compliance
5 Topics

Question Regarding Server 2022 Domain & Controller MSCT baselines
I have a basic 'Newbie' question regarding the MSCT baselines. I see the GPO for 'MSFT Windows Server 2022 - Domain Controller' and also 'MSFT Windows Server 2022 - Member Server'. I just want to confirm that we should only apply the 'MSFT Windows Server 2022 - Domain Controller' policies to our DCs, and not the Member Server policies as well. While this seems obvious, I just want to make sure.
1.6K Views, 0 likes, 6 Comments

[Updates] GPOs Configure Automatic Updates vs. Specify deadlines for automatic updates and restarts
Dear all, we have about 500 Windows servers in our Standalone WSUS environment. I would like to change local GPOs for the (new) non-AD-members, so the compliance related to Windows Updates improves. Mostly we are using the GPO Configure Automatic Updates with AU option 4 (schedule the install) as of today.

As far as I know, the new GPO “Specify deadlines for automatic updates and restarts” ignores the Configure Automatic Updates GPO with all the AU options (See https://learn.microsoft.com/en-us/windows/deployment/update/wufb-compliancedeadlines), so they cannot be combined.
Question 1: Is it true? Do you have some up-to-date information about that?

Reading through the update baselines https://www.microsoft.com/en-us/download/details.aspx?id=101056, as far as I can see, the Configure Automatic Updates GPO will not be supported in the future, and some related GPO settings are not even recommended for this reason because they might not work as intended.
Question 2: Is it true? Do you have some up-to-date information about what is still supported?
Question 3: Do you know a deadline to deprecate the Configure Automatic Update GPO by Microsoft? (We are planning to have some scheduler settings to begin the installation of Windows Updates and, as I can see, “Specify deadlines for automatic updates and restarts” cannot do that (it can only schedule the restart) and the Configure Automatic Update GPO seems to be moved out from support slowly.)

I also checked this material but could not find focused material for Windows Updates only, especially for servers: https://www.microsoft.com/en-us/download/details.aspx?id=55319
Question 4: Do you know where to find such material for Windows Updates only, or who to ask for it? (Mostly for Windows Server 2016, 2019 and 2022.)

Many thanks upfront for your answers.
833 Views, 0 likes, 0 Comments

Microsoft Security Compliance Toolkit 1.0 and Azure Automanage Machine Configuration
I'm looking at deploying a number of Windows images in Azure with Security Baselines applied from the Microsoft Security Compliance Toolkit, all being managed by https://learn.microsoft.com/en-us/azure/governance/machine-configuration/?view=dsc-2.0.
1) Has anyone already done this? Are there tips/tricks/lessons learned that can be shared?
2) Is there any "pre-integrated" methodology to deploy Azure Windows VMs with current Security Compliance Toolkit Security Baselines, similar to the DoD STIG "Easy Button" approach? (see https://learn.microsoft.com/en-us/azure/azure-government/documentation-government-stig-windows-vm)
[Apologies in Advance - Azure Automanage newbie...]
1.8K Views, 0 likes, 2 Comments

Continuous ATO when new services installed
What is the best process used to add new services to an environment and meet compliance? Does the new service need an ATO? Does Azure need a Continuous ATO process? How to conduct a review of the product baseline against existing Azure baselines? I am experienced in on-prem FISMA but new to cloud compliance.
762 Views, 1 like, 1 Comment

Unable to Create Import Configuration Data - SCCM DCM (.CAB) Files
Respected, Unable to Create "Import Configuration Data" - SCCM DCM (.CAB) File for SCCM. I would like to import the CIS baseline of Windows 2016 in SCCM under Configuration Baselines\Configuration Items using an option called "Import Configuration Data". I am unable to find a matching tool like SCM, where I can import a GPO and export it as an SCCM DCM (CAB) File. The same file can be imported in SCCM under Configuration Items/Configuration Baselines. I can use them for bulk deployment and to run compliance scans. My requirement is: CIS Baselines need to be imported into SCCM to run detailed Baseline reports.
1.1K Views, 0 likes, 0 Comments