Secure Standalone Windows Servers Using Security Compliance Manager

In today’s Ask the Admin, I’ll show you how to use the LocalGPO command line tool that ships with Security Compliance Manager (SCM) to apply security baselines to computers that are not part of an Active Directory domain.

Security Compliance Manager comes with a command line tool for applying baseline settings to Local Group Policy Objects, i.e. for use on standalone or workgroup devices that cannot receive domain Group Policy. For more information on SCM, see Using the Microsoft Security Compliance Manager Tool on the Petri IT Knowledgebase.

The installer for LocalGPO is located in the c:\program files (x86)\microsoft security compliance manager\lgpo directory. The tool is not installed by SCM’s setup; you need to run the .msi file on each computer where you want to use it. Note that at the time of writing, LocalGPO is not supported on Windows Server 2012 R2.

  • Double click LocalGPO.msi.
  • Click Next on the welcome screen.
  • On the End-User License Agreement screen, check I accept the terms in the License Agreement and click Next.
  • On the Features to install screen, click Next.
  • The tool will now install. Click Finish to close the installer window.

The tool is installed in the “c:\program files (x86)\localgpo” directory. To work with it, run the “command-line here” batch file in the localgpo directory as an administrator (the tool writes to local policy, so it needs elevated rights). This opens a command prompt window in the right directory and displays the available switches, along with some useful examples.

To export the current local policy settings as a GPO backup, run the following command:

cscript localgpo.wsf /path:c:\gpobackups /export


Export local policy settings as a GPO backup (Image Credit: Russell Smith)

The folder specified in the /path switch must already exist; LocalGPO will not create it. Once the command has completed, the name of the folder containing the backup (a {GUID} subfolder of the path you specified) is displayed in the command prompt window. You can add the /GPOPack switch to the above command to generate a self-contained script that can be run on servers without installing LocalGPO. Just copy the resulting folder to the desired server and run the gpopack.wsf script from inside it.

cscript localgpo.wsf /path:c:\gpobackups /export /gpopack

To apply a GPO backup to the local computer, run the command below, replacing c:\gpobackups\{36034CB9-E459-4652-8720-DE7F3AD51044} with the path of the GPO backup you want to apply:

cscript localgpo.wsf /path:c:\gpobackups\{36034CB9-E459-4652-8720-DE7F3AD51044}

You can compare the current local policy with a GPO backup using the /compare switch:

cscript localgpo.wsf /path:c:\gpobackups\{36034CB9-E459-4652-8720-DE7F3AD51044} /compare


Compare local policy with a GPO backup (Image Credit: Russell Smith)

To restore the local computer policy to the Windows default settings (not to the state before your last apply; take an /export backup first if you want to be able to return to that), run:

cscript localgpo.wsf /restore
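The export, apply and compare switches above fit together into a change-with-rollback routine. The PowerShell below is an added example, not code from the article or from the LocalGPO tool: it takes an /export snapshot before applying a baseline, applies it, then runs /compare so you can see what did not land. It assumes LocalGPO is installed in its default directory, the session is elevated, and $BaselinePath is a {GUID} backup folder exported from SCM; the function and variable names are mine.

```powershell
# Added example (not from the original article): wrap LocalGPO's /export, apply and
# /compare switches so a baseline is only applied once a rollback snapshot exists.
# Assumptions: default LocalGPO install path, elevated session, and $BaselinePath is a
# GPO backup folder ({GUID}) exported from SCM.
$LocalGpoScript = 'C:\Program Files (x86)\LocalGPO\LocalGPO.wsf'

function Invoke-LocalGpo {
    param([Parameter(Mandatory)][string[]]$Arguments)
    # cscript sets a non-zero exit code when the script raises an error; fail loudly
    # rather than continuing with a half-applied policy.
    $output = & cscript.exe //nologo $LocalGpoScript @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "LocalGPO $($Arguments -join ' ') failed with exit code $LASTEXITCODE`n$($output -join "`n")"
    }
    return $output
}

function Export-LocalGpoSnapshot {
    param([Parameter(Mandatory)][string]$BackupRoot)
    # The folder passed in /path must already exist; LocalGPO does not create it.
    if (-not (Test-Path -LiteralPath $BackupRoot)) {
        New-Item -ItemType Directory -Path $BackupRoot | Out-Null
    }
    # The export creates a new {GUID} subfolder. Diff the directory listing around the
    # call instead of scraping console text, which is fragile across tool versions.
    $before  = @(Get-ChildItem -LiteralPath $BackupRoot -Directory | Select-Object -ExpandProperty Name)
    Invoke-LocalGpo -Arguments @("/path:$BackupRoot", '/export') | Out-Null
    $created = @(Get-ChildItem -LiteralPath $BackupRoot -Directory | Where-Object { $before -notcontains $_.Name })
    if ($created.Count -ne 1) {
        throw "Expected one new backup folder under $BackupRoot, found $($created.Count)"
    }
    return $created[0].FullName
}

function Set-LocalGpoBaseline {
    param(
        [Parameter(Mandatory)][string]$BaselinePath,           # e.g. C:\gpobackups\{36034CB9-...}
        [string]$SnapshotRoot = 'C:\gpobackups\pre-baseline'   # where the rollback copy goes (assumed path)
    )
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        throw "Baseline folder not found: $BaselinePath"
    }

    # 1. Snapshot the current local policy so the change can be reversed exactly.
    #    /restore would only return the machine to Windows defaults, not to this state.
    $snapshot = Export-LocalGpoSnapshot -BackupRoot $SnapshotRoot
    Write-Host "Rollback snapshot written to $snapshot"

    # 2. Apply the baseline.
    Invoke-LocalGpo -Arguments @("/path:$BaselinePath") | Out-Null

    # 3. Verify. Anything /compare still reports as different is either drift or a
    #    setting the backup could not apply on this OS; review it before sign-off.
    $report = Invoke-LocalGpo -Arguments @("/path:$BaselinePath", '/compare')

    return [pscustomobject]@{
        Snapshot      = $snapshot
        Baseline      = $BaselinePath
        CompareReport = ($report -join "`n")
    }
}

# Usage, from an elevated prompt:
#   Set-LocalGpoBaseline -BaselinePath 'C:\gpobackups\{36034CB9-E459-4652-8720-DE7F3AD51044}'
# Roll back later with:
#   cscript LocalGPO.wsf /path:<the Snapshot folder reported above>
```

The snapshot is taken by diffing the backup root’s directory listing before and after the /export call, which avoids depending on the exact wording of the tool’s console output. Keep the snapshot folders somewhere the baseline itself does not lock down, since the rollback path has to remain readable after the new policy is in force.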

Additional switches

LocalGPO has a few additional switches that you might find useful. The /ConfigSCE switch exposes the extra registry-based settings developed by Microsoft Solutions for Security (MSS) in local computer policy; these are part of the SCM baselines but are not visible in the Local Security Policy editor by default. Conversely, the /ResetSCE switch hides the MSS settings again.

Hidden Microsoft Solutions for Security (MSS) settings (Image Credit: Russell Smith)

The /MLGPO switch can be used to apply the user section of a GPO backup to specific local users (multiple local Group Policy). This switch can also be used with gpopack.wsf scripts generated using the /GPOPack switch. For instance, the following command would apply the user section of the specified GPO backup to the local user DavidSmith:

cscript localgpo.wsf /path:c:\gpobackups\{36034CB9-E459-4652-8720-DE7F3AD51044} /MLGPO:DavidSmith

Administrators and Non-Administrators are also both valid values for the /MLGPO switch, applying the user section of the specified GPO backup to all local administrators, or to all local users that are not administrators, respectively.
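Because a GPOPack runs without LocalGPO installed, it is the natural way to push a baseline to a fleet of standalone servers, and the /MLGPO switch can ride along with it. The PowerShell below is an added example, not code from the article or from the LocalGPO tool: it copies a GPOPack folder to each target over PowerShell remoting and runs gpopack.wsf there, optionally with /MLGPO. It assumes $PackPath is a folder produced by /export /gpopack, that the targets accept WinRM connections with local administrator credentials (workgroup hosts must first be added to the admin box’s WSMan TrustedHosts), and PowerShell 5.0 or later on the admin box for Copy-Item -ToSession; the function and parameter names are mine.

```powershell
# Added example (not from the original article): stage a GPOPack on standalone servers
# over PowerShell remoting and run gpopack.wsf there, so LocalGPO itself only needs to
# be installed on the admin workstation.
# Assumptions: $PackPath was produced by "/export /gpopack"; targets are reachable over
# WinRM with local admin credentials (add workgroup hosts to WSMan TrustedHosts first);
# PowerShell 5.0+ locally for Copy-Item -ToSession.
function Publish-GpoPack {
    param(
        [Parameter(Mandatory)][string]$PackPath,
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        # Optional per-user target passed through as /MLGPO: a local account name,
        # "Administrators" or "Non-Administrators" (see the /MLGPO switch above).
        [string]$MlgpoTarget
    )
    if (-not (Test-Path -LiteralPath (Join-Path $PackPath 'gpopack.wsf'))) {
        throw "$PackPath does not contain gpopack.wsf; export the backup with /gpopack first"
    }

    foreach ($computer in $ComputerName) {
        $session = New-PSSession -ComputerName $computer -Credential $Credential
        try {
            # Stage the whole backup folder: gpopack.wsf expects the rest of the GPO
            # backup to sit beside it. Staging path is an assumption; adjust to taste.
            $remoteDir = 'C:\Windows\Temp\gpopack\' + (Split-Path -Leaf $PackPath)
            Invoke-Command -Session $session -ArgumentList $remoteDir -ScriptBlock {
                param($dir) New-Item -ItemType Directory -Path $dir -Force | Out-Null
            }
            Copy-Item -Path (Join-Path $PackPath '*') -Destination $remoteDir -ToSession $session -Recurse -Force

            # Run the pack remotely and return one result object per server so failures
            # can be filtered on the admin box instead of read out of scrollback.
            Invoke-Command -Session $session -ArgumentList $remoteDir, $MlgpoTarget -ScriptBlock {
                param($dir, $target)
                Set-Location -LiteralPath $dir
                $switches = @()
                if ($target) { $switches += "/MLGPO:$target" }
                $out = & cscript.exe //nologo .\gpopack.wsf @switches 2>&1
                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Switches = ($switches -join ' ')
                    ExitCode = $LASTEXITCODE
                    Output   = ($out -join "`n")
                }
            }
        }
        finally {
            Remove-PSSession $session
        }
    }
}

# Usage:
#   $cred = Get-Credential 'Administrator'
#   Publish-GpoPack -PackPath 'C:\gpobackups\{36034CB9-E459-4652-8720-DE7F3AD51044}' `
#                   -ComputerName 'srv01','srv02' -Credential $cred |
#       Where-Object ExitCode -ne 0
#   Publish-GpoPack ... -MlgpoTarget 'Non-Administrators'   # user section for non-admins only
```

Each target returns an object with the exit code and console output of gpopack.wsf, so a non-zero exit code across the fleet is one Where-Object away. Remember that the article’s support caveat still applies: a pack generated by an unsupported LocalGPO build should not be pushed to Windows Server 2012 R2 hosts.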

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.