Microsoft Tech Community

Baseline throws a silent error. Suggestion for a quick fix in BaselineLocalInstall.ps1


Hi,


the BaselineLocalInstall.ps1 in SCT 1.0 for Server 2019 throws a silent error under certain circumstances that is added to the error variable. Line 147 is responsible:


if ($null -eq (Get-Command LGPO.exe -ErrorAction SilentlyContinue))


When the script runs successfully, this is the only error in $Error. Since $Error is currently the only way to check whether the baseline script ran successfully or not, this causes an issue.


The fix is simple, however. Please replace the error action with Ignore.


if ($null -eq (Get-Command LGPO.exe -ErrorAction Ignore))


This acts like SilentlyContinue but does not add the error to the $Error variable, and if the script ran successfully $Error will be empty.
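The behaviour described in the post, as an added example (not code from the SCT baseline scripts or the thread): the same command-presence probe is run with both error actions and the number of entries left in $Error is reported. The probe name 'NoSuchTool-Placeholder.exe' is a constructed value assumed not to exist on the machine; the function name is hypothetical.

```powershell
# Added example, not part of BaselineLocalInstall.ps1.
# Demonstrates why -ErrorAction Ignore keeps $Error clean while
# -ErrorAction SilentlyContinue silently appends a CommandNotFound record,
# which matters when $Error is used as the "did the script run clean" signal.

# Constructed name, assumed to resolve to no command on this host.
$missingTool = 'NoSuchTool-Placeholder.exe'

function Test-ErrorActionSideEffect {
    param(
        [Parameter(Mandatory)]
        [System.Management.Automation.ActionPreference]$Action
    )

    # Start from a clean slate so the count below reflects only this probe.
    $Error.Clear()

    # Same shape as the line-147 check: probe for the tool without stopping.
    $found = $null -ne (Get-Command $missingTool -ErrorAction $Action)

    [pscustomobject]@{
        ErrorAction  = $Action
        CommandFound = $found
        ErrorsLogged = $Error.Count   # 1 for SilentlyContinue, 0 for Ignore
    }
}

# A "success" check modelled on the post's approach: clean only if $Error is empty.
function Test-RanClean {
    param([Parameter(Mandatory)][System.Management.Automation.ActionPreference]$Action)
    $null = Test-ErrorActionSideEffect -Action $Action
    return ($Error.Count -eq 0)
}

Test-ErrorActionSideEffect -Action SilentlyContinue
Test-ErrorActionSideEffect -Action Ignore

"SilentlyContinue ran clean: $(Test-RanClean -Action SilentlyContinue)"   # False
"Ignore ran clean:           $(Test-RanClean -Action Ignore)"             # True
```

Ignore is accepted only as a value for the -ErrorAction parameter (and -ErrorVariable is not populated either); it cannot be assigned to $ErrorActionPreference, so the fix has to be made on the Get-Command call itself as the post suggests.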



@Daniel Niccoli @Rick_Munck - that change makes sense to me. Good idea - thanks.

@Daniel Niccoli we greatly appreciate the suggestion and will make the change in the Final 20H2 package we are planning to release towards the middle of the month!

Hi @Rick_Munck, it would be great if you could backport the fix to the Server 2019 baseline.

@Daniel Niccoli it should have been included in the 20H2 package for client and server.  Are you seeing something to the contrary?


@Rick_Munck The SCT 1.0 contains a Server 2019 package with files that have not been modified since 2018. The server 20H2 package in that SCT 1.0 has modified files and I do see the changes there. But we use Server 2019 (LTSC) and not Server 20H2.

Side question: What does the version number stand for? I see packages being added, but the version number doesn't change.

@Daniel Niccoli unfortunately we don't have the cycles to go back and update old baselines. Our recommendations/fixes are always reflected in the latest version. You can take the script out of the newest and use it with your version; it shouldn't be an issue.


As for the version number, that is a required field that has to be there. Technically LGPO and every other download should be its own DL and version, but we decided it was best to use a master name for the download and keep everything in one spot for ease.

@Rick_Munck Old? Server 2019 is still in Mainstream support until the second half of 2024. 🤔 Do you test the 20H2 baselines against Server 2019? Because if you do, then I trust that they work and don't break anything. The baseline does change some quite delicate settings.

Security baselines only get one pass per release; we do not go back and revisit previous releases. Our recommendations build upon older baselines and are updated to reflect new and updated guidance. In the case of 2019 (LTSC) I suggest you use Policy Analyzer and compare the initial release versus the current and make an informed decision.

:( okay.

So, for "Windows 10 Version 1909 and Windows Server Version 1909 Security Baseline" I find the following Analyzer rulesets in the documentation folder:

MSFT-WS2019-DomainController-FINAL.PolicyRules
MSFT-WS2019-MemberServer-FINAL.PolicyRules

For the "Windows-10-Windows Server-v20H2-Security-Baseline-FINAL" I only find

MSFT-Win10-WS-v20H2-FINAL.PolicyRules

Was that forgotten, or was it decided that there will be no more server PolicyRules included?

We used to provide separate PolicyRule files, but as we thought more about it and spoke with customers, it became clear one was okay since the filter in Policy Analyzer can achieve the same result.