We just added the Security Configuration and Vulnerability Management module recently and I am currently taking a look at how it works. So far I am a little confused at this point. I have looked at the resulting fixlets and tested a few on systems that need the given configuration change. One specifically is “Shutdown: Clear virtual memory pagefile”. This is a setting that we now include in our desktop core image but we still had some systems with an older image that need this setting configured.
When we set this manually we do it through Local Security Policy and just flip it to enabled which changes the reg value “ClearPageFileAtShutdown” to 1. When I run the action for this configuration in BigFix it says it completes and then the system is no longer listed as needing the action, but the setting in local policy is left at Disabled and the registry value remains 0.
Alternately, I checked a system that has our newest image with this setting configured properly, and BF reports that it needs the action even though the setting “Shutdown: Clear virtual memory pagefile” in Local Security Policy is Enabled and the reg value is 1. When I then run the action on this system the reg value changes to 0, which I thought should be left as 1. I have also tested this with “Network security: LAN Manager authentication level” with the same result: it did not change anything under that setting when looking from LSP.
Am I just not understanding what BigFix is doing correctly or is the action not working? I am starting to think that since BF appears to apply this via a GPO (right?) that maybe the changes are correct but you cannot verify by checking the LSP or Reg settings? If this is even remotely true, then I still don’t understand why, when I set the setting manually BigFix does not mark it as correct? Can someone help shed some light on this issue?
How are you looking at these values? With gpedit.msc? If so, it seems to do some extensive caching (not exactly sure how, but I seem to remember it caching the data even if I close and reopen gpedit), but once you open it, it will not update its settings unless you change them through gpedit.msc.
You can run a test where you first make the change and then later open gpedit.msc and then see if it changes the policy.
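One way to run that test without depending on what gpedit.msc shows is to read the live values directly, as in the following added example (not code from the thread or from BigFix). It reads the registry value and a fresh `secedit /export` of the local security policy side by side; the registry paths are the standard Windows locations for these two settings and are assumed here, since the thread only names the value `ClearPageFileAtShutdown`, and the expected LAN Manager level is a placeholder.

```powershell
# Added example: compare the registry value with the live local security policy
# (secedit reads the policy database, not a cached gpedit view).
# Registry paths below are standard Windows locations, assumed, not from the thread.
$checks = @(
    @{ Name     = 'Shutdown: Clear virtual memory pagefile'
       Key      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Value    = 'ClearPageFileAtShutdown'
       Expected = 1 },
    @{ Name     = 'Network security: LAN Manager authentication level'
       Key      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'LmCompatibilityLevel'
       Expected = 3 }   # placeholder: set to the level your baseline requires
)

# Export the current local security policy to a temporary INF file.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /quiet | Out-Null
$policy = Get-Content $inf

foreach ($c in $checks) {
    # Direct registry read; unlike gpedit this reflects the value immediately.
    $reg = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)

    # secedit writes registry-backed settings as
    #   MACHINE\<key without HKLM:\>\<value>=<type>,<data>
    $relKey = $c.Key -replace '^HKLM:\\', ''
    $line = $policy | Where-Object { $_ -like "MACHINE\$relKey\$($c.Value)=*" }
    $pol = if ($line) { ($line -split ',', 2)[1] } else { '(not in export)' }

    [pscustomobject]@{
        Setting  = $c.Name
        Registry = if ($null -eq $reg) { '(missing)' } else { $reg }
        SecPol   = $pol
        Expected = $c.Expected
        Match    = ($reg -eq $c.Expected)
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Run it from an elevated prompt before and after the BigFix action; if the Registry and SecPol columns agree but gpedit shows something else, the difference is gpedit's cached view rather than the setting itself.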
Yea, I am checking through gpedit.msc, or from regedit when checking the registry. So what you’re saying is that it’s just latency within gpedit? I will try the test you suggested and report back if there are any issues. How would one explain the issues with the registry values? Would this also be the same problem with latency? I know when I make a change using the LSP all I need to do is refresh regedit and it will show the change. The other issue that concerns me the most is that it is flagging systems that do have the correct value set from the local security policy. I will have to look at the full NIST documentation for a given setting and also figure out exactly what BF is doing when it remediates the issue. It could be that what we set manually may differ from what BF is evaluating, but for the options where it is either enabled or disabled it doesn’t seem like there is much room for variance.
Yes. If you look at the registry, there should be no latency in seeing the up-to-date values.
I am surprised if BigFix changed the value and it is not reflected in the registry. Is it possible that your GPO values have overwritten the BigFix value?