Q: How can I apply a security baseline that I defined through Microsoft Security Compliance Manager to a non-domain-joined Windows machine?

A: When you install Security Compliance Manager 2 (SCM 2), it automatically installs the installation program of a tool called LocalGPO. This tool lets you apply an SCM security baseline to a non-domain-joined computer, that is, a computer where you can't leverage Active Directory (AD) Group Policy Objects (GPOs) to apply SCM security baselines.

To use LocalGPO on a non-domain-joined computer, you must either install a local copy of the tool or use the GPOPack option. GPOPack bundles LocalGPO and the GPO settings inside a self-extracting file that you can then automatically install on your clients. More information can be found in the SCM 2 Help files, in the section titled "Create a GPOPack to apply the same settings to a computer without installing LocalGPO." GPOPack is the simplest option.

For the other option, to install a local copy of LocalGPO, you must follow these steps. You can find LocalGPO.msi in the %Systemdrive%\Program Files\Microsoft Security Compliance Manager\LGPO file system folder of a computer where you successfully installed SCM 2. Copy the installation file to the non-domain-joined computer and run it. To verify that LocalGPO installed successfully, click Start, All Programs, and check that the LocalGPO folder shows up in the program list.

Then you can use the SCM tool to generate the GPO backup of the desired baseline. To do so, navigate to the baseline in the SCM interface and select the GPO Backup (folder) option under Export in the Action pane on the right, as Figure 1 shows.

Figure 1: The SCM interface, showing the GPO Backup (folder) option in the Action pane on the right

Finally, you must copy the GPO backup from the SCM machine to the non-domain-joined computer and run LocalGPO to apply the settings in the GPO backup to the local policy of that computer. To do so, right-click the LocalGPO command-line shortcut in the Start menu and select Run as administrator. Then, type the following at the command prompt to apply the GPO security baseline to the non-domain-joined computer:

LocalGPO.wsf /path:""

For example:

LocalGPO.wsf /path:"C:\Users\Jan\Desktop\GPO Backup\{e08fb722-7c4f-43ae-bc82-da717a5fe815}"
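The steps above wrapped in a PowerShell script, added here as an example (it is not code from the article or from the LocalGPO tool): it checks that the session is elevated and the machine is not domain-joined, sanity-checks the exported backup folder, runs the same LocalGPO.wsf /path command, and exports the resulting local security policy for review. The LocalGPO install folder (-LocalGpoDir) and the presence of Backup.xml in the exported folder are assumptions.

```powershell
# Added example, not part of the original article. Applies an SCM GPO backup to a
# stand-alone Windows machine with LocalGPO.wsf and dumps the local policy afterwards.
# Assumptions: LocalGPO.wsf lives in -LocalGpoDir (default is a guess, adjust it), and
# the exported backup folder has the usual GPMC backup layout with a Backup.xml file.
param(
    [Parameter(Mandatory = $true)]
    [string]$BackupPath,                                   # e.g. "C:\GPO Backup\{guid}"
    [string]$LocalGpoDir = "$env:ProgramFiles\LocalGPO",   # assumed install location
    [string]$VerifyInf   = "$env:TEMP\local-policy-after.inf"
)

$ErrorActionPreference = 'Stop'

# 1. LocalGPO rewrites the local policy, so it needs an elevated session
#    (the article's "Run as administrator").
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# 2. LocalGPO is meant for non-domain-joined machines; on a domain member the
#    domain GPOs win over local policy, so stop and point at the AD route instead.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    throw "$($cs.Name) is joined to $($cs.Domain); apply the baseline through an AD GPO."
}

# 3. Sanity-check the backup: SCM exports a GUID-named folder (see the article's example).
$leaf = Split-Path -Leaf $BackupPath
if ($leaf -notmatch '^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$') {
    throw "Expected a GUID-named GPO backup folder, got '$leaf'."
}
if (-not (Test-Path (Join-Path $BackupPath 'Backup.xml'))) {   # assumed backup layout
    throw "No Backup.xml in $BackupPath; is this a GPO backup exported from SCM?"
}

# 4. Apply the baseline with the command from the article, run through cscript.
#    PowerShell quotes the whole /path:... token, so paths with spaces are safe.
$wsf = Join-Path $LocalGpoDir 'LocalGPO.wsf'
if (-not (Test-Path $wsf)) { throw "LocalGPO.wsf not found in $LocalGpoDir." }
& cscript.exe //nologo $wsf "/path:$BackupPath"
if ($LASTEXITCODE -ne 0) { throw "LocalGPO.wsf exited with code $LASTEXITCODE." }

# 5. Export the resulting local security policy so it can be compared with the baseline.
& secedit.exe /export /cfg $VerifyInf /quiet
Write-Host "Baseline applied; local security policy exported to $VerifyInf for review."
```

Compare the exported .inf against the settings shown for the baseline in SCM to confirm the policy actually landed.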
