Q: How can I apply a security baseline that I defined through Microsoft Security Compliance Manager to a non-domain-joined Windows machine?

Security Compliance Manager 2 includes a tool called LocalGPO that helps you apply security baselines to non-domain-joined computers.

Jan De Clercq

November 30, 2011

2 Min Read

A: When you install Security Compliance Manager 2 (SCM 2), it automatically installs the installation program of a tool called LocalGPO. This tool lets you apply an SCM security baseline to a non-domain-joined computer, that is, a computer where you can't leverage Active Directory (AD) Group Policy Objects (GPOs) to apply SCM security baselines.

To use LocalGPO on a non-domain-joined computer, you must either install a local copy of the tool or use the GPOPack option. GPOPack bundles LocalGPO and the GPO settings inside a self-extracting file that you can then automatically install on your clients. More information can be found in the SCM 2 Help files, in the section titled "Create a GPOPack to apply the same settings to a computer without installing LocalGPO." GPOPack is the simplest option.

For the other option, to install a local copy of LocalGPO, you must follow these steps. You can find LocalGPO.msi in the %Systemdrive%\Program Files\Microsoft Security Compliance Manager\LGPO file system folder of a computer where you successfully installed SCM 2. Copy the installation file to the non-domain-joined computer and run it. To verify that LocalGPO installed successfully, click Start, All Programs, and check that the LocalGPO folder shows up in the program list.

Then you can use the SCM tool to generate the GPO backup of the desired baseline. To do so, navigate to the baseline in the SCM interface and select the GPO Backup (folder) option under Export in the Action pane on the right, as Figure 1 shows.


Figure 1: The SCM interface, showing the GPO Backup (folder) option in the Action pane on the right

Finally, you must copy the GPO backup from the SCM machine to the non-domain-joined computer and run LocalGPO to effectively apply the settings in the GPO backup to the local policy of the non-domain-joined computer. To do so, right-click the LocalGPO command-line in the Start menu and select Run as administrator. Then, type the following at the command prompt to apply the GPO security baseline to the non-domain-joined computer:

LocalGPO.wsf /path:""

For example:

LocalGPO.wsf /path:"C:\Users\Jan\Desktop\GPO Backup\{e08fb722-7c4f-43ae-bc82-da717a5fe815}"
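The steps above (verify that LocalGPO is installed, run it elevated, point it at the exported GPO backup folder) can be wrapped in a small script so that the preconditions are checked before the local policy is touched and the result can be reviewed afterwards. The following PowerShell is an added example, not code from the article or from Microsoft's SCM/LocalGPO tooling. It assumes that LocalGPO.wsf lives under C:\Program Files (x86)\LocalGPO (a hypothetical default; pass -LocalGpoScript if yours differs), that the exported backup is a single {GUID}-named subfolder containing Backup.xml, and that cscript.exe hosts the script; the sample backup root path is constructed.

```powershell
# Added example (not from the original article or from Microsoft's SCM/LocalGPO tooling):
# apply an SCM-exported GPO backup to a non-domain-joined machine with LocalGPO.wsf,
# checking the preconditions the article lists before running it.
# Assumptions (not stated on the page): LocalGPO.wsf is installed under
# C:\Program Files (x86)\LocalGPO (hypothetical default), the exported backup folder is
# named after the GPO's GUID and contains Backup.xml, and cscript.exe hosts the script.

[CmdletBinding(SupportsShouldProcess)]
param(
    # Folder that holds the exported GPO backup, e.g. "C:\Users\Jan\Desktop\GPO Backup" (constructed sample)
    [Parameter(Mandatory)] [string] $BackupRoot,
    # Location of LocalGPO.wsf on this machine (assumed default path; adjust to your install)
    [string] $LocalGpoScript = 'C:\Program Files (x86)\LocalGPO\LocalGPO.wsf'
)

function Test-IsElevated {
    # LocalGPO must run from a "Run as administrator" prompt, as the article says.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-GpoBackupFolder {
    param([string] $Root)
    # SCM exports the baseline as one {GUID} folder; the Backup.xml check guards against
    # pointing LocalGPO at an unrelated directory.
    $candidates = @(Get-ChildItem -Path $Root -Directory |
        Where-Object {
            $_.Name -match '^\{[0-9a-fA-F-]{36}\}$' -and
            (Test-Path (Join-Path $_.FullName 'Backup.xml'))
        })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one GPO backup folder under '$Root', found $($candidates.Count)."
    }
    return $candidates[0].FullName
}

if (-not (Test-IsElevated)) {
    throw 'Run this from an elevated (Run as administrator) prompt.'
}
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    # On a domain member the baseline should come from an AD GPO; LocalGPO is for stand-alone machines.
    Write-Warning 'This machine is domain-joined; apply SCM baselines there through AD GPOs instead.'
}
if (-not (Test-Path $LocalGpoScript)) {
    throw "LocalGPO.wsf not found at '$LocalGpoScript'; install LocalGPO.msi first."
}

$backup = Get-GpoBackupFolder -Root $BackupRoot

if ($PSCmdlet.ShouldProcess($backup, 'Apply GPO backup to local policy with LocalGPO.wsf')) {
    # Same call as the article's command line: LocalGPO.wsf /path:"<backup folder>"
    & cscript.exe //nologo $LocalGpoScript "/path:$backup"
    if ($LASTEXITCODE -ne 0) {
        throw "LocalGPO.wsf exited with code $LASTEXITCODE."
    }

    # Post-check: export the resulting local security policy so the applied settings
    # can be reviewed or diffed against the baseline's expected values.
    $report = Join-Path $env:TEMP 'local-policy-after-baseline.inf'
    & secedit.exe /export /cfg $report | Out-Null
    Write-Host "Applied baseline from '$backup'. Local security policy exported to '$report' for verification."
}
```

Run it with -WhatIf first to see which backup folder it resolved without applying anything; the secedit export at the end is only a review aid, and a full picture of the applied settings also needs gpresult or the Local Group Policy Editor, since LocalGPO writes registry-based policy as well as security settings.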
