Defrag Tools #173 - Troubleshooting with the Windows Sysinternals Tools, 2nd Edition

In this episode of Defrag Tools, Andrew Richards and Chad Beeder are joined by Aaron Margosis. We talk about the Security Baseline for Windows 10. We also look at the Policy Analyzer and Local Group Policy Objects (LGPO) tools.
Resources:
Microsoft Security Guidance Blog
Policy Analyzer v3.1
Local Group Policy Objects (LGPO)
Aaron Margosis' Non-Admin, App-Compat and Sysinternals WebLog
Troubleshooting with the Windows Sysinternals Tools, 2nd Edition
Just check your mother hasn't already got it...
This is a great episode. Especially the Policy Viewer and LGPO tools. Good Job Aaron.
Can we apply the security and audit settings to local policy using Policy Analyzer or LGPO?
LGPO can apply settings. Policy Analyzer is a "read-only" tool - it doesn't apply settings, just reports on them.
What emulates Win 10 OS?
In the video Aaron mentions that some of the baseline security settings go to undocumented areas of the registry. Therefore when running "Compare local registry" not all of the values set by the baseline security stuff can be read by the tool.
That means:
1. It is not possible to check whether all of the baseline security settings were set correctly or not (since some are in hidden areas of the registry and therefore cannot be read out).
2. Let's say I want to audit a Windows system which joined a domain. I'd like to know if the baseline security settings provided by Microsoft were applied. From my understanding I'm not able to verify that for all settings without having a backup of the GPOs from the domain controller, since just comparing against the registry doesn't give me all the values.
Is that correct?
@Aaron
I'm impressed that you answered that fast. Very much appreciated!
Let me summarize that:
I can use the "Compare local registry" feature to compare against selected baselines. Since that doesn't allow me to also compare stuff under HKLM\Security, I would need to export via
secedit.exe /export /cfg export.inf
and compare the values with the ones in the baseline. Then every setting should have been covered.
Correct?
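The comparison step described in the comment above, as an added PowerShell example that is not part of the episode, the comment thread, or the Policy Analyzer and LGPO tools: it parses the INF that `secedit.exe /export /cfg export.inf` writes (sections such as `[System Access]` and `[Privilege Rights]`, which live under the security hive rather than in readable registry values) and reports each expected setting as Match, Differs or Missing. The expected values below are hypothetical, chosen only for illustration; in practice, feed the same parser the baseline's own security template (the `GptTmpl.inf` under `MACHINE\Microsoft\Windows NT\SecEdit` in the GPO backup) so the expected side comes from the baseline rather than from hand-typed numbers. The `export.inf` path and the sample export are assumptions of this example.

```powershell
# Added example (not from the episode or from Policy Analyzer/LGPO):
# parse the output of 'secedit.exe /export /cfg export.inf' and compare it
# against an expected security template of the same INF shape.

function ConvertFrom-SecurityTemplate {
    param([string[]]$Lines)
    # Returns an ordered dictionary: Section -> (Setting -> Value), preserving file order.
    # Both 'Unicode=yes' and 'MinimumPasswordLength = 14' styles use '=' as separator.
    $result  = [ordered]@{}
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $result.Contains($section)) { $result[$section] = [ordered]@{} }
            continue
        }
        if ($section -and $line -match '^(.+?)\s*=\s*(.*)$') {
            $result[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $result
}

function Compare-SecurityTemplate {
    param(
        [System.Collections.IDictionary]$Actual,    # parsed export from this machine
        [System.Collections.IDictionary]$Expected   # parsed baseline template
    )
    # One result object per expected setting; settings present only on the machine are ignored.
    foreach ($section in $Expected.Keys) {
        foreach ($key in $Expected[$section].Keys) {
            $want = $Expected[$section][$key]
            $have = if ($Actual.Contains($section)) { $Actual[$section][$key] } else { $null }
            [pscustomobject]@{
                Section  = $section
                Setting  = $key
                Expected = $want
                Actual   = $have
                Status   = if ($null -eq $have) { 'Missing' } elseif ($have -eq $want) { 'Match' } else { 'Differs' }
            }
        }
    }
}

# Constructed sample of what secedit writes (abbreviated). The real file is UTF-16 with a BOM,
# which Get-Content decodes automatically.
$sampleExport = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

# Hypothetical expected values for this example only; replace with the baseline's GptTmpl.inf.
$expectedTemplate = @'
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 10
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeTcbPrivilege =
'@ -split "`r?`n"

# Assumed path; produce it from an elevated prompt with: secedit.exe /export /cfg export.inf
$exportPath  = '.\export.inf'
$actualLines = if (Test-Path $exportPath) { Get-Content -Path $exportPath } else { $sampleExport }

$report = Compare-SecurityTemplate -Actual   (ConvertFrom-SecurityTemplate $actualLines) `
                                   -Expected (ConvertFrom-SecurityTemplate $expectedTemplate)
$report | Format-Table -AutoSize

$drift = @($report | Where-Object Status -ne 'Match')
'{0} of {1} expected settings are not at the baseline value' -f $drift.Count, @($report).Count
```

Run against the constructed sample, MinimumPasswordLength and LockoutBadCount show as Differs and SeTcbPrivilege as Missing, while PasswordComplexity and SeDebugPrivilege match. The `[Registry Values]` section of the export covers the registry-backed settings as well, so one export plus one template comparison reaches both the HKLM\Security-backed policy and the values that "Compare local registry" already reads.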