SOLVED

SCT installation - standalone Windows 2019 server?

%3CLINGO-SUB%20id%3D%22lingo-sub-1888763%22%20slang%3D%22en-US%22%3ESCT%20installation%20-%20standalone%20Windows%202019%20server%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1888763%22%20slang%3D%22en-US%22%3E%3CP%3EAnyone%20try%20installing%20the%20SCT%20baseline%20on%20a%20standalone%20instance%20of%20Win2019%3F%26nbsp%3B%20When%20I%20try%20the%20install%20of%20the%20baseline%20on%20the%20host%20and%20reboot%2C%20I%20get%20punted%20to%20the%20repair%20window%20at%20boot.%26nbsp%3B%20Does%20anyone%20know%20how%20to%20perform%20the%20standalone%20install%20without%20incurring%20a%20boot%20repair%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%2220201115%20-%20SCT%20install%20Win2019%20error%20on%20boot.png%22%20style%3D%22width%3A%20614px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F233655i8B1C4CE25F044FD8%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%2220201115%20-%20SCT%20install%20Win2019%20error%20on%20boot.png%22%20alt%3D%2220201115%20-%20SCT%20install%20Win2019%20error%20on%20boot.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EProcess%20summary%20(install%20via%20Hyper-V%20lab)%3A%3C%2FP%3E%3CUL%3E%3CLI%3EInstall%20Windows%202019%20(w%2Fdesktop%20experience)%3CUL%3E%3CLI%3E2GB%20RAM%3C%2FLI%3E%3CLI%3E127GB%20disk%3C%2FLI%3E%3CLI%3E2%20vCPU%3C%2FLI%3E%3C%2FUL%3E%3C%2FLI%3E%3CLI%3ECopy%20SCT%20component%20to%20the%20new%20Win2019%20VM%20(in%20c%3A%5Ctemp)%20and%20extract%3CUL%3E%3CLI%3ELGPO.zip%3C%2FLI%3E%3CLI%3EPolicyAnalyzer.zip%3C%2FLI%3E%3CLI%3EWindows%2010%20Version%201809%20and%20Windows%20Server%202019%20Security%20Baseline.zip%3C%2FLI%3E%3C%2FUL%3E%3C%2FLI%3E%3CLI%3ECopy%20the%20LGPO.exe%20binary%20to%20the%20baseline%20Local_Script%2FTools%20dir%3C%2FLI%3E%3CLI%3EOpen%20an%20admin%20powershell%20window%2C%20navigate%20to%20the%20appropriate%20baseline%20dir%2C%20run%20the%20installer%20script%20with%20the%20appropriate%20standalone%20switch%3CUL%3E%3CLI%3EBaselineLocalInstall.ps1%20-WS2019NonDomainJoined%3C%2FLI%3E%3C%2FUL%3E%3C%2FLI%3E%3CLI%3EOnce%20the%20installation%20of%20the%20system%20modifications%20are%20complete%2C%20reboot%3C%2FLI%3E%3C%2FUL%3E%3CP%3EAny%20suggestions%20would%20be%20appreciated.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ET.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1888817%22%20slang%3D%22en-US%22%3ERe%3A%20SCT%20installation%20-%20standalone%20Windows%202019%20server%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1888817%22%20slang%3D%22en-US%22%3ESet-ExecutionPolicy%20RemoteSigned%20didn't%20help.%3CBR%20%2F%3E%3CBR%20%2F%3ET.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1918270%22%20slang%3D%22en-US%22%3ERE%3A%20SCT%20installation%20-%20standalone%20Windows%202019%20server%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1918270%22%20slang%3D%22en-US%22%3EIs%20'Secure%20Launch%20'%20enabled%3F%20'Computer%20Configuration%5CAdministrative%20Templates%5CSystem%5CDevice%20Guard%5CTurn%20On%20Virtualization%20Based%20Security'%20Disable%20it%20via%20gpedit.msc.%3C%2FLINGO-BODY%3E
Occasional Contributor

Anyone try installing the SCT baseline on a standalone instance of Win2019?  When I try the install of the baseline on the host and reboot, I get punted to the repair window at boot.  Does anyone know how to perform the standalone install without incurring a boot repair?

 

20201115 - SCT install Win2019 error on boot.png

 

Process summary (install via Hyper-V lab):

  • Install Windows 2019 (w/desktop experience)
    • 2GB RAM
    • 127GB disk
    • 2 vCPU
  • Copy SCT component to the new Win2019 VM (in c:\temp) and extract
    • LGPO.zip
    • PolicyAnalyzer.zip
    • Windows 10 Version 1809 and Windows Server 2019 Security Baseline.zip
  • Copy the LGPO.exe binary to the baseline Local_Script/Tools dir
  • Open an admin powershell window, navigate to the appropriate baseline dir, run the installer script with the appropriate standalone switch
    • BaselineLocalInstall.ps1 -WS2019NonDomainJoined
  • Once the installation of the system modifications are complete, reboot

Any suggestions would be appreciated.

 

Thanks,

 

T.

4 Replies
Set-ExecutionPolicy RemoteSigned didn't help.

T.
Best Response confirmed by Rick_Munck (Microsoft)
Solution
Is 'Secure Launch ' enabled? 'Computer Configuration\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security' Disable it via gpedit.msc.

My thanks - your fix regarding the disablement of "Secure Launch" via gpedit.msc seems to have done the trick.

 

T.