With the Security Configuration Wizard (SCW), you can create, edit, and apply a security policy. You can also roll back the last security policy that you applied if it does not function as expected.

SCW includes a command-line tool, Scwcmd, that you can use to perform various tasks. For more information, see http://go.microsoft.com/fwlink/?LinkId=92612.

Creating a new security policy

You can create a security policy that configures services, Windows Firewall with Advanced Security, audit policy settings, and specific registry settings. The security policy is an .xml file that can be edited and applied with SCW. The policy can be made into a Group Policy object (GPO) by using the Scwcmd command-line tool. Once you have started SCW, you do not need to complete all sections in the same session. To skip sections, select the Skip this section check box at the beginning of each uncompleted section, save the policy, and use SCW to edit the policy later. If you select the Skip this section check box after configuring part of a section, your changes are not saved or applied. Settings in skipped sections remain undefined until you edit the security policy and configure those settings.

Editing an existing security policy

You can edit a security policy that you have already created with SCW. You must click Edit an existing security policy before you can browse to the location of the security policy that you want to edit. The policy that you edit can be stored locally or on a network. You can use SCW to edit policies with an .xml file name extension. Security templates with an .inf extension cannot be edited with SCW.

Manually editing the security policy is not supported. You must use SCW to edit a security policy that you have created with SCW.

Applying an existing security policy

Once you create a security policy with SCW, you can apply it to a test server or to your production environment. You can use the Scwcmd command-line tool to apply the same policy to multiple servers. You can use the scwcmd transform command to create GPOs. Only security policies in .xml format can be applied with SCW.

If the selected server is a member of an Active Directory domain, then the domain-based GPO security policy generally overrides registry settings that were set directly through SCW. To prevent this, you can create a GPO by using scwcmd transform and apply the GPO through Active Directory Domain Services (AD DS).

For more information about the registry values configured with SCW, see Registry Settings.


It is highly recommended that you test a newly created or modified security policy before applying it to your production environment. Testing minimizes the possibility that the new policy might cause unexpected behavior, such as compatibility issues, in your production environment.

Rolling back the last applied security policy

If you applied a security policy with SCW that causes decreased functionality for a server or other undesirable results, you can roll back the security policy so that it is no longer applied to the server. However, if the policy is edited in Local Security Policy after you apply it, the changes cannot be rolled back and will remain in their current configuration.

For services and registry values, the process of rolling back restores settings that were changed during the configuration process. For Windows Firewall with Advanced Security, the process of rolling back removes any SCW policy that is currently in place and applies the previous policy that was in place at configuration time.