Microsoft Tech Community
New tool: Policy Analyzer
Published Jun 18 2019 01:15 PM 199K Views
Former Employee
First published on TechNet on Jan 22, 2016
Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). It can highlight when a set of Group Policies has redundant settings or internal inconsistencies, and can highlight the differences between versions or sets of Group Policies. It can also compare GPOs against current local policy settings and against local registry settings. And you can export its findings to a Microsoft Excel spreadsheet.

Policy Analyzer lets you treat a set of GPOs as a single unit.  This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values.  It also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.

For example, the US Government Configuration Baseline (USGCB) for Windows 7 includes seven different GPOs.  Policy Analyzer can treat them as a single set, and show all the differences between them and the Microsoft recommended baselines for Windows 10 and Internet Explorer 11 with a single comparison.  You can also use it to verify changes that were made to your production GPOs.

The following screenshot shows two baselines compared with each other and to corresponding registry values on the local system. The lower pane displays the Group Policy setting, location, and other information associated with the selected row. Conflicting settings are highlighted in yellow; absent settings are shown as a grey cell. Policy Analyzer also offers options to display only rows containing conflicts or other differences.


The following screenshot shows Policy Analyzer’s Excel output. Policy Analyzer sorts results primarily by the Group Policy path and setting name columns, which are the leftmost columns.


Policy Analyzer is a lightweight standalone application that doesn’t require installation, and doesn’t require administrative rights (except for the “local policy” feature).

The downloadable attachment to this blog post contains Policy Analyzer, its full documentation and sample GPO sets taken from the Microsoft security configuration baselines.

[Updated 3 February 2016: download now includes representations of all Windows, IE, and Office GPOs published in the Security Compliance Manager.]

[Update: the latest version of Policy Analyzer is here.]
21 Comments
Copper Contributor

It would be very helpful to add the policy name retrieved when you specify a root folder for GP within the File Name field when you click on Import. It would speed up the import process; imagine you have to deal with hundreds of policies...

Copper Contributor

Hi this tool seems like it'd be really useful but I'm having an issue where it's not importing all the backed up GPOs. I got the backups using PowerShell's Backup-GPO. I've tested the backups with Group Policy Management and it sees them all fine. At a loss what to try next, it's no good to me if I can't get all my policies in it to compare.

Copper Contributor

Did you check which policies have not been imported and which settings they contain? The reason I'm asking is that some settings, such as wifi networks or AppLocker, are not visible within PolicyAnalyzer. Another reason could be that permissions are not enough on that specific policy.

Iron Contributor

Dear @Intune_Support_Team, do you know if there is a plan to get something like "Policy Analyzer" but with Graph API support for comparing Intune / Microsoft Endpoint Manager policies? Thank you!

Hi @Sergg, have you seen our GraphAPI docs for the deviceConfiguration resource type? We also have several Intune Device Configuration Policy script samples to retrieve, create, delete or update data within your Intune tenant. Hope this helps!

Copper Contributor

Does it now analyse the "GP preferences"? Sometimes settings are configured using GP preferences instead of GP policies.

I cannot find release notes information, and the instruction PDF inside the .ZIP still dates back to 2016.

I think it is a great tool to compare and clean up GPOs, but without including the GP preferences, it is half a tool, like a hammer without a handle.

Copper Contributor

@sbonnat For the time being it does not include policy preferences, nor other settings, e.g. wifi or AppLocker. I agree that including the full spectrum you can push via policy would make it a complete tool, but it's still very useful in scenarios where you have dozens of policies with settings that overlap or are not organized very well, and you need to rapidly find where a particular one is located.

Copper Contributor

@Intune_Support_Team @Aaron Margosis 

When we use Policy Analyzer, is it possible to use the result to modify and correct a GPO?

Copper Contributor

@LeaIT It's a read and compare tool. You can't edit or write new policies within the tool; you have to adapt the GP from gpedit or any other tool made for editing them.

Copper Contributor

How will we get the policy name for which the conflict has occurred? It would be a very tedious task for those who have a large number of group policies in place.

Iron Contributor

@Amitsinghrajput - one way is to import all your policies at once into a single policy set, then view that one set, and View | Show only Conflicts.

Copper Contributor

Is there a getting started guide or video for the Policy Analyzer? I have just downloaded the Security Compliance Toolkit and Windows 10 21H1 Security Baseline. I simply want to compare the baseline with our deployed policies. "Policy Analyzer.pdf" is a technical reference but not instructional.

Copper Contributor

@Steve_Pogue I'm having a similar challenge as well. Microsoft should create a simple guide.

Copper Contributor

Hi. Aaron.

@Aaron Margosis 

Thank you for putting so much effort in this tool.

Unfortunately it is only an interactive tool and cannot simply be used for automation. It does not have an interface that can be used to automatically create the .policyrule files or to compare them. Of course, once the .policyrule files are created you can write a script to do so. But the GUI does include all those features but cannot be used in a command line.

It would be so cool if that could be implemented. Or make it open source so the community can use the algorithms to read the various setting details as the GUI does.

Thank you for considering open-sourcing the tool or implementing a command-line version or an API.

Copper Contributor

Hello @Aaron Margosis 

I am trying to run Policy Analyzer v4.0.2004.13001 and click on Add to import GPOs. Now it asks me to import it to a policy file. After that nothing happens. Please provide step-by-step instructions on how to use this new tool. Even the GUI shown in the screenshot differs from the original. Please help.

Iron Contributor

@Soumya1575 - this page is an old article about the original release. This page is more up to date. The Policy Analyzer download includes a PDF that should explain usage comprehensively.

Copper Contributor

Very interesting tool.

How can we export all the tables if Excel is not installed?

Thank you very much

Iron Contributor

@jasmin leroux - best workaround is to copy the .PolicyRules file to a system that has Excel and the necessary ADMX/ADML files.

Copper Contributor

Thank you very much Aaron,
Again great tool.

Have a nice day,

jasmin

Copper Contributor

I wonder what this means:

[[[create key]]] and [[[delete]]]

Iron Contributor

[[[create key]]] indicates that there's a command in the registry.pol to create the named key but not to create any values in it.

[[[delete]]] indicates that there's a command in the registry.pol to delete the specified value.
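
The two markers explained in the reply above correspond to entries in the GPO's registry.pol file. The following is an added example, not code from Policy Analyzer or from the original post: a minimal parser for the documented registry.pol layout (a `PReg` header with version 1, followed by `[key;value;type;size;data]` entries in UTF-16LE) that labels each entry as a set, a key-only creation, or a `**del.` value deletion. The key paths and value names in the sample are constructed, and how Policy Analyzer itself reads the file is not shown on this page.

```python
import struct

HEADER = b"PReg" + struct.pack("<I", 1)  # signature + format version 1

def _wstr(buf, pos):  # NUL-terminated UTF-16LE string -> (text, next_pos)
    for end in range(pos, len(buf) - 1, 2):
        if buf[end:end + 2] == b"\x00\x00":
            return buf[pos:end].decode("utf-16-le"), end + 2
    raise ValueError("unterminated string")

def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_pol(buf):
    """Yield (key, value, type, data) per [key;value;type;size;data] entry."""
    if buf[:8] != HEADER:
        raise ValueError("not a version 1 registry.pol file")
    pos = 8
    while pos < len(buf):
        key, pos = _wstr(buf, _expect(buf, pos, "["))
        value, pos = _wstr(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        reg_type, size = struct.unpack_from("<I2xI", buf, pos)
        pos = _expect(buf, _expect(buf, pos + 4, ";") + 4, ";")
        data = buf[pos:pos + size]  # trust the size field, not the next "]"
        pos = _expect(buf, pos + size, "]")
        yield key, value, reg_type, data

def summarize(buf):
    """Yield (key, value name, kind); kind is set, create key or delete."""
    for key, value, _type, _data in parse_pol(buf):
        if value.lower().startswith("**del."):
            yield key, value[6:], "delete"  # delete one named value
        else:  # an empty value name creates the key only
            yield key, value, "set" if value else "create key"

def _entry(key, value, reg_type, data=b""):
    head = f"[{key}\0;{value}\0;".encode("utf-16-le")
    return (head + struct.pack("<IHIH", reg_type, 59, len(data), 59)
            + data + "]".encode("utf-16-le"))

# Constructed sample, not from a real GPO. DWORD 0x5D is the byte for "]".
SAMPLE = HEADER + b"".join([
    _entry(r"Software\Policies\Example", "EnableFeature", 4, struct.pack("<I", 0x5D)),
    _entry(r"Software\Policies\Example\Empty", "", 0),
    _entry(r"Software\Policies\Example", "**del.OldSetting", 1, " \0".encode("utf-16-le")),
])
```

Calling `list(summarize(SAMPLE))` returns one row per entry; on a real file, pass the bytes of the GPO backup's registry.pol instead of `SAMPLE`.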

Version history
Last update: Jun 18 2019 01:15 PM