How to Configure Microsoft Security Compliance Toolkit on Windows Server 2012 R2
The Microsoft Security Compliance Toolkit (SCT) is a free collection of tools from Microsoft designed to help administrators implement, manage, and validate security baselines for Windows operating systems and Microsoft applications. For Windows Server 2012 R2, the SCT provides pre-built, tested Group Policy Object baselines aligned with Microsoft’s security recommendations, a Policy Analyzer tool for comparing multiple GPOs and identifying deviations, and the Local Group Policy Object (LocalGPO) tool for applying baselines to non-domain-joined machines. This guide covers installing and using the full SCT workflow—from baseline download through Policy Analyzer compliance reports.
Prerequisites
- Windows Server 2012 R2 management server or workstation with GPMC installed
- Active Directory domain (for GPO-based deployment) or local administrator access (for LocalGPO deployment)
- PowerShell 4.0 or later
- Microsoft .NET Framework 4.5 or later for Policy Analyzer
- Downloaded SCT package from the Microsoft Download Center
Step 1: Download and Extract the Security Compliance Toolkit
Download the Windows Server 2012 R2 Security Baseline from the Microsoft Security Compliance Toolkit page. The download includes the baseline GPO backups, documentation, and tooling:
# Create working directory
New-Item -Path "C:\SCT" -ItemType Directory -Force
# After downloading the SCT ZIP from Microsoft:
# https://www.microsoft.com/en-us/download/details.aspx?id=55319
# Expand-Archive ships with PowerShell 5.0; on Windows Server 2012 R2 install
# Windows Management Framework 5.1 first, or extract the ZIP with Explorer.
Expand-Archive -Path "C:\Downloads\SCT-WS2012R2-Baseline.zip" -DestinationPath "C:\SCT\WS2012R2" -Force
# List contents
Get-ChildItem "C:\SCT\WS2012R2" -Recurse | Select-Object FullName | Format-List
The extraction creates the following structure:
- C:\SCT\WS2012R2\Documentation — Excel mapping of settings to NIST/CIS controls
- C:\SCT\WS2012R2\GPOs — Importable GPO backup folders
- C:\SCT\WS2012R2\GP Reports — HTML reports of all policy settings
- C:\SCT\WS2012R2\Templates — ADMX and ADML administrative template files
- C:\SCT\WS2012R2\Tools — PolicyAnalyzer.exe, LocalGPO.exe
Step 2: Install Administrative Templates
Copy the custom ADMX templates from the SCT to the Group Policy Central Store so all GPO editors can access the settings:
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
# Create the central store (and its en-US language folder) if it doesn't exist
if (-not (Test-Path $centralStore)) {
    New-Item -Path $centralStore -ItemType Directory
    New-Item -Path "$centralStore\en-US" -ItemType Directory
}
# Copy ADMX templates and their en-US ADML language files
Copy-Item "C:\SCT\WS2012R2\Templates\*.admx" $centralStore -Force -ErrorAction SilentlyContinue
Copy-Item "C:\SCT\WS2012R2\Templates\en-US\*.adml" "$centralStore\en-US" -Force -ErrorAction SilentlyContinue
Write-Host "ADMX templates copied to central store: $centralStore"
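A central store that is missing a language file, or that holds two ADMX files declaring the same namespace, makes the Group Policy editor raise errors or hide settings, so it is worth checking the folder after the copy. The function below is an added example and not code from the guide or from the SCT; `Test-AdmxStore`, `New-SampleAdmx` and the sample store under `$env:TEMP` are constructed for this illustration. In production, call `Test-AdmxStore -Path $centralStore` against the real central store instead of the sample.

```powershell
# Added example, not code from the original guide: sanity-check a
# PolicyDefinitions folder. Flags an ADMX without its language ADML and two
# ADMX files that declare the same namespace. The sample store built under
# $env:TEMP is constructed so the check runs offline.

function Test-AdmxStore {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Language = 'en-US'
    )
    $findings = @()
    $seen = @{}   # namespace -> first ADMX file that declared it
    foreach ($admx in Get-ChildItem -Path $Path -Filter '*.admx' -File) {
        $adml = Join-Path (Join-Path $Path $Language) ($admx.BaseName + '.adml')
        if (-not (Test-Path $adml)) {
            $findings += [PSCustomObject]@{ File = $admx.Name; Problem = "no $Language ADML" }
        }
        try {
            [xml]$doc = Get-Content -Path $admx.FullName -Raw
            $ns = $doc.policyDefinitions.policyNamespaces.target.namespace
        } catch {
            $findings += [PSCustomObject]@{ File = $admx.Name; Problem = "unreadable XML: $_" }
            continue
        }
        if (-not $ns) {
            $findings += [PSCustomObject]@{ File = $admx.Name; Problem = 'no policyNamespaces/target element' }
        } elseif ($seen.ContainsKey($ns)) {
            $findings += [PSCustomObject]@{ File = $admx.Name; Problem = "namespace $ns already declared by $($seen[$ns])" }
        } else {
            $seen[$ns] = $admx.Name
        }
    }
    return $findings
}

# Constructed helper: writes a minimal ADMX (and optionally its ADML) for the demo.
function New-SampleAdmx {
    param([string]$Store, [string]$Name, [string]$Namespace, [bool]$WithAdml)
    @"
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="$Name" namespace="$Namespace" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <policies />
</policyDefinitions>
"@ | Set-Content -Path (Join-Path $Store "$Name.admx") -Encoding UTF8
    if ($WithAdml) {
        '<policyDefinitionResources revision="1.0" schemaVersion="1.0" />' |
            Set-Content -Path (Join-Path (Join-Path $Store 'en-US') "$Name.adml") -Encoding UTF8
    }
}

# Build the constructed sample store: one complete pair, one file that both
# lacks its ADML and re-declares the first file's namespace.
$store = Join-Path $env:TEMP 'SampleCentralStore'
New-Item -Path (Join-Path $store 'en-US') -ItemType Directory -Force | Out-Null
New-SampleAdmx -Store $store -Name 'Contoso' -Namespace 'Contoso.Policies' -WithAdml $true
New-SampleAdmx -Store $store -Name 'ContosoCopy' -Namespace 'Contoso.Policies' -WithAdml $false
Test-AdmxStore -Path $store | Format-Table -AutoSize
```

The namespace check matters because the editor loads every ADMX in the store and a duplicate `target` namespace aborts loading with an error rather than skipping one file; the ADML check catches the case where only the `*.admx` copy succeeded.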
Step 3: Import Baseline GPOs
Import the pre-built baseline GPOs from the SCT package into your domain:
Import-Module GroupPolicy
# List available GPO backups in the SCT package
Get-ChildItem "C:\SCT\WS2012R2\GPOs" -Directory | Select-Object Name
# Import the Member Server baseline
Import-GPO `
    -BackupGpoName "MSFT Windows Server 2012 R2 - Member Server" `
    -Path "C:\SCT\WS2012R2\GPOs" `
    -TargetName "SCT-WS2012R2-MemberServer" `
    -CreateIfNeeded
# Import the Domain Controller baseline (apply to the Domain Controllers OU only)
Import-GPO `
    -BackupGpoName "MSFT Windows Server 2012 R2 - Domain Controller" `
    -Path "C:\SCT\WS2012R2\GPOs" `
    -TargetName "SCT-WS2012R2-DomainController" `
    -CreateIfNeeded
# Import the IE11 baseline (if Internet Explorer is used on servers)
Import-GPO `
    -BackupGpoName "MSFT IE 11" `
    -Path "C:\SCT\WS2012R2\GPOs" `
    -TargetName "SCT-IE11" `
    -CreateIfNeeded
Write-Host "SCT baselines imported successfully"
Step 4: Use Policy Analyzer to Compare Baselines
Policy Analyzer is the most powerful tool in the SCT. It compares two or more GPO backups side by side and highlights differences. Run C:\SCT\WS2012R2\Tools\PolicyAnalyzer.exe.
To compare your current production policy against the SCT baseline:
# Export your current production GPO to a backup folder for comparison
Backup-GPO -Name "Your-Current-Server-Policy" -Path "C:\SCT\Comparison\CurrentPolicy"
# Now open PolicyAnalyzer.exe:
# 1. Click "Add" → browse to C:\SCT\WS2012R2\GPOs\MSFT Windows Server 2012 R2 - Member Server
# 2. Click "Add" again → browse to C:\SCT\Comparison\CurrentPolicy
# 3. Click "View/Compare"
# Yellow rows = settings that differ between the two policies
# Red rows = settings missing from one policy
# PolicyAnalyzer can also export the comparison as an Excel file:
# File → Export to Excel
Step 5: Apply Baseline to Non-Domain Servers Using LocalGPO
For servers that are not domain-joined (DMZ servers, isolated environments), use the LocalGPO tool to apply the baseline directly to the local policy:
# Copy the LocalGPO tool and the GPO backup folder to the target server,
# then run the following on the target server from an elevated prompt.
# LocalGPO.exe usage:
#   LocalGPO.exe /Path:"<GPO backup folder>" /Computer
# Apply the computer policy settings from the baseline:
Set-Location "C:\SCT\WS2012R2\Tools"
.\LocalGPO.exe /Path:"C:\SCT\WS2012R2\GPOs\MSFT Windows Server 2012 R2 - Member Server" /Computer
# Verify the local policy was updated
gpresult /r /scope computer
Step 6: Generate a GPO Report from the Baseline
Generate HTML and XML reports of the imported SCT baseline GPO for compliance documentation:
New-Item -Path "C:\SCT\Reports" -ItemType Directory -Force
# Generate HTML report
Get-GPOReport -Name "SCT-WS2012R2-MemberServer" `
    -ReportType HTML `
    -Path "C:\SCT\Reports\SCT-MemberServer-Baseline.html"
# Generate XML report (machine-parseable for compliance tools)
Get-GPOReport -Name "SCT-WS2012R2-MemberServer" `
    -ReportType Xml `
    -Path "C:\SCT\Reports\SCT-MemberServer-Baseline.xml"
Write-Host "GPO reports generated in C:\SCT\Reports"
Invoke-Item "C:\SCT\Reports\SCT-MemberServer-Baseline.html"
Step 7: Deploy the Baseline to a Test OU
# Create a test OU for baseline validation
New-ADOrganizationalUnit -Name "SCT-Baseline-Test" `
-Path "OU=Servers,DC=corp,DC=example,DC=com"
# Move a test server to the OU
Move-ADObject `
-Identity "CN=TESTSERVER01,OU=Servers,DC=corp,DC=example,DC=com" `
-TargetPath "OU=SCT-Baseline-Test,OU=Servers,DC=corp,DC=example,DC=com"
# Link the SCT GPO to the test OU
New-GPLink -Name "SCT-WS2012R2-MemberServer" `
-Target "OU=SCT-Baseline-Test,OU=Servers,DC=corp,DC=example,DC=com" `
-LinkEnabled Yes
# Refresh policy on the test server and review impact
Invoke-GPUpdate -Computer "TESTSERVER01" -Force
Invoke-Command -ComputerName "TESTSERVER01" -ScriptBlock { gpresult /r /scope computer }
Step 8: Automate Drift Detection
Schedule a weekly drift detection job. The starter script below collects the effective local security policy (a secedit export) from each production server and records the outcome in a CSV; comparing each export against the approved SCT baseline and e-mailing the deviations are the pieces to build on top of it:
$driftScript = @'
Import-Module ActiveDirectory
$servers = Get-ADComputer -Filter * -SearchBase "OU=Servers,DC=corp,DC=example,DC=com" |
    Select-Object -ExpandProperty Name
$results = @()
foreach ($server in $servers) {
    try {
        $effectivePolicy = Invoke-Command -ComputerName $server -ScriptBlock {
            New-Item -Path "C:\Temp" -ItemType Directory -Force | Out-Null
            # Discard secedit's own status output so only the export is returned
            secedit /export /cfg C:\Temp\CurrentPolicy.cfg /areas SECURITYPOLICY 2>&1 | Out-Null
            Get-Content C:\Temp\CurrentPolicy.cfg
        } -ErrorAction Stop
        $results += [PSCustomObject]@{
            Server      = $server
            Status      = "OK"
            PolicyLines = $effectivePolicy.Count
        }
    } catch {
        $results += [PSCustomObject]@{ Server = $server; Status = "ERROR: $_"; PolicyLines = 0 }
    }
}
$results | Export-Csv "C:\SCT\Reports\DriftReport-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Host "Drift report: C:\SCT\Reports\DriftReport-$(Get-Date -Format 'yyyyMMdd').csv"
'@
New-Item -Path "C:\SCT\Scripts" -ItemType Directory -Force | Out-Null
$driftScript | Out-File "C:\SCT\Scripts\Check-PolicyDrift.ps1"
# Schedule weekly drift check
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 06:00
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" `
    -Argument "-NonInteractive -File C:\SCT\Scripts\Check-PolicyDrift.ps1"
Register-ScheduledTask -TaskName "SCT-DriftDetection" -Trigger $trigger -Action $action `
    -RunLevel Highest -User "SYSTEM"
Write-Host "Drift detection scheduled"
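The comparison that Policy Analyzer performs interactively in Step 4, and that the scheduled job in Step 8 needs in script form, can be done offline against the two security templates involved: the `secedit /export` output from a server and the baseline's `GptTmpl.inf` inside the GPO backup. Both use the same INI-style layout. The script below is an added example, not code from the guide or from the SCT; `ConvertFrom-SecurityTemplate` and `Compare-SecurityTemplate` are names chosen here, the two here-strings are constructed sample data, and the real-file paths in the trailing comment assume the guide's folder layout.

```powershell
# Added example, not code from the original guide: diff a server's exported
# security policy against the baseline security template. The sample inputs
# are constructed so the script runs anywhere; in production load the real
# files with Get-Content (see the comment at the end).

function ConvertFrom-SecurityTemplate {
    param([string[]]$Lines)
    # Parse "[Section]" / "Key = Value" lines into a nested hashtable.
    # Privilege Rights values are SID lists whose order carries no meaning,
    # so they are sorted before storage to avoid false positives.
    $template = @{}
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $template.ContainsKey($section)) { $template[$section] = @{} }
            continue
        }
        if ($null -eq $section) { continue }
        $parts = $line -split '=', 2
        if ($parts.Count -ne 2) { continue }
        $value = $parts[1].Trim()
        if ($section -eq 'Privilege Rights') {
            $value = (($value -split ',') | ForEach-Object { $_.Trim() } | Sort-Object) -join ','
        }
        $template[$section][$parts[0].Trim()] = $value
    }
    return $template
}

function Compare-SecurityTemplate {
    param(
        [hashtable]$Baseline,
        [hashtable]$Actual,
        [string[]]$Sections = @('System Access', 'Privilege Rights', 'Registry Values')
    )
    # One record per baseline setting that is absent or different on the server.
    $drift = @()
    foreach ($sec in $Sections) {
        if (-not $Baseline.ContainsKey($sec)) { continue }
        foreach ($key in $Baseline[$sec].Keys) {
            $expected = $Baseline[$sec][$key]
            $present  = $Actual.ContainsKey($sec) -and $Actual[$sec].ContainsKey($key)
            if (-not $present) {
                $drift += [PSCustomObject]@{ Section = $sec; Setting = $key; Expected = $expected; Actual = '(not set)'; State = 'Missing' }
            } elseif ($Actual[$sec][$key] -ne $expected) {
                $drift += [PSCustomObject]@{ Section = $sec; Setting = $key; Expected = $expected; Actual = $Actual[$sec][$key]; State = 'Different' }
            }
        }
    }
    return $drift
}

# Constructed sample: a trimmed baseline template and a server export that drifted.
$sampleBaseline = @'
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 10
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
'@
$sampleActual = @'
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1001
SeRemoteInteractiveLogonRight = *S-1-5-32-555,*S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
'@

$baseline = ConvertFrom-SecurityTemplate ($sampleBaseline -split '\r?\n')
$actual   = ConvertFrom-SecurityTemplate ($sampleActual -split '\r?\n')
Compare-SecurityTemplate -Baseline $baseline -Actual $actual | Format-Table -AutoSize

# Real inputs (assumed paths following the guide's layout; the GPO backup
# folder is named after the GUID assigned when the backup was taken):
# $baseline = ConvertFrom-SecurityTemplate (Get-Content 'C:\SCT\WS2012R2\GPOs\{backup-GUID}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf')
# $actual   = ConvertFrom-SecurityTemplate (Get-Content 'C:\Temp\CurrentPolicy.cfg')
```

The sample is built so that the weakened password length, the missing lockout threshold and the extra account holding SeDebugPrivilege are reported, while the reordered remote-logon SID list is not, which is the behaviour you want from a drift job that runs unattended. Wrapping the returned records in the weekly CSV, and only e-mailing when the list is non-empty, is the natural extension.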
Summary
The Microsoft Security Compliance Toolkit provides a complete workflow for implementing, managing, and auditing security baselines on Windows Server 2012 R2. By downloading and importing the pre-built GPO baselines, installing the ADMX templates in the central store, using Policy Analyzer to identify gaps between your current configuration and the Microsoft benchmark, applying the baseline to a test OU before production rollout, generating HTML compliance reports for auditors, and scheduling automated drift detection, you have established a structured, repeatable security baseline management process. The SCT is the recommended starting point for any Windows Server security hardening project—it provides a professionally validated, well-documented foundation that you can customize to meet your specific compliance requirements.