SCM Baselines for Windows 8.1, IE 11 and Server 2012 R2 are now live!


The baselines for Windows 8.1, IE 11 and Server 2012 are now available for download.

You can download these via 2 methods.  The simplest is to open the SCM tool and select the option to "Download Microsoft baselines automatically"


The other option is to download the CAB file manually and import them into the SCM too yourself

8.1 Baseline -

8.1 Attachments -


IE 11 Baseline -

IE 11 Attachments -


Windows Server 2012 R2 Baseline -

Windows Server 2012 R2 Attachments -





Comments (5)
  1. PeterB12345 says:

    CAB files import find but unable to access any settings from these packages as when selected there are no settings available.

  2. Kevin says:

    Same problem as PeterB12345. No settings can be added. These would be useful if we could customize like we can all the other baselines. Otherwise, I have no use for this.

    [Aaron Margosis]  Known issue. Unfortunately there's nothing I can do about it.  The text below is from the Release Notes for the Win8.1 baselines; similar language is in the notes for the other baselines:

    • If the Microsoft Windows 8.1 Security Compliance Baseline is exported to a Group Policy object (GPO) from SCM 3.0, the exported GPO cannot be re-imported into SCM 3.0. Importing the exported GPO will not result in the same information and structure as was originally exported.

  3. 4010Michael says:

    I have the same issue as PeterB and Kevin. I believe that the "known issue" comment by Aaron Margosis is not applicable to this issue. I imported the "IE 11 Baseline –" file listed above. If you select "Add setting" with the source product of "Internet Explorer 11" there are zero settings available. If you change the product to "Internet Explorer 10" you have 1616 settings available to choose from. It would be nice to have the available settings for the IE 11 product in the SCM.

    [Aaron Margosis] It's the same known issue. It applies to all the new baselines.

  4. Edwin Hubley says:

    Can someone define the policy setting(s) in the 2012 R2 Member Server baseline that disables the ability to browse/copy folders on whatever servers have the baseline applied? I have been searching and cannot figure out which setting(s) are disabling. An
    example is two identical VMs using the built-in local administrator account (same pw) cannot have their folder structure viewed or edited after the baseline is applied.

  5. Chad says:

    I was wondering what the recommendation are for Generate Security Audits when you have IIS installed and the install tries to add the AppPoolIdentity to Generate Security Audits. Should I create another GP adding those specific accounts to Generate Security Audits or should I only allow Network and Local Service? Thanks

Comments are closed.

Skip to main content