Security Compliance Manager (SCM) retired; new tools and procedures

Microsoft reluctantly announces the retirement of the Security Compliance Manager (SCM) tool. At the same time, we are reaffirming our commitment to delivering robust and useful security guidance for Windows, and tools to manage that guidance.

Microsoft first released the Security Compliance Manager (SCM) in 2010. It was a mammoth program that combined GPO-based security configuration recommendations; Threats & Countermeasures text for each setting; automatic downloading of new baselines as they are published; creating and editing custom baselines; comparing baselines; and importing and exporting, including export to GPO backup, SCCM DCM, SCAP v1.0, and Excel. However, the program’s design is incredibly complex, with an entirely separate (and incredibly complex) authoring tool to create and edit baselines in SCM’s proprietary format. The SCM tool itself needed to be updated for every Windows release, to be able to represent baselines for newer operating systems correctly even when SCM was installed on an earlier Windows version. Otherwise, baselines would not accurately represent new advanced auditing policies or new security entities such as “Local account” and “NT SERVICE” accounts, and couldn’t recognize operating system versions correctly for import and export. In addition, SCM is designed for GPO management and would require a massive overhaul to be able to handle Desired State Configuration (DSC) or Mobile Device Management (MDM). In short, SCM has become too inflexible and unwieldy to continue investing in it, particularly with other alternatives at hand. We will continue to publish security baselines, but not in the .cab file format used by SCM.

Beginning with the baselines for Windows 8.1, Windows Server 2012R2, and Internet Explorer 11, we have been publishing baselines through this blog site in lightweight .zip files containing GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy. We will continue to deliver security configuration guidance in that format. The GPO backups can be imported directly into Active Directory Group Policy along with corresponding WMI filters to apply policies to the correct machines. To take the place of SCM’s offline GPO-editing abilities, consider standing up an otherwise non-functional domain controller, importing Group Policy (.ADMX) templates as needed. To compare GPOs or to export to Excel, take a look at Policy Analyzer, which has much richer abilities in both areas than SCM had. We had previously retired the LocalGPO.wsf tool that had shipped with SCM and replaced it with the more-functional LGPO. Note that both tools have recently been updated and are now part of the new “Security Compliance Toolkit” which you can download here.

We recognize that the new tool set does not currently include support for DCM or SCAP and we will try to fill that gap. Meanwhile, though, the PowerShell-based Desired State Configuration (DSC) is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs to DSC and to validate system configuration. Examples:

• BaselineManagement module: https://github.com/Microsoft/BaselineManagement
• DSC Environment Analyzer (DSCEA) announcement: https://blogs.technet.microsoft.com/ralphkyttle/2017/03/21/introducing-dscea/
• DSCEA repository: https://github.com/Microsoft/DSCEA

Continue monitoring this blog site for additional announcements (https://blogs.technet.microsoft.com/secguide/).

Comments

• Anonymous
  June 15, 2017
  Fill the gap to DCM ASAP PLEASE!
• Anonymous
  June 15, 2017
  Thank you for the work you've put into SCM, LGPO and many other tools at Microsoft!
• Anonymous
  June 22, 2017
  SCM was useful to comment or tag a setting : I have guides or documents where several settings are tagged by a number, then I build baselines from those guides with SCM, and I can track the settings by the tags. I save the baselines in SCM cab format, so tags are kept along the settings.I wonder if there is a way to keep those comments or tags for each setting, because they are lost with the GPO Backup format. And Excel can't import/save a baseline (or GPO backup) with setting/value/tag.Any idea ?
• Anonymous
  June 23, 2017
  Thanks for the news regarding SCM, as I had been wondering about the lack of updates. It was a great tool, and will be sorely missed especially because each baseline came with so many resources. I.e. the Server 2016 baseline for SCM comes with attachments, guides, CCE references, as well as three different policy examples (depending on your need: Domain, Domain Controller, Member Server). Sure, some of that comes in the new baselines, but not all of it. Sigh.Given the other changes regarding depreciation/changing of existing Group Policies in newer ADMX/ADML files, and the subsequent impact on the Central Store, Group Policy management has become significantly harder to manage.
• Anonymous
  June 27, 2017
  Please fix the DCM gap asap. I need to prove to our internal and external auditors that our servers are compliant to the baselines. With powershell dsc there is no way to this from a central location / tool. This prove is very important for us!Also SCM was allready not supported for some time (i tried rasing a support case a couple of months ago).
• Anonymous
  July 07, 2017
  THis is sad sad sad, I'm sure Aaron Margosis was not happy about this, as he put so much work into the last version of SCM4.0 and the PolicyAnalyzer, I was just using scm4.0 and am confused as to what is replacing it, just DSC and baselines? We still use group policy, as DSC has been having more problems in our environment than Group Policy did. We are planning on implementing DSC again, but it does not seem capable of handling everything necessary in our corporate enterprise. Hopefully I will be wrong.[Aaron Margosis] Not sad at all. The GPO backups and reports, and smaller and lighter-weight tools such as Policy Analyzer and LGPO.exe cover quite a bit of what SCM did, and in several ways they do a better job. We hope to publish other small, light-weight toolery in the near future as well. Stay tuned!
• Anonymous
  July 12, 2017
  Hi AaronCan we still use Microsoft Security Compliance Manager 4.0 for Server 2016? In a meeting today, one of our Systems Admin guy advised that SCM is back! If it is supported for Server 2016 then why not for Server 2012 R2?[Aaron Margosis] You can still run SCM if you want. We aren't publishing new baselines through SCM anymore, though.I don't know what your sysadmin guy meant that "SCM is back." The content of this blog post is still accurate and current.
• Anonymous
  July 13, 2017
  FYI, SCM is still a part of the exam and training for Exam 70-744: Securing Windows Server 2016[Aaron Margosis] Thanks for the alert -- I'll follow up on that.
• Anonymous
  July 18, 2017
  In your opinion, what is the best tool to WRITE security templates? The mmc does not cover nearly enough things. I always have Powershell scripts to harden the rest of what the standard Microsoft tools can't cover.[Aaron Margosis] The Security Templates MMC snap-in is what I use. What does it not cover?
• Anonymous
  July 28, 2017
  As long as Policy Analyzer doesn't support non-English operatingsystems this leaves a part of your customer base in a pinch.[Aaron Margosis] Policy Analyzer has not been localized, but it should work on non-English versions of Windows, and will in many cases use resources in the user's language. What problems are you seeing?
• Anonymous
  August 09, 2017
  Where can I find the baseline(s) for Windows 2008 R2? We still have a lot of these servers 8-([Aaron Margosis] You can still download the Security Compliance Manager here, and it still contains the older baselines. We're just not going to add any more baselines to its set.
• Anonymous
  August 11, 2017
  i have noticed that a draft security baseline for Windows 1703 was posted. If SCM is now EOL, where do we find the final recommended version of the Security baseline for 1703?[Aaron Margosis] https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/
• Anonymous
  October 12, 2017
  One thing that was very important, for me at least, was the vulnerability and impact texts.They gave a short descriptive answer about why it's configured the way it is in a common and easy way. It's especially usefull when the customers are asking why specific setting is configured the way it is. The ability so answer with something more than just, well, Microsoft says so is important. New settings that are published now, are being mentioned in the blogposts but thats hard to keep track of, especially after a while.So one ask would be to at least have a short vulnerability description somehow, somewhere.Keep up the good work!
• Anonymous
  October 20, 2017
  there should be an active effort to remove old documentation or at least update them with current information. please take this page down 'Security Compliance Manager (SCM)' https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx[Aaron Margosis] We're not updating SCM nor its content anymore, but SCM is still the repository for older baselines, and contains the "threats and countermeasures" text for many of the settings.
• Anonymous
  October 23, 2017
  I just stood up SCCM and want to create Configuration Baselines for Windows 1703. How do I generate the SCCM cab files from the new tools? Thanks!
• Anonymous
  November 13, 2017
  I think this a better link to start looking for the PS DSC modules https://www.powershellgallery.com/packages/BaselineManagement/2.6.2000[Aaron Margosis] This is what we're working with, actually.
• Anonymous
  July 19, 2018
  can SCM be used to set Audit Policy settings e.g. what AuditPol would normally do ?Thanks[Aaron Margosis] SCM (Security Compliance Manager) cannot, but LGPO.exe in the SCT (Security Compliance Toolkit) can.