User Profile
jiecui
Copper Contributor
Joined Apr 13, 2023
User Widgets
Recent Discussions
Security baseline script not working
Recently I tried to run the security baseline script on the Win 2019 (Version 1809, OS Build 17763.4252) . But always failed ( can't see any change on the password length for example). Here below is the log files. Not sure if there are any experts can instruct me how to solve this? Many thanks in advance. ------------------here below is the log----------------------------- Baseline-LocalInstall.ps1, 4/14/2023 9:30:28 AM -------------------------------------------------------------------------------------------------- Windows Server - non-domain-joined GPOs to be installed: MSFT Internet Explorer 11 - Computer MSFT Internet Explorer 11 - User MSFT Windows 10 1909 and Server 1909 - Defender Antivirus MSFT Windows 10 1909 and Server 1909 - Domain Security MSFT Windows 10 1909 and Server 1909 Member Server - Credential Guard MSFT Windows Server 1909 - Member Server ================================================================================================== Copy custom administrative templates... ================================================================================================== Configuring Client Side Extensions... LGPO.exe v2.2 - Local Group Policy Object utility Enabling Group Policy client side extension for local policy: Mitigation Options Enabling Group Policy client side extension for local policy: Advanced Audit Policy Configuration Enabling Group Policy client side extension for local policy: Internet Explorer Zone Mapping Enabling Group Policy client side extension for local policy: Device Guard, Virtualization Based Security ================================================================================================== -------------------------------------------------------------------------------------------------- Applying GPO "MSFT Internet Explorer 11 - Computer"... -------------------------------------------------------------------------------------------------- LGPO.exe v2.2 - Local Group Policy Object utility Import Machine settings from registry.pol: ..\GPOs\{6E2073CE-B1B5-4A0F-B1E4-C007BD052B18}\DomainSysvol\GPO\Machine\registry.pol ; ---------------------------------------------------------------------- ; PROCESSING Computer POLICY ; Source file: ..\GPOs\{6E2073CE-B1B5-4A0F-B1E4-C007BD052B18}\DomainSysvol\GPO\Machine\registry.pol Computer Software\Microsoft\Windows\CurrentVersion\Policies\Ext RunThisTimeEnabled DWORD:0 Computer Software\Microsoft\Windows\CurrentVersion\Policies\Ext VersionCheckEnabled DWORD:1 Computer Software\Policies\Microsoft\Internet Explorer\Download RunInvalidSignatures DWORD:0 Computer Software\Policies\Microsoft\Internet Explorer\Download CheckExeSignatures SZ:yes Computer Software\Policies\Microsoft\Internet Explorer\Main Isolation64Bit DWORD:1 Computer Software\Policies\Microsoft\Internet Explorer\Main DisableEPMCompat DWORD:1 Computer Software\Policies\Microsoft\Internet Explorer\Main Isolation SZ:PMEM Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL (Reserved) SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL iexplore.exe SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL explorer.exe SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING explorer.exe SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING iexplore.exe SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING (Reserved) SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING explorer.exe SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING iexplore.exe SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING (Reserved) SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL (Reserved) SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL explorer.exe SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL iexplore.exe SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD (Reserved) SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD iexplore.exe SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD explorer.exe SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND (Reserved) SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND iexplore.exe SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND explorer.exe SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS iexplore.exe SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS (Reserved) SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS explorer.exe SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION (Reserved) SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION explorer.exe SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION iexplore.exe SZ:1 Computer Software\Policies\Microsoft\Internet Explorer\PhishingFilter PreventOverrideAppRepUnknown DWORD:1 Computer Software\Policies\Microsoft\Internet Explorer\PhishingFilter PreventOverride DWORD:1 Computer Software\Policies\Microsoft\Internet Explorer\PhishingFilter EnabledV9 DWORD:1 Computer Software\Policies\Microsoft\Internet Explorer\Restrictions NoCrashDetection DWORD:1 Computer Software\Policies\Microsoft\Internet Explorer\Security DisableSecuritySettingsCheck DWORD:0 Computer Software\Policies\Microsoft\Internet Explorer\Security\ActiveX BlockNonAdminActiveXInstall DWORD:1 Computer Software\Policies\Microsoft\Windows\AxInstaller OnlyUseAXISForActiveXInstall DWORD:1 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Security_zones_map_edit DWORD:1 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Security_options_edit DWORD:1 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Security_HKLM_only DWORD:1 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings CertificateRevocation DWORD:1 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings PreventIgnoreCertErrors DWORD:1 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings WarnOnBadCertRecving DWORD:1 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings EnableSSL3Fallback DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings SecureProtocols DWORD:2560 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 1C00 DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 1C00 DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 1C00 DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 2301 DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 2301 DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 1C00 DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap UNCAsIntranet DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1C00 DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 270C DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 270C DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1201 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1C00 DWORD:65536 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1C00 DWORD:65536 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 270C DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1201 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2001 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2102 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1802 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 160A DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1201 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1804 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2200 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1209 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1206 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1809 DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2500 DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2103 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1606 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2402 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2004 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1C00 DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1001 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1A00 DWORD:65536 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2708 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1004 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 120b DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1407 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1409 DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 270C DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1607 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2709 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2101 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2301 DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1806 DWORD:1 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 120c DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 140C DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1608 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1201 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1001 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1607 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 120b DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1809 DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1004 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1606 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1407 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 160A DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1406 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 2102 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 2004 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 2200 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 2000 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1402 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1803 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 2402 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1400 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1A00 DWORD:196608 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 2001 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 2500 DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1409 DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1C00 DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1209 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 270C DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1206 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 2708 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1802 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 2103 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 2709 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1405 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 2101 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 2301 DWORD:0 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1200 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1804 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1806 DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 120c DWORD:3 Computer Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 140C DWORD:3 ; Computer POLICY SAVED. ; ---------------------------------------------------------------------- ================================================================================================== -------------------------------------------------------------------------------------------------- Applying GPO "MSFT Internet Explorer 11 - User"... -------------------------------------------------------------------------------------------------- LGPO.exe v2.2 - Local Group Policy Object utility Import User settings from registry.pol: ..\GPOs\{4E60D2FB-5E65-4AAB-843E-836833DEFA15}\DomainSysvol\GPO\User\registry.pol ; ---------------------------------------------------------------------- ; PROCESSING User POLICY ; Source file: ..\GPOs\{4E60D2FB-5E65-4AAB-843E-836833DEFA15}\DomainSysvol\GPO\User\registry.pol User Software\Policies\Microsoft\Internet Explorer\Control Panel FormSuggest Passwords DWORD:1 User Software\Policies\Microsoft\Internet Explorer\Main FormSuggest PW Ask SZ:no User Software\Policies\Microsoft\Internet Explorer\Main FormSuggest Passwords SZ:no ; User POLICY SAVED. ; ---------------------------------------------------------------------- ================================================================================================== -------------------------------------------------------------------------------------------------- Applying GPO "MSFT Windows 10 1909 and Server 1909 - Defender Antivirus"... -------------------------------------------------------------------------------------------------- LGPO.exe v2.2 - Local Group Policy Object utility Import Machine settings from registry.pol: ..\GPOs\{6359FA45-B4E8-4B56-864A-591B4DD8642C}\DomainSysvol\GPO\Machine\registry.pol ; ---------------------------------------------------------------------- ; PROCESSING Computer POLICY ; Source file: ..\GPOs\{6359FA45-B4E8-4B56-864A-591B4DD8642C}\DomainSysvol\GPO\Machine\registry.pol Computer Software\Policies\Microsoft\Windows Defender PUAProtection DWORD:1 Computer Software\Policies\Microsoft\Windows Defender\Real-Time Protection DisableBehaviorMonitoring DWORD:0 Computer Software\Policies\Microsoft\Windows Defender\Scan DisableRemovableDriveScanning DWORD:0 Computer Software\Policies\Microsoft\Windows Defender\Spynet SubmitSamplesConsent DWORD:1 Computer Software\Policies\Microsoft\Windows Defender\Spynet SpynetReporting DWORD:2 Computer Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR ExploitGuard_ASR_Rules DWORD:1 Computer Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 SZ:1 Computer Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules 3b576869-a4ec-4529-8536-b80a7769e899 SZ:1 Computer Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules d4f940ab-401b-4efc-aadc-ad5f3c50688a SZ:1 Computer Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B SZ:1 Computer Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules 5beb7efe-fd9a-4556-801d-275e5ffc04cc SZ:1 Computer Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules d3e037e1-3eb8-44c8-a917-57927947596d SZ:1 Computer Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 SZ:1 Computer Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 SZ:1 Computer Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 SZ:1 Computer Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules 26190899-1602-49e8-8b27-eb1d0a1ce869 SZ:1 Computer Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c SZ:1 Computer Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection EnableNetworkProtection DWORD:1 ; Computer POLICY SAVED. ; ---------------------------------------------------------------------- ================================================================================================== -------------------------------------------------------------------------------------------------- Applying GPO "MSFT Windows 10 1909 and Server 1909 - Domain Security"... -------------------------------------------------------------------------------------------------- LGPO.exe v2.2 - Local Group Policy Object utility Nothing to do. LGPO.exe has four modes: * Import and apply policy settings; * Export local policy to a GPO backup; * Parse a registry.pol file to "LGPO text" format; * Build a registry.pol file from "LGPO text". To apply policy settings: LGPO.exe command [...] where "command" is one or more of the following (each of which can be repeated): /g path import settings from one or more GPO backups under "path" /m path\registry.pol import settings from registry.pol into machine config /u path\registry.pol import settings from registry.pol into user config /ua path\registry.pol import settings from registry.pol into user config for Administrators /un path\registry.pol import settings from registry.pol into user config for Non-Administrators /u:username path\registry.pol import settings from registry.pol into user config for local user specified by "username" /s path\GptTmpl.inf apply security template /a[c] path\Audit.csv apply advanced auditing settings; /ac to clear policy first /t path\lgpo.txt apply registry commands from LGPO text /e <name>|<guid> enable GP extension for local policy processing; specify a GUID, or one of these names: * "zone" for IE zone mapping extension * "mitigation" for mitigation options, including font blocking * "audit" for advanced audit policy configuration * "LAPS" for Local Administrator Password Solution * "DGVBS" for Device Guard virtualization-based security * "DGCI" for Device Guard code integrity policy /boot reboot after applying policies /v verbose output /q quiet output (no headers) To create a GPO backup from local policy: LGPO.exe /b path [/n GPO-name] /b path Create GPO backup in "path" /n GPO-name Optional GPO display name (use quotes if it contains spaces) To parse a Registry.pol file to LGPO text (stdout): LGPO.exe /parse [/q] {/m|/u|/ua|/un|/u:username} path\registry.pol /m path\registry.pol parse registry.pol as machine config commands /u path\registry.pol parse registry.pol as user config commands /ua path\registry.pol parse registry.pol as user config for Administrators /un path\registry.pol parse registry.pol as user config for Non-Administrators /u:username path\registry.pol parse registry.pol as user config for local user specified by "username" /q quiet output (no headers) To build a Registry.pol file from LGPO text: LGPO.exe /r path\lgpo.txt /w path\registry.pol [/v] /r path\lgpo.txt Read input from LGPO text file /w path\registry.pol Write new registry.pol file (See the documentation for more information and examples.) ================================================================================================== -------------------------------------------------------------------------------------------------- Applying GPO "MSFT Windows 10 1909 and Server 1909 Member Server - Credential Guard"... -------------------------------------------------------------------------------------------------- LGPO.exe v2.2 - Local Group Policy Object utility Import Machine settings from registry.pol: ..\GPOs\{BA64EEBE-B4EC-47F2-BED8-C53274D6CDF2}\DomainSysvol\GPO\Machine\registry.pol ; ---------------------------------------------------------------------- ; PROCESSING Computer POLICY ; Source file: ..\GPOs\{BA64EEBE-B4EC-47F2-BED8-C53274D6CDF2}\DomainSysvol\GPO\Machine\registry.pol Computer SOFTWARE\Policies\Microsoft\Windows\DeviceGuard EnableVirtualizationBasedSecurity DWORD:1 Computer SOFTWARE\Policies\Microsoft\Windows\DeviceGuard RequirePlatformSecurityFeatures DWORD:1 Computer SOFTWARE\Policies\Microsoft\Windows\DeviceGuard HypervisorEnforcedCodeIntegrity DWORD:1 Computer SOFTWARE\Policies\Microsoft\Windows\DeviceGuard HVCIMATRequired DWORD:0 Computer SOFTWARE\Policies\Microsoft\Windows\DeviceGuard LsaCfgFlags DWORD:1 Computer SOFTWARE\Policies\Microsoft\Windows\DeviceGuard ConfigureSystemGuardLaunch DWORD:1 ; Computer POLICY SAVED. ; ---------------------------------------------------------------------- ================================================================================================== -------------------------------------------------------------------------------------------------- Applying GPO "MSFT Windows Server 1909 - Member Server"... -------------------------------------------------------------------------------------------------- LGPO.exe v2.2 - Local Group Policy Object utility Import Machine settings from registry.pol: ..\GPOs\{3657C7A2-3FF3-4C21-9439-8FDF549F1D68}\DomainSysvol\GPO\Machine\registry.pol ; ---------------------------------------------------------------------- ; PROCESSING Computer POLICY ; Source file: ..\GPOs\{3657C7A2-3FF3-4C21-9439-8FDF549F1D68}\DomainSysvol\GPO\Machine\registry.pol Computer Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun DWORD:255 Computer Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoAutorun DWORD:1 Computer Software\Microsoft\Windows\CurrentVersion\Policies\System DisableAutomaticRestartSignOn DWORD:1 Computer Software\Microsoft\Windows\CurrentVersion\Policies\System LocalAccountTokenFilterPolicy DWORD:0 Computer Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters AllowEncryptionOracle DWORD:0 Computer Software\Policies\Microsoft\Biometrics\FacialFeatures EnhancedAntiSpoofing DWORD:1 Computer Software\Policies\Microsoft\Internet Explorer\Feeds DisableEnclosureDownload DWORD:1 Computer Software\Policies\Microsoft\Windows\CredentialsDelegation AllowProtectedCreds DWORD:1 Computer Software\Policies\Microsoft\Windows\EventLog\Application MaxSize DWORD:32768 Computer Software\Policies\Microsoft\Windows\EventLog\Security MaxSize DWORD:196608 Computer Software\Policies\Microsoft\Windows\EventLog\System MaxSize DWORD:32768 Computer Software\Policies\Microsoft\Windows\Explorer NoAutoplayfornonVolume DWORD:1 Computer Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} NoBackgroundPolicy DWORD:0 Computer Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} NoGPOListChanges DWORD:0 Computer Software\Policies\Microsoft\Windows\Installer AlwaysInstallElevated DWORD:0 Computer Software\Policies\Microsoft\Windows\Installer EnableUserControl DWORD:0 Computer Software\Policies\Microsoft\Windows\Kernel DMA Protection DeviceEnumerationPolicy DWORD:0 Computer Software\Policies\Microsoft\Windows\LanmanWorkstation AllowInsecureGuestAuth DWORD:0 Computer Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths \\*\SYSVOL SZ:RequireMutualAuthentication=1,RequireIntegrity=1 Computer Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths \\*\NETLOGON SZ:RequireMutualAuthentication=1,RequireIntegrity=1 Computer Software\Policies\Microsoft\Windows\Personalization NoLockScreenCamera DWORD:1 Computer Software\Policies\Microsoft\Windows\Personalization NoLockScreenSlideshow DWORD:1 Computer Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging EnableScriptBlockLogging DWORD:1 Computer Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging EnableScriptBlockInvocationLogging DELETE Computer Software\Policies\Microsoft\Windows\System EnumerateLocalUsers DWORD:0 Computer Software\Policies\Microsoft\Windows\System EnableSmartScreen DWORD:1 Computer Software\Policies\Microsoft\Windows\System ShellSmartScreenLevel SZ:Block Computer Software\Policies\Microsoft\Windows\Windows Search AllowIndexingEncryptedStoresOrItems DWORD:0 Computer Software\Policies\Microsoft\Windows\WinRM\Client AllowBasic DWORD:0 Computer Software\Policies\Microsoft\Windows\WinRM\Client AllowUnencryptedTraffic DWORD:0 Computer Software\Policies\Microsoft\Windows\WinRM\Client AllowDigest DWORD:0 Computer Software\Policies\Microsoft\Windows\WinRM\Service AllowBasic DWORD:0 Computer Software\Policies\Microsoft\Windows\WinRM\Service AllowUnencryptedTraffic DWORD:0 Computer Software\Policies\Microsoft\Windows\WinRM\Service DisableRunAs DWORD:1 Computer Software\Policies\Microsoft\Windows NT\DNSClient EnableMulticast DWORD:0 Computer Software\Policies\Microsoft\Windows NT\Rpc RestrictRemoteClients DWORD:1 Computer Software\Policies\Microsoft\Windows NT\Terminal Services DisablePasswordSaving DWORD:1 Computer Software\Policies\Microsoft\Windows NT\Terminal Services fDisableCdm DWORD:1 Computer Software\Policies\Microsoft\Windows NT\Terminal Services fPromptForPassword DWORD:1 Computer Software\Policies\Microsoft\Windows NT\Terminal Services fEncryptRPCTraffic DWORD:1 Computer Software\Policies\Microsoft\Windows NT\Terminal Services MinEncryptionLevel DWORD:3 Computer Software\Policies\Microsoft\WindowsFirewall PolicyVersion DWORD:538 Computer Software\Policies\Microsoft\WindowsFirewall\DomainProfile DefaultOutboundAction DWORD:0 Computer Software\Policies\Microsoft\WindowsFirewall\DomainProfile DefaultInboundAction DWORD:1 Computer Software\Policies\Microsoft\WindowsFirewall\DomainProfile EnableFirewall DWORD:1 Computer Software\Policies\Microsoft\WindowsFirewall\PrivateProfile EnableFirewall DWORD:1 Computer Software\Policies\Microsoft\WindowsFirewall\PrivateProfile DefaultInboundAction DWORD:1 Computer Software\Policies\Microsoft\WindowsFirewall\PrivateProfile DefaultOutboundAction DWORD:0 Computer Software\Policies\Microsoft\WindowsFirewall\PublicProfile EnableFirewall DWORD:1 Computer Software\Policies\Microsoft\WindowsFirewall\PublicProfile DefaultOutboundAction DWORD:0 Computer Software\Policies\Microsoft\WindowsFirewall\PublicProfile DefaultInboundAction DWORD:1 Computer Software\Policies\Microsoft\WindowsInkWorkspace AllowWindowsInkWorkspace DWORD:1 Computer Software\Policies\Microsoft Services\AdmPwd AdmPwdEnabled DWORD:1 Computer SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest UseLogonCredential DWORD:0 Computer SYSTEM\CurrentControlSet\Control\Session Manager\kernel DisableExceptionChainValidation DWORD:0 Computer SYSTEM\CurrentControlSet\Policies\EarlyLaunch DriverLoadPolicy DWORD:3 Computer SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters SMB1 DWORD:0 Computer SYSTEM\CurrentControlSet\Services\MrxSmb10 Start DWORD:4 Computer SYSTEM\CurrentControlSet\Services\Netbt\Parameters NoNameReleaseOnDemand DWORD:1 Computer SYSTEM\CurrentControlSet\Services\Netbt\Parameters NodeType DWORD:2 Computer SYSTEM\CurrentControlSet\Services\Tcpip\Parameters EnableICMPRedirect DWORD:0 Computer SYSTEM\CurrentControlSet\Services\Tcpip\Parameters DisableIPSourceRouting DWORD:2 Computer SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters DisableIPSourceRouting DWORD:2 ; Computer POLICY SAVED. ; ---------------------------------------------------------------------- Import User settings from registry.pol: ..\GPOs\{3657C7A2-3FF3-4C21-9439-8FDF549F1D68}\DomainSysvol\GPO\User\registry.pol ; ---------------------------------------------------------------------- ; PROCESSING User POLICY ; Source file: ..\GPOs\{3657C7A2-3FF3-4C21-9439-8FDF549F1D68}\DomainSysvol\GPO\User\registry.pol ; User POLICY SAVED. ; ---------------------------------------------------------------------- ================================================================================================== Non-domain-joined: back out the local-account restrictions... LGPO.exe v2.2 - Local Group Policy Object utility Apply security template: ConfigFiles\DeltaForNonDomainJoined.inf ---------------------------------------------------------------------- PROCESSING SECURITY TEMPLATE: ConfigFiles\DeltaForNonDomainJoined.inf C:\Windows\system32\secedit.exe /configure /db "C:\Users\Operator\AppData\Local\Temp\1\GPT8E4C.tmp" /cfg "ConfigFiles\DeltaForNonDomainJoined.inf" /log "C:\Users\Operator\AppData\Local\Temp\1\GPT8E4D.tmp" /overwrite /quiet [[[ Security template log file output follows: C:\Users\Operator\AppData\Local\Temp\1\GPT8E4D.tmp ]]] Completed 1 percent (0/63) Process Privilege Rights area Completed 25 percent (15/63) Process Privilege Rights area Completed 25 percent (15/63) Process Group Membership area Completed 49 percent (30/63) Process Group Membership area Completed 49 percent (30/63) Process Registry Keys area Completed 49 percent (30/63) Process File Security area Completed 49 percent (30/63) Process Services area Completed 65 percent (40/63) Process Services area Completed 73 percent (45/63) Process Services area Completed 73 percent (45/63) Process Security Policy area Completed 77 percent (48/63) Process Security Policy area Completed 84 percent (52/63) Process Security Policy area Completed 88 percent (55/63) Process Security Policy area Completed 93 percent (58/63) Process Security Policy area Completed 100 percent (63/63) Process Security Policy area The task has completed successfully. SECEDIT.EXE exited with exit code 0 ---------------------------------------------------------------------- Apply registry-based settings from LGPO text file: ConfigFiles\DeltaForNonDomainJoined.txt PROCESSING INPUT FILE FOR REGISTRY-BASED POLICY: ConfigFiles\DeltaForNonDomainJoined.txt Computer Configuration Software\Microsoft\Windows\CurrentVersion\Policies\System LocalAccountTokenFilterPolicy REG_DWORD 1 Computer Configuration Software\Policies\Microsoft\Windows NT\Rpc RestrictRemoteClients REG_DWORD 0 POLICY SAVED. ----------------------------------------------------------------------4.1KViews0likes2Comments
Recent Blog Articles
No content to show