What Is the Microsoft Security Compliance Toolkit?

The Microsoft Security Compliance Toolkit (SCT) is a free collection of tools and security baseline documents published by Microsoft to help organizations implement and verify security configurations on Windows operating systems, server roles, and Microsoft applications. Unlike third-party benchmarks, the SCT baselines are developed by the same engineers who build Windows and Office, which means they reflect Microsoft’s own security recommendations for their software and are kept current with each major release. The toolkit is available from the Microsoft Download Center and is updated whenever significant security posture changes are warranted.

For Windows Server 2022, the SCT provides Group Policy Object (GPO) backups that encode the Microsoft security baseline settings, a Policy Analyzer tool for comparing configurations, and LGPO.exe for applying baselines to machines without Active Directory. This guide covers how to download and use each component, how to apply baselines to a test environment, how to compare your current policy against the baseline, and how to deploy approved baselines to production.

Downloading the Security Compliance Toolkit

The SCT is distributed as a set of per-product ZIP archives. To download it:

  1. Navigate to the Microsoft Download Center and search for “Microsoft Security Compliance Toolkit”.
  2. Select the download page for the current version (the toolkit is updated periodically — check for the most recent release).
  3. Choose the relevant packages. For a Windows Server 2022 deployment you typically need:
    • Windows Server 2022 Security Baseline — GPO backups, ADMX files, and documentation
    • LGPO.exe — standalone tool for applying local GPO settings
    • Policy Analyzer — GUI tool for comparing policy configurations
    • Microsoft Edge Chromium Security Baseline — if Edge is deployed on the server
    • Microsoft Defender Antivirus Security Baseline — for Defender AV configuration

Extract each ZIP to a working directory, for example C:\SCT. The Windows Server 2022 baseline package will contain a GP Reports folder with HTML documentation of every setting, a GPOs folder with importable GPO backups, and an ADMX folder with the custom administrative templates that some baseline settings need.

# Example directory structure after extraction
C:\SCT
  Windows Server 2022 Security Baseline
    Documentation
      Windows Server 2022 Security Baseline.xlsx
    GP Reports
      MSFT Windows Server 2022 - Domain Controller.htm
      MSFT Windows Server 2022 - Member Server.htm
    GPOs
      {GUID-DC}               # Domain Controller GPO backup
      {GUID-MS}               # Member Server GPO backup
    ADMX
      *.admx
      en-US
        *.adml
  LGPO
    LGPO.exe
  PolicyAnalyzer
    PolicyAnalyzer.exe
    *.dll

Copying ADMX Templates to the Central Store

Some SCT baseline settings use custom ADMX templates that are not included in the standard Windows ADMX set. Before importing the GPOs to Active Directory, copy these templates to the Central Store on your domain’s SYSVOL share so that GPMC can read the policy definitions correctly.

# Create Central Store if it doesn't exist (run on a machine with the AD and GPMC tools)
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path "$centralStore\en-US")) {
    # -Force also creates the parent PolicyDefinitions folder when it is missing
    New-Item -Path "$centralStore\en-US" -ItemType Directory -Force | Out-Null
}

# Copy ADMX files from SCT package. -Force overwrites same-named templates already
# in the store, so check versions first if another product shipped the same file.
Copy-Item "C:\SCT\Windows Server 2022 Security Baseline\ADMX\*.admx" `
          -Destination $centralStore -Force

Copy-Item "C:\SCT\Windows Server 2022 Security Baseline\ADMX\en-US\*.adml" `
          -Destination "$centralStore\en-US" -Force

Importing Baselines to a Test Environment

Before deploying any baseline to production, test it thoroughly in a representative lab environment. Create a test OU containing at least one server of each role type and import the GPO backups into that OU.

# Import Windows Server 2022 Member Server baseline
Import-Module GroupPolicy

# Each backup is a GUID-named subfolder inside GPOs. Import-GPO resolves
# -BackupGpoName by reading the bkupInfo.xml (and Backup.xml) in each
# subfolder, so -Path points at the GPOs folder, not at one GUID folder.
# -CreateIfNeeded creates the target GPO, so no separate New-GPO is needed.
Import-GPO -BackupGpoName "MSFT Windows Server 2022 - Member Server" `
           -TargetName "TEST - MSFT WS2022 Member Server Baseline" `
           -Path "C:\SCT\Windows Server 2022 Security Baseline\GPOs" `
           -CreateIfNeeded

# Link to test OU
New-GPLink -Name "TEST - MSFT WS2022 Member Server Baseline" `
           -Target "OU=TestServers,DC=corp,DC=example,DC=com" `
           -LinkEnabled Yes

After linking, force a Group Policy update on the test server and verify that the settings have applied without breaking required functionality. Pay particular attention to application compatibility for line-of-business (LOB) applications: the baseline may disable legacy authentication protocols or enforce TLS versions that older applications do not support.

# Force GP update on a remote test server
Invoke-GPUpdate -Computer "TestServer01" -Force -RandomDelayInMinutes 0
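
The Import-GPO call above names one backup by hand. As an added example, not part of the SCT or of the page's own scripts, the following PowerShell enumerates every backup under the GPOs folder by reading its bkupInfo.xml, imports each one into a "TEST - " prefixed GPO by backup ID, and links only the member-server backups to the test OU (the Domain Controller baseline must not be linked to an OU of member servers). The backup root, the test OU distinguished name, the test server name and the default name filter are assumptions.

```powershell
Import-Module GroupPolicy

function Get-SctGpoBackup {
    # Enumerate the GPO backups below a GPOs folder by reading each backup's
    # bkupInfo.xml, which carries the display name and the backup ID
    param([Parameter(Mandatory)][string]$BackupRoot)
    foreach ($dir in Get-ChildItem -Path $BackupRoot -Directory) {
        $infoFile = Join-Path $dir.FullName 'bkupInfo.xml'
        if (-not (Test-Path $infoFile)) { continue }       # not a GPO backup folder
        [xml]$info = Get-Content -Path $infoFile -Raw
        $root = $info.DocumentElement
        # local-name() sidesteps the default namespace declared on BackupInst
        $get  = { param($n) $root.SelectSingleNode("*[local-name()='$n']").InnerText.Trim() }
        [pscustomobject]@{
            DisplayName = & $get 'GPODisplayName'
            BackupId    = [guid](& $get 'ID')
            Path        = $dir.FullName
        }
    }
}

function Import-SctBaselineToTest {
    # Import every backup as a prefixed GPO, then link only those whose source
    # name matches -LinkFilter to the test OU
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [Parameter(Mandatory)][string]$TestOu,
        [string]$Prefix     = 'TEST - ',
        [string]$LinkFilter = '* - Member Server'          # assumption: plain member-server baseline only
    )
    $linked = (Get-GPInheritance -Target $TestOu).GpoLinks.DisplayName
    foreach ($b in Get-SctGpoBackup -BackupRoot $BackupRoot) {
        $target = "$Prefix$($b.DisplayName)"
        # -BackupId is unambiguous even when two backups share a display name
        Import-GPO -BackupId $b.BackupId -Path $BackupRoot -TargetName $target -CreateIfNeeded | Out-Null
        $newLink = $false
        if ($b.DisplayName -like $LinkFilter -and $target -notin $linked) {
            New-GPLink -Name $target -Target $TestOu -LinkEnabled Yes | Out-Null
            $newLink = $true
        }
        [pscustomobject]@{ Source = $b.DisplayName; Target = $target
                           Linked = ($newLink -or $target -in $linked) }
    }
}

# Usage (path, OU and server name are assumptions)
Import-SctBaselineToTest -BackupRoot 'C:\SCT\Windows Server 2022 Security Baseline\GPOs' `
                         -TestOu 'OU=TestServers,DC=corp,DC=example,DC=com' | Format-Table -AutoSize
Invoke-GPUpdate -Computer 'TestServer01' -Force -RandomDelayInMinutes 0
```

Widen -LinkFilter (for example to '* - Member Server*') when the test OU should also receive the Credential Guard or virtualization-based security variants, and run the function again after each new SCT release: existing TEST GPOs are overwritten in place by Import-GPO, so the test OU always carries the current baseline.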

Policy Analyzer: Comparing Current Policy vs Baseline

Policy Analyzer is a GUI tool that allows you to import GPO backups and compare them against each other or against a live machine’s current policy state. It is invaluable for identifying settings that differ between your current environment and the Microsoft baseline, or for auditing policy drift over time.

To compare a server’s current effective policy against the SCT baseline:

  1. Open PolicyAnalyzer.exe from C:\SCT\PolicyAnalyzer. The main window lists the Policy Rule sets (.PolicyRules files) available for comparison.
  2. Click Add... to open the Policy File Importer. Choose File > Add files from GPO(s)..., browse to C:\SCT\Windows Server 2022 Security Baseline\GPOs, select the Member Server backup, then click Import... and save the result as a .PolicyRules file; it now appears in the main list.
  3. To check the machine Policy Analyzer is running on, tick that rule set and click Compare to Effective State. Policy Analyzer reads the live registry and local security policy and lines them up against the baseline.
  4. To compare two rule sets instead (this release's baseline against the previous one, or the baseline against an export of your production GPO), tick both and click View / Compare.

The Policy Viewer window shows the sources side by side. Settings whose values conflict between sources are highlighted in yellow; settings that exist in one source but not in the other are shown in grey. Clicking any row shows the exact value from each source. This view immediately shows which settings must change on the target server to align with the baseline, and which baseline settings you have intentionally deviated from (and need to document as exceptions).

Policy Analyzer can also export the comparison for documentation: in the Policy Viewer window use Export > Export table to Excel for the grid as displayed, or Export > Export all data to Excel for every setting. Both require Excel on the workstation running Policy Analyzer; export is a GUI operation, not a command-line switch.
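
Policy Analyzer's effective-state comparison is a GUI operation. To script the same check for the registry-based part of a baseline, the following PowerShell, added here as an example and not part of Policy Analyzer or the SCT, parses the Machine registry.pol inside a GPO backup (PReg format: a "PReg" signature, a version DWORD, then [key;value;type;size;data] records in UTF-16LE) and compares every value against the live registry of the machine it runs on. The backup path, including the {GUID-MS} placeholder from the directory tree above, is an assumption; settings that live in the security template (GptTmpl.inf) or the audit CSV are not registry values and are not covered.

```powershell
function Read-PregString {
    # Read a NUL-terminated UTF-16LE string at $Pos.Value and advance past the terminator
    param([byte[]]$Bytes, [ref]$Pos)
    $start = $Pos.Value
    while ($Bytes[$Pos.Value] -ne 0 -or $Bytes[$Pos.Value + 1] -ne 0) { $Pos.Value += 2 }
    $s = [System.Text.Encoding]::Unicode.GetString($Bytes, $start, $Pos.Value - $start)
    $Pos.Value += 2
    return $s
}

function Read-RegistryPol {
    # Parse the PReg format: 'PReg' + version, then [key;value;type;size;data] records
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4) -ne 'PReg') {
        throw "$Path is not a registry.pol file (missing PReg signature)"
    }
    $pos = 8                                                          # signature + version DWORD
    while ($pos -lt $bytes.Length) {
        $pos += 2                                                     # '['
        $key  = Read-PregString $bytes ([ref]$pos); $pos += 2         # key, then ';'
        $name = Read-PregString $bytes ([ref]$pos); $pos += 2         # value name, then ';'
        $type = [int][BitConverter]::ToUInt32($bytes, $pos); $pos += 6   # REG_* type, then ';'
        $size = [int][BitConverter]::ToUInt32($bytes, $pos); $pos += 6   # data length, then ';'
        $data = New-Object byte[] $size
        [Array]::Copy($bytes, $pos, $data, 0, $size); $pos += $size + 2  # data, then ']'
        $value = switch ($type) {
            4               { [BitConverter]::ToUInt32($data, 0) }                                            # REG_DWORD
            { $_ -in 1, 2 } { [System.Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) }             # REG_SZ / REG_EXPAND_SZ
            7               { [System.Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) -split "`0" }  # REG_MULTI_SZ
            default         { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }                       # anything else as hex
        }
        [pscustomobject]@{ Key = $key; Name = $name; Type = $type; Value = $value }
    }
}

function Compare-RegistryPolToLive {
    # Compare every setting in a registry.pol with the live registry of this machine
    param([Parameter(Mandatory)][string]$RegistryPol, [string]$Hive = 'HKLM')
    foreach ($e in Read-RegistryPol -Path $RegistryPol) {
        if ($e.Name.StartsWith('**')) { continue }   # **DeleteValues, **Del., **DelVals. are directives, not settings
        $valueName = if ($e.Name) { $e.Name } else { '(default)' }
        try   { $live = Get-ItemPropertyValue -Path "${Hive}:\$($e.Key)" -Name $valueName -ErrorAction Stop }
        catch { $live = $null }
        if ($null -eq $live) {
            $state = 'Missing'
        } else {
            if ($e.Type -eq 4) { $live = [uint32]([int64]$live -band 0xFFFFFFFF) }   # registry returns Int32
            $state = if ("$($e.Value)" -eq "$live") { 'Match' } else { 'Differs' }
        }
        [pscustomobject]@{ State = $state; Key = $e.Key; Name = $valueName
                           Baseline = "$($e.Value)"; Live = "$live" }
    }
}

# Usage: the Machine registry.pol inside the Member Server backup ({GUID-MS} as in the tree above)
$pol = 'C:\SCT\Windows Server 2022 Security Baseline\GPOs\{GUID-MS}\DomainSysvol\GPO\Machine\registry.pol'
Compare-RegistryPolToLive -RegistryPol $pol |
    Where-Object State -ne 'Match' |
    Sort-Object State, Key |
    Format-Table -AutoSize
```

Run it on the server being checked (or wrap the call in Invoke-Command). "Missing" rows are baseline values the machine has never received, which usually means the GPO is not linked or not yet applied; "Differs" rows are real drift or documented exceptions. Pass -Hive HKCU with the User\registry.pol to check the user half of a baseline.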

LGPO.exe: Applying Baselines to Standalone Machines

For servers that are not domain-joined — for example, DMZ servers, cloud VMs in workgroup configuration, or servers in isolated networks — LGPO.exe allows you to apply GPO backups directly to the Local Group Policy store. This achieves the same security configuration as a domain GPO without requiring Active Directory.

# Apply the Member Server baseline to a standalone machine
# Run from an elevated command prompt

cd C:\SCT\LGPO

# /g applies one GPO backup folder, or every backup found beneath the folder
# you name. Point it at the single Member Server backup rather than at the
# whole GPOs folder, or the Domain Controller backup gets applied as well.
LGPO.exe /g "C:\SCT\Windows Server 2022 Security Baseline\GPOs\{GUID-MS}"

LGPO.exe can also export the current local policy to a backup folder, which enables you to capture the current state before applying changes and restore it if needed:

# Export current local policy before applying baseline
# /b writes a standard GPO backup (a GUID-named subfolder) under the directory given
LGPO.exe /b C:\Backups\LocalPolicy_Before_SCT

# Apply baseline
LGPO.exe /g "C:\SCT\Windows Server 2022 Security Baseline\GPOs\{GUID-MS}"

# If you need to roll back, re-import the backup taken above
LGPO.exe /g "C:\Backups\LocalPolicy_Before_SCT"

A roll-back done this way restores the previous values of settings the baseline changed. LGPO merges imported settings into the existing local policy rather than replacing it, so settings that the baseline added and that the earlier backup did not contain stay in place and must be reverted explicitly.

LGPO.exe also imports registry.pol files directly (/m for the machine and /u for the user configuration), LGPO text files (/t), security templates (/s) and advanced-audit CSV files (/a), which gives you the building blocks for scripted deployments or custom setting overlays applied on top of the baseline; /parse converts an existing registry.pol into the text format, so an overlay can be started from what the baseline already sets.

Windows Defender Firewall GPO Baseline

The SCT includes a separate Defender Firewall baseline that configures the firewall state, default behavior, and logging settings for all three profiles (Domain, Private, Public). It does not define individual inbound or outbound rules because those are role-specific — instead, it establishes the framework that role-specific rules layer on top of.

# Import and apply the Firewall baseline
Import-GPO -BackupGpoName "MSFT Windows Defender Firewall" `
           -TargetName "PROD - MSFT Firewall Baseline" `
           -Path "C:\SCT\Windows Defender Firewall Security Baseline\GPOs" `
           -CreateIfNeeded

New-GPLink -Name "PROD - MSFT Firewall Baseline" `
           -Target "OU=Servers,DC=corp,DC=example,DC=com" `
           -LinkEnabled Yes

After applying the Firewall baseline, add the role-specific rules as a separate GPO linked at a lower level in the OU hierarchy. For example, a web server OU would carry an additional GPO that allows TCP 80 and 443 inbound. The Firewall baseline sets each profile's default inbound action to Block (the outbound default stays Allow), so unsolicited inbound connections are dropped unless a rule permits them; the role GPO then allows only the ports that specific server role needs. Firewall rules from every GPO that applies to a computer are merged, so the role GPO adds to the baseline's profile settings rather than replacing them.
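
The role-rule GPO described above, built with the GroupPolicy and NetSecurity modules, as an added example that is not part of the SCT. The domain name, GPO name, OU path, rule names and the web01 host are assumptions.

```powershell
Import-Module GroupPolicy
Import-Module NetSecurity

$domain  = 'corp.example.com'                                    # assumption
$gpoName = 'PROD - WebServer Role Rules'                         # assumption
$ou      = 'OU=WebServers,OU=Servers,DC=corp,DC=example,DC=com'  # assumed sub-OU of the Servers OU

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Role rules: inbound HTTP/HTTPS for web front ends' | Out-Null
}

# Open the GPO's firewall store once, add the rules into that session, save once
$session = Open-NetGPO -PolicyStore "$domain\$gpoName"
$rules = @(
    @{ Name = 'WEB-Inbound-HTTP-80';   Port = 80  }
    @{ Name = 'WEB-Inbound-HTTPS-443'; Port = 443 }
)
foreach ($r in $rules) {
    if (Get-NetFirewallRule -Name $r.Name -GPOSession $session -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -Name $r.Name -DisplayName $r.Name -Group 'Web server role' `
        -Direction Inbound -Protocol TCP -LocalPort $r.Port -Action Allow `
        -Profile Domain -Enabled True -GPOSession $session | Out-Null
}
Save-NetGPO -GPOSession $session

# Link below the Servers OU so it is processed after (and alongside) the baseline link
if (-not ((Get-GPInheritance -Target $ou).GpoLinks | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
}

# Verification on a web server after gpupdate: the baseline's Block default must
# survive, and the only enabled inbound rules for TCP 80/443 should come from the role GPO
Invoke-Command -ComputerName 'web01' -ScriptBlock {
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
    Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -match '^(80|443)$') } |
        Get-NetFirewallRule | Select-Object DisplayName, PolicyStoreSource
}
```

The verification deliberately reads ActiveStore rather than the GPO, because that is what the server is actually enforcing; a rule that appears there with a PolicyStoreSource other than the role GPO (a local rule, or one from an unexpected GPO) is the kind of drift the baseline is meant to make visible.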

Microsoft Edge and Defender AV Baselines

The SCT also includes baselines for Microsoft Edge (Chromium) and Microsoft Defender Antivirus. The Edge baseline configures browser security settings such as SmartScreen enforcement, certificate error override prevention, and built-in password manager disablement (useful in managed enterprise environments where a different password manager is deployed). The Defender AV baseline configures scan schedules, cloud-delivered protection levels, PUA (Potentially Unwanted Application) protection, and real-time protection behaviour.

# Import Defender AV baseline
Import-GPO -BackupGpoName "MSFT Defender Antivirus" `
           -TargetName "PROD - MSFT Defender AV Baseline" `
           -Path "C:\SCT\Microsoft Defender Antivirus Security Baseline\GPOs" `
           -CreateIfNeeded

# Import Edge baseline
Import-GPO -BackupGpoName "MSFT Edge v112 - Computer" `
           -TargetName "PROD - MSFT Edge Baseline" `
           -Path "C:\SCT\Microsoft Edge Security Baseline\GPOs" `
           -CreateIfNeeded

Note that the Edge baseline requires its own set of ADMX templates (the Edge ADMX files) to be installed in the Central Store separately from the Windows ADMX files. These can be downloaded from the Microsoft Edge Enterprise landing page.

Applying Baselines to Production

The recommended production deployment workflow is:

  1. Test — Apply the GPO backup to the test OU and validate that all required server roles and applications function correctly for at least one full change cycle (one sprint, or two weeks minimum).
  2. Identify exceptions — Use Policy Analyzer to document which settings you need to deviate from and why. Record these in your change management system.
  3. Create override GPOs — For necessary exceptions, create a separate GPO that overrides only the specific settings you cannot apply, rather than modifying the baseline GPO. This keeps the baseline GPO clean and makes future updates easier to apply.
  4. Stage rollout — Apply to non-critical servers first, then gradually to business-critical systems.
  5. Update on release — When Microsoft releases an updated baseline, import the new GPO backup to the test OU and repeat the process before updating production.

# GPO precedence: the link closest to the computer object is processed last and wins
# Structure:
# Servers OU GPO:  PROD - MSFT WS2022 Member Server Baseline  (lowest precedence of the three)
# Sub-OU GPO:      PROD - WebServer Role Rules                 (overrides baseline for web servers)
# Sub-sub-OU GPO:  PROD - Application-Specific Exception       (highest precedence)
# Link the Member Server baseline at the servers OU rather than the domain root, so it
# never reaches domain controllers or workstations; the DC baseline is a separate GPO.

# Verify final effective policy on a server (PowerShell; $(hostname) expands to the computer name)
gpresult /h "C:\Reports\$(hostname)-gpresult.html" /f
Start-Process "C:\Reports\$(hostname)-gpresult.html"
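
Steps 2 and 3 of the workflow above (record the exception, override only that setting in its own GPO) in PowerShell, as an added example that is not from the SCT. It creates an exception GPO carrying exactly one registry value, writes the exception metadata into the GPO description so it travels with the object, links it at the top of the target OU's link order, and reports exception GPOs whose recorded expiry has passed. GPO names, the OU, the owner and the chosen setting (re-enabling the SMBv1 server on one file-server OU through the LanmanServer SMB1 value, which the baseline sets to 0) are assumptions.

```powershell
Import-Module GroupPolicy

function New-BaselineExceptionGpo {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$TargetOu,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][Microsoft.Win32.RegistryValueKind]$Type,
        [Parameter(Mandatory)]$Value,
        [Parameter(Mandatory)][string]$Owner,
        [Parameter(Mandatory)][datetime]$Expires,
        [Parameter(Mandatory)][string]$Reason,
        [string]$Compensating = 'none'
    )
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    # Only the one excepted setting goes in here; the baseline GPO is never edited
    Set-GPRegistryValue -Guid $gpo.Id -Key $Key -ValueName $ValueName -Type $Type -Value $Value | Out-Null
    # Machine-readable exception record, stored on the GPO itself
    $gpo.Description = "Owner=$Owner; Expires=$($Expires.ToString('yyyy-MM-dd')); Reason=$Reason; Compensating=$Compensating"
    # Order 1 is the highest precedence on this OU, so the exception beats the inherited baseline link
    if (-not ((Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $Name)) {
        New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes -Order 1 | Out-Null
    }
    $gpo
}

function Get-ExpiredExceptionGpo {
    # Report exception GPOs by their recorded expiry; run this at each baseline update cycle
    param([string]$NamePattern = 'PROD - Exception - *', [datetime]$AsOf = (Get-Date))
    Get-GPO -All | Where-Object DisplayName -like $NamePattern | ForEach-Object {
        if ($_.Description -match 'Expires=(\d{4}-\d{2}-\d{2})') {
            $exp = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
            [pscustomobject]@{
                Gpo     = $_.DisplayName
                Owner   = ($_.Description -replace '^Owner=([^;]+);.*$', '$1')
                Expires = $exp
                Expired = ($exp -lt $AsOf)
            }
        }
    }
}

# Usage (all names, the OU and the setting are assumptions)
$legacyOu = 'OU=LegacyFileServers,OU=Servers,DC=corp,DC=example,DC=com'
New-BaselineExceptionGpo -Name 'PROD - Exception - SMB1 server for legacy NAS replication' `
    -TargetOu $legacyOu `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -ValueName 'SMB1' -Type DWord -Value 1 `
    -Owner 'storage-team@corp.example.com' -Expires '2025-12-31' `
    -Reason 'Legacy NAS replication target only speaks SMBv1' `
    -Compensating 'Host limited to the backup VLAN; SMB1 access auditing enabled' | Out-Null

# Effective link order on the OU: Order 1 is applied last and therefore wins
(Get-GPInheritance -Target $legacyOu).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
Get-ExpiredExceptionGpo | Format-Table -AutoSize
```

Order 1 wins only if the baseline link higher up is not marked Enforced; an enforced link beats every lower-level override regardless of order, so never enforce the baseline link when you rely on exception GPOs. The Expires value in the description is what the review step at each baseline update cycle keys on: an expired row whose underlying incompatibility is resolved is removed by unlinking and deleting the exception GPO, which returns the servers to the baseline value without touching the baseline GPO itself.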

Documenting Compliance Exceptions

No real-world environment implements a baseline at 100% without exceptions. Common legitimate exceptions include: retaining SMBv1 for legacy NAS devices, maintaining Remote Registry for monitoring agents, keeping older TLS versions for business-critical applications that cannot be updated, or relaxing password age requirements for service accounts managed by a privileged access management (PAM) solution.

Each exception must be documented with the following information: the specific policy setting being deviated from, the reason for the exception, the risk accepted by not applying the setting, any compensating controls in place, an owner responsible for the exception, and an expiry date for review. Store this documentation in your GRC (governance, risk, and compliance) platform or in a version-controlled repository alongside your infrastructure-as-code configuration. Review exceptions at each security baseline update cycle and eliminate them where the underlying incompatibility has been resolved.

By combining the SCT baselines with Policy Analyzer comparisons, LGPO.exe for standalone machines, and a structured exception management process, you can maintain a consistent, auditable, and reproducible security configuration across your entire Windows Server 2022 fleet.