This is an awesome tool that helps you define and document your Group Policy Objects. It can be downloaded here: https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx. As part of the installation, it will install SQL Server Express with a small database. The rest of the installation is straightforward.
Baselines
When you launch the tool for the first time, it will go ahead download all some older baselines (up to Windows 8, Server 2012, and Office 2010). To add current baselines, click the “Download Microsoft baselines automatically” link under “Get knowledge.”
After a quick search, the tool returns all available baselines. Select the items you want and click “Download”. I choose both of the options for Windows 10 1607.
Windows 10 is broken into several baselines, each for implementing particular security features. Not all baselines will be broken down like this. You start exploring the policies by clicking on a baseline.
Importing Your GPO
The really powerful feature of this tool is it’s ability to compare baselines to each other, or to your current settings. To start, you must import your GPO into the tool. To do this, you need to export your GPO. To do this, right-click on the GPO in the Group Policy Management MMC snap-in and select Back Up.
Give the wizard a location and description. The GPO SID becomes the folder name. In SCM, select “GPO Backup (folder)” from the Import section of the Action pane.
Select your backup folder and the program will import your GPO as a custom baseline.
Comparing Baselines
Now that we have our GPO imported, we can run a compare against a Microsoft baseline. To do this, select “Compare / Merge” from the action pane.
The wizard will ask you which baseline to compare too. I’m going to select the “Win10-1607 Computer Security Compliance 1.0” baseline.
After this, we have our comparison, broken down by settings that differ, settings that match, settings that are only in baseline A (my GPO), and only settings that are in baseline B (the Microsoft baseline).
I highlighted one import thing from the comparison screenshot – Export to Excel. This can exported to Excel, where you get this information in different sheets. Unfortunately you cannot work in Excel and have that information reflected in SCM. You will have to configure settings from within SCM.
Modifying Settings within SCM
You can change settings from within SCM. In the screenshot above, you can see that I have it set to prevent changing the lock screen image. If I decide that does not conform to a baseline and what I to change it back, I can select the setting and change it to “Not Configured”.
That will now be reflected in my current baseline.
Creating a GPO from a Baseline
Now that I’m setting “Prevent changing the lock screen image” to “Not Configured”, I need to get this back to Group Policy. To do that, you have to export the baseline. The easiest way to do this is to create a GPO Backup. This create the same folder structure from the GPO export above, and allow us to import it through the Group Policy Management MMC. To do this, select “GPO Backup (folder)” from the Export section of the Action Pane.
Tell the wizard where to export your backup. From there, import the backup. You now have your updates GPO.
Uses
In this case (changing one setting), I would not have bothered with the export – I would’ve just changed the one setting I needed changed. This tool is really powerful for making sure that you are still within your baselines. It’s also really helpful when a new operating system comes out. Using this tool, I can make sure that my Windows 10 1607 GPO’s are still within the GPO I defined for Windows 10 1511. I can modify the GPO as needed to ensure that Windows 10 1607 is still in compliance.
Non-Microsoft Baselines
This tool is really fast and easy for importing Microsoft baselines. What about baselines from NSIT or CIS? Well these can also be imported. If you can download a cab or GPO backup folder, those are easy, just select “GPO Backup (folder)” or “SCM (.cab)” from the import section. If that’s not available, you can take the baseline GPO’s and import them through the Group Policy Management MMC, then re-export them as a GPO Backup. That will allow them to be imported into this tool.
Disclaimer
All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.
