...
ConnectSecure has Active Directory GPO templates for the required OS (Windows 10, Windows 11, Windows Server 2022, Windows Server 2016, Windows Server 2012, and Windows Server 2019) which helps in remediating major CIS controls.
...
After creating GPOs for (Windows 10 Computer, Windows 10 User, Windows Server 2022 Computer and Windows Server 2022 User) we have to Link these GPOs with the OU CCNS_CIS.
To Link these GPOs to OU, right click on the OU CCNS_CIS and then click on Link an Existing GPO and select all the GPOs for Windows 10 and Windows Server 2022 Computer and User.
...
Select all the GPOs for the required OS (Windows 10, Windows 11, Windows Server 2022, Windows Server 2016, Windows Server 2012, and Windows Server 2019 Computer and User).
...
Select a Windows 10 GPO and right-click on Group Policy Objects.
Select Import Settings, click Next → Next → select the shared backup file for the corresponding Windows 10 computer and user, and then click on Finish.
...
After updating the GPO’s GPO's in the AD machine, we have to update the GPO policy in the linked AD machine.
Open Powershell as administrator and run the below command in the linked AD Windows 10 machine and linked Windows Server 2022 machine to update the GPO Policy
...
Eg. After Applying GPO the Non-Compliant Count is 39 for Windows Server 2022.
...
This completes the Remediation Compliance documentation.
Compliance Remediation for Workgroup Machines
To apply Compliance Remediation policies for Workgroup machines, please refer to the below video for reference.
Download the LGPO.exe using the below link
https://www.microsoft.com/en-us/download/details.aspx?id=55319
Download the GPO files for the preferred Operating System from the Compliance Remediation tab from ConnectSecure Portal.
Delete the “Backup.xml” and “gpreport.xml” files from the Compliance GPO folder downloaded from ConnectSecure.
Eg. Before Applying GPO the Non-Compliant Count is 281 for Windows 10.
...
Create a folder to take the backup of the existing group policy of the machine.
Please open the Command Prompt as an administrator and navigate to the downloaded LGPO folder and give space and give “/b” and give the path of the created backup folder.
e.g. :
>> C:\Users\hash\Downloads\LGPO\LGPO_30\LGPO.exe /b
>> C:\Users\hash\Downloads\gpo_backup
...
Now Backup will be created in the folder.
Navigate to the downloaded LGPO folder and give space and give “/g” and give the path of the Compliance Remediation folder downloaded from the portal
C:\Users\hash\Downloads\LGPO\LGPO_30\LGPO.exe /g C:\Users\hash\Downloads\GPO_Windows_10\GPO_Windows_10
...
| Info |
|---|
NOTE If the mentioned organization-specific User Rights Assignments are not modified within C:\LGPO\DoD Windows 10 v2r4\GPOs\{AD8929AD-5491-4E51-A04E-6588E76D85B6}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf prior to executing the script, LGPO would report the following error: |
...
This Error can be ignored if received.
Once the policy is updated successfully you can run “gpupdate”.
...
Now the policy will be applied to Workgroup Machines.
Kindly restart the workgroup machine once the command is run.
Initiate a scan and check.
Eg. After Applying GPO the Non-Compliant Count is reduced to 50 for Windows 10.
...
| Note |
|---|
Please try this at your own risk and try it first in the test instance and then install it in the product instance. ConnectSecure will not be responsible for any issues arising out of this. |
...