Microsoft Security Compliance Manager - compare baseline to multiple GPOs?

Posted on 2014-08-05
Last Modified: 2014-08-06
Is there a way to merge multiple GPOs into one backup?
I have a baseline from Microsoft that I'm trying to compare to backups of my Group Policy, but the problem is, in my Group Policy I may have both User and Computer policies applied, whereas the baseline is only User policies or only Computer policies. So the comparison isn't fair, or is skewed and hard to understand.

I'm using this program, and it has a Compare option, I think only if you can import GPOs.
I don't think it will compare a baseline to all GPOs live in your environment?
Microsoft Security Compliance Manager
Question by: garryshape

    Accepted Solution

    In the past, you could compare based on XML, such as using xmldiff or AGPM, but that can be more strenuous and not straightforward to understand. However, using SCM, which is ideally more for 1-to-1 comparison, you can import the two GPOs into SCM and compare them. You'll see the categories below and can also export the result to an Excel file.
    • Settings that differ
    • Settings that match
    • Settings only in First baseline
    • Settings only in Second baseline
    Other than that, to compare with "merged" GPOs, which I see as a 1-N comparison using SCM, I am just not confident in the accuracy.

    However, there are other tools, such as the one linked below, that may help in your use case, as it claims to allow you to quickly compare up to 4 Group Policy Objects and also to compare multiple LIVE GPOs:

    GPO Compare -
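An added example (not from the thread, and not SCM's or GPO Compare's own code) of the 1-N comparison the answer describes: several GPOs are flattened into one effective settings set in the order the domain applies them, and the result is sorted into the four SCM buckets listed above. The GPO names and setting paths are constructed sample data; the only assumption is that the caller supplies the GPOs in processing order.

```python
# Added example (not from the thread or SCM): merge GPOs, then bucket them SCM-style.
from typing import Dict, List, Tuple

Settings = Dict[str, str]            # "<scope>\\<setting path>" -> configured value
Merged = Dict[str, Tuple[str, str]]  # setting path -> (value, name of winning GPO)

def merge_gpos(gpos: List[Tuple[str, Settings]]) -> Merged:
    """Flatten (gpo_name, settings) pairs into one effective set. Assumption: the
    caller lists GPOs in processing order, so a later GPO overrides an earlier one."""
    merged: Merged = {}
    for name, settings in gpos:
        for path, value in settings.items():
            merged[path] = (value, name)
    return merged

def compare_to_baseline(baseline: Settings, merged: Merged) -> Dict[str, list]:
    """Produce the four SCM buckets: differ, match, only in baseline, only in GPOs."""
    report: Dict[str, list] = {"differ": [], "match": [], "only_in_baseline": [], "only_in_gpos": []}
    for path, expected in sorted(baseline.items()):
        if path not in merged:
            report["only_in_baseline"].append((path, expected))
            continue
        actual, gpo = merged[path]
        bucket = "match" if actual == expected else "differ"
        report[bucket].append((path, expected, actual, gpo))
    for path, (actual, gpo) in sorted(merged.items()):
        if path not in baseline:
            report["only_in_gpos"].append((path, actual, gpo))
    return report

# Constructed sample data; the paths mimic GPMC display names, not a real baseline.
BASELINE: Settings = {
    "Computer\\Security Options\\Network security: Force logoff when logon hours expire": "Enabled",
    "Computer\\Security Options\\Accounts: Guest account status": "Disabled",
    "Computer\\Audit Policy\\Audit logon events": "Success, Failure",
}
GPOS: List[Tuple[str, Settings]] = [
    ("Default Domain Policy", {
        "Computer\\Security Options\\Accounts: Guest account status": "Disabled",
        "Computer\\Audit Policy\\Audit logon events": "Success, Failure",
        "User\\Administrative Templates\\Prohibit access to Control Panel": "Enabled",
    }),
    ("Server Hardening", {  # applied later, so it wins on the audit setting
        "Computer\\Audit Policy\\Audit logon events": "Success",
    }),
]

if __name__ == "__main__":
    for bucket, rows in compare_to_baseline(BASELINE, merge_gpos(GPOS)).items():
        print(f"{bucket}: {rows}")
```

The "only_in_baseline" bucket is where a baseline setting with no matching GPO setting (such as the Force logoff setting) shows up, so it is the bucket to review before blaming the comparison itself.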

    Author Comment

    Cool, thanks for the info.

    What about SCOM or SCCM? Would either of those be capable of achieving this?

    Assisted Solution

    They are delivery channels to "facilitate" pushing down GPOs, and I don't really want to depend on them to differentiate/compare and "assume" they can, which I am not certain or confident in. They are probably good at getting the different or latest Windows updates or software update point management, but to create/compare/obtain the latest GPO, that would be new, not to mention that the admin or yourself is the one who determines the "new" GPO.

    Group Policies are great and the Windows Update Group Policies have some great functionality; unfortunately, none of them actually do anything to Software Updates in ConfigMgr. Without FCS, the most you should set in relation to Windows Updates is the Configure Automatic Updates policy to Disabled and forcing the Automatic Updates service to Automatic.

    Author Comment

    OK, so here's where I'm at.

    I've exported the GPOs that I downloaded from the website I'm trying to use for compliance checking.
    That website and download is here:

    I imported those into Microsoft Security Compliance Manager, then from Compliance Manager I used the Export feature to the type "SCCM DCM 2007 (.cab)".

    Then in SCCM 2012, I created a Configuration Baseline, importing these .cabs.
    That appears to have worked.

    The only challenge is, I get a Discovery Error on one of them:
    • Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
    • Network security: Force logoff when logon hours expire

    Since there's no corresponding registry entry for this setting, I cannot seem to get SCCM to evaluate it against the collections I run a compliance report against using the Configuration Baseline, as long as it includes that rule. It will error out and I'll never get a "completed" summarization.

    If I remove that rule from the Configuration Baseline collection item, it will carry out just fine.

    Assisted Solution

    The steps should be alright, and the error seems to be the one described under "Unexpected Compliance Results in Desired Configuration Management", e.g. "Non existing registry hive" @

    You can also check out "Unexpected Data in Desired Configuration Management Reports" in
    That registry seems to be more for local policy as compared to domain policy per se. We may also want to try configuring a new setting, or browsing to an existing setting on a reference computer and configuring the string for the "Hive" that you want to search in; check out step 4 in

    You can click Browse to browse to a registry location on the computer or on a remote computer. To browse a remote computer, you must have administrator rights on the remote computer and the remote computer must be running the remote registry service.

    or even, to a certain extent, set the compliance rule to (Step 5)

    Report noncompliance if this setting instance is not found – The configuration item reports noncompliance if this setting is not found on client computers.

    Remediate noncompliant rules when supported – Select this option if you want Configuration Manager to automatically remediate noncompliant rules. Configuration Manager can automatically remediate the following rule types: e.g. Registry value – The registry value is remediated if it is noncompliant, and created if it does not exist.

    Author Closing Comment

    Way cool, thanks for so much advice/help here.
