Checklist question

Hi, we are implementing the CIS checklist on Windows 11 and Windows 10, and the "Prevent users from sharing files within their profile." check is failing on all the endpoints. What could be the reason? Any thoughts…

Do you mean that the system reports non-compliant (Fixlet is relevant) or that sending a remediation action fails?

What’s the checklist name and Fixlet ID?

Do you mean that the system reports non-compliant (Fixlet is relevant) or that sending a remediation action fails? - Yes, that's correct. When we send the remediation action, the script executes without any issue (as per the logs) but the action status shows Failed.

My observation is that the registry value "NoInPlaceSharing = 1" is created, but the Group Policy configuration is not updated for this check under "User Configuration\Policies\Administrative Templates\Windows Components\Network Sharing\Prevent users from sharing files within their profile".

Fixlet Name is - (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'

ID - 147039

Nothing executed on the client, including via BigFix, can override a Domain Group Policy. You will have to remove or modify the Domain GPO that is making the client non-compliant.

If this is applied via Local Group Policy, it would be possible to write a Fixlet to modify the Local GPO, but that is not provided in the Compliance content as applying Local GPO is an unusual configuration.

You may use the output of gpresult /h:gpreport.htm on the client to determine which Group Policy Objects are applying the setting so you can determine where it needs to be changed.

I have run the script locally on my domain machine and it executed successfully, and I checked the Domain Group Policy as well; we don't have any policy configured for this. I will check with the team and update here.

Checking the fixlet actionscript, it appears to configure the per-user registry keys, but only for the users who are logged on when the action executes. If a different user logs in later, that new user does not have the remediation applied.

This does not affect the Local Group Policy definition, however, and will not be reflected in the gpedit.msc console.

Agreed, but I am not able to understand why the action failed when execution succeeded for the logged-on user. It should be Fixed, and if a different user logs in then it should be applicable again on that machine. Please correct me if I am wrong.

You could try these queries in the Fixlet Debugger, using the ‘Evaluate in client context’ option to see which relevance piece is flagging the action as a failure.
Since this action only affects the currently logged on users, if a new user logs on who has not been configured with the setting, I do expect the action to switch to ‘Failed’. The action probably needs to be sent as a Policy with ‘Reapply whenever it becomes relevant again’ to ensure it continues to fix the next users that log on.

// Original fixlet relevance
q: not exists 1 whose (number of (values "NoInPlaceSharing" of keys "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" of current user keys (logged on users) of native registry) whose ((type of it = "REG_DWORD") of it and ((if (type of it = "REG_BINARY" or type of it = "REG_NONE") then (hexadecimal integer (it as string)) else (it as integer)) of it = (it as integer) of ("1"))) = number of current user keys (logged on users) of native registry)
A: False
T: 0.065 ms

// number of values found in registry paths
q: number of (values "NoInPlaceSharing" of keys "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" of current user keys (logged on users) of native registry)
A: 1
T: 0.032 ms

// number of validly-configured registry values
q: number of (values "NoInPlaceSharing" of keys "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" of current user keys (logged on users) of native registry) whose ((type of it = "REG_DWORD") of it and ((if (type of it = "REG_BINARY" or type of it = "REG_NONE") then (hexadecimal integer (it as string)) else (it as integer)) of it = (it as integer) of ("1"))) 
A: 1
T: 0.066 ms

// number of logged-on users found; count should match the number of validly-configured keys
q: number of current user keys (logged on users) of native registry
A: 1
T: 0.026 ms

// pathnames & values of validly-configured registry keys
q:  (pathname of parent key of it, name of it, it) of (values "NoInPlaceSharing" of keys "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" of current user keys (logged on users) of native registry) whose ((type of it = "REG_DWORD") of it and ((if (type of it = "REG_BINARY" or type of it = "REG_NONE") then (hexadecimal integer (it as string)) else (it as integer)) of it = (it as integer) of ("1"))) 
A: HKEY_USERS\S-1-5-21-2837794078-1115317433-2018215637-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, noinplacesharing, 1
T: 0.072 ms

// pathnames of logged-on user hives
q: pathnames of current user keys (logged on users) of native registry
A: HKEY_USERS\S-1-5-21-2837794078-1115317433-2018215637-500
T: 0.015 ms
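As an added example (not the Fixlet's own code, and not posted by anyone in the thread), the following PowerShell audit reproduces the same condition the relevance above expresses, enumerating the loaded user hives under HKEY_USERS (an approximation of "logged on users") and reporting which SIDs lack a REG_DWORD NoInPlaceSharing = 1. Run it in an elevated session on a non-compliant endpoint to see which user the Fixlet is counting against the machine.

```powershell
# Added example: per-user audit of NoInPlaceSharing, mirroring the Fixlet relevance.
# Compliant when every user hive has REG_DWORD NoInPlaceSharing = 1 under the Explorer policy key.
$ValueName = 'NoInPlaceSharing'
$SubKey    = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Expose HKEY_USERS as a drive if the session does not already have one.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Loaded user hives are SID-named subkeys of HKEY_USERS. Keep domain/local (S-1-5-21-*)
# and Azure AD (S-1-12-1-*) account SIDs; skip *_Classes hives, .DEFAULT and S-1-5-18/19/20.
$userHives = Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' }

$results = foreach ($hive in $userHives) {
    $sid  = $hive.PSChildName
    $key  = Get-Item -Path "HKU:\$sid\$SubKey" -ErrorAction SilentlyContinue
    $kind = $null
    $data = $null
    # Registry value names are case-insensitive; -contains compares case-insensitively too.
    if ($key -and ($key.GetValueNames() -contains $ValueName)) {
        $kind = $key.GetValueKind($ValueName)   # RegistryValueKind; DWord == REG_DWORD
        $data = $key.GetValue($ValueName)
    }
    [pscustomobject]@{
        SID       = $sid
        Type      = $kind
        Value     = $data
        Compliant = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $data -eq 1)
    }
}

$results | Format-Table -AutoSize

# Same test as the relevance: count of validly configured values must equal count of user hives.
$nonCompliant = @($results | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -eq 0) {
    'Compliant: every loaded user hive has NoInPlaceSharing = 1 (REG_DWORD)'
} else {
    "Non-compliant: $($nonCompliant.Count) of $($results.Count) user hive(s) lack the setting:"
    $nonCompliant.SID
}
```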

Please find the results.

Q: not exists 1 whose (number of (values "NoInPlaceSharing" of keys "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" of current user keys (logged on users) of native registry) whose ((type of it = "REG_DWORD") of it and ((if (type of it = "REG_BINARY" or type of it = "REG_NONE") then (hexadecimal integer (it as string)) else (it as integer)) of it = (it as integer) of ("1"))) = number of current user keys (logged on users) of native registry)
A: False
T: 0.163 ms

Q: number of (values "NoInPlaceSharing" of keys "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" of current user keys (logged on users) of native registry)
A: 1
T: 0.067 ms

Q: number of (values "NoInPlaceSharing" of keys "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" of current user keys (logged on users) of native registry) whose ((type of it = "REG_DWORD") of it and ((if (type of it = "REG_BINARY" or type of it = "REG_NONE") then (hexadecimal integer (it as string)) else (it as integer)) of it = (it as integer) of ("1")))
A: 1
T: 0.128 ms

Q: number of current user keys (logged on users) of native registry
A: 1
T: 0.056 ms

Q: (pathname of parent key of it, name of it, it) of (values "NoInPlaceSharing" of keys "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" of current user keys (logged on users) of native registry) whose ((type of it = "REG_DWORD") of it and ((if (type of it = "REG_BINARY" or type of it = "REG_NONE") then (hexadecimal integer (it as string)) else (it as integer)) of it = (it as integer) of ("1")))
A: HKEY_USERS\S-1-5-21-333653013-2304839960-3876203932-1924848\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, noinplacesharing, 1
T: 6.844 ms

Q: pathnames of current user keys (logged on users) of native registry
A: HKEY_USERS\S-1-5-21-333653013-2304839960-3876203932-1924848
T: 0.050 ms

Ok, that looks like it is working as expected on that machine. The "False" on the first result should give a successful action result.

Hi Jason,
I have checked the relevance on one of the problematic machines and found the below-mentioned results. Please suggest.

Q: not exists 1 whose (number of (values "NoInPlaceSharing" of keys "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" of current user keys (logged on users) of native registry) whose ((type of it = "REG_DWORD") of it and ((if (type of it = "REG_BINARY" or type of it = "REG_NONE") then (hexadecimal integer (it as string)) else (it as integer)) of it = (it as integer) of ("1"))) = number of current user keys (logged on users) of native registry)
A: True
T: 59.000 ms

Q: number of (values "NoInPlaceSharing" of keys "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" of current user keys (logged on users) of native registry)
A: 0
T: 58.000 ms

Q: number of (values "NoInPlaceSharing" of keys "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" of current user keys (logged on users) of native registry) whose ((type of it = "REG_DWORD") of it and ((if (type of it = "REG_BINARY" or type of it = "REG_NONE") then (hexadecimal integer (it as string)) else (it as integer)) of it = (it as integer) of ("1")))
A: 0
T: 62.000 ms

Q: number of current user keys (logged on users) of native registry
A: 1
T: 62.000 ms

Q: (pathname of parent key of it, name of it, it) of (values "NoInPlaceSharing" of keys "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" of current user keys (logged on users) of native registry) whose ((type of it = "REG_DWORD") of it and ((if (type of it = "REG_BINARY" or type of it = "REG_NONE") then (hexadecimal integer (it as string)) else (it as integer)) of it = (it as integer) of ("1")))
A:
T: 64.000 ms

Q: pathnames of current user keys (logged on users) of native registry
A: HKEY_USERS\S-1-12-1-3117294876-1235333950-2326105504-3770619662
T: 63.000 ms

It appears the action has not run while that particular user account was logged on.
You'll probably need to take a repeating policy action that reapplies whenever it becomes relevant again, to ensure the action runs again every time a new user logs on.