security compliance toolkit
9 Topics

Microsoft Policy Analyzer 4.0 crashes after applying April updates
Good morning community!! After applying the security/.NET patches corresponding to April, the Policy Analyzer is not working anymore... In detail:

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
Deleted because the system does not permit publishing it

************** Loaded Assemblies **************
mscorlib
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.9032.0 built by: NET481REL1
    CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll
----------------------------------------
PolicyAnalyzer
    Assembly Version: 4.0.2004.13001
    Win32 Version: 4.0.2004.13001
    CodeBase: file:///C:/Personal/PolicyAnalyzer/PolicyAnalyzer/PolicyAnalyzer_40/PolicyAnalyzer.exe
----------------------------------------
System.Windows.Forms
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.9032.0 built by: NET481REL1
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.9032.0 built by: NET481REL1
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Drawing
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.9032.0 built by: NET481REL1
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Configuration
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.9032.0 built by: NET481REL1
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Xml
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.9032.0 built by: NET481REL1
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
Accessibility
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.9032.0 built by: NET481REL1
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Accessibility/v4.0_4.0.0.0__b03f5f7f11d50a3a/Accessibility.dll
----------------------------------------
System.Core
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.9032.0 built by: NET481REL1
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll
----------------------------------------

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

<configuration>
    <system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.

It was working fine since patching apply. I tried to uninstall the patches, but the error still remains. Any clue to fix this? Thank you!!

Solved, 507 Views, 1 like, 18 Comments

[Updates] GPOs Configure Automatic Updates vs. Specify deadlines for automatic updates and restarts
Dear all, we have about 500 Windows servers in our standalone WSUS environment. I would like to change the local GPOs for the (new) non-AD members, so that compliance related to Windows Updates improves. As of today, we mostly use the GPO Configure Automatic Updates with AU option 4 (schedule the install).

As far as I know, the new GPO “Specify deadlines for automatic updates and restarts” ignores the Configure Automatic Updates GPO with all the AU options (see https://learn.microsoft.com/en-us/windows/deployment/update/wufb-compliancedeadlines), so they cannot be combined.

Question 1: Is it true? Do you have some up-to-date information about that?

Reading through the update baselines (https://www.microsoft.com/en-us/download/details.aspx?id=101056), as far as I can see, the Configure Automatic Updates GPO will not be supported in the future, and some related GPO settings are not even recommended for this reason because they might not work as intended.

Question 2: Is it true? Do you have some up-to-date information about what is still supported?

Question 3: Do you know of a deadline for Microsoft to deprecate the Configure Automatic Updates GPO? (We are planning to have some scheduler settings to begin the installation of Windows Updates and, as far as I can see, “Specify deadlines for automatic updates and restarts” cannot do that (it can only schedule the restart), and the Configure Automatic Updates GPO seems to be slowly moving out of support.)

I also checked this material but could not find focused material for Windows Updates only, especially for servers: https://www.microsoft.com/en-us/download/details.aspx?id=55319

Question 4: Do you know where to find such material for Windows Updates only, or whom to ask for it? (Mostly for Windows Server 2016, 2019 and 2022.)

Many thanks upfront for your answers.

948 Views, 0 likes, 2 Comments

Server 2025 Security Baseline breaks Failover Cluster
Hello everyone, while testing the Server 2025 Security Baseline with our Hyper-V hosts in a Failover Cluster, we noticed the Cluster Service (ClusSvc) was unable to start correctly. It failed with Event 7024 - "A specified authentication package is unknown". From testing and the event logs, we noticed that the .dll file "CLUSAUTHMGR.DLL" was unable to load. After setting "Allow Custom SSPs and APs to be loaded into LSASS" to "Disabled", we were able to start the service again. I assume that the cluster auth manager .dll is not recognized as a trusted Microsoft SSP/AP and is therefore blocked as "custom" when enabling this setting. Has anyone tested this using Hyper-V clusters and/or made similar observations?

(P.S.: Before debugging, we should have googled, since apparently we are not the only ones to have this issue: Failover Cluster Service won’t start on Server 2025 | Jigsolving)

262 Views, 0 likes, 1 Comment

Your connection isn't private on Edge after hardening plus no home page
Hi, we are in the process of setting up a policy for organizational users using Edge and GPO. We have had a few hiccups, two of which I would be happy for assistance with fixing. It's important that all the fixes are via the GPO settings (ADMX as of build 101 of Edge).

The first issue is that when the browser starts, we want it to open to our organizational portal, but it opens to "edge://newtab". We managed to set the home page (when you click the home icon) to our portal, but can't figure out how to get Edge to always open with our portal as the main page.

The second issue is even more problematic. On some external web sites, even those you would not expect to get it, we get a "Your connection isn't private" message (when trying to browse to "www.google.com", for example), and the internal error is "NET::ERR_CERT_NO_REVOCATION_MECHANISM". We don't have this issue with IE or Chrome to the same websites on the same ws's. And we don't have this issue with internal websites. Does anyone have any idea why this is happening only on Edge and what the parameter is that could be causing this? Again, it does not happen on all web sites. Some web sites that give this error allow us to move forwards, while others, like Google, won't even allow that.

Would appreciate any help.
Mike

20K Views, 0 likes, 7 Comments

Microsoft Security Compliance Toolkit 1.0 and Azure Automanage Machine Configuration
I'm looking at deploying a number of Windows images in Azure with Security Baselines applied from the Microsoft Security Compliance Toolkit, all being managed by https://learn.microsoft.com/en-us/azure/governance/machine-configuration/?view=dsc-2.0 .

1) Has anyone already done this? Are there tips/tricks/lessons learned that can be shared?
2) Is there any "pre-integrated" methodology to deploy Azure Windows VMs with current Security Compliance Toolkit Security Baselines, similar to the DoD STIG "Easy Button" approach? (see https://learn.microsoft.com/en-us/azure/azure-government/documentation-government-stig-windows-vm)

[Apologies in Advance - Azure Automanage newbie...]

1.9K Views, 0 likes, 2 Comments

Policy Analyzer showing incorrect values
Today I created a backup of my group policy objects and compared them to Microsoft's baselines. But the GPO backup seems to be displaying the wrong values in Policy Analyzer. As seen in this picture on the left, the policy settings RestrictAnonymous and RestrictAnonymousSam are set to 0 according to my GPO backup. Both of these say the Default Domain Policy is setting them to 0. But when I open up the Default Domain Policy on the right, you can see that these values are both set to 1. I have tried three times now to back up and re-import the GPO into the Policy Analyzer, but the values are still appearing incorrectly. These are not the only values that this is happening to. I noticed some of the values are grayed out, when they actually have been set.

5K Views, 0 likes, 12 Comments

Intent behind configuring Network Protection but not enabling it in Windows Server Baselines
What is the intent behind the following two settings in the Windows Server 2019/2022 Baseline:

Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection
Prevent users and apps from accessing dangerous websites
Block

Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection
This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server.

In Windows Server, Network Protection is not enabled by default, so when the 2nd setting is left unconfigured, the first setting cannot and does not work. Why configure it then?

837 Views, 0 likes, 0 Comments