secedit commands

• Applies to:

  ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10, ✅ Azure Local, versions 23H2 and 22H2

Configures and analyzes system security by comparing your current security configuration against specified security templates.

Note

The Microsoft Management Console (MMC) and the Security Configuration and Analysis snap-in are not available on Server Core.

Syntax

secedit /analyze
secedit /configure
secedit /export
secedit /generaterollback
secedit /import
secedit /validate

Parameters

Parameter	Description
secedit /analyze	Allows you to analyze current systems settings against baseline settings that are stored in a database. The analysis results are stored in a separate area of the database and can be viewed in the Security Configuration and Analysis snap-in.
secedit /configure	Allows you to configure a system with security settings stored in a database.
secedit /export	Allows you to export security settings stored in a database.
secedit /generaterollback	Allows you to generate a rollback template with respect to a configuration template.
secedit /import	Allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system.
secedit /validate	Allows you to validate the syntax of a security template.

Remarks

• If there is no filepath specified, all filenames will default to the current directory.

• Your analysis results are stored in a separate area of the database and can be viewed in the Security Configuration and Analysis snap-in to the MMC.

• If your security templates are created by using the Security Template snap-in, and if you run the Security Configuration and Analysis snap-in against those templates, the following files are created:

  File	Description
  scesrv.log	Location: %windir%\security\logs Created by: Operating system File type: Text Refresh rate: Overwritten when secedit analyze, secedit configure, secedit export or secedit import is run. Content: Contains the results of the analysis grouped by policy type.
  user-selected name.sdb	Location: %windir%\<user account>\Documents\Security\Database Created by: Running the Security Configuration and Analysis snap-in File type: Proprietary Refresh rate: Updated whenever a new security template is created. Content: Local security policies and user-created security templates.
  user-selected name.log	Location: User-defined, but defaults to %windir%\<user account>\Documents\Security\Logs Created by: Running the secedit analyze or secedit configure commands, or by using the Security Configuration and Analysis snap-in. File type: Text Refresh rate: Overwritten when secedit analyze or secedit configure is run, or by using the Security Configuration and Analysis snap-in. Content: Log file name, date and time, and the results of the analysis or investigation.
  user-selected name.inf	Location: %windir%\*<user account>\Documents\Security\Templates Created by: Running the Security Template snap-in. File type: Text Refresh rate: Overwritten each time the security template is updated. Content: Contains the set up information for the template for each policy selected using the snap-in.

Related links

• Command-Line Syntax Key