What Are Microsoft Security Baselines

Microsoft Security Baselines, published today through the Microsoft Security Compliance Toolkit (MSCT) and formerly through the Security Compliance Manager (SCM), are collections of Group Policy Object (GPO) settings that Microsoft recommends as a starting point for securing Windows. The toolkit carries baselines for Windows client, Windows Server, Microsoft 365 Apps and Microsoft Edge; this page covers the Windows Server 2022 baseline. The baselines are developed by Microsoft's own security engineering team, informed by customer and partner feedback and aligned where possible with external benchmarks such as CIS and the DISA STIGs, but they are Microsoft's recommendations rather than a jointly maintained standard. A new baseline is published for each major Windows release and revised as needed between releases.

For Windows Server 2022 the baseline package ships several GPO backups. The two primary ones are the Member Server GPO, for domain-joined servers that are not domain controllers, and the Domain Controller GPO, which adds settings specific to the AD DS role. Alongside them the package carries a Domain Security GPO (password and account lockout policy, meant to be linked at the domain root), a Defender Antivirus GPO, and optional GPOs for Credential Guard on member servers and virtualization-based security on domain controllers. All of them are distributed as GPO backup folders inside a single ZIP archive on the Microsoft Security Compliance Toolkit download page.

Security baselines are not meant to be applied verbatim in every environment. They are a broadly applicable starting point that must be reviewed, tested and customized for your organization, and some settings will conflict with application or operational requirements. Understanding each setting and the reason it is in the baseline is worth more than applying the whole thing blindly; the documentation spreadsheet that ships with the baseline exists for exactly that review.

Downloading the Microsoft Security Compliance Toolkit

The Microsoft Security Compliance Toolkit (MSCT) download page offers the baseline packages and the supporting tools as separate downloads. The Windows Server 2022 baseline ZIP typically contains:

– GPOs: one GPO backup per baseline GPO (a {GUID} folder containing Backup.xml, gpreport.xml and a DomainSysvol tree), plus a manifest.xml that lists them by display name
– GP Reports: an HTML settings report for each GPO, readable without importing anything
– Documentation: an Excel spreadsheet listing every setting with its value and rationale, and the .PolicyRules file for Policy Analyzer
– Scripts: Baseline-LocalInstall.ps1, which applies the baseline to Local Group Policy via LGPO.exe (it expects LGPO.exe in a Tools folder next to it)
– Templates: the ADMX/ADML files the baseline needs beyond the in-box set (for example the MSS legacy and SecGuide templates)

LGPO.exe and Policy Analyzer are separate downloads on the same page (LGPO.zip and PolicyAnalyzer.zip); they are not inside the baseline ZIP.

Extract the baseline ZIP on a test server or management workstation, then list its layout so the paths used in the rest of this page make sense:

# On the management workstation where the baseline ZIP has been extracted
$ToolkitPath = "C:\MSCT\Windows-Server-2022-Security-Baseline"

# List the contents two levels deep to understand the structure (GPOs, Documentation, Scripts, ...)
Get-ChildItem -Path $ToolkitPath -Recurse -Depth 2 | Select-Object FullName

The Local Group Policy Object tool, LGPO.exe, is a Microsoft command-line utility for managing Local Group Policy: it imports GPO backups, individual registry.pol files, security templates and advanced audit CSVs into the local policy store, and exports the local store as a GPO backup. Because it works only against Local Group Policy it is the right tool for workgroup servers and for testing a baseline on a single machine without touching domain GPOs; it is not a way to edit domain GPOs.

Using LGPO.exe to Import Baselines

LGPO.exe applies baseline settings to the Local Group Policy of the machine it runs on; for domain GPOs, use GPMC or the GroupPolicy module as described next. Run it from an elevated prompt. On a domain-joined machine, domain GPOs override local policy, so LGPO.exe cannot be used to loosen a setting the domain already configures.

# Apply the Member Server baseline using LGPO.exe (elevated PowerShell)
# Replace the GUID with the backup folder name of the Member Server GPO
$LGPOPath        = "C:\MSCT\Tools\LGPO.exe"
$BaselineGPOPath = "C:\MSCT\Windows-Server-2022-Security-Baseline\GPOs\{GUID-OF-MEMBER-SERVER-BASELINE}"

# /g imports every GPO backup found under the given directory (point it at a
# single {GUID} folder to apply one GPO, or at the GPOs folder to apply all);
# /v lists each setting as it is written
& $LGPOPath /v /g "$BaselineGPOPath"

# Local policy is processed at the next refresh; run gpupdate /force to apply it now
Write-Host "Baseline imported into Local Group Policy via LGPO.exe"

# Review what the baseline writes before (or after) applying it: /parse converts a
# registry.pol into LGPO's readable text format. The machine half of a GPO backup
# lives under DomainSysvol\GPO\Machine; /q suppresses the banner
& $LGPOPath /parse /q /m "$BaselineGPOPath\DomainSysvol\GPO\Machine\registry.pol" > "C:\MSCT\baseline_machine_policy.txt"

When the server is domain-joined, import the baseline into a domain GPO with GPMC or the GroupPolicy module rather than into Local Policy: domain GPOs override local policy and are managed centrally. To import a GPO backup into a domain GPO:

# Import a GPO backup into a new GPO in the domain
# Run on a domain controller or a management workstation with GPMC/RSAT installed
Import-Module GroupPolicy
Import-Module ActiveDirectory   # for Get-ADDomain

# Create a new GPO to hold the baseline; record the source version in the comment
$NewGPO = New-GPO -Name "WS2022 Member Server Security Baseline" -Comment "Based on the MSCT Windows Server 2022 baseline"

# Import the settings from the backup. -BackupGpoName matches the original display
# name stored in the backup's manifest. The baseline references only well-known
# principals (Administrators, Guests, ...), so no migration table is needed.
Import-GPO -BackupGpoName "MSFT Windows Server 2022 - Member Server" `
           -Path "C:\MSCT\Windows-Server-2022-Security-Baseline\GPOs" `
           -TargetGuid $NewGPO.Id `
           -Domain (Get-ADDomain).DNSRoot

Write-Host "Baseline imported to GPO: $($NewGPO.DisplayName) ($($NewGPO.Id)); it is not linked anywhere yet"
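The snippet above imports one GPO by name. The following added example (written for this page, not part of the MSCT package) imports every backup listed in the baseline's manifest.xml, keeping Microsoft's GPO display names, and then links only the Member Server GPO to a test OU so nothing outside that OU changes. The extract path and the OU distinguished name are assumptions; the import also creates the Domain Security, Defender Antivirus and Domain Controller GPOs, which stay unlinked until you decide where they belong.

```powershell
# Added example for this page (not part of the MSCT package): import every GPO
# backup in the baseline's GPOs folder into the domain, then link only the
# Member Server GPO to a test OU. $BackupRoot and $TestOU are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$BackupRoot = "C:\MSCT\Windows-Server-2022-Security-Baseline\GPOs"   # assumed extract path
$TestOU     = "OU=BaselineTest,OU=Servers,DC=corp,DC=example"       # assumed test OU
$Domain     = (Get-ADDomain).DNSRoot

# Every GPO backup folder ships a manifest.xml that lists the backups it holds;
# each entry carries the backup ID and the original GPO display name as CDATA.
[xml]$Manifest = Get-Content -Path (Join-Path $BackupRoot "manifest.xml")

$Imported = @(foreach ($Entry in $Manifest.Backups.BackupInst) {
    $BackupId    = [guid]$Entry.ID.'#cdata-section'
    $DisplayName = $Entry.GPODisplayName.'#cdata-section'
    # -CreateIfNeeded creates the target GPO on first run; later runs overwrite its
    # settings, which is what you want when a new baseline revision is released.
    Import-GPO -BackupId $BackupId -Path $BackupRoot -TargetName $DisplayName `
               -CreateIfNeeded -Domain $Domain
})
$Imported | Select-Object DisplayName, Id, ModificationTime | Format-Table -AutoSize

# Link only the Member Server GPO to the test OU. The other GPOs (Domain Security,
# Defender Antivirus, Domain Controller, ...) now exist but stay unlinked.
$MemberServer = $Imported | Where-Object DisplayName -like "* - Member Server"
$ExistingLink = (Get-GPInheritance -Target $TestOU).GpoLinks |
                Where-Object GpoId -eq $MemberServer.Id
if (-not $ExistingLink) {
    New-GPLink -Guid $MemberServer.Id -Target $TestOU -LinkEnabled Yes -Order 1 | Out-Null
    Write-Host "Linked '$($MemberServer.DisplayName)' to $TestOU"
} else {
    Write-Host "'$($MemberServer.DisplayName)' is already linked to $TestOU"
}
```

Re-running the script after Microsoft publishes a baseline revision refreshes the GPO contents in place, so the link and its scope survive the update; take a Backup-GPO of the existing GPOs first if you want a rollback point.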

Key Policy Settings in the Windows Server 2022 Baseline

The baseline covers several hundred settings across many categories. Knowing the security-critical ones, and which of them commonly break things, tells you what to keep, modify or exclude when customizing for your environment.

Password Policies (Computer Configuration → Windows Settings → Security Settings → Account Policies → Password Policy): in the toolkit these live in the separate Domain Security GPO, because password and lockout policy for domain accounts only takes effect from a GPO linked at the domain root; the same settings linked at an OU govern only the local accounts on those computers. The baseline sets minimum password length to 14 characters, enforces a history of 24 passwords, and enables "Password must meet complexity requirements", which requires characters from three of the five categories (uppercase, lowercase, digits, non-alphanumeric, and letters from other scripts) and rejects passwords that contain the account name. Microsoft dropped the periodic-expiration requirement (maximum password age) from its baselines in 2019, in line with NIST SP 800-63B; if your policy still requires expiry, set it yourself and document why.

Account Lockout Policies: the baseline sets a lockout threshold of 10 invalid attempts (CIS recommends 5 and the DISA STIG 3), a lockout duration of 15 minutes, and a reset window of 15 minutes. Lower thresholds make it easier for a password-spraying attacker to lock users out deliberately, so pair a tight threshold with monitoring of event ID 4740 (account locked out), which is logged on the PDC emulator.

Audit Policies: the baseline configures Advanced Audit Policy Configuration subcategories rather than the nine legacy categories, and sets success and/or failure per subcategory as appropriate (for example Credential Validation and Logon for both success and failure, Process Creation for success only). It also enables "Audit: Force audit policy subcategory settings to override audit policy category settings" so legacy category settings cannot undo them, enables "Include command line in process creation events" so Process Creation (event ID 4688) records what was actually run, and raises the Security log size to 196,608 KB so the extra volume is not lost before it can be forwarded.

User Rights Assignments: the baseline restricts the dangerous rights. "Act as part of the operating system", "Create a token object" and "Lock pages in memory" are set to No One; "Debug programs", "Take ownership of files or other objects" and "Load and unload device drivers" go to Administrators only; "Access this computer from the network" is limited to Administrators and Authenticated Users; and the Deny rights (network, local, batch, service and Remote Desktop logon) deny Guests, with "Local account and member of Administrators group" also denied network logon and local accounts denied Remote Desktop logon to blunt pass-the-hash and lateral movement with local administrator credentials. Two caveats: a user right defined in a GPO replaces the machine's entire list for that right rather than merging with it, so a group an installer added locally (IIS adds IIS_IUSRS to "Impersonate a client after authentication", for instance) disappears when the baseline defines that right; and any custom deny entries you add must be checked against the accounts your applications actually log on with.

Security Options: notable settings include requiring CTRL+ALT+DEL at logon ("Interactive logon: Do not require CTRL+ALT+DEL" set to Disabled), not displaying the last signed-in user, disallowing anonymous enumeration of SAM accounts and shares, restricting remote SAM calls to Administrators, requiring SMB signing on both client and server, setting the LAN Manager authentication level to "Send NTLMv2 response only. Refuse LM & NTLM" with NTLMv2 session security and 128-bit encryption as the minimum for NTLM SSP clients and servers, and running UAC with Admin Approval Mode and elevation prompts on the secure desktop. The SMB signing and NTLM settings are the ones most likely to break older clients, NAS appliances and third-party products that still speak NTLMv1 or unsigned SMB.

Windows Firewall: the baseline turns Windows Defender Firewall on for all three profiles (Domain, Private, Public) with the default inbound action Block and default outbound action Allow, and enables logging of dropped packets and successful connections with a 16,384 KB log per profile. The baseline defines no inbound allow rules; roles that need inbound access rely on the rules the role installer creates or on rules you add. Confirm the firewall log is being written (and ideally forwarded), because it is the first evidence of unexpected inbound blocks after hardening.

Defender Antivirus: delivered as its own GPO in the package, the baseline enables cloud-delivered protection (MAPS) with automatic submission of safe samples, real-time protection, potentially unwanted application (PUA) blocking, network protection in block mode, and a set of attack surface reduction (ASR) rules. On servers running a different EDR product, Defender may be in passive mode; the GPO still applies, so review it rather than assume the settings are active.

Testing the Baseline in an Audit Environment

Never apply a security baseline directly to production servers without first testing it in an isolated environment. The workflow is:

First, build a test environment that mirrors production as closely as you can: same server roles, same applications, same network topology where possible. Apply the baseline to the test servers with LGPO.exe (workgroup) or with a domain GPO linked only to a test OU, reboot, and run the full application test suite against the hardened servers to surface compatibility problems. Watch the System and Application event logs and the firewall log while the suite runs; many baseline-induced failures appear there (NTLM and SMB signing failures, denied logon rights, blocked inbound connections) before the application reports a meaningful error.

Document every setting that caused an issue and decide whether the security benefit justifies the operational impact. For each conflicting setting, choose one of: keep the setting and fix the application; keep the setting and work around it (for example, move the dependency to a supported protocol); relax the setting to a less restrictive value; or exempt that application's servers from the specific setting and put a compensating control in place. Record the choice, the owner and a review date, because exceptions accumulate silently otherwise.

# Verify the GPO is applied after linking it to the test OU
# Run on the target test server from an elevated prompt
gpupdate /force
gpresult /R /SCOPE COMPUTER    # summary: applied computer GPOs, security groups, processing errors

# Detailed HTML report of every applied setting and the winning GPO for each
gpresult /H "C:\GPOReport.html" /F
Start-Process "C:\GPOReport.html"
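gpresult tells you which GPOs applied; it does not tell you whether the values a server ended up with are the ones the baseline intended, which matters when several GPOs or local policy overlap. The following added example (not from the toolkit) spot-checks a handful of the baseline's most consequential settings on the test server by reading the registry values those policies write and the firewall profile state. The expected values follow the baseline as described on this page; the check list itself is an assumption to extend with your own documented exceptions.

```powershell
# Added example for this page (not part of the MSCT package): spot-check that the
# effective values on a test server match the baseline for a few high-impact
# settings. Registry locations are the ones these policies write; the expected
# values are the Microsoft baseline values and are an assumption to adjust for
# documented exceptions. Run elevated after gpupdate /force.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: the policy is not configured on this machine
}

$Lsa = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$Sys = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$Smb = "HKLM:\SYSTEM\CurrentControlSet\Services"

# Setting (as shown in the GPO editor) -> registry location -> expected baseline value
$Checks = @(
    @{ Setting = "LAN Manager authentication level: NTLMv2 only, refuse LM & NTLM"; Path = $Lsa;           Name = "LmCompatibilityLevel";        Expected = 5 }
    @{ Setting = "Minimum session security for NTLM SSP clients: NTLMv2 + 128-bit";  Path = "$Lsa\MSV1_0"; Name = "NTLMMinClientSec";            Expected = 0x20080000 }
    @{ Setting = "Minimum session security for NTLM SSP servers: NTLMv2 + 128-bit";  Path = "$Lsa\MSV1_0"; Name = "NTLMMinServerSec";            Expected = 0x20080000 }
    @{ Setting = "Do not allow anonymous enumeration of SAM accounts";               Path = $Lsa;           Name = "RestrictAnonymousSAM";        Expected = 1 }
    @{ Setting = "Do not allow anonymous enumeration of SAM accounts and shares";    Path = $Lsa;           Name = "RestrictAnonymous";           Expected = 1 }
    @{ Setting = "Audit: force subcategory settings to override category settings";  Path = $Lsa;           Name = "SCENoApplyLegacyAuditPolicy"; Expected = 1 }
    @{ Setting = "Microsoft network server: digitally sign communications (always)"; Path = "$Smb\LanmanServer\Parameters";      Name = "RequireSecuritySignature"; Expected = 1 }
    @{ Setting = "Microsoft network client: digitally sign communications (always)"; Path = "$Smb\LanmanWorkstation\Parameters"; Name = "RequireSecuritySignature"; Expected = 1 }
    @{ Setting = "Interactive logon: do not require CTRL+ALT+DEL = Disabled";         Path = $Sys;           Name = "DisableCAD";                  Expected = 0 }
    @{ Setting = "Interactive logon: don't display last signed-in";                   Path = $Sys;           Name = "DontDisplayLastUserName";     Expected = 1 }
    @{ Setting = "UAC: switch to the secure desktop when prompting for elevation";   Path = $Sys;           Name = "PromptOnSecureDesktop";       Expected = 1 }
    @{ Setting = "UAC: run all administrators in Admin Approval Mode";                Path = $Sys;           Name = "EnableLUA";                   Expected = 1 }
)

$Results = @(foreach ($c in $Checks) {
    $Actual = Get-PolicyValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Setting  = $c.Setting
        Expected = $c.Expected
        Actual   = if ($null -eq $Actual) { "(not set)" } else { $Actual }
        Status   = if ($Actual -eq $c.Expected) { "OK" } else { "DRIFT" }
    }
})

# Firewall: every profile on, inbound blocked by default, dropped and allowed traffic logged
$Results += @(foreach ($p in Get-NetFirewallProfile) {
    $Ok = ($p.Enabled -eq "True") -and ($p.DefaultInboundAction -eq "Block") -and
          ($p.LogBlocked -eq "True") -and ($p.LogAllowed -eq "True")
    [pscustomobject]@{
        Setting  = "Firewall profile '$($p.Name)': enabled, inbound Block, logging on"
        Expected = "True"
        Actual   = "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction) LogBlocked=$($p.LogBlocked) LogAllowed=$($p.LogAllowed)"
        Status   = if ($Ok) { "OK" } else { "DRIFT" }
    }
})

$Results | Format-Table -AutoSize -Wrap
$Drift = @($Results | Where-Object Status -eq "DRIFT")
if ($Drift) { Write-Warning "$($Drift.Count) of $($Results.Count) checks drifted from the baseline" }
else        { Write-Host "All $($Results.Count) checks match the baseline" }
```

A "(not set)" result usually means the GPO did not apply at all (check gpresult), while a wrong numeric value means another GPO or local policy won; Policy Analyzer's Compare to Effective State will show you which. The same script run against a production server before hardening gives you the gap list to work from.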

Using Policy Analyzer for Baseline Comparison

Policy Analyzer is a free Microsoft GUI tool, downloaded separately from the Security Compliance Toolkit page, that compares GPO backups, .PolicyRules files and a machine's effective local state side by side. It is the quickest way to see how a server differs from the baseline, and to review a proposed GPO change before deployment.

# Policy Analyzer is a GUI tool - launch it from where you extracted PolicyAnalyzer.zip
# C:\MSCT\Tools\PolicyAnalyzer\PolicyAnalyzer.exe
#
# Typical workflow:
#   1. Add > Files from GPO(s): point at the baseline's GPOs folder and save the result as a
#      .PolicyRules file (or simply Add the .PolicyRules file shipped in the baseline's Documentation folder)
#   2. Add a GPO backup taken from a production server with Backup-GPO, if you want to compare GPO contents
#   3. Tick the entries and click View/Compare; differing and conflicting values are highlighted
#   4. Or tick only the baseline entry and click Compare to Effective State to compare it with the
#      registry and security settings actually in force on this machine
#   5. Export the comparison table to Excel for tracking and scripted analysis

In Policy Analyzer, load the .PolicyRules file from the Windows Server 2022 baseline and compare it against a GPO backup taken from production or against the effective state of a server. Settings that differ are highlighted, so you can close gaps between the current configuration and the baseline systematically. Policy Analyzer also flags settings that several GPOs define with different values, which helps locate conflicts in deep GPO inheritance chains. Compare to Effective State reads the local machine's actual registry and security configuration, so it reflects the merged result of every GPO applied there; View/Compare on backups shows only what each GPO contains, and gpresult on the target remains the authority on which GPO won.

Customizing the Baseline for Organizational Requirements

After testing, you will almost certainly customize the baseline. Common customizations include:

Adjusting password policies: since the baseline no longer mandates expiry, the decisions are length and complexity. Organizations that require long passphrases, or that give every privileged account a password-manager-generated secret, often raise the minimum length to 20 or more and accept that the complexity rule adds little at that length; a banned-password check is a better defence than character classes. Remember that password policy for domain accounts takes effect only from GPOs linked at the domain root or from fine-grained password policies (PSOs), not from OU-level exception GPOs.

Application-specific service accounts: legacy applications often need user rights or security options the baseline restricts. Create a separate exception GPO and link it to the child OU holding that application's servers. A child-OU link wins over the parent-OU baseline link (unless the baseline link is Enforced), and only the settings the exception GPO defines are overridden. Because a user right in a GPO replaces the whole list rather than merging with it, an exception that adds one account to a right must restate every entry the baseline had for that right plus the addition. Put the justification, owner and review date in the GPO comment.

Structure GPO inheritance to separate baseline settings from exceptions:

# Recommended GPO structure for baseline management:
#
# Domain root:
#   - MSFT Windows Server 2022 - Domain Security (password and lockout policy; account
#     policy for domain accounts only takes effect from a domain-root link)
#
# OU: Servers
#   - WS2022 Member Server Security Baseline (MSCT baseline, imported above)
#   - MSFT Windows Server 2022 - Defender Antivirus
#
# OU: Servers\WebServers
#   - WebServer Exceptions GPO (overrides specific baseline settings)
#
# OU: Servers\SQLServers
#   - SQLServer Exceptions GPO (SQL-specific exceptions)
#
# Use "Block Inheritance" sparingly, and do not Enforce the baseline link if
# child-OU exception GPOs are meant to override it; prefer targeted exception GPOs

# Verify the effective value of a specific setting on a server from PowerShell
# Example: effective audit policy for the Logon subcategory, as CSV (/r)
auditpol /get /subcategory:"Logon" /r
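As an added example of the exception pattern above (written for this page, not Microsoft's code), the following creates a scoped exception GPO for one application OU, relaxes a single baseline setting in it, links it at the child OU and prints the resulting precedence so the override is verifiable. The OU name, the GPO name and the chosen setting (lowering the LAN Manager authentication level from 5 to 3 for a legacy client that cannot speak NTLMv2) are assumptions; any registry-backed setting can be substituted.

```powershell
# Added example for this page (not Microsoft's code): a scoped exception GPO that
# relaxes one baseline setting for a single application OU and is linked with the
# highest precedence there. $AppOU, $GpoName and the chosen setting are assumptions.
Import-Module GroupPolicy

$AppOU   = "OU=WebServers,OU=Servers,DC=corp,DC=example"   # assumed child OU under Servers
$GpoName = "WebServer Exceptions - Legacy NTLM"

$Exception = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Exception) {
    # The comment is the audit trail: what was relaxed, why, who owns it, when to revisit
    $Exception = New-GPO -Name $GpoName `
        -Comment "Baseline exception: LmCompatibilityLevel 5 -> 3 for legacy vendor client. Owner: web platform team. Review: quarterly."
}

# The baseline sets LmCompatibilityLevel=5 (send NTLMv2 only, refuse LM and NTLM).
# Level 3 still sends NTLMv2 only but accepts NTLM from the legacy client: the
# smallest relaxation that makes it work. This is a registry-backed security option,
# so Set-GPRegistryValue is enough; user rights would need a security template instead.
Set-GPRegistryValue -Guid $Exception.Id `
    -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" `
    -ValueName "LmCompatibilityLevel" -Type DWord -Value 3 | Out-Null

# Link at the child OU. A child-OU link beats the parent-OU baseline link unless the
# baseline link is Enforced; -Order 1 also puts it first among links on this OU.
$AlreadyLinked = (Get-GPInheritance -Target $AppOU).GpoLinks | Where-Object GpoId -eq $Exception.Id
if (-not $AlreadyLinked) {
    New-GPLink -Guid $Exception.Id -Target $AppOU -LinkEnabled Yes -Order 1 | Out-Null
}

# Resulting precedence for computers in this OU: lower Order wins
(Get-GPInheritance -Target $AppOU).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize
```

After linking, run gpupdate /force on a server in that OU and confirm LmCompatibilityLevel reads 3; if it still reads 5, the baseline link above it is Enforced and the exception cannot win until that is changed.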

Version-Controlling GPOs

GPOs should be treated as code and version-controlled. Back up all GPOs regularly, store the backups in a Git repository alongside the change documentation, and use the GroupPolicy PowerShell module to automate the backup:

Import-Module GroupPolicy

# Back up all GPOs to a dated directory
$BackupDate = Get-Date -Format "yyyy-MM-dd"
$BackupPath = "C:\GPOBackups\$BackupDate"
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

Get-GPO -All | ForEach-Object {
    # Turn the display name into a safe folder name (keep word characters and hyphens)
    $GPOName  = $_.DisplayName -replace '[^\w\-]', '_'
    $DestPath = Join-Path $BackupPath $GPOName
    New-Item -ItemType Directory -Path $DestPath -Force | Out-Null
    # Backup-GPO writes a {backup-id} folder with Backup.xml, gpreport.xml and the policy files
    Backup-GPO -Guid $_.Id -Path $DestPath -Comment "Scheduled backup $BackupDate" | Out-Null
    Write-Host "Backed up: $($_.DisplayName)"
}

Write-Host "All GPOs backed up to $BackupPath"

# Then commit this directory to a Git repository
# git -C "C:\GPOBackups" add .
# git -C "C:\GPOBackups" commit -m "GPO backup $BackupDate"
# git -C "C:\GPOBackups" push origin main
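GPO backups are exact but awkward to diff: every Backup-GPO run creates a new random backup ID folder, so Git sees a wholesale change even when nothing in the GPO moved. The following added example (not part of the page's original script) complements the backup with a stable XML report per GPO, written from Get-GPOReport with the export-time ReadTime element stripped, and commits only when a report actually changed. The repository path is an assumption, git must be on PATH, and the repository is expected to exist already.

```powershell
# Added example for this page (not part of the original backup script): keep a
# diff-friendly XML report per GPO in the Git repository next to the backups,
# and commit only when a report changed. $RepoPath is an assumption; git must be
# on PATH and the repository already initialized.
Import-Module GroupPolicy

$RepoPath   = "C:\GPOBackups"                  # assumed local clone of the GPO repo
$ReportPath = Join-Path $RepoPath "reports"
New-Item -ItemType Directory -Path $ReportPath -Force | Out-Null

function ConvertTo-SafeName([string]$Name) { $Name -replace '[^\w\-]', '_' }

$AllGpos = Get-GPO -All
foreach ($Gpo in $AllGpos) {
    $File = Join-Path $ReportPath ((ConvertTo-SafeName $Gpo.DisplayName) + ".xml")
    $Xml  = Get-GPOReport -Guid $Gpo.Id -ReportType Xml
    # ReadTime is stamped at export time and changes on every run; strip it so an
    # unchanged GPO produces an identical file and therefore no diff.
    $Xml  = $Xml -replace '<ReadTime>[^<]*</ReadTime>', ''
    [System.IO.File]::WriteAllText($File, $Xml, [System.Text.UTF8Encoding]::new($false))
}

# Remove reports for GPOs that no longer exist so deletions also show up in history
$Expected = $AllGpos | ForEach-Object { (ConvertTo-SafeName $_.DisplayName) + ".xml" }
Get-ChildItem -Path $ReportPath -Filter *.xml |
    Where-Object { $_.Name -notin $Expected } | Remove-Item

Push-Location $RepoPath
try {
    git add --all reports
    $Pending = git status --porcelain -- reports
    if ($Pending) {
        git commit --quiet -m "GPO reports $(Get-Date -Format 'yyyy-MM-dd HH:mm') by $env:USERNAME"
        Write-Host "Committed GPO changes:"; $Pending | ForEach-Object { Write-Host "  $_" }
    } else {
        Write-Host "No GPO changes since the last commit"
    }
} finally {
    Pop-Location
}
```

A git diff between two commits of reports\<name>.xml then shows exactly which setting changed and to what. Keep the Backup-GPO output as the restore artifact: Import-GPO consumes backups, not XML reports, so the report is for review and the backup is for rollback.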

Maintaining a version-controlled GPO backup allows you to track exactly which policy settings changed between dates, roll back to a previous baseline if a change causes problems, and perform code review on proposed GPO changes before they are applied to production. Combined with the Microsoft Security Compliance Toolkit baseline as your starting point and documented exceptions for organizational requirements, this approach gives you a defensible, auditable security posture for all Windows Server 2022 deployments.