Security Compliance Manager 4.0 now available for download!

The Security Compliance Manager (SCM) is a free tool from Microsoft that enables you to quickly configure and manage the computers in your environment using Group Policy and Microsoft System Center Configuration Manager. This version of SCM supports Windows 10 and Windows Server 2016.

You can easily configure computers running Windows 10 and Windows Server 2016 based on Microsoft Recommended Security Baselines and industry best practices.

You can download SCM 4.0 here.

Updates include:

  • Support for existing Windows 10 version 1511 security baselines
  • Support for upcoming Windows 10 version 1607 and Windows Server 2016
  • Bug fixes for ‘Compare’ and ‘Simple View’ features in SCM

The latest version of SCM offers all the same great features as before, plus bug fixes and added support for upcoming baselines. SCM 4.0 provides a single location for creating, managing, analyzing, and customizing baselines to secure your environment more quickly and efficiently. In addition to the latest software releases, you can also configure previous editions of Windows client, Server, and Microsoft Office.

SCM provides DCM 2007 configuration packs that allow you to manage configuration drifts using Microsoft System Center Configuration Manager. Microsoft’s Operations Management Suite also supports monitoring for Security Baselines in your Server environments.

Comments

  • Anonymous
    July 28, 2016
    When will SCM support 2012/CurrentBranch Compliance Settings/Baselines? Several improvements (creating DWORDS!) have been made that are much more Admin and resource friendly than scripting every last registry key that's needed.
    [Aaron Margosis] I'm sorry, but I don't understand what you mean. Can you describe the problem in more detail and what you'd like SCM to do differently? Thanks.
    • Anonymous
      September 19, 2016
      Sorry for the late reply (never saw a notification for this). In ConfigMgr 2012 and Higher we can do more things such as directly creating DWords, enabling 64-Bit redirection and of course using PowerShell as opposed to VBScript. I've noticed on several systems that the CPU spikes when trying to run some of the CI's generated by the older DCM07 style policies and was hopeful that some improvements could be made there.
  • Anonymous
    July 28, 2016
    Great... You should update the www.microsoft.com/scm link.
    [Aaron Margosis] Thanks - we'll look into that one.
  • Anonymous
    July 28, 2016
    So where can I get the SCM CAB for 1507?
    [Aaron Margosis] That description was in error and has been corrected. There's an SCM CAB file for v1511 but none for v1507. Because of the bugs that had existed in SCM and the internal SCM authoring tool prior to the new change, the v1511 CAB doesn't include representations for the two new Advanced Auditing settings introduced in Windows 10. Although not in SCM CAB form, you can get full representations of the v1507 and v1511 baselines through these links:
    - Security baseline for Windows 10 (v1507, build 10240, TH1, LTSB) — UPDATE
    - Security baseline for Windows 10 (v1511, "Threshold 2") — FINAL
  • Anonymous
    July 28, 2016
    The LocalGPO tool is no longer available?
    [Aaron Margosis] No, it's not. See LGPO.exe – Local Group Policy Object Utility, v1.0.
  • Anonymous
    July 28, 2016
    Awesome News. Thank you for informing us. It will be good to see an official download page with system requirements from Microsoft Download Center. Is the Solution Accelerators page for SCM going to be updated on what has been improved? (https://technet.microsoft.com/en-nz/solutionaccelerators/cc835245.aspx) Will the new SCM 4.0 support integration with SQL Server remotely instead of local SQLExpress database?
    [Aaron Margosis] We're working on getting that Solution Accelerators page updated. We had limited resourcing to get SCM updated. We tried newer versions of SQL Express but lots of things broke and we didn't have the resources to chase them all down, so we had to stick with 2008. We definitely couldn't reengineer it to work with a remote database system.
  • Anonymous
    July 29, 2016
    Very nice, thanks! Looking forward to future SCM updates in 2017 too that include security baselines written as PowerShell Desired State Configuration (DSC) scripts.
  • Anonymous
    July 29, 2016
    Btw, it would be good if Microsoft would put out an official statement about whether there will be a new version of EMET. Is EMET dead?
    [Aaron Margosis] Stay tuned, Jason! (That's all I can say right now.)
  • Anonymous
    July 29, 2016
    Thanks for continuing to invest in this awesome tool.
  • Anonymous
    July 29, 2016
    In case you need this (and/or Group Policy training), with tips and best practices come to GPanswers.com/training.
  • Anonymous
    July 30, 2016
    This installer is bundled with SQL Server Express 2008 which throws up a notification during installation on Windows 10 Enterprise (1511) that it isn't compatible. Why not include a more recent version of SQL Express?
    [Aaron Margosis] We wanted to, but we had very limited resources to get SCM updated. Too many things broke and we didn't have time/resources to address them in this release, so unfortunately we had to stick with 2008. We hope to publish exact instructions to install SCM with a minimum of hassle. Our apologies for the inconvenience.
    • Anonymous
      September 01, 2016
      Good luck uninstalling SQL 2008 once it installs on Windows 10. Looks like I will be doing a manual uninstall registry edit... This is a big FAIL
      • Anonymous
        June 07, 2017
        If you install a more recent version of SQL server prior to the SCM 4.0 installation, you can avoid SQL 2008 Express altogether.
  • Anonymous
    August 02, 2016
    Any word on timelines for Windows 10 v1607 baselines?
    [Aaron Margosis] When they're ready! :-)
    • Anonymous
      August 17, 2016
      Are you currently in charge of assembling them? When do you expect that they could be ready? Days, weeks, months?
      [Aaron Margosis] We anticipate their being released by the time v1607 is designated CBB (Current Branch for Business). More info about branches here.
      • Anonymous
        July 18, 2017
        Any input from Aaron Margosis would be appreciated here...
        We used to be able to duplicate a baseline, clear out its settings, and add in settings as we pleased. This is excellent for STIG, CIS, and custom baselines that are based off of this. However, starting around the Windows Server 2012 R2 timeframe, this ability has been lost. When a baseline is duplicated, it no longer lets you add settings, and reads "0 Setting(s)". I am having difficulty understanding the primary purpose of this tool. I thought it was to work with baselines and then use the LGPO tool to harden servers and workstations. Clearly this is not what this tool is supposed to be used for any longer; if I cannot create baselines for it, it is useless.
        My questions are:
        - What are other people even using this for?
        - What do Aaron and his team even use it for?
        - Why does Microsoft not care about the customers that have been readily using this tool?
        - Why does this question thread consistently get ignored by Microsoft wherever I have seen it on Technet?
        [Aaron Margosis] SCM retired: https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/
  • Anonymous
    August 02, 2016
    When can we expect to see a baseline for Office 2016?
    [Aaron Margosis] We have no current plans AT THIS TIME to release Office baselines.
    • Anonymous
      August 17, 2016
      The missing Office 2016 SEC-BSLN is a big pain for our migration project. And I guess that we're not alone. Please consider creating a refreshed security baseline for Office 2016 ProPlus and let us know when this could happen or at least inform about the next possible moment to recheck for availability.
  • Anonymous
    August 14, 2016
    The comment has been removed
    • Anonymous
      September 19, 2016
      @Coen - It looks like TheHawk posted the following SQL statement on the site you referenced:
      "It seems the problem is that table PrePopulatedProductAndCceIDForSetting doesn’t contain any GPO settings for W2K12 R2. To have at least the settings available which are part of the baselines, you can run this SQL statement

          use [XTrans]
          INSERT INTO PrePopulatedProductAndCceIDForSetting (SettingID, ProductID, [CCE-ID], ArrayOfOptionIdAndCceId)
          SELECT DISTINCT
              s.[OriginalSettingID],
              s.StartingFromProductID,
              (SELECT TOP 1 [CCE-ID]
               FROM Setting ts
               LEFT JOIN [CCE-ID_50] c ON ts.ProductID = c.ProductID AND ts.SettingID = c.SettingID
               WHERE ts.ProductID = s.ProductID AND ts.OriginalSettingID = s.OriginalSettingID AND [CCE-ID] IS NOT NULL
               ORDER BY [CCE-ID] DESC) AS [CCE-ID],
              ''
          FROM [Setting] s
          WHERE ProductID = 'ffb630e8-b52d-40aa-b61e-9a5783599afd' AND StartingFromProductID != '00000000-0000-0000-0000-000000000000'

      Afterwards you can associate your baseline with W2K12 R2 and add new settings to it."
      I applied it and it seems to resolve the issue - you can also apply the same statement for Windows 8.1, Windows 10 version 1511, and IE 11 by changing the WHERE ProductID='ffb630e8-b52d-40aa-b61e-9a5783599afd' statement accordingly.
      • Anonymous
        October 04, 2016
        This tool is still broken despite some of the suggested fixes listed here. Running the SQL code below does seem to expose the settings for the new baselines; however, if you attempt to add an individual setting from one of the baselines (i.e. Device Guard - Windows 10 1511) the actual settings cannot be found. Any idea when MS is going to address this and provide a fixed tool?
      • Anonymous
        October 24, 2016
        I made the changes suggested by @TheHawk on that page and it allowed some things that could not be associated before with 2012 R2 to work. So how do you get around this with other settings? I have imported some group policies that I would like to export to an SCCM DCM cab, but can't get past this associate issue. LAPS is a good example, I'd like to be able to check compliance that LAPS is enabled. It's a very small GPO, only 4 settings, but I can't associate it with anything to export it because of the '0 settings...' issue. Same applies to firewall rules and restricted groups. Things that compliance people are actually interested in. The association seems to set the applicability of the rules once it gets into SCCM and up until the fix by @TheHawk most of what I needed worked with 2008 R2 SP1, then I would change the applicability to the appropriate OS once in SCCM. Do I neeeeed to associate it just to get it out of SCM into SCCM? Is the association doing something else that's not exposed?
  • Anonymous
    August 17, 2016
    3 things:
    1. The localgpo tool is missing.
    2. Installing this on windows 10 pro v1607 worked by installing SQL server 2016 express, and then adding another instance labelled 'SCM' for the program to use.
    3. PolicyAnalyzer would be a great tool to include along with localgpo.
    [Aaron Margosis] LocalGPO has been replaced with LGPO.exe.
    • Anonymous
      August 21, 2016
      Where is the LGPO.EXE tool? When the installation of SCM 4.0 is completed there is no LGPO.EXE anywhere...
      [Aaron Margosis] It's not included in the SCM install. You can download it from this blog post. (One benefit is that LGPO.exe can be updated independently from SCM.)
  • Anonymous
    September 01, 2016
    Windows 10 is listed as a supported OS on the official download page, but when you look at https://support.microsoft.com/en-us/kb/2681562 you see that SQL 2008/2008 R2 is not supported on Windows 10. How can there be such a large discrepancy in published requirements?
  • Anonymous
    September 06, 2016
    When will this be supported to run on Windows 10 - now it just throws an error on the SQL 2008 express installation!
  • Anonymous
    September 07, 2016
    How to map it with SCCM?
  • Anonymous
    September 28, 2016
    Why does the latest version of SCM still attempt to install SQL Express 2008? Isn't that version unsupported?
    [Aaron Margosis] It's still in extended support until July 2019. IIRC, you might get a warning on install, but if you bring it up to the latest service pack level, it should work fine.
  • Anonymous
    November 04, 2016
    As SCM 4 has stopped its support for LocalGPO and has introduced LGPO.exe v1, how do we create a GPO Pack for remote deployment using LGPO.exe?
    [Aaron Margosis] Create a backup using LGPO.exe /b, and apply the backup to the target system with LGPO.exe /g.
  • Anonymous
    November 07, 2016
    I am using windows 10, I tried to install this application so many times on different machines running on windows 10 and I always get same error below
    "Microsoft Security Compliance Manager Setup 0 The Microsoft Security Compliance Manager Setup Wizard failed while installing SQL Server Express Edition The SQL Server installer requires a reboot to complete the installation of SQL Server Express. Please restart your computer and run the Microsoft Security Compliance Manager Setup Wizard again to complete the installation. OK"
    • Anonymous
      January 26, 2017
      I had to do it as a local admin to get it to work correctly
  • Anonymous
    November 10, 2016
    Great news. Thank you for this update.
  • Anonymous
    December 01, 2016
    Is there a way to bulk import group policies into SCM? I couldn't find any cmdlets for it.
    [Aaron Margosis] No.
  • Anonymous
    January 30, 2017
    Is SCM a good tool to use for validating things like custom registry entries, service run states (auto, manual, disabled), NTFS permissions? We use this in our compliance verification. I'm trying to piece together these abilities into a requirements document. We import the SCAP CAB file into SCCM. The custom baselines are good, but I'm wondering how I can add my own policy requirements.
  • Anonymous
    February 01, 2017
    I've tried installing this on Windows 10 to an existing SQL Express 2012 instance and the msi install failed with a 1603 (meaning it could be anything) error. I also tried to install this on Win 7 using the included SQL Express install and it fails with an "Unknown error (0x84b30001)" during the SQL Express install. Any suggestions?
  • Anonymous
    February 16, 2017
    When exporting the files from SCM > SCCM it imports some baselines but when deploying to machines it all errors - help!
  • Anonymous
    June 06, 2017
    Is there a security baseline for Windows 10 v1703 yet?
    [Aaron Margosis] Draft is available here now: https://blogs.technet.microsoft.com/secguide/2017/06/15/security-baseline-for-windows-10-creators-update-v1703-draft/
  • Anonymous
    July 18, 2017
    (Apologies for this being posted as a reply further down. It was supposed to be a new post. Not sure why that happened since I didn't post it as a reply.)
    Any input from Aaron Margosis would be appreciated here...
    We used to be able to duplicate a baseline, clear out its settings, and add in settings as we pleased. This is excellent for STIG, CIS, and custom baselines that are based off of this. However, starting around the Windows Server 2012 R2 timeframe, this ability has been lost. When a baseline is duplicated, it no longer lets you add settings, and reads "0 Setting(s)". I am having difficulty understanding the primary purpose of this tool. I thought it was to work with baselines and then use the LGPO tool to harden servers and workstations. Clearly this is not what this tool is supposed to be used for any longer; if I cannot create baselines for it, it is useless.
    My questions are:
    - What are other people even using this for?
    - What do Aaron and his team even use it for?
    - Why does Microsoft not care about the customers that have been readily using this tool?
    - Why does this question thread consistently get ignored by Microsoft wherever I have seen it on Technet?
    [Aaron Margosis] SCM retired: https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/