Recent Discussions
Microsoft Policy Analyzer 4.0 crashes after apply April updates
Good morning community!! After applying the April security/.NET patches, Policy Analyzer is not working anymore. Under Details:

See the end of this message for details on invoking just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
Deleted because the system does not permit publishing it

************** Loaded Assemblies **************
mscorlib
Assembly Version: 4.0.0.0
Win32 Version: 4.8.9032.0 built by: NET481REL1
CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll
----------------------------------------
PolicyAnalyzer
Assembly Version: 4.0.2004.13001
Win32 Version: 4.0.2004.13001
CodeBase: file:///C:/Personal/PolicyAnalyzer/PolicyAnalyzer/PolicyAnalyzer_40/PolicyAnalyzer.exe
----------------------------------------
System.Windows.Forms
Assembly Version: 4.0.0.0
Win32 Version: 4.8.9032.0 built by: NET481REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System
Assembly Version: 4.0.0.0
Win32 Version: 4.8.9032.0 built by: NET481REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Drawing
Assembly Version: 4.0.0.0
Win32 Version: 4.8.9032.0 built by: NET481REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Configuration
Assembly Version: 4.0.0.0
Win32 Version: 4.8.9032.0 built by: NET481REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Xml
Assembly Version: 4.0.0.0
Win32 Version: 4.8.9032.0 built by: NET481REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
Accessibility
Assembly Version: 4.0.0.0
Win32 Version: 4.8.9032.0 built by: NET481REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Accessibility/v4.0_4.0.0.0__b03f5f7f11d50a3a/Accessibility.dll
----------------------------------------
System.Core
Assembly Version: 4.0.0.0
Win32 Version: 4.8.9032.0 built by: NET481REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll
----------------------------------------

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this application or computer (machine.config) must have the jitDebugging value set in the system.windows.forms section. The application must also be compiled with debugging enabled.

For example:

<configuration>
<system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception will be sent to the JIT debugger registered on the computer rather than be handled by this dialog box.

It was working fine before the patches were applied. I tried to uninstall the patches, but the error still remains. Any clue to fix this? Thank you!!

Solved · 1.9K Views · 1 like · 18 Comments

Security Baseline for Server 2025 is missing ADMX/ADML files?
I imported the new "Windows Server 2025 Security Baseline" into our AD using Baseline-ADImport.ps1. Not a problem. From the "Templates" folder, I copied the SecGuide.admx and MSS-Legacy.admx files, along with the en-US folder, to our central store in SYSVOL, as normal (backed up the files I replaced first). When checking the GPOs in Group Policy Management, though, I see a lot of "Extra Registry Settings", which would indicate that it's missing an admx/adml file or similar. I've verified that neither of the included files I copied includes anything about the missing registry settings. For MSFT Windows Server 2025 - Member Server, there is a whole list of Extra Registry Settings. What am I missing here?

Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\PKINITHashAlgorithmConfigurationEnabled 1
Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\PKINITSHA1 1
Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\PKINITSHA256 3
Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\PKINITSHA384 3
Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\PKINITSHA512 3
Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\PKInitHashAlgorithmConfigurationEnabled 1
Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\PKInitSHA1 1
Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\PKInitSHA256 3
Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\PKInitSHA384 3
Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\PKInitSHA512 3
Software\Policies\Microsoft\Windows NT\Printers\RPC\ForceKerberosForRpc 0
Software\Policies\Microsoft\Windows NT\Printers\RPC\RpcProtocols 5
Software\Policies\Microsoft\Windows\Bowser\EnableMailslots 0
Software\Policies\Microsoft\Windows\LanmanServer\AuditClientDoesNotSupportEncryption 1
Software\Policies\Microsoft\Windows\LanmanServer\AuditClientDoesNotSupportSigning 1
Software\Policies\Microsoft\Windows\LanmanServer\AuditInsecureGuestLogon 1
Software\Policies\Microsoft\Windows\LanmanServer\EnableAuthRateLimiter 1
Software\Policies\Microsoft\Windows\LanmanServer\InvalidAuthenticationDelayTimeInMs 2000
Software\Policies\Microsoft\Windows\LanmanServer\MinSmb2Dialect 768
Software\Policies\Microsoft\Windows\LanmanWorkstation\AuditInsecureGuestLogon 1
Software\Policies\Microsoft\Windows\LanmanWorkstation\AuditServerDoesNotSupportEncryption 1
Software\Policies\Microsoft\Windows\LanmanWorkstation\AuditServerDoesNotSupportSigning 1
Software\Policies\Microsoft\Windows\LanmanWorkstation\MinSmb2Dialect 768
Software\Policies\Microsoft\Windows\NetworkProvider\EnableMailslots 0
Software\Policies\Microsoft\Windows\System\AllowCustomSSPsAPs 1
Software\Policies\Microsoft\Windows\System\RunAsPPL 1

Solved · 1.2K Views · 0 likes · 5 Comments

Confusing Naming of Intune M365 Apps Baseline
Hi, to which Office Apps does the existing (and only) "Microsoft 365 Apps for Enterprise Security Baseline" apply? It says Version 2306. When I create a profile, I get this information within the baseline. So this baseline only applies to Office 2016? If yes, how do I protect the M365 Office Apps?

Solved · 117 Views · 0 likes · 1 Comment

Explanation about redirection guard
Hello, I need some explanation about redirection guard. https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-printers#configureredirectionguardpolicy What is the additional protection if this setting is enabled? What kinds of attacks are prevented? Regards.

Solved · 8K Views · 0 likes · 1 Comment

Microsoft Edge v100 Intune Policies
Hi all, really pleased to finally see the setting "Hide restore pages dialog after browser crash" included in the new v100 release. However, the setting isn't available in Intune Endpoint Device Manager policies (Settings Catalogue). Do you know when to expect the updated settings options to be available in the Intune policies, as a general rule of thumb? I.e. are new policies available a few weeks after a version release? Many thanks all.

Solved · 1.5K Views · 0 likes · 3 Comments

Misleading instructions in Baseline-LocalInstall
Requirements in Baseline-LocalInstall.ps1 say that:

REQUIREMENTS:
* PowerShell execution policy must be configured to allow script execution; for example, with a command such as the following:
Set-ExecutionPolicy RemoteSigned

However, it's not signed, so it is not possible to run it with such an ExecutionPolicy. It is possible to run it with `Set-ExecutionPolicy -Scope Process Unrestricted`, but I was wondering if I downloaded it from the wrong place, and there is a signed file somewhere.

Solved · 2.5K Views · 1 like · 3 Comments

Microsoft Baseline Security for Windows 10 v2004
Hello, I have a group of PCs that are under a separate Active Directory OU and are running Windows 10 v2004. I would like to apply the Microsoft security baseline to these PCs. My question is that the security baseline for Windows 10 v2004 comes with 11 policies (listed below):

1. MSFT Internet Explorer 11 - Computer
2. MSFT Internet Explorer 11 - User
3. MSFT Windows 10 2004 - BitLocker
4. MSFT Windows 10 2004 - Computer
5. MSFT Windows 10 2004 - User
6. MSFT Windows 10 2004 and Server 2004 - Defender Antivirus
7. MSFT Windows 10 2004 and Server 2004 - Domain Security
8. MSFT Windows 10 2004 and Server 2004 Member Server - Credential Guard
9. MSFT Windows Server 2004 - Domain Controller Virtualization Based Security
10. MSFT Windows Server 2004 - Domain Controller
11. MSFT Windows Server 2004 - Member Server

Do I have to apply all the baseline security policies to the OU, or only the Windows 10 ones, such as:

1. MSFT Internet Explorer 11 - Computer
2. MSFT Internet Explorer 11 - User
3. MSFT Windows 10 2004 - BitLocker
4. MSFT Windows 10 2004 - Computer
5. MSFT Windows 10 2004 - User
6. MSFT Windows 10 2004 and Server 2004 - Defender Antivirus
7. MSFT Windows 10 2004 and Server 2004 - Domain Security
8. MSFT Windows 10 2004 and Server 2004 Member Server - Credential Guard

Also, what should be the linking order of the policies? Thanking you

Solved · 2K Views · 1 like · 1 Comment

Unsafe font block in Windows
One of my Windows admins says we should not use unsafe fonts like Open Sans, citing the following article: https://www.tenforums.com/tutorials/139087-enable-disable-untrusted-font-blocking-windows-10-a.html But in the MS forum it says that setting is dropped: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/dropping-the-quot-untrusted-font-blocking-quot-setting/ba-p/701068 Which is correct? Thanks

Solved · 1.7K Views · 1 like · 3 Comments

Any way to modify Security Baseline GPOs before we import them on target?
I am okay with 90% of the security baseline parameters being applied on the system. However, I am not very comfortable with the other 10% and would like to remove them from the GPOs/baseline before actually applying this baseline on the target system. OS: Windows 10 IoT. Could anyone provide a way to achieve this?

Solved · 7.3K Views · 1 like · 1 Comment

Microsoft 365 Apps for enterprise security baseline by default?
Stupid or simple question - I couldn't find an answer. Given I use config.office.com to deploy (user) policies to M365 Apps for Enterprise, I see 132 security baseline policies. I read "Microsoft recommended security baseline" and "if you disable or do _not_ configure" the xyz secure setting is active. That means: Microsoft 365 Apps for enterprise are by default using the settings of the security baseline if I configure nothing? Here the purpose of the security baseline policies would be to set policies to the less secure setting, in case needed? Best regards, Markus

Solved · 1K Views · 1 like · 1 Comment

REG_MULTI_SZ are not imported properly
Hi, just wanted to check if I was doing something wrong, or if I hit a (hopefully known) bug: When I export an LGPO backup (generated with LGPO.exe /b) as a PolicyRules file (using the GPO2PolicyRules.exe binary), multi-line registry (REG_MULTI_SZ) values are exported with a \0 delimiter, but are not imported back with line breaks. A practical example: I do want to change the ECC curves preferred order on my systems, and I use the related GPEdit entry to change it. The setting is exported correctly in the PolicyRules file, but upon re-import (using LGPO.exe /p), the value is imported as a single-line string (see attached screenshots, I believe they speak for themselves :)) Is it a known behavior, and is there a workaround for it? Thanks!

Solved · 2.1K Views · 0 likes · 4 Comments

I can't update Microsoft Security Compliance Manager after I installed it
Hi everyone, hope you can help. I'm trying to use Microsoft Security Compliance Manager, but after I installed it, I can't update it. It says "please check your internet connection, the remote server return an error (404)". I have an internet connection, no problem, but this error keeps coming back and I can't update. Thanks.

Solved · 4.6K Views · 1 like · 11 Comments

SCT installation - standalone Windows 2019 server?
Anyone try installing the SCT baseline on a standalone instance of Win2019? When I try the install of the baseline on the host and reboot, I get punted to the repair window at boot. Does anyone know how to perform the standalone install without incurring a boot repair?

Process summary (install via Hyper-V lab):
- Install Windows 2019 (w/ desktop experience): 2GB RAM, 127GB disk, 2 vCPU
- Copy the SCT components to the new Win2019 VM (in c:\temp) and extract: LGPO.zip, PolicyAnalyzer.zip, Windows 10 Version 1809 and Windows Server 2019 Security Baseline.zip
- Copy the LGPO.exe binary to the baseline Local_Script/Tools dir
- Open an admin PowerShell window, navigate to the appropriate baseline dir, and run the installer script with the appropriate standalone switch: BaselineLocalInstall.ps1 -WS2019NonDomainJoined
- Once the installation of the system modifications is complete, reboot

Any suggestions would be appreciated. Thanks, T.

Solved · 2.8K Views · 1 like · 4 Comments

MS Security Baselines vs CIS Benchmarks vs DoD STIGs
I am trying to understand the differences between these sources for secure configuration of a Windows 10 machine and why someone would choose one over the other. I figured I would ask the community if there is a good source I am overlooking before trying to sift through thousands of settings.

Solved · 19K Views · 1 like · 1 Comment

Security baseline (DRAFT) for Chromium-based Microsoft Edge, version 79
On the edge://flags page (Version 79.x) it says "experimental, this could cause security and privacy" or something similar. On the other hand, it is recommended to disable "Allow users to proceed from the HTTPS warning page". Well, in the new Edge there's no policy to restrict access to experimental features; in the 'old' Edge there was one. Microsoft might think about this. Kind Regards, Dennis

Solved · 1.5K Views · 0 likes · 1 Comment

Security baseline (DRAFT) for Chromium-based Microsoft Edge, version 79
Aaron Margosis: Feedback and questions on the latest Edge Chromium baselines:

Extensions: Blocking all extensions may not be possible for many organizations. If an organization wants to maintain a list of extensions and extension sources that are allowable, what settings are required? I have configured the following:
- Allow specific extensions to be installed
- Configure extension and user script install sources (MS and Google URLs specified here)
- Control which extensions are installed silently

However, if I do the * block on "Control which extensions cannot be installed", the extensions that are specified as allowed but not silently installed immediately disable themselves. I've tried different combinations of settings over the last several months with no success. I want our conversion from Chrome to move us from the wild west for extensions to a curated, approved list. How can this be achieved?

Passwords:
- Microsoft and Google have recently added policies to prevent corporate password reuse and direct users to change passwords if they enter them on a phishing site. I think these would be good to encourage use of, but documentation is needed somewhere on how to configure these for a typical Microsoft customer (e.g., Office 365). References: https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#passwordprotectionchangepasswordurl https://support.google.com/chrome/a/answer/9102482?hl=en

SmartScreen:
- Why not configure "Configure Microsoft Defender SmartScreen to block potentially unwanted apps"?
- Why is "Force Microsoft Defender SmartScreen checks on downloads from trusted sources" configured to Disabled? Isn't it better to have SmartScreen on for trusted sources (default) and allow the user to turn it off if required? This seems like a configuration appropriate for a STIG, rather than an MS baseline.

Solved · 5K Views · 0 likes · 4 Comments

User Logon Scripts Headache
Hello, I'm hardening a workstation in a workgroup environment, which means I have to rely on MDT, LGPO.exe and PowerShell scripts to achieve my goals, in an automated way of course. Sadly, LGPO.exe does not support scripts, nor Group Policy Preferences. I have to use logon scripts, which wasn't hard on old OSes: just drop them into the appropriate "C:\Windows\System32\GroupPolicy\Scripts" subfolders on the target computer. In Windows 10 this is a different story: you also need to add an ini file to those folders, as well as create registry keys; for machine scripts, stuff under "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Scripts". While it works for machine scripts, it fails for user scripts. I have tried with the "HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\[SID]" registry hives without success; the error is "incorrect function" (the same I had for computer scripts until I configured all required registry keys). ProcMon detects some more updated keys when manually adding logon scripts using gpedit.msc, however those seem to be created automatically by the ones above. Did anyone manage to successfully add user logon/logoff scripts to a workstation preconfigured with LGPO? Could it be some kind of permissions issue instead? Thanks

Solved · 9.6K Views · 1 like · 8 Comments
Recent Blogs
- We have reviewed the new settings in Microsoft Edge version 140 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 139 security baselin... (Sep 09, 2025 · 261 Views · 1 like · 1 Comment)
- We have reviewed the settings in Microsoft Edge version 139 and updated our guidance with the addition of one setting and the removal of one setting. A new Microsoft Edge security baseline package wa... (Aug 07, 2025 · 1.6K Views · 3 likes · 3 Comments)