Forum Discussion
Security baseline script not working
Recently I tried to run the security baseline script on Win 2019 (Version 1809, OS Build 17763.4252), but it always failed (I can't see any change in the password length, for example). Below is the log file. Are there any experts who can instruct me how to solve this? Many thanks in advance.
------------------here below is the log-----------------------------
Baseline-LocalInstall.ps1, 4/14/2023 9:30:28 AM
--------------------------------------------------------------------------------------------------
Windows Server - non-domain-joined
GPOs to be installed:
MSFT Internet Explorer 11 - Computer
MSFT Internet Explorer 11 - User
MSFT Windows 10 1909 and Server 1909 - Defender Antivirus
MSFT Windows 10 1909 and Server 1909 - Domain Security
MSFT Windows 10 1909 and Server 1909 Member Server - Credential Guard
MSFT Windows Server 1909 - Member Server
==================================================================================================
Copy custom administrative templates...
==================================================================================================
Configuring Client Side Extensions...
LGPO.exe v2.2 - Local Group Policy Object utility
Enabling Group Policy client side extension for local policy: Mitigation Options
Enabling Group Policy client side extension for local policy: Advanced Audit Policy Configuration
Enabling Group Policy client side extension for local policy: Internet Explorer Zone Mapping
Enabling Group Policy client side extension for local policy: Device Guard, Virtualization Based Security
==================================================================================================
--------------------------------------------------------------------------------------------------
Applying GPO "MSFT Internet Explorer 11 - Computer"...
--------------------------------------------------------------------------------------------------
LGPO.exe v2.2 - Local Group Policy Object utility
Import Machine settings from registry.pol: ..\GPOs\{6E2073CE-B1B5-4A0F-B1E4-C007BD052B18}\DomainSysvol\GPO\Machine\registry.pol
; ----------------------------------------------------------------------
; PROCESSING Computer POLICY
; Source file: ..\GPOs\{6E2073CE-B1B5-4A0F-B1E4-C007BD052B18}\DomainSysvol\GPO\Machine\registry.pol
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\Ext
RunThisTimeEnabled
DWORD:0
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\Ext
VersionCheckEnabled
DWORD:1
Computer
Software\Policies\Microsoft\Internet Explorer\Download
RunInvalidSignatures
DWORD:0
Computer
Software\Policies\Microsoft\Internet Explorer\Download
CheckExeSignatures
SZ:yes
Computer
Software\Policies\Microsoft\Internet Explorer\Main
Isolation64Bit
DWORD:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main
DisableEPMCompat
DWORD:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main
Isolation
SZ:PMEM
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL
(Reserved)
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL
iexplore.exe
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL
explorer.exe
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
explorer.exe
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
iexplore.exe
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
(Reserved)
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING
explorer.exe
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING
iexplore.exe
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING
(Reserved)
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL
(Reserved)
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL
explorer.exe
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL
iexplore.exe
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
(Reserved)
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
iexplore.exe
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
explorer.exe
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND
(Reserved)
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND
iexplore.exe
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND
explorer.exe
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
iexplore.exe
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
(Reserved)
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
explorer.exe
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
(Reserved)
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
explorer.exe
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
iexplore.exe
SZ:1
Computer
Software\Policies\Microsoft\Internet Explorer\PhishingFilter
PreventOverrideAppRepUnknown
DWORD:1
Computer
Software\Policies\Microsoft\Internet Explorer\PhishingFilter
PreventOverride
DWORD:1
Computer
Software\Policies\Microsoft\Internet Explorer\PhishingFilter
EnabledV9
DWORD:1
Computer
Software\Policies\Microsoft\Internet Explorer\Restrictions
NoCrashDetection
DWORD:1
Computer
Software\Policies\Microsoft\Internet Explorer\Security
DisableSecuritySettingsCheck
DWORD:0
Computer
Software\Policies\Microsoft\Internet Explorer\Security\ActiveX
BlockNonAdminActiveXInstall
DWORD:1
Computer
Software\Policies\Microsoft\Windows\AxInstaller
OnlyUseAXISForActiveXInstall
DWORD:1
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Security_zones_map_edit
DWORD:1
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Security_options_edit
DWORD:1
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Security_HKLM_only
DWORD:1
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
CertificateRevocation
DWORD:1
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
PreventIgnoreCertErrors
DWORD:1
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
WarnOnBadCertRecving
DWORD:1
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
EnableSSL3Fallback
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
SecureProtocols
DWORD:2560
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
1C00
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
1C00
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
1C00
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
2301
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
2301
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
1C00
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
1C00
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
270C
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
270C
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
1201
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
1C00
DWORD:65536
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1C00
DWORD:65536
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
270C
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1201
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
2001
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
2102
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1802
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
160A
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1201
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1406
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1804
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
2200
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1209
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1206
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1809
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
2500
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
2103
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1606
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
2402
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
2004
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1C00
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1001
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1A00
DWORD:65536
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
2708
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1004
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
120b
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1407
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1409
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
270C
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1607
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
2709
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
2101
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
2301
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1806
DWORD:1
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
120c
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
140C
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1608
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1201
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1001
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1607
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
120b
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1809
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1004
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1606
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1407
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
160A
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1406
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
2102
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
2004
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
2200
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
2000
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1402
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1803
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
2402
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1400
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1A00
DWORD:196608
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
2001
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
2500
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1409
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1C00
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1209
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
270C
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1206
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
2708
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1802
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
2103
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
2709
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1405
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
2101
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
2301
DWORD:0
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1200
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1804
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1806
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
120c
DWORD:3
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
140C
DWORD:3
; Computer POLICY SAVED.
; ----------------------------------------------------------------------
==================================================================================================
--------------------------------------------------------------------------------------------------
Applying GPO "MSFT Internet Explorer 11 - User"...
--------------------------------------------------------------------------------------------------
LGPO.exe v2.2 - Local Group Policy Object utility
Import User settings from registry.pol: ..\GPOs\{4E60D2FB-5E65-4AAB-843E-836833DEFA15}\DomainSysvol\GPO\User\registry.pol
; ----------------------------------------------------------------------
; PROCESSING User POLICY
; Source file: ..\GPOs\{4E60D2FB-5E65-4AAB-843E-836833DEFA15}\DomainSysvol\GPO\User\registry.pol
User
Software\Policies\Microsoft\Internet Explorer\Control Panel
FormSuggest Passwords
DWORD:1
User
Software\Policies\Microsoft\Internet Explorer\Main
FormSuggest PW Ask
SZ:no
User
Software\Policies\Microsoft\Internet Explorer\Main
FormSuggest Passwords
SZ:no
; User POLICY SAVED.
; ----------------------------------------------------------------------
==================================================================================================
--------------------------------------------------------------------------------------------------
Applying GPO "MSFT Windows 10 1909 and Server 1909 - Defender Antivirus"...
--------------------------------------------------------------------------------------------------
LGPO.exe v2.2 - Local Group Policy Object utility
Import Machine settings from registry.pol: ..\GPOs\{6359FA45-B4E8-4B56-864A-591B4DD8642C}\DomainSysvol\GPO\Machine\registry.pol
; ----------------------------------------------------------------------
; PROCESSING Computer POLICY
; Source file: ..\GPOs\{6359FA45-B4E8-4B56-864A-591B4DD8642C}\DomainSysvol\GPO\Machine\registry.pol
Computer
Software\Policies\Microsoft\Windows Defender
PUAProtection
DWORD:1
Computer
Software\Policies\Microsoft\Windows Defender\Real-Time Protection
DisableBehaviorMonitoring
DWORD:0
Computer
Software\Policies\Microsoft\Windows Defender\Scan
DisableRemovableDriveScanning
DWORD:0
Computer
Software\Policies\Microsoft\Windows Defender\Spynet
SubmitSamplesConsent
DWORD:1
Computer
Software\Policies\Microsoft\Windows Defender\Spynet
SpynetReporting
DWORD:2
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR
ExploitGuard_ASR_Rules
DWORD:1
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
SZ:1
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
3b576869-a4ec-4529-8536-b80a7769e899
SZ:1
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
d4f940ab-401b-4efc-aadc-ad5f3c50688a
SZ:1
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
SZ:1
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
5beb7efe-fd9a-4556-801d-275e5ffc04cc
SZ:1
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
d3e037e1-3eb8-44c8-a917-57927947596d
SZ:1
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
SZ:1
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
SZ:1
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
SZ:1
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
26190899-1602-49e8-8b27-eb1d0a1ce869
SZ:1
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
SZ:1
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
EnableNetworkProtection
DWORD:1
; Computer POLICY SAVED.
; ----------------------------------------------------------------------
==================================================================================================
--------------------------------------------------------------------------------------------------
Applying GPO "MSFT Windows 10 1909 and Server 1909 - Domain Security"...
--------------------------------------------------------------------------------------------------
LGPO.exe v2.2 - Local Group Policy Object utility
Nothing to do.
LGPO.exe has four modes:
* Import and apply policy settings;
* Export local policy to a GPO backup;
* Parse a registry.pol file to "LGPO text" format;
* Build a registry.pol file from "LGPO text".
To apply policy settings:
LGPO.exe command [...]
where "command" is one or more of the following (each of which can be repeated):
/g path import settings from one or more GPO backups under "path"
/m path\registry.pol import settings from registry.pol into machine config
/u path\registry.pol import settings from registry.pol into user config
/ua path\registry.pol import settings from registry.pol into user config for Administrators
/un path\registry.pol import settings from registry.pol into user config for Non-Administrators
/u:username path\registry.pol
import settings from registry.pol into user config for local user
specified by "username"
/s path\GptTmpl.inf apply security template
/a[c] path\Audit.csv apply advanced auditing settings; /ac to clear policy first
/t path\lgpo.txt apply registry commands from LGPO text
/e <name>|<guid> enable GP extension for local policy processing; specify a
GUID, or one of these names:
* "zone" for IE zone mapping extension
* "mitigation" for mitigation options, including font blocking
* "audit" for advanced audit policy configuration
* "LAPS" for Local Administrator Password Solution
* "DGVBS" for Device Guard virtualization-based security
* "DGCI" for Device Guard code integrity policy
/boot reboot after applying policies
/v verbose output
/q quiet output (no headers)
To create a GPO backup from local policy:
LGPO.exe /b path [/n GPO-name]
/b path Create GPO backup in "path"
/n GPO-name Optional GPO display name (use quotes if it contains spaces)
To parse a Registry.pol file to LGPO text (stdout):
LGPO.exe /parse [/q] {/m|/u|/ua|/un|/u:username} path\registry.pol
/m path\registry.pol parse registry.pol as machine config commands
/u path\registry.pol parse registry.pol as user config commands
/ua path\registry.pol parse registry.pol as user config for Administrators
/un path\registry.pol parse registry.pol as user config for Non-Administrators
/u:username path\registry.pol
parse registry.pol as user config for local user
specified by "username"
/q quiet output (no headers)
To build a Registry.pol file from LGPO text:
LGPO.exe /r path\lgpo.txt /w path\registry.pol [/v]
/r path\lgpo.txt Read input from LGPO text file
/w path\registry.pol Write new registry.pol file
(See the documentation for more information and examples.)
==================================================================================================
--------------------------------------------------------------------------------------------------
Applying GPO "MSFT Windows 10 1909 and Server 1909 Member Server - Credential Guard"...
--------------------------------------------------------------------------------------------------
LGPO.exe v2.2 - Local Group Policy Object utility
Import Machine settings from registry.pol: ..\GPOs\{BA64EEBE-B4EC-47F2-BED8-C53274D6CDF2}\DomainSysvol\GPO\Machine\registry.pol
; ----------------------------------------------------------------------
; PROCESSING Computer POLICY
; Source file: ..\GPOs\{BA64EEBE-B4EC-47F2-BED8-C53274D6CDF2}\DomainSysvol\GPO\Machine\registry.pol
Computer
SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
EnableVirtualizationBasedSecurity
DWORD:1
Computer
SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
RequirePlatformSecurityFeatures
DWORD:1
Computer
SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
HypervisorEnforcedCodeIntegrity
DWORD:1
Computer
SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
HVCIMATRequired
DWORD:0
Computer
SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
LsaCfgFlags
DWORD:1
Computer
SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
ConfigureSystemGuardLaunch
DWORD:1
; Computer POLICY SAVED.
; ----------------------------------------------------------------------
==================================================================================================
--------------------------------------------------------------------------------------------------
Applying GPO "MSFT Windows Server 1909 - Member Server"...
--------------------------------------------------------------------------------------------------
LGPO.exe v2.2 - Local Group Policy Object utility
Import Machine settings from registry.pol: ..\GPOs\{3657C7A2-3FF3-4C21-9439-8FDF549F1D68}\DomainSysvol\GPO\Machine\registry.pol
; ----------------------------------------------------------------------
; PROCESSING Computer POLICY
; Source file: ..\GPOs\{3657C7A2-3FF3-4C21-9439-8FDF549F1D68}\DomainSysvol\GPO\Machine\registry.pol
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
DWORD:255
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoAutorun
DWORD:1
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableAutomaticRestartSignOn
DWORD:1
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\System
LocalAccountTokenFilterPolicy
DWORD:0
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
AllowEncryptionOracle
DWORD:0
Computer
Software\Policies\Microsoft\Biometrics\FacialFeatures
EnhancedAntiSpoofing
DWORD:1
Computer
Software\Policies\Microsoft\Internet Explorer\Feeds
DisableEnclosureDownload
DWORD:1
Computer
Software\Policies\Microsoft\Windows\CredentialsDelegation
AllowProtectedCreds
DWORD:1
Computer
Software\Policies\Microsoft\Windows\EventLog\Application
MaxSize
DWORD:32768
Computer
Software\Policies\Microsoft\Windows\EventLog\Security
MaxSize
DWORD:196608
Computer
Software\Policies\Microsoft\Windows\EventLog\System
MaxSize
DWORD:32768
Computer
Software\Policies\Microsoft\Windows\Explorer
NoAutoplayfornonVolume
DWORD:1
Computer
Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
NoBackgroundPolicy
DWORD:0
Computer
Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
NoGPOListChanges
DWORD:0
Computer
Software\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated
DWORD:0
Computer
Software\Policies\Microsoft\Windows\Installer
EnableUserControl
DWORD:0
Computer
Software\Policies\Microsoft\Windows\Kernel DMA Protection
DeviceEnumerationPolicy
DWORD:0
Computer
Software\Policies\Microsoft\Windows\LanmanWorkstation
AllowInsecureGuestAuth
DWORD:0
Computer
Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
\\*\SYSVOL
SZ:RequireMutualAuthentication=1,RequireIntegrity=1
Computer
Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
\\*\NETLOGON
SZ:RequireMutualAuthentication=1,RequireIntegrity=1
Computer
Software\Policies\Microsoft\Windows\Personalization
NoLockScreenCamera
DWORD:1
Computer
Software\Policies\Microsoft\Windows\Personalization
NoLockScreenSlideshow
DWORD:1
Computer
Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
EnableScriptBlockLogging
DWORD:1
Computer
Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
EnableScriptBlockInvocationLogging
DELETE
Computer
Software\Policies\Microsoft\Windows\System
EnumerateLocalUsers
DWORD:0
Computer
Software\Policies\Microsoft\Windows\System
EnableSmartScreen
DWORD:1
Computer
Software\Policies\Microsoft\Windows\System
ShellSmartScreenLevel
SZ:Block
Computer
Software\Policies\Microsoft\Windows\Windows Search
AllowIndexingEncryptedStoresOrItems
DWORD:0
Computer
Software\Policies\Microsoft\Windows\WinRM\Client
AllowBasic
DWORD:0
Computer
Software\Policies\Microsoft\Windows\WinRM\Client
AllowUnencryptedTraffic
DWORD:0
Computer
Software\Policies\Microsoft\Windows\WinRM\Client
AllowDigest
DWORD:0
Computer
Software\Policies\Microsoft\Windows\WinRM\Service
AllowBasic
DWORD:0
Computer
Software\Policies\Microsoft\Windows\WinRM\Service
AllowUnencryptedTraffic
DWORD:0
Computer
Software\Policies\Microsoft\Windows\WinRM\Service
DisableRunAs
DWORD:1
Computer
Software\Policies\Microsoft\Windows NT\DNSClient
EnableMulticast
DWORD:0
Computer
Software\Policies\Microsoft\Windows NT\Rpc
RestrictRemoteClients
DWORD:1
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
DisablePasswordSaving
DWORD:1
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
fDisableCdm
DWORD:1
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
fPromptForPassword
DWORD:1
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
fEncryptRPCTraffic
DWORD:1
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
MinEncryptionLevel
DWORD:3
Computer
Software\Policies\Microsoft\WindowsFirewall
PolicyVersion
DWORD:538
Computer
Software\Policies\Microsoft\WindowsFirewall\DomainProfile
DefaultOutboundAction
DWORD:0
Computer
Software\Policies\Microsoft\WindowsFirewall\DomainProfile
DefaultInboundAction
DWORD:1
Computer
Software\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
DWORD:1
Computer
Software\Policies\Microsoft\WindowsFirewall\PrivateProfile
EnableFirewall
DWORD:1
Computer
Software\Policies\Microsoft\WindowsFirewall\PrivateProfile
DefaultInboundAction
DWORD:1
Computer
Software\Policies\Microsoft\WindowsFirewall\PrivateProfile
DefaultOutboundAction
DWORD:0
Computer
Software\Policies\Microsoft\WindowsFirewall\PublicProfile
EnableFirewall
DWORD:1
Computer
Software\Policies\Microsoft\WindowsFirewall\PublicProfile
DefaultOutboundAction
DWORD:0
Computer
Software\Policies\Microsoft\WindowsFirewall\PublicProfile
DefaultInboundAction
DWORD:1
Computer
Software\Policies\Microsoft\WindowsInkWorkspace
AllowWindowsInkWorkspace
DWORD:1
Computer
Software\Policies\Microsoft Services\AdmPwd
AdmPwdEnabled
DWORD:1
Computer
SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
UseLogonCredential
DWORD:0
Computer
SYSTEM\CurrentControlSet\Control\Session Manager\kernel
DisableExceptionChainValidation
DWORD:0
Computer
SYSTEM\CurrentControlSet\Policies\EarlyLaunch
DriverLoadPolicy
DWORD:3
Computer
SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
SMB1
DWORD:0
Computer
SYSTEM\CurrentControlSet\Services\MrxSmb10
Start
DWORD:4
Computer
SYSTEM\CurrentControlSet\Services\Netbt\Parameters
NoNameReleaseOnDemand
DWORD:1
Computer
SYSTEM\CurrentControlSet\Services\Netbt\Parameters
NodeType
DWORD:2
Computer
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableICMPRedirect
DWORD:0
Computer
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DisableIPSourceRouting
DWORD:2
Computer
SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
DisableIPSourceRouting
DWORD:2
; Computer POLICY SAVED.
; ----------------------------------------------------------------------
Import User settings from registry.pol: ..\GPOs\{3657C7A2-3FF3-4C21-9439-8FDF549F1D68}\DomainSysvol\GPO\User\registry.pol
; ----------------------------------------------------------------------
; PROCESSING User POLICY
; Source file: ..\GPOs\{3657C7A2-3FF3-4C21-9439-8FDF549F1D68}\DomainSysvol\GPO\User\registry.pol
; User POLICY SAVED.
; ----------------------------------------------------------------------
==================================================================================================
Non-domain-joined: back out the local-account restrictions...
LGPO.exe v2.2 - Local Group Policy Object utility
Apply security template: ConfigFiles\DeltaForNonDomainJoined.inf
----------------------------------------------------------------------
PROCESSING SECURITY TEMPLATE: ConfigFiles\DeltaForNonDomainJoined.inf
C:\Windows\system32\secedit.exe /configure /db "C:\Users\Operator\AppData\Local\Temp\1\GPT8E4C.tmp" /cfg "ConfigFiles\DeltaForNonDomainJoined.inf" /log "C:\Users\Operator\AppData\Local\Temp\1\GPT8E4D.tmp" /overwrite /quiet
[[[ Security template log file output follows: C:\Users\Operator\AppData\Local\Temp\1\GPT8E4D.tmp ]]]
Completed 1 percent (0/63) Process Privilege Rights area
Completed 25 percent (15/63) Process Privilege Rights area
Completed 25 percent (15/63) Process Group Membership area
Completed 49 percent (30/63) Process Group Membership area
Completed 49 percent (30/63) Process Registry Keys area
Completed 49 percent (30/63) Process File Security area
Completed 49 percent (30/63) Process Services area
Completed 65 percent (40/63) Process Services area
Completed 73 percent (45/63) Process Services area
Completed 73 percent (45/63) Process Security Policy area
Completed 77 percent (48/63) Process Security Policy area
Completed 84 percent (52/63) Process Security Policy area
Completed 88 percent (55/63) Process Security Policy area
Completed 93 percent (58/63) Process Security Policy area
Completed 100 percent (63/63) Process Security Policy area
The task has completed successfully.
SECEDIT.EXE exited with exit code 0
----------------------------------------------------------------------
Apply registry-based settings from LGPO text file: ConfigFiles\DeltaForNonDomainJoined.txt
PROCESSING INPUT FILE FOR REGISTRY-BASED POLICY: ConfigFiles\DeltaForNonDomainJoined.txt
Computer Configuration Software\Microsoft\Windows\CurrentVersion\Policies\System LocalAccountTokenFilterPolicy REG_DWORD 1
Computer Configuration Software\Policies\Microsoft\Windows NT\Rpc RestrictRemoteClients REG_DWORD 0
POLICY SAVED.
----------------------------------------------------------------------
2 Replies
- AaronMargosis_Tanium (Iron Contributor)
I just downloaded the Server 2019 baseline and ran the script for non-domain-joined, and what I've got looks different from yours. For one thing, your logs reference "Server 1909" but the one I've got referenced "Server 2019." And something went wrong with yours: At Applying GPO "MSFT Windows 10 1909 and Server 1909 - Domain Security" it says "Nothing to do." Mine worked without errors or warnings, and the password length is set to 14.
Did you modify the content of the baseline or the script before you ran it? Did you get it from the Microsoft SCT or from another source?
- jiecui (Copper Contributor)
AaronMargosis_Tanium Thanks so much for your reminder. I re-downloaded the security baseline from the Microsoft website and now it is OK. Possibly the problematic one was changed somewhere.
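
The check the first reply performs by eye, as an added PowerShell example (not code from the thread or from the Microsoft baseline package): it splits a Baseline-LocalInstall log into its "Applying GPO" sections, flags any section where LGPO.exe reported "Nothing to do.", and reads back the effective minimum password length with secedit. The function names and the shortened sample excerpt are assumptions made for illustration; the expected length of 14 is the value the reply reports.

```powershell
# Added example: not from the thread or from the Microsoft baseline package.
# Function names and the sample excerpt below are assumptions for illustration.

function Get-BaselineGpoResult {
    # Splits a Baseline-LocalInstall log into "Applying GPO" sections and
    # reports, per GPO, whether LGPO.exe imported anything.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]] $LogLine      # log content, one element per line
    )

    # Lines LGPO.exe prints in the log above when it actually applies something.
    $importPattern = '^(Import (Machine|User) settings from registry\.pol|' +
                     'Apply security template|' +
                     'Apply registry-based settings from LGPO text file):'
    $sections = [System.Collections.Generic.List[object]]::new()
    $current  = $null

    foreach ($line in $LogLine) {
        if ($line -match '^Applying GPO "(?<name>.+)"\.\.\.') {
            $current = [pscustomobject]@{ Gpo = $Matches['name']; Imports = 0; NothingToDo = $false }
            $sections.Add($current)
        }
        elseif ($line -match '^={20,}\s*$') {
            $current = $null     # a "=====" rule closes the current GPO section
        }
        elseif ($null -ne $current) {
            if ($line -match $importPattern)           { $current.Imports++ }
            elseif ($line -match '^Nothing to do\.')   { $current.NothingToDo = $true }
        }
    }

    foreach ($s in $sections) {
        $status = if ($s.NothingToDo -or $s.Imports -eq 0) { 'NOT APPLIED' } else { 'applied' }
        [pscustomobject]@{ Gpo = $s.Gpo; Imports = $s.Imports; Status = $status }
    }
}

function Get-MinimumPasswordLength {
    # Exports the effective local security policy and returns MinimumPasswordLength
    # as an integer, or $null if the export failed. Requires an elevated session.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        $hit = Select-String -Path $cfg -Pattern '^\s*MinimumPasswordLength\s*=\s*(\d+)' `
                             -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($hit) { [int]$hit.Matches[0].Groups[1].Value } else { $null }
    }
    finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

# Constructed sample: a shortened excerpt of the log posted in the question.
$sample = @'
==================================================
--------------------------------------------------
Applying GPO "MSFT Windows 10 1909 and Server 1909 - Defender Antivirus"...
--------------------------------------------------
LGPO.exe v2.2 - Local Group Policy Object utility
Import Machine settings from registry.pol: ..\GPOs\{6359FA45-B4E8-4B56-864A-591B4DD8642C}\DomainSysvol\GPO\Machine\registry.pol
; Computer POLICY SAVED.
==================================================
--------------------------------------------------
Applying GPO "MSFT Windows 10 1909 and Server 1909 - Domain Security"...
--------------------------------------------------
LGPO.exe v2.2 - Local Group Policy Object utility
Nothing to do.
LGPO.exe has four modes:
==================================================
Non-domain-joined: back out the local-account restrictions...
Apply security template: ConfigFiles\DeltaForNonDomainJoined.inf
'@ -split '\r?\n'

Get-BaselineGpoResult -LogLine $sample | Format-Table -AutoSize
# For a real run: Get-BaselineGpoResult -LogLine (Get-Content <path to the script's log>)

# Confirm the outcome on the machine itself rather than trusting the log.
if ($env:OS -eq 'Windows_NT') {
    $expected = 14               # value reported in the first reply
    $actual   = Get-MinimumPasswordLength
    if ($null -eq $actual) {
        Write-Warning 'Could not read MinimumPasswordLength (is the session elevated?).'
    }
    elseif ($actual -lt $expected) {
        Write-Warning "MinimumPasswordLength is $actual, expected $expected: baseline not in effect."
    }
    else {
        Write-Output "MinimumPasswordLength is $actual."
    }
}
```

A section flagged NOT APPLIED points at a GPO backup folder with nothing LGPO.exe could import, which is consistent with the altered package the thread ends up suspecting.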