sharkee
New Contributor

‎Apr 06 2021 11:59 PM

‎Apr 06 2021 11:59 PM

Missing security parameters using the Baseline-LocalInstall.ps1 script

Hello,

 

      I have a machine that is running windows 10 and it is not connected to a domain, so I applied the Microsoft Baseline security for windows 10 v2004. I applied the Microsoft Baseline security using the script "Baseline-LocalInstall.ps1" using the parameter "Win10NonDomainJoined". The script ran successfully with no errors. 

 

       However, when I ran the policy PolicyAnalyzer I discovered that few of the security parameters were not applies, as shown below:

 

Screenshot 2021-04-07 093644.jpg

            

            When selecting the Microsoft baseline security for the PolicyAnalyzer, I selected the following:

Screenshot 2021-04-07 094916.jpg

 

Why the missing security parameters not set using the "Baseline-LocalInstall.ps1" script? do I have to run another script to set the missing paraments?

 

 

Thanking you

 

Best regards 

       

1,501 Views
1 Like
3 Replies
Reply
AaronMargosis_Tanium

‎Apr 08 2021 01:52 PM

‎Apr 08 2021 01:52 PM

Re: Missing security parameters using the Baseline-LocalInstall.ps1 script

I'm not getting a repro on that, @sharkee. Fresh Win10 v2004 VM, not joined, downloaded LGPO, Policy Analyzer, and the Win10 v2004 baseline. Ran the baseline install script with the non-DJ switch. Ran PA, imported the baseline, selected it, compared effective state, and there I filtered out the Server-only GPOs using View | GPO filter. I also selected View | Show only differences. The only settings showing under "Baseline(s)" that varied from "Effective state" were the three settings that get changed for non-DJ: LocalAccountTokenFilterPolicy and the deny logon rights for "Local account."
Make sure there weren't any "path too long" errors when you extracted the files from the baseline zip file and that all the baseline files were present.
0 Likes
Reply
sharkee

‎Apr 11 2021 02:16 AM

‎Apr 11 2021 02:16 AM

Re: Missing security parameters using the Baseline-LocalInstall.ps1 script

hello @AaronMargosis_Tanium 

Thank you for your reply,

1. but when you are in the PA, and "imported the baseline, selected it," which policies did you select?

2. After you ran the PA comparison of the Baseline security policies and the effective state of the machine, did you get any policies in the effective state that are not set? while in the imported baseline they have a value?

Thank you
Best regards

 

0 Likes
Reply

‎Apr 11 2021 02:56 PM

‎Apr 11 2021 02:56 PM

Re: Missing security parameters using the Baseline-LocalInstall.ps1 script

@sharkee -
1. I imported the entire baseline, but when I did the comparison, I filtered out the Server-only settings from the results. Effect should be the same either way.
2. No - everything was applied, except for the adjustments that the non-domain-joined option does.

Can you verify that when you extracted the baseline that you didn't have any "path too long" errors that interfered with successful extraction from the zip? The paths in the zip file are VERY long.
0 Likes
Reply
We support Ukraine and condemn war. Push Russian government to act against war. Be brave, vocal and show your support to Ukraine. Follow the latest news HERE