text file.
843 Views, 0 likes, 0 Comments

Unable to Create Import Configuration Data - SCCM DCM (.CAB) Files
Respected,

Unable to Create "Import Configuration Data" - SCCM DCM (.CAB) File for SCCM. Like to import CIS baseline of Windows 2016 in SCCM under Configuration Baselines\Configuration Items using an option called "Import Configuration Data".

Unable to find a matching tool like SCM, where I can import GPO and export as SCCM DCM (CAB) File. The same file can be imported in SCCM under Configuration Items/Configuration Baselines. Can use them for bulk deployment & Run compliance scans.

My requirement is: CIS Baselines need to import into SCCM & Run detailed Baseline reports.
1.1K Views, 0 likes, 0 Comments

Edge Baseline for Computer Settings Only?
Thank you for your work providing the Edge baselines as part of the Security Compliance Toolkit. I notice in the zip the computer baseline is provided for import, but not a user one, as with other baselines MS supply. How come there is no user baseline?
1.1K Views, 1 like, 0 Comments

Why o365 can't sysprep in a wim?
I did all kinds of sysprep tests about o365. (I see the mdt+sequence like image+o365 setup command can deploy it well, but I cannot sysprep in an image file). The result is that sysprep is a success (capture is also well), but can not install or dism this wim file. Something wrong about o365 file can not rollback or restore. I see the setuperr log, it displayed an o365 dll named "AppvIsvSubsystems32.dll" can not amount like that.

    2020-07-03 14:26:30, Error [0x0b0043] WDS SelectImage: No images matched the specified criteria.[gle=0x00000002]
    2020-07-03 14:26:30, Error [0x0b0049] WDS CallBack_WdsClient_ConnectToImageStore: Error processing unattended image selection. Error [0x80070002][gle=0x00000002]
    2020-07-03 14:49:25, Error [0x0600af] IBS ApplyWIMCallback: Error applying C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\AppvIsvSubsystems32.dll. GLE [4392][gle=0x00001128]
    2020-07-03 14:49:26, Error [0x0606cc] IBS WIMApplyImage failed; hr = 0x80071128[gle=0x00001128]
    2020-07-03 14:49:26, Error [0x0600a1] IBS DeployImage:Image application failed; hr = 0x80071128[gle=0x00000057]
    2020-07-03 14:49:26, Error [0x060082] IBS Callback_ImageTransfer:Failed to lay down the OS image; hr = 0x80071128[gle=0x00000057]

1.1K Views, 0 likes, 0 Comments
Recent Blogs
- We have reviewed the new settings in Microsoft Edge version 140 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 139 security baselin...
  Sep 09, 2025, 329 Views, 1 like, 1 Comment
- We have reviewed the settings in Microsoft Edge version 139 and updated our guidance with the addition of one setting and the removal of one setting. A new Microsoft Edge security baseline package wa...
  Aug 07, 2025, 1.6K Views, 3 likes, 3 Comments