Microsoft Zero Trust Assessment v2: Operationalizing Security with Precision
In an era where cyber threats evolve faster than ever, organizations can’t afford blind spots. Zero Trust is no longer optional it’s the foundation of modern security. With the release of the Microsoft Zero Trust Assessment v2, enterprises now have a powerful tool to measure, prioritize, and remediate security gaps with actionable intelligence. What Is Zero Trust Assessment v2? The Zero Trust Assessment is a security posture evaluation tool designed to help organizations operationalize Zero Trust principles. It automates checks across hundreds of configuration items aligned with: Secure Future Initiative (SFI) Zero Trust pillars: Identity, Devices, Applications, Data, Infrastructure and Networks Industry standards: NIST, CISA, CIS Microsoft’s internal security baselines Insights from thousands of real-world customer implementations How Does It Work? The assessment follows a structured, automated workflow: 1. Data Collection & Configuration Analysis Scans your Microsoft 365 environment and connected workloads. Evaluates identity configurations (e.g., MFA enforcement, conditional access policies). Reviews device compliance (e.g., Intune policies, OS hardening). Pulls telemetry from Azure AD, Microsoft Defender, and other integrated services. 2. Automated Testing Against Standards Runs hundreds of tests mapped to Zero Trust principles. Benchmarks your settings against: NIST Cybersecurity Framework CISA Zero Trust Maturity Model Microsoft security baselines Flags misconfigurations and policy gaps. 3. Risk Scoring & Prioritization Assigns risk levels based on: Impact (how critical the gap is) Effort (complexity of remediation) Provides a prioritized list of actions so you can focus on what matters most. 4. Actionable Recommendations Generates clear remediation steps not vague advice. Links to Microsoft Learn and security documentation for quick implementation. Suggests policy templates and automation scripts where applicable. 5. Comprehensive Reporting Delivers a detailed report with: Trends over time Risk heatmaps Compliance scores Enables executive dashboards for leadership visibility. Integration with Microsoft Security Tools Zero Trust Assessment v2 doesn’t operate in isolation it integrates seamlessly with Microsoft’s security ecosystem: Microsoft Defender for Endpoint Detects device vulnerabilities and feeds compliance data into the assessment. Microsoft Intune Ensures device configuration policies align with Zero Trust principles. Microsoft Sentinel Correlates assessment findings with threat intelligence for proactive incident response. Azure AD Conditional Access Validates identity policies like MFA and session controls. Microsoft Purview Extends Zero Trust to data governance and compliance. This integration ensures that remediation steps can be automated and enforced across your environment, reducing manual effort and accelerating security posture improvement. Sample Remediation Workflow Diagram Below is a simplified view of how remediation flows after an assessment: This closed-loop process ensures continuous improvement and operationalization of Zero Trust. Key Benefits Speed: Automates what used to take weeks of manual audits. Accuracy: Aligns with global standards and Microsoft’s own security posture. Operationalization: Moves Zero Trust from theory to practice with actionable steps. Future-Ready: Tests will soon be available enabling continuous improvement. Why This Matters Blind spots in identity or device security can lead to breaches, financial loss and reputational damage. Zero Trust Assessment v2 helps you: Respond faster to evolving threats. Reduce risk with prioritized remediation. Build resilience by embedding Zero Trust principles into daily operations.
Server 2025 Security Baseline breaks Failover Cluster
Hello everyone, while testing the Server 2025 Security Baseline with our Hyper-V Hosts in a Failover Cluster, we noticed the Cluster Service (ClusSvc) was unable to start correctly. It failed with Event 7024 - "A specified authentication package is unknown". From testing and the event logs, we noticed that the .dll file "CLUSAUTHMGR.DLL" was unable to load. After setting "Allow Custom SSPs and APs to be loaded into LSASS" to "Disabled", we were able to start the service again. I assume that the cluster auth manager .dll is not recognized as a trusted Microsoft SSP/AP and therefore blocked as "custom" when enabling this setting. Has anyone tested this using Hyper-V clusters and/or made similar observations? (P.S.: Before debugging, we should have googled, since apparently we are not the only one to have this issue: https://jigsolving.com/failover-cluster-service-wont-start-server-2025/
Microsoft Policy Analyzer 4.0 crashes after apply April updates
Good morning community !! After apply security/.NET patches corresponding to April, the policy analyzer is not working anymore... On details See the end of this message for details on invoking just-in-time (JIT) debugging instead of this dialog box. ************** Exception Text ************** Deleted because system do not permit to publish it ************** Loaded Assemblies ************** mscorlib Assembly Version: 4.0.0.0 Win32 Version: 4.8.9032.0 built by: NET481REL1 CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll ---------------------------------------- PolicyAnalyzer Assembly Version: 4.0.2004.13001 Win32 Version: 4.0.2004.13001 CodeBase: file:///C:/Personal/PolicyAnalyzer/PolicyAnalyzer/PolicyAnalyzer_40/PolicyAnalyzer.exe ---------------------------------------- System.Windows.Forms Assembly Version: 4.0.0.0 Win32 Version: 4.8.9032.0 built by: NET481REL1 CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll ---------------------------------------- System Assembly Version: 4.0.0.0 Win32 Version: 4.8.9032.0 built by: NET481REL1 CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll ---------------------------------------- System.Drawing Assembly Version: 4.0.0.0 Win32 Version: 4.8.9032.0 built by: NET481REL1 CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll ---------------------------------------- System.Configuration Assembly Version: 4.0.0.0 Win32 Version: 4.8.9032.0 built by: NET481REL1 CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll ---------------------------------------- System.Xml Assembly Version: 4.0.0.0 Win32 Version: 4.8.9032.0 built by: NET481REL1 CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll ---------------------------------------- Accessibility Assembly Version: 4.0.0.0 Win32 Version: 4.8.9032.0 built by: NET481REL1 CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Accessibility/v4.0_4.0.0.0__b03f5f7f11d50a3a/Accessibility.dll ---------------------------------------- System.Core Assembly Version: 4.0.0.0 Win32 Version: 4.8.9032.0 built by: NET481REL1 CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll ---------------------------------------- ************** JIT Debugging ************** To enable just-in-time (JIT) debugging, the .config file for this application or computer (machine.config) must have the jitDebugging value set in the system.windows.forms section. The application must also be compiled with debugging enabled. For example: <configuration> <system.windows.forms jitDebugging="true" /> </configuration> When JIT debugging is enabled, any unhandled exception will be sent to the JIT debugger registered on the computer rather than be handled by this dialog box. It was working fine since patching apply. I tried to uninstall patches, but the error still remains Any clue to fix this? Thank you !!
[Updates] GPOs Configure Automatic Updates vs. Specify deadlines for automatic updates and restarts
Dear all, we have about 500 Windows servers in our Standalone WSUS environment. I would like to change local GPOs for the (new) non-AD-members, so the compliance related to Windows Updates is improving. Mostly we are using GPO Cofigure Automatic Updates with AU options 4 (schedule the install) as of today. As far as I know, the new GPO “Specify deadlines for automatic updates and restarts” ignores the Configure Automatic Updates GPO with all the AU options (See https://learn.microsoft.com/en-us/windows/deployment/update/wufb-compliancedeadlines), so they can not be combined together. Question 1: Is it true? Do you have some up-to-date information about that? Reading through the update baselines https://www.microsoft.com/en-us/download/details.aspx?id=101056, as far as I can see, the Configure Automatic Updates GPO will be not supported in the future and some related GPO settings are not even recommended due to this reason because they might not work as intended. Question 2: Is it true? Do you have some up-to-date information about that what is still supported? Question 3: Do you know a deadline to deprecate the Configure Automatic Update GPO by Microsoft? (We are planning to have some scheduler settings to begin the installation of Windows Updates and as I can see, “Specify deadlines for automatic updates and restarts” can not do that (it can only schedule the restart) and Configure Automatic Update GPO seems to be moved out from support slowly.) I also checked this material but could not find a focused material for Windows Updates only, especially for servers: https://www.microsoft.com/en-us/download/details.aspx?id=55319 Question 4: Do you have where to find such a material for Windows Updates only or who to ask for them? (Mostly for Windows Server 2016, 2019 and 2022). Many thanks upfront for your answers.Your connection isn't private on edge after hardening plus no home page
Hi, We are in the process of setting up a policy for organizational users using Edge and GPO. We have had a few hickups, two of which I would be happy for assistance with fixing. It's important that all the fixes are via the GPO settings (ADMX as of build 101 of Edge). The first issue is that when the browser starts, we want it to open to our organizational portal, but it opens to "edge://newtab". We managed to set the home page (when you click the home icon) to our portal, but can't figure out how to get Edge to always open with our portal as the main page. The second issue is even more problematic. On some external web sites, even those you would not expect to get it, we get a "Your connection isn't private" message (when trying to browse to "http://www.google.com" for example. and the internal error is "NET::ERR_CERT_NO_REVOCATION_MECHANISM" We don't have this issue with IE or chrome to the same websites on the same ws's. And we don't have this issue with internal websites. Anyone have any idea why this is happening only on Edge and what the parameter that could be causing this ? Again, it does not happen on all web sites. Some web sites that give this error allow us to move forwards, while others like google, won't even allow that. Would appreciate any help. MikeMicrosoft Security Compliance Toolkit 1.0 and Azure Automanage Machine Configuration
I'm looking at deploying a number of Windows images in Azure with Security Baselines applied from the Microsoft Security Compliance Toolkit, all being managed by https://learn.microsoft.com/en-us/azure/governance/machine-configuration/?view=dsc-2.0 . 1) Has anyone already done this? Are there tips/tricks/lessons learned that can be shared? 2) Is there any "pre-integrated" methodology to deploy Azure Windows VMs with current Security Compliance Toolkit Security Baselines, similar to the DoD STIG "Easy Button" approach? (see https://learn.microsoft.com/en-us/azure/azure-government/documentation-government-stig-windows-vm) [Apologies in Advance - Azure Automanage newbie...]
Policy Analyzer showing incorrect values
Today I created a backup of my group policy objects and compared them to Microsoft's baselines. But, the GPO backup seems to be displaying the wrong values in Policy Analyzer. As seen in this picture on the left, the Policy Setting RestrictAnonymous and RestrictAnonymousSam are set to 0 according to my GPO backup. Both of these say the Default Domain Policy are setting them to 0. But when I open up the Default Domain Policy on the right, you can see that these values are both set to 1. I have tried three times now to backup and re import the GPO into the policy analyzer, but the values are still appearing incorrectly. These are not the only values that this is happening too. I noticed some of the values are grayed out, when they actually have been set.
Intent behind configuring Network Protection but not enabling it in Windows Server Baselines
What is the intent behind the following two settings in the Windows Server 2019/2022 Baseline: Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection Prevent users and apps from accessing dangerous websites Block Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. In Windows Server Network Protection is not enabled by default, so when the 2nd setting is left to unconfigured the first setting cannot and does not work. Why configure it then?
