Recent Discussions
Microsoft 365 Apps for Enterprise Security Baseline 2412; when available?
https://learn.microsoft.com/en-us/intune/intune-service/protect/security-baseline-v2-office-settings?pivots=v2306 is currently available in Intune. Microsoft already released the 2412 version via the Microsoft Security Compliance Toolkit. Unfortunately, this version is not available in Intune nyet. When can we expect that version to become available in Intune?
DSC SecurityPolicyDsc: "Could not infer CimType from the provided .NET object"
Hello Everyone, I'm encountering a persistent issue while applying security baseline settings using the SecurityPolicyDsc module on Windows Server 2022. Despite providing valid settings (like Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only = 'Enabled'), the DSC execution fails with the following error: Could not infer CimType from the provided .NET object. The PowerShell DSC resource '[SecurityOption]LimitBlankPasswords' with SourceInfo '<file path>::SecurityOption' threw one or more non-terminating errors while running the Test-TargetResource functionality. What I've done so far: Verified the syntax and parameters using only one setting at a time Downgraded SecurityPolicyDsc to 2.9.0.0 (as 2.10.0.0 has known CimType issues) Confirmed MSFT_SecurityOption.schema.mof exists in the module directory Ensured no null or invalid values are passed Used explicit paths in Start-DscConfiguration Ran under PowerShell 5.1 on Windows Server 2022 (Azure VM, domain-joined) Despite all this, the error persists — even for a minimal configuration like: Configuration SecurityTest { Import-DscResource -ModuleName 'SecurityPolicyDsc' Node 'localhost' { SecurityOption LimitBlankPasswords { Name = 'LimitBlankPasswords' Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only = 'Enabled' } } } SecurityTest -OutputPath "C:\Temp\SecurityTest" Start-DscConfiguration -Path "C:\Temp\SecurityTest" -Wait -Verbose -Force Any guidance or workarounds would be greatly appreciated. If there’s a known fix or update planned for SecurityPolicyDsc, I’d be happy to test that as well. Thanks in advance!Edge Security Baseline v128 - Dynamic Code Setting
Cross-posted this in the annoucement for v128 and the review of v134... Enabling the Dynamic Code Settings "Enabled:Prevent the browser process from creating dynamic code" breaks printing to network printers in Active Directory. Edge tries to generate the print preview page, and hangs.
DSC Error for 2022 Security Baseline
Hello Everyone, I am trying to find out more about this error but no luck....... I have converted the GPOs to DSC for Windows Server 2022 - Member Server using Windows Server-2022-Security-Baseline-FINAL and have applied it to a test VM which is currently domain joined, initially I was getting too many dsc errors so I tried to narrow down and do a small batch of configurations and I still get the same error with the following message DSC Error : Could not infer CimType from the provided .NET object. The PowerShell DSC resource '[SecurityOption]SecuritySetting(INF): LSAAnonymousNameLookup' with SourceInfo 'C:\onedsc\PasswordComplexityConfig.ps1::33::9::SecurityOption' threw one or more non-terminating errors while running the Test-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details. Could not infer CimType from the provided .NET object. Does anyone have any insight what could be wrong here?and how do I go about correcting it Thanks
Server 2025 Security Baseline breaks Failover Cluster
Hello everyone, while testing the Server 2025 Security Baseline with our Hyper-V Hosts in a Failover Cluster, we noticed the Cluster Service (ClusSvc) was unable to start correctly. It failed with Event 7024 - "A specified authentication package is unknown". From testing and the event logs, we noticed that the .dll file "CLUSAUTHMGR.DLL" was unable to load. After setting "Allow Custom SSPs and APs to be loaded into LSASS" to "Disabled", we were able to start the service again. I assume that the cluster auth manager .dll is not recognized as a trusted Microsoft SSP/AP and therefore blocked as "custom" when enabling this setting. Has anyone tested this using Hyper-V clusters and/or made similar observations? (P.S.: Before debugging, we should have googled, since apparently we are not the only one to have this issue: https://jigsolving.com/failover-cluster-service-wont-start-server-2025/How to Use Baselines Correctly as a Beginner
Hello everyone, regarding baselines I am a beginner, I downloaded them yesterday for Windows 11 pro and tried to document myself to use them in the right way but I found fragmentary information around the web. First I ran the script to install them as a standalone machine : PowerShell.exe -ExecutionPolicy RemoteSigned -File .\Baseline-LocalInstall.ps1 -Win11NonDomainJoined and everything was applied at least from what I read in the logs file. The first question is, if I wanted to return to the starting situation then without the applied changes should I run the Remove-EPBaselineSettings.ps1 script without specifying any parameters? Then I tried using the policy analyzer by feeding it the rules xslx file for Windows 11 and comparing with the current state. Would this already be enough to verify that indeed everything has been applied? However, when I do the comparison I get an error message and a warning but then it still shows me the comparison. Attached is the screenshot Can you tell me if there is complete and detailed documentation on both the baselines and for the policy analyzer? There are several options that I don't really understand so I haven't ventured to use. Thanks to all
Question regarding MSCT 1.0 baselines for Windows Server 2016, 2019, and 2022
Hi All, I have a mix of Windows Server 2016, 2019, and 2022 Domain Controllers. Given the above, what admx and adml files should I copy to the respective SYSVOL folders: C:\Windows\SYSVOL\domain\Policies C:\Windows\SYSVOL\domain\Policies\en-US E.G. If you look in the Templates folder for 2016, 2019, and 2022 they all have the same filenames and will overwrite each other. I'm assuming I should use Windows Server-2022-Security-Baseline-FINAL, but won't this have incompatibilities with 2016/2019 DCs? Windows-Server-2016-Security-Baseline Templates AdmPwd.admx 4k MSS-legacy.admx 19k SecGuide.admx 4k AdmPwd.adml 4k MSS-legacy.adml 17k SecGuide.adml 4k Windows Server 2019 Security Baseline Templates AdmPwd.admx 4k MSS-legacy.admx 19k SecGuide.admx 28k AdmPwd.adml 4k MSS-legacy.adml 17k SecGuide.adml 12k Windows Server-2022-Security-Baseline-FINAL Templates AdmPwd.admx 4k MSS-legacy.admx 19k SecGuide.admx 32k en-US AdmPwd.adml 4k MSS-legacy.adml 17k SecGuide.adml 16kSecurity Baseline Version 23H2, greenfield deployment
Hi, Is there a best practice to start rolling out the Microsoft security baseline. I am in a Greenfield situation where I would like to use this baseline as a starting point. This by first adjusting the baseline by removing what I think might be causing issues for the user. There are a lot of settings in this baseline so I am sure some of them will causes issues for users. Since you simply can't disable the policy and all settings will be reverted what is the best practice around this? Make a copy of the existing baseline adjust settings and re-apply the correct settings? I read that Intune is tattooing some settings an the only way to reverse is to wipe and re-deploy, or manually fix in registry. Any advice on this, maybe not use the baseline and built template gradually.
Question Regarding Server 2022 Domain & Controller MSCT baselines
I have a basic 'Newbie' question regarding the MSCT baselines. I see the GPO for 'MSFT Windows Server 2022 - Domain Controller' and also 'MSFT Windows Server 2022 - Member Server'. I just want to confirm that we should only apply the 'MSFT Windows Server 2022 - Domain Controller' policies to our DC's, and not the Member Server policies as well. While this seems obvious, I just want to make sure.Office security baseline breaks excel feature: "analysis toolpak"
Hi team, I have found that the Office security baseline (Intune v2306) breaks an excel feature: analysis toolpak add-in (the data analysis menu item does not load). There was a known issue note on the v2206 office baseline that stated the setting "Prevent Excel from running XLM macros" broke analysis toolpak and referred to a workaround: https://support.microsoft.com/office/06cd719c-1e9b-4624-815b-c377ad5ca236 But, I have tested removing/disabling the "Prevent Excel from running XLM macros" from the baseline and the issue persists. I also tested deploying/enabling only the "Prevent Excel from running XLM macros" and it doesn't cause the feature to stop working. I've come to the conclusion that "Prevent Excel from running XLM macros" is no longer a relevant setting (and the workaround is no longer accurate). I've tested a dozen settings from excel trust center without success in finding the offending setting. The "analysis toolpak" doesn't show in the trust center logging. 1. It looks like this needs to be a known issue for the office baseline again, 2. Any recommendations on how to troubleshoot the issue (short of working through each setting in the baseline)?Your connection isn't private on edge after hardening plus no home page
Hi, We are in the process of setting up a policy for organizational users using Edge and GPO. We have had a few hickups, two of which I would be happy for assistance with fixing. It's important that all the fixes are via the GPO settings (ADMX as of build 101 of Edge). The first issue is that when the browser starts, we want it to open to our organizational portal, but it opens to "edge://newtab". We managed to set the home page (when you click the home icon) to our portal, but can't figure out how to get Edge to always open with our portal as the main page. The second issue is even more problematic. On some external web sites, even those you would not expect to get it, we get a "Your connection isn't private" message (when trying to browse to "http://www.google.com" for example. and the internal error is "NET::ERR_CERT_NO_REVOCATION_MECHANISM" We don't have this issue with IE or chrome to the same websites on the same ws's. And we don't have this issue with internal websites. Anyone have any idea why this is happening only on Edge and what the parameter that could be causing this ? Again, it does not happen on all web sites. Some web sites that give this error allow us to move forwards, while others like google, won't even allow that. Would appreciate any help. MikeSecuring Group Policy Template and importing it to windows server 2016 Group Policy
Hi, I'm working on the Security Hardening of windows server 2016 according to [CIS Benchmark V 1.2.0][1], for this I found a Security Compliance project from Microsoft which is [Microsoft Security Compliance Toolkit 1.0][2]. This project works on a preconfigured Group Policy for Member Server or Domain Controller and that group policy has a Hardened configuration that complies with the CIS Benchmark. Microsoft Security Compliance Toolkit 1.0 has some tools and configurations that can be installed from [here][3]. the main problem with this toolkit and its group policy configuration is they are not implementing all the CIS Benchmark for windows server 2016 so I start working on my own Group Policy Template. For building my Hardening Group Policy Template I started by taking snapshot from my windows server 2016 so I can work on a system, like the production, then deploying the Hardened Group policy that comes with the Toolkit (as a starting point) then check every point from the CIS Benchmark document and reflect the Recommended configuration on that Template Group Policy. after finishing some of those Security recommendations I took another snapshot from the production server and used the LGPO.exe (included in the toolkit) tool to import the Hardened Group Policy Template that I was working on and apply it to the new server snapshot. after importing the Hardened Group Policy to the test server I start facing many problems when trying to log in to my administrator account, as seen in the photos : 1. After login, I receive this error, and if log in again it doesn't occur again : https://drive.google.com/file/d/1emPuoTKajuUmTifi8sSirb1vUJIhi9sI/view?usp=sharing 2. After login sometimes the server hangs on the following state : https://drive.google.com/file/d/1Vp48d7sxdCfabs93IfRW10_T9xHo44R3/view?usp=sharing 3. receive this error sometimes : https://drive.google.com/file/d/16BJEMn6OZAS8J5pTRFF4tGcFfGMAYRGN/view?usp=sharing Note that the previous errors occur sometimes and if you try to access the same thing again it works, 4.this occurs every time I log in to the account : https://drive.google.com/file/d/16W86tVTVgoo9amvhlsfCsmsMb-XMAFZl/view?usp=sharing All of these errors start happening after deploying the Hardened Group Policy to the test server, Also I had another snapshot from the production server where I tried to do the same Security Recommendations Manually, so I did the same Security Recommendations that I configured in the Group Policy and caused all the previous errors but this time manually and everything was working as expected with no errors !! So my Issue Is what goes wrong with having a tool such as LGPO.exe (official Microsoft tool) that imports Group Policy GPO to the current Group Policy, and why I had all the previous issues when doing that? but when doing manual works it worked well? what is the best way to Make Secure Group Policy as per CIS Benchmark and export it then import to each Server you have ? what is the best way for doing this? **Note:** 1. I have only one admin user that I'm using during the work 2. my win server 2016 is non-domain machine - stand alone Thanks in advance [1]: https://www.newnettechnologies.com/cis-benchmark.html?utm_campaign=Search+-+ROW+-+Quantity&utm_medium=ppc&utm_source=adwords&utm_term=&hsa_acc=2189148223&hsa_cam=134925607&hsa_grp=78721086889&hsa_src=g&hsa_tgt=dsa-688559004445&hsa_kw=&hsa_ad=361557470862&hsa_net=adwords&hsa_mt=b&hsa_ver=3&gclid=Cj0KCQjw3ZX4BRDmARIsAFYh7ZIAuQlReBpbGLHvKYCCQxq7QQrBYKgvrhxZu7tJne57NuBNQtT7gDIaAjDYEALw_wcB [2]: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-compliance-toolkit-10 [3]: https://www.microsoft.com/en-us/download/details.aspx?id=55319Does Microsoft Defender for Endpoint baseline set windows 10 machine account password age
We have enrolled Windows 10 computers into Intune and configured Defender for Endpoint baseline version 6. All these computers we are getting trust relationship error after some days. So does Defender for Endpoint baseline version 6 or Intune change machine account password? Thanks[Updates] GPOs Configure Automatic Updates vs. Specify deadlines for automatic updates and restarts
Dear all, we have about 500 Windows servers in our Standalone WSUS environment. I would like to change local GPOs for the (new) non-AD-members, so the compliance related to Windows Updates is improving. Mostly we are using GPO Cofigure Automatic Updates with AU options 4 (schedule the install) as of today. As far as I know, the new GPO “Specify deadlines for automatic updates and restarts” ignores the Configure Automatic Updates GPO with all the AU options (See https://learn.microsoft.com/en-us/windows/deployment/update/wufb-compliancedeadlines), so they can not be combined together. Question 1: Is it true? Do you have some up-to-date information about that? Reading through the update baselines https://www.microsoft.com/en-us/download/details.aspx?id=101056, as far as I can see, the Configure Automatic Updates GPO will be not supported in the future and some related GPO settings are not even recommended due to this reason because they might not work as intended. Question 2: Is it true? Do you have some up-to-date information about that what is still supported? Question 3: Do you know a deadline to deprecate the Configure Automatic Update GPO by Microsoft? (We are planning to have some scheduler settings to begin the installation of Windows Updates and as I can see, “Specify deadlines for automatic updates and restarts” can not do that (it can only schedule the restart) and Configure Automatic Update GPO seems to be moved out from support slowly.) I also checked this material but could not find a focused material for Windows Updates only, especially for servers: https://www.microsoft.com/en-us/download/details.aspx?id=55319 Question 4: Do you have where to find such a material for Windows Updates only or who to ask for them? (Mostly for Windows Server 2016, 2019 and 2022). Many thanks upfront for your answers.
Windows 11 22H2, Server 2022 Baselines - CIS Level 1
Are the security baselines downloaded in the SCT "CIS Level 1"? I've used the Policy Analyzer to compare the group of baseline GPOs (all the ones in the \GPOs\ folder) to the 'current environment' using a freshly provisioned PC, and a Vm for sever 2022. The 'baseline' vs 'current state' comparison is helpful, but I'm wondering if I was to enable every gpo in the baseline column, does that get you CIS Level 1? MS does not seem to use the CIS terms in the documentation I've found.
Security Baseline for M365 Apps for enterprise May 2023 version
Is there any known issue with the Security Baseline for M365 Apps not applying? I have a customer who said it worked for a while and then stopped working. They had to do everything via configuration profiles. Apparently they also heard from other companies that this baseline stopped working suddenly.
Can we adjust security baseline in Automanage from Azure VM?
Hi ! We enabled the Automange -> Automanage Machine Configuration -> Enable security baseline After that we can see some guest assignment available Are we able to adjust / add/ remove those policies from AzureWindowsBaseline For example, if I can adjust the rule "Auto MPSSVC Rule-Level Policy Change" ? If it is possible, could you guide me how to change it? Thank you for the help.
Recent Blogs
- We have reviewed the new settings in Microsoft Edge version 142 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 139 security baselin...Nov 03, 2025
- We have reviewed the new settings in Microsoft Edge version 141 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 139 security baselin...Oct 09, 2025
