How to Set Up and Use Security Compliance Toolkit on Windows Server 2025

The Microsoft Security Compliance Toolkit (SCT) is a free collection of tools and baseline configurations that help organizations implement and verify security settings aligned with Microsoft’s recommended guidance. For Windows Server 2025, the SCT includes a security baseline published by the Microsoft Security team, along with utilities like Policy Analyzer, LGPO.exe, and Set-PolicyFileEntry that make it practical to apply, compare, and maintain security policies at scale. Whether you’re a system administrator setting up a new server fleet or a security engineer auditing existing Group Policy Objects, the SCT gives you a structured, repeatable approach to hardening without building everything from scratch.

Prerequisites

  • Windows Server 2025 (Standard or Datacenter), joined to a domain or standalone
  • PowerShell 5.1 or later with Administrator privileges
  • Group Policy Management Console (GPMC) — install via Server Manager if not present
  • Microsoft Security Compliance Toolkit downloaded from the Microsoft Security Guidance page
  • An Active Directory domain (optional but recommended for GPO-based deployment)
  • A dedicated test OU or staging server to validate changes before production rollout

Step 1: Download the Security Compliance Toolkit

The SCT is distributed as a ZIP archive from the Microsoft Security Guidance download center. The package includes baselines for Windows Server 2025, Windows 11, Microsoft 365 Apps, and Microsoft Edge. Download the toolkit and extract it to a working directory:

# Download SCT from Microsoft (use the official URL from Microsoft Security Guidance)
$sctUrl = "https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/Windows_Server_2025_Security_Baseline.zip"
$sctDest = "C:\SCT\Windows_Server_2025_Security_Baseline.zip"

New-Item -Path "C:\SCT" -ItemType Directory -Force
Invoke-WebRequest -Uri $sctUrl -OutFile $sctDest -UseBasicParsing

# Extract the archive
Expand-Archive -Path $sctDest -DestinationPath "C:\SCT" -Force

# Review the extracted contents
Get-ChildItem -Path "C:\SCT" -Recurse -Depth 2 | Select-Object FullName, LastWriteTime

After extraction, you’ll find subdirectories for GPO backups, ADMX templates, scripts, and documentation. The key folder is GPOs, which contains exported Group Policy backups ready for import into your environment.

Step 2: Install ADMX Templates

The SCT includes updated ADMX/ADML administrative template files required for some baseline settings to appear correctly in the Group Policy Editor. Copy these to your central store:

# Identify the domain's SYSVOL central store (Get-ADDomain needs the ActiveDirectory RSAT module)
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

# Create central store if it doesn't exist
if (-not (Test-Path $centralStore)) {
    New-Item -Path $centralStore -ItemType Directory -Force
    New-Item -Path "$centralStore\en-US" -ItemType Directory -Force
}

# Copy ADMX files from SCT
$admxSource = "C:\SCT\Templates\ADMX"
Copy-Item -Path "$admxSource\*.admx" -Destination $centralStore -Force
Copy-Item -Path "$admxSource\en-US\*.adml" -Destination "$centralStore\en-US" -Force

Write-Host "ADMX templates installed to central store: $centralStore"
Write-Host "$((Get-ChildItem $centralStore -Filter '*.admx').Count) ADMX files installed"

Step 3: Import the Windows Server 2025 Security Baseline with LGPO.exe

LGPO.exe is a command-line tool included in the SCT that allows you to import GPO backup folders directly into Local Group Policy or export current local policy for analysis. To apply the Windows Server 2025 baseline to local policy on a standalone system, or to import it as a new GPO in Active Directory:

# Apply baseline GPO backup to LOCAL policy using LGPO.exe
# Navigate to the SCT tools directory
cd "C:\SCT\Scripts"

# Apply the Member Server baseline to local policy
.\LGPO.exe /g "C:\SCT\GPOs\MSFT Windows Server 2025 - Member Server"

# Verify local policy was updated by checking a known setting
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" `
    -ErrorAction SilentlyContinue

# For DOMAIN GPO import: import the SCT GPO backup with the GroupPolicy module
# First create a new GPO shell
$gpo = New-GPO -Name "MSFT-WS2025-MemberServer-Baseline" `
               -Comment "Microsoft Security Baseline for Windows Server 2025 Member Server"

# Get the GPO ID
$gpoId = $gpo.Id.ToString("B").ToUpper()
Write-Host "GPO ID: $gpoId"

# Import the GPO backup into the new GPO (the backup itself sits in a GUID-named subfolder)
$backupPath = "C:\SCT\GPOs\MSFT Windows Server 2025 - Member Server"
$backupId = (Get-ChildItem $backupPath -Directory | Select-Object -First 1).Name

# -BackupId and -BackupGpoName are separate parameter sets of Import-GPO; use only one
Import-GPO -BackupId $backupId `
           -Path $backupPath `
           -TargetName "MSFT-WS2025-MemberServer-Baseline" `
           -CreateIfNeeded

# Link the GPO to the Member Servers OU
New-GPLink -Name "MSFT-WS2025-MemberServer-Baseline" `
           -Target "OU=Member Servers,DC=contoso,DC=com" `
           -LinkEnabled Yes `
           -Enforced No

Step 4: Use Policy Analyzer to Compare Existing GPO vs. Baseline

Policy Analyzer is a GUI tool included with the SCT that lets you compare two sets of policy settings side by side, highlighting differences between your current configuration and a reference baseline. This is invaluable for identifying gaps or conflicting settings before and after applying the SCT.

# Launch Policy Analyzer (GUI tool — run from Explorer or Start menu)
Start-Process "C:\SCT\PolicyAnalyzer\PolicyAnalyzer.exe"

# Alternatively, use LGPO.exe to export current local policy to a parseable text format
# (run from the directory that holds LGPO.exe, as in Step 3; the output folder must exist)
New-Item -Path "C:\SCT\Analysis\LocalPolicyBackup" -ItemType Directory -Force
.\LGPO.exe /parse /m "C:\Windows\System32\GroupPolicy\Machine\Registry.pol" `
    > "C:\SCT\Analysis\current_machine_policy.txt"

.\LGPO.exe /parse /u "C:\Windows\System32\GroupPolicy\User\Registry.pol" `
    > "C:\SCT\Analysis\current_user_policy.txt"

# Export current local policy as a GPO backup for Policy Analyzer import
.\LGPO.exe /b "C:\SCT\Analysis\LocalPolicyBackup" /n "CurrentLocalPolicy"

In the Policy Analyzer GUI, click Add…, choose Add files from GPO(s), and select the exported local policy backup. Then add the SCT baseline folder as a second policy set. Policy Analyzer will display a color-coded comparison table showing which settings match, which differ, and which are only present in one policy set.
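For a scriptable version of the same comparison, the following added example (not part of the SCT or this article) parses two LGPO.exe /parse text exports and lists the settings that differ. It assumes the LGPO text layout of four-line entries (scope, key, value name, TYPE:data) separated by blank lines; the sample exports are constructed stand-ins for the files written above.

```powershell
# Added example (not from the SCT or the article): diff two LGPO.exe /parse exports.
# Assumed LGPO text layout: 4-line entries (scope, key, value name, TYPE:data)
# separated by blank lines; lines starting with ";" are comments.
function ConvertFrom-LgpoText {
    param([string[]]$Lines)
    $entries = @{}; $block = @()
    foreach ($line in ($Lines + '')) {            # trailing '' flushes the last entry
        $t = $line.Trim()
        if ($t.StartsWith(';')) { continue }
        if ($t -ne '') { $block += $t; continue }
        if ($block.Count -eq 4) { $entries[($block[0..2] -join '|')] = $block[3] }
        $block = @()
    }
    return $entries
}
function Compare-LgpoPolicy {
    param([hashtable]$Current, [hashtable]$Baseline)
    foreach ($k in (@($Current.Keys) + @($Baseline.Keys) | Sort-Object -Unique)) {
        if ($Current[$k] -eq $Baseline[$k]) { continue }
        $scope, $key, $name = $k -split '\|'
        [pscustomobject]@{
            Scope = $scope; Key = $key; ValueName = $name
            Current  = if ($null -eq $Current[$k])  { '<not set>' } else { $Current[$k] }
            Baseline = if ($null -eq $Baseline[$k]) { '<not set>' } else { $Baseline[$k] }
        }
    }
}

# Constructed sample exports standing in for the two files written above
$currentText = @'
Computer
SYSTEM\CurrentControlSet\Control\Lsa
RestrictAnonymousSAM
DWORD:0
'@ -split "`r?`n"
$baselineText = @'
Computer
SYSTEM\CurrentControlSet\Control\Lsa
RestrictAnonymousSAM
DWORD:1

Computer
SOFTWARE\Policies\Microsoft\Windows\EventLog\Security
MaxSize
DWORD:196608
'@ -split "`r?`n"

# Real use: pass (Get-Content <file>) for the two /parse outputs instead of the samples
Compare-LgpoPolicy -Current (ConvertFrom-LgpoText $currentText) `
                   -Baseline (ConvertFrom-LgpoText $baselineText) | Format-Table -AutoSize
```

With the samples, the table shows RestrictAnonymousSAM differing (DWORD:0 vs DWORD:1) and the Security log MaxSize present only in the baseline.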

Step 5: Use Set-PolicyFileEntry for Script-Based Policy Management

The Set-PolicyFileEntry cmdlet (from the PolicyFileEditor PowerShell module, included in the SCT) allows you to programmatically set Registry.pol values without editing the binary file directly. This is useful for automating specific baseline settings in a CI/CD pipeline:

# Install the PolicyFileEditor module if not already available
Install-Module -Name PolicyFileEditor -Scope AllUsers -Force

Import-Module PolicyFileEditor

# Define the machine policy file path
$machinePol = "$env:SystemRoot\System32\GroupPolicy\Machine\Registry.pol"

# Set a specific CIS/SCT-required registry value via policy
# Example: Disable anonymous enumeration of SAM accounts
Set-PolicyFileEntry -Path $machinePol `
    -Key "SYSTEM\CurrentControlSet\Control\Lsa" `
    -ValueName "RestrictAnonymousSAM" `
    -Data 1 `
    -Type DWord

# Example: Set the maximum size of the Security event log (value in KB)
Set-PolicyFileEntry -Path $machinePol `
    -Key "SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" `
    -ValueName "MaxSize" `
    -Data 196608 `
    -Type DWord

# Apply changes immediately
gpupdate /force

# Verify a setting was written
Get-PolicyFileEntry -Path $machinePol -Key "SYSTEM\CurrentControlSet\Control\Lsa" -ValueName "RestrictAnonymousSAM"

Step 6: Create a Delta GPO for Organization-Specific Exceptions

In most organizations, applying the SCT baseline verbatim will break some legitimate functionality. The recommended practice is to create a separate delta GPO that overrides specific baseline settings for your environment, and link it with a higher precedence than the baseline GPO. This keeps your deviation from the baseline explicit and auditable:

# Create the delta/exception GPO
$deltaGpo = New-GPO -Name "MSFT-WS2025-Delta-Exceptions" `
                    -Comment "Organization-specific exceptions to the SCT baseline"

# Link it to the same OU with higher precedence (lower link order number = higher precedence)
New-GPLink -Name "MSFT-WS2025-Delta-Exceptions" `
           -Target "OU=Member Servers,DC=contoso,DC=com" `
           -LinkEnabled Yes `
           -Order 1    # Link order 1 = highest precedence

# The baseline GPO should have a higher order number (lower precedence)
# Adjust link order of the baseline GPO
Set-GPLink -Name "MSFT-WS2025-MemberServer-Baseline" `
           -Target "OU=Member Servers,DC=contoso,DC=com" `
           -Order 2

# Document exceptions: generate a report of both GPOs' settings
New-Item -Path "C:\SCT\Reports" -ItemType Directory -Force
Get-GPOReport -Name "MSFT-WS2025-Delta-Exceptions" -ReportType Html `
    -Path "C:\SCT\Reports\DeltaGPO-Report.html"

Get-GPOReport -Name "MSFT-WS2025-MemberServer-Baseline" -ReportType Html `
    -Path "C:\SCT\Reports\BaselineGPO-Report.html"

Write-Host "GPO reports saved to C:\SCT\Reports"

Step 7: Validate Baseline Compliance

After applying the baseline and any delta exceptions, validate that the intended settings are active using a combination of auditpol, registry reads, and RSoP (Resultant Set of Policy):

# Generate Resultant Set of Policy report
gpresult /H "C:\SCT\Reports\RSoP-Report.html" /F
Start-Process "C:\SCT\Reports\RSoP-Report.html"

# Check specific security settings (a missing value reads as empty instead of throwing)
$lsaPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$settings = @{
    "LmCompatibilityLevel"       = (Get-ItemPropertyValue $lsaPath "LmCompatibilityLevel" -ErrorAction SilentlyContinue)
    "NoLMHash"                   = (Get-ItemPropertyValue $lsaPath "NoLMHash" -ErrorAction SilentlyContinue)
    "RestrictAnonymousSAM"       = (Get-ItemPropertyValue $lsaPath "RestrictAnonymousSAM" -ErrorAction SilentlyContinue)
    "RestrictAnonymous"          = (Get-ItemPropertyValue $lsaPath "RestrictAnonymous" -ErrorAction SilentlyContinue)
}

$settings.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# Verify audit policy subcategories
auditpol /get /category:* | Where-Object { $_ -match "Logon|Credential|Object Access" }
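The registry reads above only display values; the following added example (not part of the SCT or this article) turns them into a PASS/FAIL compliance check against an expected-value table and writes the result next to the other reports. The expected values are assumptions for a member server, so take the authoritative ones from the baseline documentation before relying on the check.

```powershell
# Added example (not from the SCT or the article): compare live registry values with
# an expected-value table and emit a PASS/FAIL report. Expected values are assumptions
# for a member server; take authoritative values from the baseline documentation.
function Test-BaselineSetting {
    param([string]$Path, [string]$Name, $Expected, [string]$Description)
    $actual = $null
    try { $actual = Get-ItemPropertyValue -Path $Path -Name $Name -ErrorAction Stop }
    catch { }                                   # missing key or value -> stays $null
    [pscustomobject]@{
        Setting  = $Description
        Expected = $Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Result   = if ($actual -eq $Expected) { 'PASS' } else { 'FAIL' }
    }
}

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$evlog = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
$checks = @(
    @{ Path=$lsa;   Name='LmCompatibilityLevel'; Expected=5;      Description='Send NTLMv2 only, refuse LM and NTLM' }
    @{ Path=$lsa;   Name='NoLMHash';             Expected=1;      Description='Do not store LAN Manager hash' }
    @{ Path=$lsa;   Name='RestrictAnonymousSAM'; Expected=1;      Description='No anonymous SAM enumeration' }
    @{ Path=$lsa;   Name='RestrictAnonymous';    Expected=1;      Description='No anonymous SAM and share enumeration' }
    @{ Path=$evlog; Name='MaxSize';              Expected=196608; Description='Security log maximum size (KB)' }
)

$report = foreach ($c in $checks) { Test-BaselineSetting @c }
$report | Format-Table -AutoSize

# Persist alongside the other reports and surface drift for a scheduled task or pipeline
New-Item -Path 'C:\SCT\Reports' -ItemType Directory -Force | Out-Null
$report | Export-Csv -Path 'C:\SCT\Reports\Compliance-Check.csv' -NoTypeInformation
$failed = @($report | Where-Object Result -eq 'FAIL').Count
Write-Host "$failed of $($checks.Count) baseline checks failed"
```

Extend $checks with further registry-backed settings from the baseline spreadsheet; settings delivered through the security template rather than the registry (user rights, for example) need a separate check via secedit or the RSoP report.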

Conclusion

The Microsoft Security Compliance Toolkit transforms what would otherwise be a labor-intensive manual hardening exercise into a systematic, repeatable process. By importing the Windows Server 2025 Security Baseline via LGPO.exe, using Policy Analyzer to identify configuration gaps, and maintaining a delta GPO for organization-specific exceptions, you build a defensible security posture that aligns with Microsoft’s own guidance. Make reviewing and updating the SCT baseline part of your quarterly patching cycle — Microsoft publishes updated baselines alongside major Windows releases and significant threat landscape changes, ensuring your configurations stay current against evolving attack techniques.