Applies To: Windows Server 2003, Windows Vista, Windows XP, Windows Server 2008, Windows 7, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2000, Windows Server 2012, Windows 8

Allows you to generate a rollback template for a specified configuration template. For examples of how this command can be used, see Examples.


Secedit /generaterollback /db <database file name> /cfg <configuration file name> /rbk <rollback template file name> [log <log file name>] [/quiet]






Specifies the path and file name of a database that contains the stored configuration against which the analysis will be performed.

If file name specifies a database that has not had a security template (as represented by the configuration file) associated with it, the /cfg <configuration file name> command-line option must also be specified.



Specifies the path and file name for the security template that will be imported into the database for analysis.

This /cfg option is only valid when used with the /db <database file name> parameter. If this is not specified, the analysis is performed against any configuration already stored in the database.



Specifies a security template into which the rollback information is written. Security templates are created using the Security Templates snap-in. Rollback files can be created with this command.



Specifies the path and file name of the log file for the process.



Suppresses screen and log output. You can still view analysis results by using the Security Configuration and Analysis snap-in to the Microsoft Management Console (MMC).


If the path for the log file is not provided, the default log file, (systemroot\Users \UserAccount\My Documents\Security\Logs\DatabaseName.log) is used.

Beginning with Windows Server 2008, Secedit /refreshpolicy has been replaced with gpupdate. For information on how to refresh security settings, see Gpupdate.

The successful running of this command will state “The task has completed successfully.” and logs only the mismatches between the stated security template and security policy configuration. It lists these mismatches in the scesrv.log.

If an existing rollback template is specified, this command will overwrite it. You can create a new rollback template with this command. No additional parameters are needed for either condition.


After creating the security template using the Security Configuration and Analysis snap-in, SecTmplContoso.inf, create the rollback configuration file to save the original settings. Write out the action to the FY11 log file.

Secedit /generaterollback /db C:\Security\FY11\SecDbContoso.sdb /cfg sectmplcontoso.inf /rbk sectmplcontosoRBK.inf /log C:\Security\FY11\SecAnalysisContosoFY11.log

Additional references