Missing security parameters using the Baseline-LocalInstall.ps1 script

%3CLINGO-SUB%20id%3D%22lingo-sub-2258279%22%20slang%3D%22en-US%22%3EMissing%20security%20parameters%20using%20the%20Baseline-LocalInstall.ps1%20script%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2258279%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20I%20have%20a%20machine%20that%20is%20running%20windows%2010%20and%20it%20is%20not%20connected%20to%20a%20domain%2C%20so%20I%20applied%20the%20Microsoft%20Baseline%20security%20for%20windows%2010%20v2004.%20I%20applied%20the%26nbsp%3BMicrosoft%20Baseline%20security%20using%20the%20script%20%22Baseline-LocalInstall.ps1%22%20using%20the%20parameter%20%22Win10NonDomainJoined%22.%20The%20script%20ran%20successfully%20with%20no%20errors.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3BHowever%2C%20when%20I%20ran%20the%20policy%26nbsp%3BPolicyAnalyzer%20I%20discovered%20that%20few%20of%20the%20security%20parameters%20were%20not%20applies%2C%20as%20shown%20below%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screenshot%202021-04-07%20093644.jpg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F270680i8EBDA3E1310DD3D3%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Screenshot%202021-04-07%20093644.jpg%22%20alt%3D%22Screenshot%202021-04-07%20093644.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20When%20selecting%20the%20Microsoft%20baseline%20security%20for%20the%20PolicyAnalyzer%2C%20I%20selected%20the%20following%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screenshot%202021-04-07%20094916.jpg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F270682iB54285F74F36B21F%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Screenshot%202021-04-07%20094916.jpg%22%20alt%3D%22Screenshot%202021-04-07%20094916.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhy%20the%20missing%20security%20parameters%20not%20set%20using%20the%26nbsp%3B%22Baseline-LocalInstall.ps1%22%20script%3F%20do%20I%20have%20to%20run%20another%20script%20to%20set%20the%20missing%20paraments%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanking%20you%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%20regards%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2262372%22%20slang%3D%22en-US%22%3ERe%3A%20Missing%20security%20parameters%20using%20the%20Baseline-LocalInstall.ps1%20script%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2262372%22%20slang%3D%22en-US%22%3EI'm%20not%20getting%20a%20repro%20on%20that%2C%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F791725%22%20target%3D%22_blank%22%3E%40sharkee%3C%2FA%3E.%20Fresh%20Win10%20v2004%20VM%2C%20not%20joined%2C%20downloaded%20LGPO%2C%20Policy%20Analyzer%2C%20and%20the%20Win10%20v2004%20baseline.%20Ran%20the%20baseline%20install%20script%20with%20the%20non-DJ%20switch.%20Ran%20PA%2C%20imported%20the%20baseline%2C%20selected%20it%2C%20compared%20effective%20state%2C%20and%20there%20I%20filtered%20out%20the%20Server-only%20GPOs%20using%20View%20%7C%20GPO%20filter.%20I%20also%20selected%20View%20%7C%20Show%20only%20differences.%20The%20only%20settings%20showing%20under%20%22Baseline(s)%22%20that%20varied%20from%20%22Effective%20state%22%20were%20the%20three%20settings%20that%20get%20changed%20for%20non-DJ%3A%20LocalAccountTokenFilterPolicy%20and%20the%20deny%20logon%20rights%20for%20%22Local%20account.%22%3CBR%20%2F%3EMake%20sure%20there%20weren't%20any%20%22path%20too%20long%22%20errors%20when%20you%20extracted%20the%20files%20from%20the%20baseline%20zip%20file%20and%20that%20all%20the%20baseline%20files%20were%20present.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2266279%22%20slang%3D%22en-US%22%3ERe%3A%20Missing%20security%20parameters%20using%20the%20Baseline-LocalInstall.ps1%20script%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2266279%22%20slang%3D%22en-US%22%3E%3CP%3Ehello%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F689486%22%20target%3D%22_blank%22%3E%40AaronMargosis_Tanium%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20for%20your%20reply%2C%3C%2FP%3E%3CP%3E1.%20but%20when%20you%20are%20in%20the%20PA%2C%20and%20%22imported%20the%20baseline%2C%20selected%20it%2C%22%20which%20policies%20did%20you%20select%3F%3C%2FP%3E%3CP%3E2.%20After%20you%20ran%20the%20PA%20comparison%20of%20the%20Baseline%20security%20policies%20and%20the%20effective%20state%20of%20the%20machine%2C%20did%20you%20get%20any%20policies%20in%20the%20effective%20state%20that%20are%20not%20set%3F%20while%20in%20the%20imported%20baseline%20they%20have%20a%20value%3F%3C%2FP%3E%3CP%3EThank%20you%3CBR%20%2F%3EBest%20regards%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hello,

 

      I have a machine that is running windows 10 and it is not connected to a domain, so I applied the Microsoft Baseline security for windows 10 v2004. I applied the Microsoft Baseline security using the script "Baseline-LocalInstall.ps1" using the parameter "Win10NonDomainJoined". The script ran successfully with no errors. 

 

       However, when I ran the policy PolicyAnalyzer I discovered that few of the security parameters were not applies, as shown below:

 

Screenshot 2021-04-07 093644.jpg

            

            When selecting the Microsoft baseline security for the PolicyAnalyzer, I selected the following:

Screenshot 2021-04-07 094916.jpg

 

Why the missing security parameters not set using the "Baseline-LocalInstall.ps1" script? do I have to run another script to set the missing paraments?

 

 

Thanking you

 

Best regards 

       

3 Replies
I'm not getting a repro on that, @sharkee. Fresh Win10 v2004 VM, not joined, downloaded LGPO, Policy Analyzer, and the Win10 v2004 baseline. Ran the baseline install script with the non-DJ switch. Ran PA, imported the baseline, selected it, compared effective state, and there I filtered out the Server-only GPOs using View | GPO filter. I also selected View | Show only differences. The only settings showing under "Baseline(s)" that varied from "Effective state" were the three settings that get changed for non-DJ: LocalAccountTokenFilterPolicy and the deny logon rights for "Local account."
Make sure there weren't any "path too long" errors when you extracted the files from the baseline zip file and that all the baseline files were present.

hello @AaronMargosis_Tanium 

Thank you for your reply,

1. but when you are in the PA, and "imported the baseline, selected it," which policies did you select?

2. After you ran the PA comparison of the Baseline security policies and the effective state of the machine, did you get any policies in the effective state that are not set? while in the imported baseline they have a value?

Thank you
Best regards

 

@sharkee -
1. I imported the entire baseline, but when I did the comparison, I filtered out the Server-only settings from the results. Effect should be the same either way.
2. No - everything was applied, except for the adjustments that the non-domain-joined option does.

Can you verify that when you extracted the baseline that you didn't have any "path too long" errors that interfered with successful extraction from the zip? The paths in the zip file are VERY long.
www.000webhost.com