Security Baseline for Server 2025 is missing ADMX/ADML files?
I imported the new "Windows Server 2025 Security Baseline" into our AD using Baseline-ADImport.ps1. Not a problem.
From the "Templates" folder, I copied the SecGuide.admx and MSS-Legacy.admx files, along with the en-US folder, to our central store in SYSVOL, as normal (backed up the files I replaced first).
When checking the GPOs in Group Policy Management though, I see a lot of "Extra Registry Settings", which would indicate that it's missing an admx/adml file or similar. I've verified that neither of the included files I copied includes anything about the missing registry settings.
For MSFT Windows Server 2025 - Member Server, there is a whole list of Extra Registry Settings.
What am I missing here?
Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\PKINITHashAlgorithmConfigurationEnabled 1
Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\PKINITSHA1 1
Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\PKINITSHA256 3
Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\PKINITSHA384 3
Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\PKINITSHA512 3
Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\PKInitHashAlgorithmConfigurationEnabled 1
Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\PKInitSHA1 1
Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\PKInitSHA256 3
Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\PKInitSHA384 3
Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\PKInitSHA512 3
Software\Policies\Microsoft\Windows NT\Printers\RPC\ForceKerberosForRpc 0
Software\Policies\Microsoft\Windows NT\Printers\RPC\RpcProtocols 5
Software\Policies\Microsoft\Windows\Bowser\EnableMailslots 0
Software\Policies\Microsoft\Windows\LanmanServer\AuditClientDoesNotSupportEncryption 1
Software\Policies\Microsoft\Windows\LanmanServer\AuditClientDoesNotSupportSigning 1
Software\Policies\Microsoft\Windows\LanmanServer\AuditInsecureGuestLogon 1
Software\Policies\Microsoft\Windows\LanmanServer\EnableAuthRateLimiter 1
Software\Policies\Microsoft\Windows\LanmanServer\InvalidAuthenticationDelayTimeInMs 2000
Software\Policies\Microsoft\Windows\LanmanServer\MinSmb2Dialect 768
Software\Policies\Microsoft\Windows\LanmanWorkstation\AuditInsecureGuestLogon 1
Software\Policies\Microsoft\Windows\LanmanWorkstation\AuditServerDoesNotSupportEncryption 1
Software\Policies\Microsoft\Windows\LanmanWorkstation\AuditServerDoesNotSupportSigning 1
Software\Policies\Microsoft\Windows\LanmanWorkstation\MinSmb2Dialect 768
Software\Policies\Microsoft\Windows\NetworkProvider\EnableMailslots 0
Software\Policies\Microsoft\Windows\System\AllowCustomSSPsAPs 1
Software\Policies\Microsoft\Windows\System\RunAsPPL 1
5 Replies
- Arhim (Copper Contributor)
You're looking for this location: Computer Configuration\Administrative Templates\Network\Lanman Workstation\
Right there you can configure Lanman parameters; for the rest, it's in Administrative Templates\MSS (Legacy) & MS Security Guide. Be careful with Lanman parameters, I have an issue with RDP now on my server, because the service doesn't want to start and I'm trying to figure this out.
Also don't apply all firewall settings, you might lose connection with your DCs and therefore cannot do gpupdate to fix that.
- Turranius (Copper Contributor)
I think you misunderstood the question =)
It's not supposed to look like this and I cannot find any admx files for it. The MSS-legacy.admx and SecGuide.admx have already been updated in our central store.
- AaronMargosis_Tanium (Iron Contributor)
Looks like you need to import the latest Administrative Templates into your central store. Lots of new settings in the Win11 24H2 and WS2025 templates.
- Turranius (Copper Contributor)
Yes, but where are they? In the "Windows Server 2025 Security Baseline" zip package, there are only two in the templates folder: MSS-legacy.admx and SecGuide.admx, and it's not either of them.
- Turranius (Copper Contributor)
Think I found it based on your comment. You do this so seldom that you forget these things =)
Found them here: https://www.microsoft.com/en-us/download/details.aspx?id=106295
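To see which settings from a report like the one in the question have no definition in the templates you have, the ADMX files can be parsed for the key/valueName pairs they declare. The script below is an added example, not part of the thread or of the baseline package; the function names are hypothetical, the ADMX fragment is constructed, and the central store path in the last comment is a placeholder.

```powershell
# Added example (not from the thread). Function names are hypothetical.
function Get-AdmxRegistryValues {
    param([Parameter(Mandatory)][xml]$Admx)
    # Match <policy> by local name so the XML namespace does not matter.
    foreach ($policy in $Admx.SelectNodes("//*[local-name()='policy']")) {
        $policyKey = $policy.GetAttribute('key')
        # The policy itself plus any descendant (elements, list items) that carries valueName.
        foreach ($node in $policy.SelectNodes('descendant-or-self::*[@valueName]')) {
            $key = $node.GetAttribute('key')
            if (-not $key) { $key = $policyKey }   # children inherit the policy's key
            ("$key\" + $node.GetAttribute('valueName')).ToLowerInvariant()
        }
    }
}

function Find-UndefinedPolicyValues {
    param([string[]]$Settings, [string[]]$AdmxText)
    $defined = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($text in $AdmxText) {
        foreach ($v in (Get-AdmxRegistryValues -Admx $text)) { [void]$defined.Add($v) }
    }
    # Anything no template declares is what GPMC lists under "Extra Registry Settings".
    $Settings | Where-Object { -not $defined.Contains($_.ToLowerInvariant()) }
}

# Constructed ADMX fragment for the demo; not a copy of any Microsoft template.
$sampleAdmx = @'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="Example_MinSmbDialect" class="Machine" key="Software\Policies\Microsoft\Windows\LanmanServer">
      <elements>
        <enum id="Example_Min" valueName="MinSmb2Dialect" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>
'@

# Three paths taken from the report in the question (value data dropped).
$extra = @(
    'Software\Policies\Microsoft\Windows\LanmanServer\MinSmb2Dialect',
    'Software\Policies\Microsoft\Windows\System\RunAsPPL',
    'Software\Policies\Microsoft\Windows\Bowser\EnableMailslots'
)
Find-UndefinedPolicyValues -Settings $extra -AdmxText $sampleAdmx

# For a real central store, load every template instead (placeholder path):
# $admx = Get-ChildItem '\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions\*.admx' |
#     ForEach-Object { Get-Content -Raw $_.FullName }
```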