scipag / HardeningKitty

HardeningKitty - Checks and hardens your Windows configuration
MIT License

XblGameSave Standby Task, 11060 #30

Closed FLeven closed 1 year ago

FLeven commented 1 year ago

I know the recommendation exists (and you should disable it), but it never made it into the official Microsoft OS machine baselines, right? I remember they mentioned somewhere that they think about expanding the baselines and adding user-based tasks and services.

11060 | Scheduled Task | XblGameSave Standby Task

0x6d69636b commented 1 year ago

This is officially part of the baseline (at least of the documentation, MS Security Baseline Windows 11 v22H2.xlsx).


FLeven commented 1 year ago

Yes, I wish the Excel files did not exist; Policy Analyzer, for example, shows the actual settings that get deployed.

Item 11060 will always be reported as a wrong setting, because it does not exist. If one would like to disable a service, for example, it can be disabled in the "legacy/pre-GPP" settings computer / windows settings / systemservice

or (MSFT Windows 11 - Computer) Windows11-Security-Baseline-FINAL\GPOs{9FE25A81-CB6B-4F76-B9D2-147E9BED9A06}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf

If we check the GPO backup that we imported, no scheduled task is changed. There are no GPP settings in any security baseline (scheduled tasks are set in GPP), as far as I know.

I asked here, maybe someone will clarify, as this is not a new setting it would affect all client OS baselines: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/bc-p/3729327#M560
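The check described in the comment above, looking through an imported GPO backup for service and scheduled-task settings, can be scripted. This is an added example, not part of the thread or of HardeningKitty; the `Preferences\ScheduledTasks` path is the usual GPP location and is an assumption here, and the sample GPO folders, service name and task name are constructed.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Paths relative to a GPO backup's {GUID} folder. The SecEdit path is the one
# quoted in the thread; the Preferences path is the usual GPP location (assumed).
INF = Path("DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf")
GPP = Path("DomainSysvol/GPO/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml")

def service_settings(inf_path):
    """Service names under [Service General Setting] in a GptTmpl.inf."""
    raw = inf_path.read_bytes()
    # Security templates are normally UTF-16 with a BOM; fall back to UTF-8.
    utf16 = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = raw.decode("utf-16" if utf16 else "utf-8", errors="replace")
    names, in_section = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[service general setting]"
        elif in_section and line and not line.startswith(";"):
            names.append(line.split(",")[0].strip('"'))
    return names

def gpp_tasks(xml_path):
    """Task names defined in a GPP ScheduledTasks.xml (Task, TaskV2, ...)."""
    return [el.get("name") for el in ET.parse(xml_path).getroot() if el.get("name")]

def audit_backup(backup_root):
    """Map each GPO folder to the services and scheduled tasks it configures."""
    report = {}
    for gpo in sorted(p for p in Path(backup_root).iterdir() if p.is_dir()):
        inf, gpp = gpo / INF, gpo / GPP
        report[gpo.name] = {
            "services": service_settings(inf) if inf.is_file() else [],
            "tasks": gpp_tasks(gpp) if gpp.is_file() else [],
        }
    return report

def build_sample(root):
    """Constructed sample: one template-only GPO, one GPO with a GPP task."""
    a, b = Path(root) / "{GPO-A}" / INF, Path(root) / "{GPO-B}" / GPP
    a.parent.mkdir(parents=True)
    b.parent.mkdir(parents=True)
    a.write_text('[Unicode]\nUnicode=yes\n[Service General Setting]\n'
                 '"ExampleSvc",4,""\n[Version]\nRevision=1\n', encoding="utf-16")
    b.write_text('<ScheduledTasks><TaskV2 name="Example Task"/></ScheduledTasks>',
                 encoding="utf-8")
    return root
```

Pointing `audit_backup` at the `GPOs` folder of an unpacked baseline lists, per GPO, which services and scheduled tasks the backup actually carries; an empty `tasks` list for every GPO means the backup sets no scheduled task through GPP.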

0x6d69636b commented 1 year ago

I like the Excel list because it simplifies my list-making work a lot. PolicyAnalyzer cannot check Scheduled Tasks settings as there are no registry keys for scheduled tasks as far as I know. However, as Aaron Margosis states, it is part of the baseline and Microsoft uses other tools to configure it.

But I'm basically interested to know what Microsoft's official position is on this, as the Excel list and other sources are sometimes conflicting. And then there is Intune...

FLeven commented 1 year ago

Other tools = import to local GPO ... better do it with a computer GPP

I integrate all the important Microsoft security baselines (easier to implement than CIS or DoD; BSI is too much Sisyphus), enforce them and report regularly that they stay unchanged. Afterwards I can guarantee all vendor recommendations are set and not changed over time.

Then I add the customer customizations, maybe some security options etc. (Citrix recommendations are really tight and good).

I will delete the task from my list(s) or move it to an optional one.