Product Name
CIS Benchmark™
Product Version
Windows Benchmarks
Date
Problem
I am unable to remove or edit the extra Registry Settings in the from the Windows Benchmarks.
Or
I would like more information on the extra Registry Settings in the Windows Benchmarks
Solution
Please see this WorkBench Discussion entitled - “Alot of "Extra registry settings" in GPO” - which contains useful information from a Windows Community Expert. (Note that you will have to join the Windows WorkBench Community before viewing the discussion)
There are some additional Microsoft-created ADMX templates that we utilize in the benchmark that are not included in the main Windows set. Please download either the PDF or Word versions of the benchmark, and you will see that each and every recommendation in sections 18 and 19 (which are the ones that use Group Policy templates) references which ADMX template file the associated setting comes from.
We try to carefully document each and every recommendation as much as possible in the PDF/Word versions of the Windows benchmarks, and we highly recommend having one (or both) of those documents handy as a reference. Certainly, they are too long to read from front to back, but there is all kinds of useful information to be gleaned from those documents, including known problems that can sometimes occur due to some recommendations.
If unable to remove an Extra Registry setting, this 3rd party blog post may be helpful: Removing Extra Registry Settings from GPOs. Specifically, this section:
If you no longer have the underlying ADMX or ADM files that represented those registry settings, you won’t see them in the GP Editor and therefore cannot unset them. Or can you?
PowerShell to the Rescue (again–sheesh PowerShell you are so annoyingly good)
The good news is that there is a way you can remove these zombies, thanks to the Group Policy (import-module -name GroupPolicy) PowerShell module. The module has a useful set of cmdlets that allow you to read and write directly to the underlying storage file–registry.pol— where Administrative Templates settings are stored. These cmdlets are:
Get-GPRegistryValue Remove-GPRegistryValue Set-GPRegistryValue
The cmdlet that is going to help us in this case, is Remove-GPRegistryValue, which lets us manually pluck registry entries out of the registry.pol file within a GPO’s storage in SYSVOL.
Visit the blog post for further information and instruction: Removing Extra Registry Settings from GPOs
The Product Support team focuses on troubleshooting CIS products such as CIS-CAT Assessor, we do not have expertise in the CIS Benchmarks. The best place to get advice/ask questions about Windows Benchmarks is the WorkBench community page for CIS Microsoft Windows Benchmarks.
This will allow for direct communication with the Benchmark Developer and other community members. You must first join the community, then you can start a discussion thread.
0 Comments