Turranius
Feb 12, 2025
Solved

Security Baseline for Server 2025 is missing ADMX/ADML files?

I imported the new "Windows Server 2025 Security Baseline" into our AD using Baseline-ADImport.ps1. Not a problem. 

From the "Templates" folder, I copied the SecGuide.admx and MSS-Legacy.admx files, along with the en-US folder to our central store in SYSVOL, as normal (backed up the files I replace first).

When checking the GPOs in Group Policy Management though, I see a lot of "Extra Registry Settings" which would indicate that it's missing an admx/adml file or similar. I've verified that neither of the included files I copied includes anything about the missing registry settings.

For MSFT Windows Server 2025 - Member Server, there is a whole list of Extra Registry Settings.

What am I missing here?

Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\PKINITHashAlgorithmConfigurationEnabled 1 
Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\PKINITSHA1 1 
Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\PKINITSHA256 3 
Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\PKINITSHA384 3 
Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\PKINITSHA512 3 
Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\PKInitHashAlgorithmConfigurationEnabled 1 
Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\PKInitSHA1 1 
Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\PKInitSHA256 3 
Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\PKInitSHA384 3 
Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\PKInitSHA512 3 
Software\Policies\Microsoft\Windows NT\Printers\RPC\ForceKerberosForRpc 0 
Software\Policies\Microsoft\Windows NT\Printers\RPC\RpcProtocols 5 
Software\Policies\Microsoft\Windows\Bowser\EnableMailslots 0 
Software\Policies\Microsoft\Windows\LanmanServer\AuditClientDoesNotSupportEncryption 1 
Software\Policies\Microsoft\Windows\LanmanServer\AuditClientDoesNotSupportSigning 1 
Software\Policies\Microsoft\Windows\LanmanServer\AuditInsecureGuestLogon 1 
Software\Policies\Microsoft\Windows\LanmanServer\EnableAuthRateLimiter 1 
Software\Policies\Microsoft\Windows\LanmanServer\InvalidAuthenticationDelayTimeInMs 2000 
Software\Policies\Microsoft\Windows\LanmanServer\MinSmb2Dialect 768 
Software\Policies\Microsoft\Windows\LanmanWorkstation\AuditInsecureGuestLogon 1 
Software\Policies\Microsoft\Windows\LanmanWorkstation\AuditServerDoesNotSupportEncryption 1 
Software\Policies\Microsoft\Windows\LanmanWorkstation\AuditServerDoesNotSupportSigning 1 
Software\Policies\Microsoft\Windows\LanmanWorkstation\MinSmb2Dialect 768 
Software\Policies\Microsoft\Windows\NetworkProvider\EnableMailslots 0 
Software\Policies\Microsoft\Windows\System\AllowCustomSSPsAPs 1 
Software\Policies\Microsoft\Windows\System\RunAsPPL 1 

5 Replies

  • Arhim

    You're looking for this location: computer configuration\administrative templates\network\lanman workstation\
    Right there you can configure Lanman parameters; for the rest, it's in administrative templates\MSS (Legacy) & MS Security Guide.

    Be careful with Lanman parameters. I have an issue with RDP now on my server, because the service doesn't want to start and I'm trying to figure this out.
    Also don't apply all firewall settings; you might lose connection with your DCs and therefore cannot do gpupdate to fix that.

    • Turranius

      I think you misunderstood the question =) 

      It's not supposed to look like this and I cannot find any admx files for it. The MSS-legacy.admx and SecGuide.admx have already been updated in our central store.

  • Looks like you need to import the latest Administrative Templates into your central store. Lots of new settings in the Win11 24H2 and WS2025 templates.

    • Turranius

      Yes, but where are they? In the "Windows Server 2025 Security Baseline" zip package, there are only two in the templates folder, MSS-legacy.admx and SecGuide.admx, and it's not either of them.

      • Turranius

        Think I found it based on your comment. You do this so seldom that you forget these things =)

         

        Found them here: https://www.microsoft.com/en-us/download/details.aspx?id=106295
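
The check discussed in this thread, as an added example that is not part of the original posts: it reads the registry key and valueName pairs that a set of ADMX files define and returns the settings that none of them cover, which are the ones Group Policy Management lists under "Extra Registry Settings". The function names and the sample ADMX fragment are constructed for illustration; the three settings come from the list in the question.

```powershell
# Added example. Function names and the sample ADMX fragment are constructed.

function Get-AdmxRegistryValue {
    # Emits every "key\valueName" pair an ADMX document defines, lowercased.
    param([Parameter(Mandatory)][xml]$Admx)
    # local-name() sidesteps the default XML namespace that ADMX files declare.
    foreach ($policy in $Admx.SelectNodes("//*[local-name()='policy']")) {
        foreach ($node in $policy.SelectNodes('descendant-or-self::*[@valueName]')) {
            # Elements without their own key attribute inherit the policy's key.
            $key = $node.GetAttribute('key')
            if (-not $key) { $key = $policy.GetAttribute('key') }
            ('{0}\{1}' -f $key, $node.GetAttribute('valueName')).ToLowerInvariant()
        }
    }
}

function Find-UncoveredSetting {
    # Returns the settings that no supplied ADMX document defines.
    param([string[]]$Setting, [string[]]$AdmxContent)
    $known = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($content in $AdmxContent) {
        foreach ($value in Get-AdmxRegistryValue -Admx $content) { [void]$known.Add($value) }
    }
    # Registry names are case-insensitive (PKINITSHA1 vs PKInitSHA1), so compare lowercased.
    $Setting | Where-Object { -not $known.Contains($_.ToLowerInvariant()) }
}

# Constructed ADMX fragment that defines only RunAsPPL.
$sampleAdmx = @'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="Example_RunAsPPL" class="Machine" key="Software\Policies\Microsoft\Windows\System">
      <elements><enum id="Example_RunAsPPL_Enum" valueName="RunAsPPL" /></elements>
    </policy>
  </policies>
</policyDefinitions>
'@

# Three of the settings listed in the question.
$extra = @(
    'Software\Policies\Microsoft\Windows\System\RunAsPPL',
    'Software\Policies\Microsoft\Windows\LanmanServer\MinSmb2Dialect',
    'Software\Policies\Microsoft\Windows\Bowser\EnableMailslots'
)

# For a real central store, build -AdmxContent from the *.admx files in PolicyDefinitions:
#   Get-ChildItem <PolicyDefinitions>\*.admx | ForEach-Object { Get-Content $_.FullName -Raw }
Find-UncoveredSetting -Setting $extra -AdmxContent $sampleAdmx
```

A setting that is still reported after every ADMX file in the central store has been passed in has no template there, which is the situation the thread resolves by importing the newer Administrative Templates.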
