
Compliance Remediation Templates

Info

This document details the download and use of AD GPO policies for CIS compliance remediation, to help remediate major non-compliant CIS controls.

Info
  • When the new GPO is updated, please refer to this Excel sheet (GPO Policies) for the remediation steps.

  • Please back up your existing GPO to avoid any inconvenience.

  • We recommend testing the templates in a test environment before applying them in the production environment.

Compliance Remediation GPO download from CyberCNS.

  • ConnectSecure has Active Directory GPO templates for OS (Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, and Windows Server 2022) which help remediate major CIS controls.

  • Open the CyberCNS Console, navigate to Company View > Compliance section, and select Remediation to get to Remediation Compliance for the required OS for the selected company.

...

  • Compliance Remediation Script Disclaimer.

  • Select the required OS and click on Download GPO policy from this section.

...

Compliance Remediation for Domain-joined Machines

Steps to Create GPO and Link into OU in Domain Controller

  • In Group Policy Management, navigate to Domains and select the domain to be used.

  • For that domain, in Group Policy Objects, create rules for Computers and Users for the OS. To create a new rule, right-click on Group Policy Objects → click on New.
    E.g.: For Windows 10 OS (ConnectSecure_Windows10_Computer)

...

  • Create a GPO policy for an OS, such as Windows 10 Computer, and then click on OK.

...

  • Select a newly created GPO (e.g. ConnectSecure_Windows10_Computer) under Group Policy Objects and right-click on that GPO.

  • Select Import Settings for the corresponding GPO under Group Policy Objects.

...

  • Click on Next to run through the wizard.

...

  • Click on Next to start the backup GPO process as shown below to import the file from CyberCNS.

...

  • Browse and select the backup file for the corresponding GPO.

...

  • Click on Next to select the source GPO. (The source GPO will be a remediation GPO template downloaded from CyberCNS.)

...

  • Click on Finish. This completes the Computer GPO import.

...

  • For the User Profile GPO import, please follow the steps below.

  • Create a new GPO for the user profile. E.g.: For Windows 10 OS (ConnectSecure_Windows10_User)

  • Name the GPO policy for an OS, such as Windows 10 User, and then click on OK.

...

  • Select the created Windows 10 user GPO under Group Policy Objects and right-click on it.

  • Select Import Settings for the corresponding Windows 10 user file under Group Policy Objects.

...

  • Click on Next to start the import process.

...

  • Click on Next and select the backup file for the corresponding GPO.

...

  • Click on Browse to select the shared backup file for the corresponding Windows 10 user GPO.

...

  • Click on Next to select the source user GPO. (The source GPO will be a remediation GPO template downloaded from CyberCNS.)

...

  • Click on Finish to complete the import process.

...

  • The created GPO files are to be imported to the WMI filter for further processing.

  • Navigate to Group Policy Management. Right-click on WMI Filter, click on Import, and select the WMI Filter file for the required OS (Windows 10, Windows 11, Windows Server 2022, Windows Server 2016, Windows Server 2012, and Windows Server 2019) from the file downloaded from CyberCNS > Compliance remediation (different OSes have different files downloaded from CyberCNS). Please find the below screenshot for reference.

  • Please select the required OS file from the download.

...

  • E.g. WMI Filter for Windows 10.

...

  • Click on the Import Button as shown in the below screenshot:

...

  • The existing OU will appear under Domain in Group Policy Management.

...

  • We have to add a WMI Filter for the created GPOs.

  • Go to Group Policy Objects, click on New, create a new GPO for each of Windows 10 Computer, Windows 10 User, Windows Server 2022 Computer and Windows Server 2022 User, and then click on OK.
    E.g.: cis_win10_computer, cis_win10_user, cis_win2022_computer, cis_win2022_user

...

  • After creating the GPOs (Windows 10 Computer, Windows 10 User, Windows Server 2022 Computer and Windows Server 2022 User), we have to link these GPOs with the OU CCNS_CIS. Then scroll down and change WMI Filter to All Versions Windows 10 for Windows 10 as per requirement. Please find the below screenshot for reference.

  • Click on Yes to change the WMI filter to All Versions Windows 10.

...

  • WMI filter value will change from None to the selected value.

...

  • To Link these GPOs to OU, right-click on the OU CCNS_CIS to be used and then click on Link an Existing GPO and select all the added GPOs for Windows 10 and Windows Server 2022 Computer and User at a time.

...

  • Select all the GPOs, both Computer and User, for the required OS (Windows 10, Windows 11, Windows Server 2022, Windows Server 2016, Windows Server 2012, and Windows Server 2019).

...

  • We have to add a WMI Filter for the created GPOs.

  • Go to Group Policy Objects and click on the GPO ccns_win10_computer and ccns_win10_user, then scroll down and change WMI Filter to All Versions Windows 10 for Windows 10. Please find the below screenshot for reference.

  • For Windows Server 2022, select the WMI Filter as Windows Server 2022 Domain Controller.

...

  • Select a Windows 10 GPO under Group Policy Objects and right-click on it.

  • Select Import Settings, click Next → select the shared backup file for the corresponding Windows 10 computer and user, and then click on Finish.

...

  • After updating the GPOs, click on OK.

...

  • Here are the Linked Group Policy Objects as shown below.

...

  • After updating the GPOs in the AD machine, we have to update the GPO policy in the linked AD machine as well.

  • Open PowerShell as administrator and run the below command on the linked AD machines (e.g. the Windows 10 machine and the linked Windows Server 2022 machine) to update the GPO policy.

  • gpupdate /force

...

  • After applying the GPO, kindly install an agent and check the compliance count to verify. To check the results, run the below command under PowerShell as administrator.

  • gpresult /r

...

  • Below is the result of Compliance remediation process.

  • E.g. before applying the GPO, the Non-Compliant Count is 220 for Windows Server 2022.

...

  • E.g. after applying the GPO, the Non-Compliant Count is 39 for Windows Server 2022.

...

  • This completes the Compliance Remediation documentation for Domain-joined machines.
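
The GPMC steps above (back up existing GPOs, create the GPO, import settings, link to the OU) can also be scripted with the GroupPolicy PowerShell module. This is an added example, not ConnectSecure's own script; the folder paths, the domain DN and the assumption that the extracted download contains exactly one standard GPO backup folder named `{GUID}` are hypothetical.

```powershell
# Added example: scripted equivalent of the GPMC steps (run elevated on a DC or RSAT host).
# Every value in this block is an assumption; replace it with your own.
Import-Module GroupPolicy

$TemplatePath = 'C:\Temp\ConnectSecure_GPO'        # hypothetical: extracted download holding the {GUID} backup folder
$SafetyBackup = 'C:\GPOBackup\pre-cis-import'      # hypothetical: where existing GPOs are saved first
$TargetGpo    = 'ConnectSecure_Windows10_Computer' # example GPO name used on this page
$TargetOu     = 'OU=CCNS_CIS,DC=example,DC=com'    # hypothetical DN for the OU CCNS_CIS

# 1. Back up every existing GPO before changing anything.
New-Item -ItemType Directory -Path $SafetyBackup -Force | Out-Null
Backup-GPO -All -Path $SafetyBackup | Out-Null

# 2. A GPO backup is stored in a folder named after its backup ID; refuse to guess if that is ambiguous.
$backupDirs = @(Get-ChildItem -Path $TemplatePath -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' })
if ($backupDirs.Count -ne 1) {
    throw "Expected exactly one GPO backup under $TemplatePath, found $($backupDirs.Count)."
}
$backupId = [guid]$backupDirs[0].Name

# 3. Create the target GPO only if it does not exist yet, then import the template settings into it.
if (-not (Get-GPO -Name $TargetGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $TargetGpo -Comment 'CIS remediation template import' | Out-Null
}
Import-GPO -BackupId $backupId -Path $TemplatePath -TargetName $TargetGpo | Out-Null

# 4. Write an HTML report so the imported settings can be reviewed before the GPO is linked.
Get-GPOReport -Name $TargetGpo -ReportType Html -Path (Join-Path $SafetyBackup "$TargetGpo.html")

# 5. Link the GPO to the OU unless a link is already present.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $TargetGpo }
if (-not $linked) {
    New-GPLink -Name $TargetGpo -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# The WMI filter is still imported and assigned in Group Policy Management as described above.
```

Run it once per GPO (Computer and User) with the matching template folder, then apply `gpupdate /force` on the linked machines as described above.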

Compliance Remediation for Workgroup Machines

Info

Please make sure to take a backup of the system/s to avoid any issues which may arise.

  • To apply Compliance Remediation policies for Workgroup machines, please refer to the below video for reference.

  • Download the LGPO.exe using the below link

...

  • Download the GPO files for the preferred Operating System from the Compliance Remediation tab in the ConnectSecure Portal.

  • Delete the “Backup.xml” and “gpreport.xml” files from the Compliance GPO folder downloaded from ConnectSecure.

  • Eg. Before Applying GPO the Non-Compliant Count is 281 for Windows 10.

...

Note

Please try this at your own risk: try it first in the test instance and then install it in the production instance. Also, please back up the existing GPO to avoid any complications.

...

Compliance Remediation Through Intune.

  • Log in to Microsoft Intune Admin Center. Then, navigate to Devices > Policy > Group Policy analytics (preview) > Import.

  • The dashboard displays the migration readiness analysis.

...

  • In Import Group Policy Object, select a file that has been downloaded from the ConnectSecure portal.

...

  • Select the downloaded compliance remediation Windows file from the ConnectSecure portal.

...

  • Add Scope tags on the scope tags page if needed and click on Next.

...

  • When delving into MDM support, you'll encounter a detailed inventory of settings derived from the Group Policy Object that are eligible for migration, as well as those that are not. Upon clicking the "Migrate" button, it will initiate the "Migrate Group Policy Settings to the Cloud" wizard.

...

  • Select the settings that need to migrate, or click the Select all on this page button.

...

  • The Configuration page shows the settings included in the migration.

...

  • Name the new configuration profile on the Profile info page.

  • Add Scope tags on the scope tags page if needed.

...

  • On the Assignments page, you can scope the configuration profile to all users or specific users in the organization. Click the Add Groups button to choose your Microsoft 365 groups.

...

  • Finally, review and deploy the new configuration profile containing the migrated Group Policy Object settings.

...

Info

Intune has limitations regarding which policies can be applied in the MDM settings. As a result, many businesses may opt to utilize a combination of GPOs and cloud-based MDM management through solutions such as Microsoft Intune.

  • This completes the Compliance Remediation documentation for Workgroup machines.