Windows-itpro-docs: Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading.

@chiners68 Thanks for the post. I don't know these specific options, but I can try to get info. Are you asking why these settings do not work when the baseline is applied?

Really I need a fix but as these are Microsoft facilities that are being pushed in azure , should these be blocked by the baseline? I don’t think they should be, so a fix is essential.

Sent from my iPhone

On 15 May 2019, at 16:44, Justin Hall <[email protected]notifications@github.com> wrote:

@chiners68https://github.com/chiners68 Thanks for the post. I don't know these specific options, but I can try to get info. Are you asking why these settings do not work when the baseline is applied?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3PMBTRNG5R7QESSTLLPVQVUXA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVPCQSQ#issuecomment-492709962, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3LUEW4DLFXNCCVZAEDPVQVUXANCNFSM4HNBX4OA.

@chiners68 can you confirm the names of the baseline settings you are asking about?

Might want to bring this to the attention of @AaronMargosis who maintains the baselines.

The baseline GPO causing the issue is

MSFT Windows 10 RS4 - Computer

Regards

Mark
Sent from my iPhone

On 15 May 2019, at 21:31, Justin Hall <[email protected]notifications@github.com> wrote:

@chiners68https://github.com/chiners68 can you confirm the names of the baseline settings you are asking about?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3P6JJYQE7CPFGIK2VLPVRXLRA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVP3RMQ#issuecomment-492812466, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3NYQ3A7QCQWTHCL5STPVRXLRANCNFSM4HNBX4OA.

Understood. Can you identify which setting or settings within the GPO are causing the issue you're seeing? Thanks.

Hi Aaron,
If I knew the setting it’s unlikely I would of logged the issue. There are so many settings I haven’t got an idea where to start in that policy.
From today I will not be onsite with a device to test for a Couple of weeks.

Would appreciate if someone can identify or give a rough indication so I can test when I’m next in the customers site.

Regards

Mark

Sent from my iPhone

On 17 May 2019, at 14:37, Aaron Margosis <[email protected]notifications@github.com> wrote:

Understood. Can you identify which setting or settings within the GPO are causing the issue you're seeing? Thanks.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3NFO5QJW5OUHLMNFB3PV2YJ7A5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVUYYPA#issuecomment-493456444, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3PJGJD6JGNBBY4WH7LPV2YJ7ANCNFSM4HNBX4OA.

OK. Can you describe the symptoms more precisely? What exactly isn't working the way you believe it should? Please be detailed. Thanks.

Hi Aaron,
Here is a one drive link with two small videos. Link expires tomorrow.

https://marath0nps-my.sharepoint.com/:f:/g/personal/mark_chinery_marathon-ps_com/EvFeN7-30kpJttsnhvuSl_gBp5RpVZ01pQrLKeSLbX6Veg?e=GXykZy

The Malaysian mounting screen is the customer device with Baseline applied. You can see I press the Reset Password Link, it starts to process to the rest page but returns to the lock screen. The other device is my work laptop with no baseline and you can see the same process on this gets me to the rest password page.

This same issue occurs if you try to rest the PIN for Windows Hello, but if you fix it for the password reset, it will fix this same issue loading another reset page.

Regards

Mark

From: Aaron Margosis notifications@github.com
Sent: 17 May 2019 16:47
To: MicrosoftDocs/windows-itpro-docs windows-itpro-docs@noreply.github.com
Cc: chiners68 markchinery@hotmail.com; Mention mention@noreply.github.com
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

OK. Can you describe the symptoms more precisely? What exactly isn't working the way you believe it should? Please be detailed. Thanks.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3LHB56T6M4KI3I5M6LPV3HQHA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVVD6CI#issuecomment-493502217, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3NMMKHRWISFSMLFGYTPV3HQHANCNFSM4HNBX4OA.

My email address isn’t recognized in your sharepoint apparently

— Aaron
Sent from mobile device. Probably overly trusting voice to text.

From: chiners68 notifications@github.com
Sent: Friday, May 17, 2019 12:25:20 PM
To: MicrosoftDocs/windows-itpro-docs
Cc: Aaron Margosis; Mention
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

Hi Aaron,
Here is a one drive link with two small videos. Link expires tomorrow.

https://marath0nps-my.sharepoint.com/:f:/g/personal/mark_chinery_marathon-ps_com/EvFeN7-30kpJttsnhvuSl_gBp5RpVZ01pQrLKeSLbX6Veg?e=GXykZy

The Malaysian mounting screen is the customer device with Baseline applied. You can see I press the Reset Password Link, it starts to process to the rest page but returns to the lock screen. The other device is my work laptop with no baseline and you can see the same process on this gets me to the rest password page.

This same issue occurs if you try to rest the PIN for Windows Hello, but if you fix it for the password reset, it will fix this same issue loading another reset page.

Regards

Mark

From: Aaron Margosis notifications@github.com
Sent: 17 May 2019 16:47
To: MicrosoftDocs/windows-itpro-docs windows-itpro-docs@noreply.github.com
Cc: chiners68 markchinery@hotmail.com; Mention mention@noreply.github.com
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

OK. Can you describe the symptoms more precisely? What exactly isn't working the way you believe it should? Please be detailed. Thanks.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3LHB56T6M4KI3I5M6LPV3HQHA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVVD6CI#issuecomment-493502217, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3NMMKHRWISFSMLFGYTPV3HQHANCNFSM4HNBX4OA.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AFZZDGES527ST6OAFQOVOS3PV3L7BA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVVHA7Y#issuecomment-493514879, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AFZZDGCFM2HUNFFL2S7SRITPV3L7BANCNFSM4HNBX4OA.

Got it this time

— Aaron
Sent from mobile device. Probably overly trusting voice to text.

From: Aaron Margosis
Sent: Friday, May 17, 2019 6:57:36 PM
To: MicrosoftDocs/windows-itpro-docs; MicrosoftDocs/windows-itpro-docs
Cc: Mention
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

My email address isn’t recognized in your sharepoint apparently

— Aaron
Sent from mobile device. Probably overly trusting voice to text.

From: chiners68 notifications@github.com
Sent: Friday, May 17, 2019 12:25:20 PM
To: MicrosoftDocs/windows-itpro-docs
Cc: Aaron Margosis; Mention
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

Hi Aaron,
Here is a one drive link with two small videos. Link expires tomorrow.

https://marath0nps-my.sharepoint.com/:f:/g/personal/mark_chinery_marathon-ps_com/EvFeN7-30kpJttsnhvuSl_gBp5RpVZ01pQrLKeSLbX6Veg?e=GXykZy

The Malaysian mounting screen is the customer device with Baseline applied. You can see I press the Reset Password Link, it starts to process to the rest page but returns to the lock screen. The other device is my work laptop with no baseline and you can see the same process on this gets me to the rest password page.

This same issue occurs if you try to rest the PIN for Windows Hello, but if you fix it for the password reset, it will fix this same issue loading another reset page.

Regards

Mark

From: Aaron Margosis notifications@github.com
Sent: 17 May 2019 16:47
To: MicrosoftDocs/windows-itpro-docs windows-itpro-docs@noreply.github.com
Cc: chiners68 markchinery@hotmail.com; Mention mention@noreply.github.com
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

OK. Can you describe the symptoms more precisely? What exactly isn't working the way you believe it should? Please be detailed. Thanks.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3LHB56T6M4KI3I5M6LPV3HQHA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVVD6CI#issuecomment-493502217, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3NMMKHRWISFSMLFGYTPV3HQHANCNFSM4HNBX4OA.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AFZZDGES527ST6OAFQOVOS3PV3L7BA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVVHA7Y#issuecomment-493514879, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AFZZDGCFM2HUNFFL2S7SRITPV3L7BANCNFSM4HNBX4OA.

@AaronMargosis Here are some potential policy settings that could interfere: https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows#limitations

@AaronMargosis

I'm not able to test this so these are just guesses because they deal with lock screen and PIN.

Control Panel > Personalization

• Prevent enabling lock screen camera - Enabled
• Prevent enabling lock screen slide show - Enabled

System > Logon >

• Turn on convenience PIN sign-in - Disabled

I checked those settings before reporting the problem. They are not set.

Sent from my iPhone

On 18 May 2019, at 00:45, D76C6399A0F334216B3A58BE07C3C3137D5E14542BC13CA38EB0800D9FFC1FE6 <[email protected]notifications@github.com> wrote:

@AaronMargosishttps://github.com/AaronMargosis Here are some potential policies settings that could interfere: https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows#limitations

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3LFVTV5OBWQBYA465TPV47S7A5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVWCZRY#issuecomment-493628615, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3MJFNI34YXBBONWXH3PV47S7ANCNFSM4HNBX4OA.

Won’t be the top and bottom one as we are using Windows hello on the surface. Requires camera and pin. I’ll check the middle one.

Sent from my iPhone

On 18 May 2019, at 01:07, D76C6399A0F334216B3A58BE07C3C3137D5E14542BC13CA38EB0800D9FFC1FE6 <[email protected]notifications@github.com> wrote:

I'm not able to test this so these are just guesses because they deal with lock screen and PIN.

Control Panel > Personalization

• Prevent enabling lock screen camera - Enabled
• Prevent enabling lock screen slide show - Enabled

System > Logon >

• Turn on convenience PIN sign-in - Disabled

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3OWBSPT5HTWZHS5VIDPV5CE5A5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVWDN5Y#issuecomment-493631223, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3NHHMRBCKCG5HA555LPV5CE5ANCNFSM4HNBX4OA.

@officedocsbot assign @e0i

@chiners68

One more guess.

Windows Components > Biometrics > Facial Features

• Configure enhanced anti-spoofing

That setting is enabled. I will get someone to check to see if that is the issue, I’m not onsite now for a while.

Sent from my iPhone

On 19 May 2019, at 18:58, D76C6399A0F334216B3A58BE07C3C3137D5E14542BC13CA38EB0800D9FFC1FE6 <[email protected]notifications@github.com> wrote:

@chiners68https://github.com/chiners68

One more guess.

Windows Components > Biometrics > Facial Features

• Configure enhanced anti-spoofing

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3IQWZJV3KQW7SXH4BDPWGIOBA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVXHHTI#issuecomment-493777869, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3JFAC2YMY3A2J55ED3PWGIOBANCNFSM4HNBX4OA.

HELPHELPHELP=== Verbose logging started: 5/21/2019 7:08:47 Build type: SHIP UNICODE 5.00.10011.00 Calling process: C:\Users\mech4\Downloadsintel-sw-tools-installation-bundle-win-win (2)\system_studio_2019.3.063_windows_target_web_configurator_online\install.exe ===
MSI (c) (A4:A4) [07:08:47:059]: Resetting cached policy values
MSI (c) (A4:A4) [07:08:47:059]: Machine policy value 'Debug' is 0
MSI (c) (A4:A4) [07:08:47:059]: * RunEngine:
* Product: {00ED74F0-B617-4608-85DD-555DE69C726C}
* Action:
* CommandLine: **

MSI (c) (A4:A4) [07:08:47:059]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (A4:A4) [07:08:47:059]: Grabbed execution mutex.
MSI (c) (A4:A4) [07:08:47:059]: Cloaking enabled.
MSI (c) (A4:A4) [07:08:47:059]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (A4:A4) [07:08:47:059]: Incrementing counter to disable shutdown. Counter after increment: 0
=== Logging started: 5/21/2019 7:08:47 ===
Action start 7:08:47: INSTALL.
Action start 7:08:47: ValidateProductID.
Action ended 7:08:47: ValidateProductID. Return value 1.
Action start 7:08:47: CostInitialize.
Action ended 7:08:47: CostInitialize. Return value 1.
Action start 7:08:47: FileCost.
Action ended 7:08:47: FileCost. Return value 1.
Action start 7:08:47: CostFinalize.
Action ended 7:08:47: CostFinalize. Return value 1.
Action start 7:08:47: ScanCreateSymbolicLink.5FA2DF5F_70F7_4C01_A113_57E80E09147C.
Action ended 7:08:47: ScanCreateSymbolicLink.5FA2DF5F_70F7_4C01_A113_57E80E09147C. Return value 3.
Action ended 7:08:47: INSTALL. Return value 3.
Property(S): DiskPrompt = Disk [1]
Property(S): INSTALLDIR = C:\Program Files (x86)\IntelSWTools\
Property(S): windows = C:\Program Files (x86)\IntelSWTools\compilers_and_libraries_2019\windows\
Property(S): tbb = C:\Program Files (x86)\IntelSWTools\compilers_and_libraries_2019.3.203\windows\tbb\
Property(S): JA = C:\Program Files (x86)\IntelSWTools\compilers_and_libraries_2019.3.203\licensing\tbb\ja\
Property(S): EN = C:\Program Files (x86)\IntelSWTools\compilers_and_libraries_2019.3.203\licensing\tbb\en\
Property(S): COMMON = C:\Program Files (x86)\IntelSWTools\documentation_2019\ja\tbb\common\
Property(S): COMMON1 = C:\Program Files (x86)\IntelSWTools\documentation_2019\en\tbb\common\
Property(S): ARPINSTALLLOCATION = is_defined_during_installation
Property(S): compilers_and_libraries_2016 = C:\Program Files (x86)\IntelSWTools\compilers_and_libraries_2019\
Property(S): windows1 = C:\Program Files (x86)\IntelSWTools\compilers_and_libraries_2019.3.203\windows\
Property(S): compilers_and_libraries_2016_update_pkg_num = C:\Program Files (x86)\IntelSWTools\compilers_and_libraries_2019.3.203\
Property(S): TBB = C:\Program Files (x86)\IntelSWTools\compilers_and_libraries_2019.3.203\licensing\tbb\
Property(S): LICENSING = C:\Program Files (x86)\IntelSWTools\compilers_and_libraries_2019.3.203\licensing\
Property(S): TBB1 = C:\Program Files (x86)\IntelSWTools\documentation_2019\ja\tbb\
Property(S): JA1 = C:\Program Files (x86)\IntelSWTools\documentation_2019\ja\
Property(S): DOCUMENTATION_2019 = C:\Program Files (x86)\IntelSWTools\documentation_2019\
Property(S): TBB2 = C:\Program Files (x86)\IntelSWTools\documentation_2019\en\tbb\
Property(S): EN1 = C:\Program Files (x86)\IntelSWTools\documentation_2019\en\
Property(S): _12_0_ = C:\Program Files (x86)\Intel\Compiler\12.0\
Property(S): COMPILER = C:\Program Files (x86)\Intel\Compiler\
Property(S): INTEL = C:\Program Files (x86)\Intel\
Property(S): ProgramFilesFolder = C:\Program Files (x86)\
Property(S): Intel = 6
Property(S): TARGETDIR = F:\
Property(S): INSTALLLEVEL = 100
Property(S): ALLUSERS = 1
Property(S): REBOOT = ReallySuppress
Property(S): INTEL_PRODUCT_NAME = Intel(R) Compiler and Libraries 2019 Update 3 for Windows*
Property(S): INTEL_PRODUCT_VERSION = 19.0.5003.203
Property(S): CMM_CC_ProductFamily = ;CPro_190;WW_TBB_LIC;
Property(S): ARPSYSTEMCOMPONENT = 1
Property(S): RUN_SETUP_EXE = Please launch Install.exe to install the product.
Property(S): Manufacturer = Intel Corporation
Property(S): ProductCode = {00ED74F0-B617-4608-85DD-555DE69C726C}
Property(S): ProductLanguage = 1033
Property(S): ProductName = Intel TBB
Property(S): ProductVersion = 19.0.4.203
Property(S): UpgradeCode = {16F2C018-F653-491C-94BB-5868C19ADAF4}
Property(S): SecureCustomProperties = COEXUPGRADE;SUPPORTDIR
Property(S): MsiLogFileLocation = C:\Users\mech4\AppData\Local\Temp\pset_tmp_ISS2019WT_Mech4Life1970\2019.05.21_03.52.25_00002fa4\log{00ED74F0-B617-4608-85DD-555DE69C726C}.log
Property(S): PackageCode = {784D61C7-01C3-47B5-94D1-4A67D41FF267}
Property(S): ProductState = 5
Property(S): ProductToBeRegistered = 1
Property(S): REMOVE = ALL
Property(S): CURRENTDIRECTORY = C:\Users\mech4\Downloadsintel-sw-tools-installation-bundle-win-win (2)
Property(S): CLIENTUILEVEL = 3
Property(S): MSICLIENTUSESEXTERNALUI = 1
Property(S): CLIENTPROCESSID = 12196
Property(S): MsiRestartManagerSessionKey = 813997d10ca49944b4d4a3214b8b490c
Property(S): MsiSystemRebootPending = 1
Property(S): PRODUCTLANGUAGE = 1033
Property(S): VersionDatabase = 200
Property(S): VersionMsi = 5.00
Property(S): VersionNT = 603
Property(S): VersionNT64 = 603
Property(S): WindowsBuild = 9600
Property(S): ServicePackLevel = 0
Property(S): ServicePackLevelMinor = 0
Property(S): MsiNTProductType = 1
Property(S): WindowsFolder = C:\WINDOWS\
Property(S): WindowsVolume = C:\
Property(S): System64Folder = C:\WINDOWS\system32\
Property(S): SystemFolder = C:\WINDOWS\SysWOW64\
Property(S): RemoteAdminTS = 1
Property(S): TempFolder = C:\Users\mech4\AppData\Local\Temp\
Property(S): CommonFilesFolder = C:\Program Files (x86)\Common Files\
Property(S): ProgramFiles64Folder = C:\Program Files\
Property(S): CommonFiles64Folder = C:\Program Files\Common Files\
Property(S): AppDataFolder = C:\Users\mech4\AppData\Roaming\
Property(S): FavoritesFolder = C:\Users\mech4\Favorites\
Property(S): NetHoodFolder = C:\Users\mech4\AppData\Roaming\Microsoft\Windows\Network Shortcuts\
Property(S): PersonalFolder = C:\Users\mech4\OneDrive\Documents\
Property(S): PrintHoodFolder = C:\Users\mech4\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\
Property(S): RecentFolder = C:\Users\mech4\AppData\Roaming\Microsoft\Windows\Recent\
Property(S): SendToFolder = C:\Users\mech4\AppData\Roaming\Microsoft\Windows\SendTo\
Property(S): TemplateFolder = C:\ProgramData\Microsoft\Windows\Templates\
Property(S): CommonAppDataFolder = C:\ProgramData\
Property(S): LocalAppDataFolder = C:\Users\mech4\AppData\Local\
Property(S): MyPicturesFolder = C:\Users\mech4\OneDrive\Pictures\
Property(S): AdminToolsFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
Property(S): StartupFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Property(S): ProgramMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
Property(S): StartMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\
Property(S): DesktopFolder = C:\Users\Public\Desktop\
Property(S): FontsFolder = C:\WINDOWS\Fonts\
Property(S): GPTSupport = 1
Property(S): OLEAdvtSupport = 1
Property(S): ShellAdvtSupport = 1
Property(S): MsiAMD64 = 6
Property(S): Msix64 = 6
Property(S): PhysicalMemory = 3893
Property(S): VirtualMemory = 5787
Property(S): AdminUser = 1
Property(S): MsiTrueAdminUser = 1
Property(S): LogonUser = Mech4Life1970
Property(S): UserSID = S-1-5-21-3921398528-3817173331-292429632-1001
Property(S): UserLanguageID = 1033
Property(S): ComputerName = NIZZLES
Property(S): SystemLanguageID = 1033
Property(S): ScreenX = 1024
Property(S): ScreenY = 768
Property(S): CaptionHeight = 19
Property(S): BorderTop = 1
Property(S): BorderSide = 1
Property(S): TextHeight = 16
Property(S): TextInternalLeading = 3
Property(S): ColorBits = 32
Property(S): TTCSupport = 1
Property(S): Time = 7:08:47
Property(S): Date = 5/21/2019
Property(S): MsiNetAssemblySupport = 4.8.3752.0
Property(S): MsiWin32AssemblySupport = 6.3.18362.1
Property(S): RedirectedDllSupport = 2
Property(S): MsiRunningElevated = 1
Property(S): Privileged = 1
Property(S): USERNAME = [email protected]
Property(S): Installed = 00:00:00
Property(S): DATABASE = C:\WINDOWS\Installer\9fd5ba.msi
Property(S): OriginalDatabase = C:\WINDOWS\Installer\9fd5ba.msi
Property(S): UILevel = 2
Property(S): Preselected = 1
Property(S): ACTION = INSTALL
Property(S): ROOTDRIVE = F:\
Property(S): CostingComplete = 0
Property(S): OutOfDiskSpace = 0
Property(S): OutOfNoRbDiskSpace = 0
Property(S): PrimaryVolumeSpaceAvailable = 0
Property(S): PrimaryVolumeSpaceRequired = 0
Property(S): PrimaryVolumeSpaceRemaining = 0
=== Logging stopped: 5/21/2019 7:08:47 ===
MSI (c) (A4:A4) [07:08:47:404]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (A4:A4) [07:08:47:404]: MainEngineThread is returning 1603
=== Verbose logging stopped: 5/21/2019 7:08:47 ===

I will be on the customer site on Thursday/Friday so will check out these GPO settings myself to give you feedback.

Regards

Mark

From: D76C6399A0F334216B3A58BE07C3C3137D5E14542BC13CA38EB0800D9FFC1FE6 notifications@github.com
Sent: 19 May 2019 18:59
To: MicrosoftDocs/windows-itpro-docs windows-itpro-docs@noreply.github.com
Cc: chiners68 markchinery@hotmail.com; Mention mention@noreply.github.com
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

@chiners68https://github.com/chiners68

One more guess.

Windows Components > Biometrics > Facial Features

• Configure enhanced anti-spoofing

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3IQWZJV3KQW7SXH4BDPWGIOBA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVXHHTI#issuecomment-493777869, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3JFAC2YMY3A2J55ED3PWGIOBANCNFSM4HNBX4OA.

I have found the offending policy.

So just a recap this MS Security baseline policy in MSFT Windows 10 RS4- Computer prevents the reset password on the lock screen for Azure SSPR from working.

Computer Configuration > Policies > Administrative Templates > Windows components > App Runtime >

· Block Launching Windows Store apps with Windows Runtime API access from hosted content

Regards

Mark Chinery

From: D76C6399A0F334216B3A58BE07C3C3137D5E14542BC13CA38EB0800D9FFC1FE6 notifications@github.com
Sent: 19 May 2019 18:59
To: MicrosoftDocs/windows-itpro-docs windows-itpro-docs@noreply.github.com
Cc: chiners68 markchinery@hotmail.com; Mention mention@noreply.github.com
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

@chiners68https://github.com/chiners68

One more guess.

Windows Components > Biometrics > Facial Features

• Configure enhanced anti-spoofing

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3IQWZJV3KQW7SXH4BDPWGIOBA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVXHHTI#issuecomment-493777869, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3JFAC2YMY3A2J55ED3PWGIOBANCNFSM4HNBX4OA.

I have set the following but it has not resolved the issue.

Control Panel > Personalization

• Prevent enabling lock screen camera – Not-Configured
• Prevent enabling lock screen slide show – Not-Configured

System > Logon >

• Turn on convenience PIN sign-in - Enabled

From: D76C6399A0F334216B3A58BE07C3C3137D5E14542BC13CA38EB0800D9FFC1FE6 notifications@github.com
Sent: 18 May 2019 01:08
To: MicrosoftDocs/windows-itpro-docs windows-itpro-docs@noreply.github.com
Cc: chiners68 markchinery@hotmail.com; Mention mention@noreply.github.com
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

I'm not able to test this so these are just guesses because they deal with lock screen and PIN.

Control Panel > Personalization

• Prevent enabling lock screen camera - Enabled
• Prevent enabling lock screen slide show - Enabled

System > Logon >

• Turn on convenience PIN sign-in - Disabled

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3OWBSPT5HTWZHS5VIDPV5CE5A5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVWDN5Y#issuecomment-493631223, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3NHHMRBCKCG5HA555LPV5CE5ANCNFSM4HNBX4OA.

Turning off enhanced anti spoofing did not resolve the issue, back to the drawing board.

From: D76C6399A0F334216B3A58BE07C3C3137D5E14542BC13CA38EB0800D9FFC1FE6 notifications@github.com
Sent: 19 May 2019 18:59
To: MicrosoftDocs/windows-itpro-docs windows-itpro-docs@noreply.github.com
Cc: chiners68 markchinery@hotmail.com; Mention mention@noreply.github.com
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

@chiners68https://github.com/chiners68

One more guess.

Windows Components > Biometrics > Facial Features

• Configure enhanced anti-spoofing

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3IQWZJV3KQW7SXH4BDPWGIOBA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVXHHTI#issuecomment-493777869, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3JFAC2YMY3A2J55ED3PWGIOBANCNFSM4HNBX4OA.

Hi Aaron,
The Following GPO Settings in the Baseline prevents the Reset Password from functioning

Computer Configuration > Policies > Administrative Templates > Windows components > App Runtime >

· Block Launching Windows Store apps with Windows Runtime API access from hosted content

Regards

Mark Chinery

From: Mark Chinery
Sent: 17 May 2019 17:25
To: MicrosoftDocs/windows-itpro-docs reply@reply.github.com; MicrosoftDocs/windows-itpro-docs windows-itpro-docs@noreply.github.com
Cc: Mention mention@noreply.github.com
Subject: RE: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

Hi Aaron,
Here is a one drive link with two small videos. Link expires tomorrow.

https://marath0nps-my.sharepoint.com/:f:/g/personal/mark_chinery_marathon-ps_com/EvFeN7-30kpJttsnhvuSl_gBp5RpVZ01pQrLKeSLbX6Veg?e=GXykZy

The Malaysian mounting screen is the customer device with Baseline applied. You can see I press the Reset Password Link, it starts to process to the rest page but returns to the lock screen. The other device is my work laptop with no baseline and you can see the same process on this gets me to the rest password page.

This same issue occurs if you try to rest the PIN for Windows Hello, but if you fix it for the password reset, it will fix this same issue loading another reset page.

Regards

Mark

From: Aaron Margosis <[email protected]notifications@github.com>
Sent: 17 May 2019 16:47
To: MicrosoftDocs/windows-itpro-docs <[email protected]windows-itpro-docs@noreply.github.com>
Cc: chiners68 <[email protected]markchinery@hotmail.com>; Mention <[email protected]mention@noreply.github.com>
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

OK. Can you describe the symptoms more precisely? What exactly isn't working the way you believe it should? Please be detailed. Thanks.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3LHB56T6M4KI3I5M6LPV3HQHA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVVD6CI#issuecomment-493502217, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3NMMKHRWISFSMLFGYTPV3HQHANCNFSM4HNBX4OA.

Well, that’s certainly surprising. Can you please provide a new link to the videos demonstrating the problem that I can share with colleagues?

Thanks.

– Aaron

From: chiners68 notifications@github.com
Sent: Friday, May 31, 2019 04:09
To: MicrosoftDocs/windows-itpro-docs windows-itpro-docs@noreply.github.com
Cc: Aaron Margosis aaronmar@microsoft.com; Mention mention@noreply.github.com
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

Hi Aaron,
The Following GPO Settings in the Baseline prevents the Reset Password from functioning

Computer Configuration > Policies > Administrative Templates > Windows components > App Runtime >

· Block Launching Windows Store apps with Windows Runtime API access from hosted content

Regards

Mark Chinery

From: Mark Chinery
Sent: 17 May 2019 17:25
To: MicrosoftDocs/windows-itpro-docs <[email protected]reply@reply.github.com>; MicrosoftDocs/windows-itpro-docs <[email protected]windows-itpro-docs@noreply.github.com>
Cc: Mention <[email protected]mention@noreply.github.com>
Subject: RE: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

Hi Aaron,
Here is a one drive link with two small videos. Link expires tomorrow.

https://marath0nps-my.sharepoint.com/:f:/g/personal/mark_chinery_marathon-ps_com/EvFeN7-30kpJttsnhvuSl_gBp5RpVZ01pQrLKeSLbX6Veg?e=GXykZy

The Malaysian mounting screen is the customer device with Baseline applied. You can see I press the Reset Password Link, it starts to process to the rest page but returns to the lock screen. The other device is my work laptop with no baseline and you can see the same process on this gets me to the rest password page.

This same issue occurs if you try to rest the PIN for Windows Hello, but if you fix it for the password reset, it will fix this same issue loading another reset page.

Regards

Mark

From: Aaron Margosis <[email protected]<mailto:[email protected]>>
Sent: 17 May 2019 16:47
To: MicrosoftDocs/windows-itpro-docs <[email protected]<mailto:[email protected]>>
Cc: chiners68 <[email protected]<mailto:[email protected]>>; Mention <[email protected]<mailto:[email protected]>>
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

OK. Can you describe the symptoms more precisely? What exactly isn't working the way you believe it should? Please be detailed. Thanks.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3LHB56T6M4KI3I5M6LPV3HQHA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVVD6CI#issuecomment-493502217, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3NMMKHRWISFSMLFGYTPV3HQHANCNFSM4HNBX4OA.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AFZZDGDVOFKO45JQZSST523PYDMIDA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWUQ2YI#issuecomment-497618273, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AFZZDGDWAVY2EZKNK6HLJ6DPYDMIDANCNFSM4HNBX4OA.

2 day read only access to original videos.
https://marath0nps-my.sharepoint.com/:f:/g/personal/mark_chinery_marathon-ps_com/EvFeN7-30kpJttsnhvuSl_gBzj_ZD56LPWuYcBLLLeF5UA?e=Wx22gs

If you want videos demonstrating the GPO setting on the same device I would need to do this Monday for you

Regards

Mark Chinery

Sent from my iPhone

On 31 May 2019, at 17:18, Aaron Margosis <[email protected]notifications@github.com> wrote:

Well, that’s certainly surprising. Can you please provide a new link to the videos demonstrating the problem that I can share with colleagues?

Thanks.

– Aaron

From: chiners68 <[email protected]notifications@github.com>
Sent: Friday, May 31, 2019 04:09
To: MicrosoftDocs/windows-itpro-docs <[email protected]windows-itpro-docs@noreply.github.com>
Cc: Aaron Margosis <[email protected]aaronmar@microsoft.com>; Mention <[email protected]mention@noreply.github.com>
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

Hi Aaron,
The Following GPO Settings in the Baseline prevents the Reset Password from functioning

Computer Configuration > Policies > Administrative Templates > Windows components > App Runtime >

· Block Launching Windows Store apps with Windows Runtime API access from hosted content

Regards

Mark Chinery

From: Mark Chinery
Sent: 17 May 2019 17:25
To: MicrosoftDocs/windows-itpro-docs <[email protected]reply@reply.github.comreply@reply.github.com>; MicrosoftDocs/windows-itpro-docs <[email protected]windows-itpro-docs@noreply.github.comwindows-itpro-docs@noreply.github.com>
Cc: Mention <[email protected]mention@noreply.github.commention@noreply.github.com>
Subject: RE: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

Hi Aaron,
Here is a one drive link with two small videos. Link expires tomorrow.

https://marath0nps-my.sharepoint.com/:f:/g/personal/mark_chinery_marathon-ps_com/EvFeN7-30kpJttsnhvuSl_gBp5RpVZ01pQrLKeSLbX6Veg?e=GXykZy

The Malaysian mounting screen is the customer device with Baseline applied. You can see I press the Reset Password Link, it starts to process to the rest page but returns to the lock screen. The other device is my work laptop with no baseline and you can see the same process on this gets me to the rest password page.

This same issue occurs if you try to rest the PIN for Windows Hello, but if you fix it for the password reset, it will fix this same issue loading another reset page.

Regards

Mark

From: Aaron Margosis <[email protected]notifications@github.com<mailto:[email protected]<mailto:[email protected]%3cmailto:[email protected]notifications@github.com>>>
Sent: 17 May 2019 16:47
To: MicrosoftDocs/windows-itpro-docs <[email protected]windows-itpro-docs@noreply.github.com<mailto:[email protected]<mailto:[email protected]%3cmailto:[email protected]windows-itpro-docs@noreply.github.com>>>
Cc: chiners68 <[email protected]markchinery@hotmail.com<mailto:[email protected]<mailto:[email protected]%3cmailto:[email protected]markchinery@hotmail.com>>>; Mention <[email protected]mention@noreply.github.com<mailto:[email protected]<mailto:[email protected]%3cmailto:[email protected]mention@noreply.github.com>>>
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

OK. Can you describe the symptoms more precisely? What exactly isn't working the way you believe it should? Please be detailed. Thanks.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3LHB56T6M4KI3I5M6LPV3HQHA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVVD6CI#issuecomment-493502217, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3NMMKHRWISFSMLFGYTPV3HQHANCNFSM4HNBX4OA.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AFZZDGDVOFKO45JQZSST523PYDMIDA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWUQ2YI#issuecomment-497618273, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AFZZDGDWAVY2EZKNK6HLJ6DPYDMIDANCNFSM4HNBX4OA.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3OX2VOTUZ3Y6RRYBD3PYFFTTA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWVWCCQ#issuecomment-497770762, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3ODKSVPMSJCPPPZXA3PYFFTTANCNFSM4HNBX4OA.

Can you make the access to the videos longer? It's already Friday afternoon here and I don't know how quickly anyone's going to have a chance to look at this.

Link valid till Friday 7th June

https://marath0nps-my.sharepoint.com/:f:/g/personal/mark_chinery_marathon-ps_com/EvFeN7-30kpJttsnhvuSl_gBzj_ZD56LPWuYcBLLLeF5UA?e=d5ICm1

You should be able to copy the files out if you want to keep them.

Sent from my iPhone

On 31 May 2019, at 17:42, Aaron Margosis <[email protected]notifications@github.com> wrote:

Can you make the access to the videos longer? It's already Friday afternoon here and I don't know how quickly anyone's going to have a chance to look at this.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3JSXTODEM4P3677NSTPYFIOHA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWVYCOA#issuecomment-497779000, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3LRNYQIBIBSZKFRIDLPYFIOHANCNFSM4HNBX4OA.

I just looked into this setting. Microsoft's security configuration baselines have never recommended configuring it for Windows, nor (AFAICT) have the DISA STIGs. I do see that the Center for Internet Security has included it in their Level 2 benchmarks for Windows. The settings in the CIS L2 benchmarks are known to break lots of useful functionality and are intended only for environments where extreme constraints are acceptable.

Do you have a regulatory/compliance reason to keep that setting in place, or any other CIS L2 settings for that matter?

The company is this is in is a law firm and I’m sure they have CIS or some other compliance, I created the baseline but don’t recall adding this setting. They may of done this themselves. It might explain why I’m using the azure security baseline but it dosent affect me for the reset password as that setting is not there.

We have change control approving the removal of this setting from the GPO so it won’t be an issue going forward. I have reset a message to the owners of the reset password SSPR page to add this to the list of GP settings that would prevent it from working. Hopefully that will prevent someone else having this issue.

Regards

Mark

Sent from my iPhone

On 31 May 2019, at 20:31, Aaron Margosis <[email protected]notifications@github.com> wrote:

I just looked into this setting. Microsoft's security configuration baselines have never recommended configuring it for Windows, nor (AFAICT) have the DISA STIGs. I do see that the Center for Internet Security has included it in their Level 2 benchmarks for Windows. The settings in the CIS L2 benchmarks are known to break lots of useful functionality and are intended only for environments where extreme constraints are acceptable.

Do you have a regulatory/compliance reason to keep that setting in place, or any other CIS L2 settings for that matter?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3OD7BXAMXIR35GMZMLPYF4KJA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWWFQJQ#issuecomment-497834022, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3LE7NRBVXKY2TTTGSDPYF4KJANCNFSM4HNBX4OA.

I'd be surprised if they actually have a regulatory obligation (other than self-imposed) to use the CIS Level 2 benchmarks. Level 1, perhaps, but not level 2.

Yeah, that setting has never been part of the Windows STIGs. CIS Windows benchmarks are way overkill.

They are using the CIS benchmarking tool which the device has been pen tested against but essentially they are a mix of NCSC, CIS and NIST.

From: Aaron Margosis notifications@github.com
Sent: 01 June 2019 04:59
To: MicrosoftDocs/windows-itpro-docs windows-itpro-docs@noreply.github.com
Cc: chiners68 markchinery@hotmail.com; Mention mention@noreply.github.com
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Security Baseline Computer Policy Blocks the Rest PIN and Resset Password(SSPR) pages from loading. (#3696)

I'd be surprised if they actually have a regulatory obligation (other than self-imposed) to use the CIS Level 2 benchmarks. Level 1, perhaps, but not level 2.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftDocs/windows-itpro-docs/issues/3696?email_source=notifications&email_token=AJ3CC3LEVOSWLXD7HN5TQDLPYHXXXA5CNFSM4HNBX4OKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWWYBGI#issuecomment-497909913, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJ3CC3JD2TZ66TTHZELME3TPYHXXXANCNFSM4HNBX4OA.

I'm 99% sure that the CIS benchmarking tool gives the option whether to inspect the Level 2 settings or just Level 1. Don't inspect the L2 settings. They guarantee unhappiness.

@chiners68 In our understanding your questions seems to have been answered through community interaction.

Note that the issues section of this repository is intended for documentation and content issues only.

Should you have any further issues similar to this one, please consider opening a product support ticket here:

Windows 10 Support

Thanks.