Security Compliance Manager 4.0 now available for download!

The Security Compliance Manager (SCM) is a free tool from Microsoft that enables you to quickly configure, and manage the computers in your environment using Group Policy and Microsoft System Center Configuration Manager. This version of SCM supports Windows 10, and Windows Server 2016.

You can easily configure computers running Windows 10 and Windows Server 2016 based on Microsoft Recommended Security Baselines and industry best practices.

You can download SCM 4.0 here.

Updates include:

  • Support for existing Windows 10 version 1511 security baselines
  • Support for upcoming Windows 10 version 1607, and Windows Server 2016
  • Bug fixes for ‘Compare’ and ‘Simple View’ features in SCM

The latest version of SCM offers all the same great features as before, plus bug fixes, and added support for upcoming baselines. SCM 4.0 provides a single location for creating, managing, analyzing, and customizing baselines to secure your environment quicker and more efficiently. In addition to the latest software releases, you can also configure previous additions of Windows client, Server, and Microsoft Office.

SCM provides DCM 2007 configuration packs that allow you to manage configuration drifts using Microsoft System Center Configuration Manager. Microsoft’s Operations Management Suite also supports monitoring for Security Baselines in your Server environments.

Comments (36)

  1. dhedges01 says:

    When will SCM support 2012/CurrentBranch Compliance Settings/Baselines? Several improvements (creating DWORDS!) have been made that are much more Admin and resource friendly than scripting every last registry key that’s needed.

    [Aaron Margosis] I’m sorry, but I don’t understand what you mean. Can you describe the problem in more detail and what you’d like SCM to do differently? Thanks.
    1. Sorry for the late reply (never saw a notification for this). In ConfigMgr 2012 and Higher we can do more things such as directly creating DWords, enabling 64-Bit redirection and of course using PowerShell as opposed to VBScript.

      I’ve noticed on several systems that the CPU spikes when trying to run some of the CI’s generated by the older DCM07 style policies and was hopeful that some improvements could be made there.

  2. Great… You should update the link..

    [Aaron Margosis] Thanks – we’ll look into that one.
  3. So where can I get the SCM CAB for 1507 ?

    [Aaron Margosis] That description was in error and has been corrected. There’s an SCM CAB file for v1511 but none for v1507. Because of the bugs that had existed in SCM and the internal SCM authoring tool prior to the new change, the v1511 CAB doesn’t include representations for the two new Advanced Auditing settings introduced in Windows 10. Although not in SCM CAB form, you can get full representations of the v1507 and v1511 baselines through these links:
    Security baseline for Windows 10 (v1507, build 10240, TH1, LTSB) — UPDATE
    Security baseline for Windows 10 (v1511, “Threshold 2”) — FINAL
  4. Xiao says:

    The LocalGPO tool is no longer available?

    [Aaron Margosis] No, it’s not. See LGPO.exe – Local Group Policy Object Utility, v1.0.
  5. Awesome News. Thank you for informing us. It will be good to see an official download page with system requirements from Microsoft Download Center. Will the Solution Accelerators page for SCM going to be updated on what has been improved? (

    Will the new SCM 4.0 support intergation with SQL Server remotely instead of local SQLExpress database?

    [Aaron Margosis] We’re working on getting that Solution Accelerators page updated.

    We had limited resourcing to get SCM updated. We tried newer versions of SQL Express but lots of things broke and we didn’t have the resources to chase them all down, so we had to stick with 2008. We definitely couldn’t reengineer it to work with a remote database system.

  6. Jason Fossen says:

    Very nice, thanks! Looking forward to future SCM updates in 2017 too that include security baselines written as PowerShell Desired State Configuration (DSC) scripts.

  7. Jason Fossen says:

    Btw, it would be good if Microsoft would put out an official statement about whether there will be a new version of EMET. Is EMET dead?

    [Aaron Margosis] Stay tuned, Jason! (That’s all I can say right now.)
  8. Brad says:

    Thanks for continuing to invest in this awesome tool.

  9. In case you need this (and/or Group Policy training), with tips and best practices come to

  10. This installer is bundled with SQL Server Express 2008 which throws up a notification during installation on Windows 10 Enterprise (1511) that it isn’t compatible. Why not include a more recent version of SQL Express?

    [Aaron Margosis] We wanted to, but we had very limited resources to get SCM updated. Too many things broke and we didn’t have time/resources to address them in this release, so unfortunately we had to stick with 2008. We hope to publish exact instructions to install SCM with a minimum of hassle. Our apologies for the inconvenience.
    1. Stephen Looney says:

      Good luck uninstalling SQL 2008 once it installs on Windows 10. Looks like I will be doing a manual uninstall registry edit… This is a big FAIL

  11. Patrick says:

    Any word on timelines for Windows 10 v1607 baselines?

    [Aaron Margosis] When they’re ready! 🙂
    1. SwissMat says:

      Are you currently in charge assembling them? What do you except that they could be ready? Days, weeks, months?

      [Aaron Margosis] We anticipate their being released by the time v1607 is designated CBB (Current Branch for Business). More info about branches here.
  12. When can we expect to see a baseline for Office 2016?

    [Aaron Margosis] We have no current plans AT THIS TIME to release Office baselines.
    1. SwissMat says:

      The missing Office 2016 SEC-BSLN is a big pain for our migration project. And I guess that we’re not allone.
      Please consider creating a refreshed security baseline for Office 2016 ProPlus and let us know when this could happen or at least inform about the next possible moment to recheck for availability.

  13. Coentjo says:

    Unfortunatelly when I edit a 2012 R2 baseline I still get the ‘0 setting available’ message. Based on what I read in id did some further investigation.

    When selecting the ‘Settings -> Add’ button the following is executed:
    exec dbo.GetSettings @ProductId=’FFB630E8-B52D-40AA-B61E-9A5783599AFD’

    This should return all settings for Windows 2012 R2 but it returns 0 rows.
    When I look into the dbo.GetSettings stored procedure I can see that the following statement is executed
    (SELECT SettingId FROM PrePopulatedProductAndCceIDForSetting WHERE ProductID = @ProductId)

    With the product code for Windows 2012 R2 this returns 0 rows. It seems that the PrePopulatedProductAndCceIDForSetting table contains nothing for Windows 2012 R2.

    Could this please be fixed? With the current contents of this table I can not create a custom Baseline for Windows 2012 R2 which greatly decreases the usage of SCM

    Best regards,

    1. MWhite says:

      @Coen – It looks like TheHawk posted the following SQL statement on the site you referenced:

      “It seems the problem is that table PrePopulatedProductAndCceIDForSetting doesn’t contain any GPO settings for W2K12 R2.
      To have at least the settings available which are part of the baselines, you can run this SQL statement
      use [XTrans]
      INSERT INTO PrePopulatedProductAndCceIDForSetting (SettingID,ProductID,”CCE-ID”,ArrayOfOptionIdAndCceId)
      (SELECT TOP 1 [CCE-ID] FROM Setting ts LEFT JOIN [CCE-ID_50] c ON ts.ProductID=c.ProductID AND ts.SettingID=c.SettingID
      WHERE ts.ProductID=s.ProductID AND ts.OriginalSettingID=s.OriginalSettingID AND [CCE-ID] IS NOT NULL
      ) AS [CCE-ID],

      FROM [Setting] s
      WHERE ProductID=’ffb630e8-b52d-40aa-b61e-9a5783599afd’ AND StartingFromProductID!=’00000000-0000-0000-0000-000000000000′
      Afterwards you can associate your baseline with W2K12 R2 and add new settings to it.”

      I applied it and it seems to resolve the issue – you can also apply the same statement for Windows 8.1, Windows 10 version 1511, and IE 11 by changing the WHERE ProductID=’ffb630e8-b52d-40aa-b61e-9a5783599afd’ statement accordingly.

      1. Angie Stahl says:

        This tool is still broken despite some of the suggested fixes listed here. Running the SQL code below does seem to expose the settings for the new baselines however if you attempt to add a individual setting from one of the baselines (i.e. Device Guard – Windows 10 1511) the actual settings cannot be found. – Any idea when MS is going to address this and provided a fixed tool?

        1. Coen van Dijk says:

          It is still not fixed. The tools is almost useless for Windows 2012 and newer releaes

          I tried creating a support case but was not able to do so since SCM is not officially supported 8-(

      2. Todd Mote says:

        I made the changes suggested by @TheHawk on that page and it allowed some things that could not be associated before with 2012 R2 work. So how do you get around this with other settings? I have imported some group policies that I would like to export them to an SCCM DCM cab, but can’t get past this associate issue. LAPS is a good example, I’d like to be able to check compliance that LAPS is enabled. It’s a very small GPO, only 4 settings, but I can’t associate it with anything to export it because of the ‘0 settings…’ issue. Same applies to firewall rules and restricted groups. Things that compliance people are actually interested in. The association seems to set the applicability of the rules once it get into SCCM and up until the fix by @TheHawk most of what I needed worked with 2008 R2 SP1, then I would change the applicability to the appropriate OS once in SCCM. Do I neeeeed to associate it just to get it out of SCM into SCCM? Is the association doing something else that’s not exposed?

  14. Donald Morgan Jr says:

    3 things:
    1. The localgpo tool is missing.
    2. Installing this on windows 10 pro v1607 worked by installing SQL server 2016 express, and then adding another instance labelled ‘SCM’ for the program to use.
    3. PolicyAnalyzer would be a great tool to include along with localgpo.

    [Aaron Margosis] LocalGPO has been replaced with LGPO.exe.
    1. Carlos Maia says:

      Where is the LGPO.EXE tool? When the installation of SCM 4.0 is completed there is no LGPO.EXE anywhere…

      [Aaron Margosis] It’s not included in the SCM install. You can download it from this blog post. (One benefit is that LGPO.exe can be updated independently from SCM.)
  15. Stephen Looney says:

    Windows 10 is listed as a supported OS on the official download page, but when you look at you see that SQL 2008/2008 R2 is not supported on Windows 10. How can there be such a large discrepancy in published requirements?

  16. kron says:

    When will this be supported to run on Windows 10 – now it just throws an error on the SQL 2008 express installation!

  17. r4ravi says:

    how to map it with SCCM ?

  18. James says:

    Why does the latest version of SCM still attempt to install SQL Express 2008? Isn’t that version unsupported?

    [Aaron Margosis] It’s still in extended support until July 2019. IIRC, you might get a warning on install, but if you bring it up to the latest service pack level, it should work fine.
  19. Ronak Sheth says:

    As SCM 4 had stopped it’s support to localGPO and has introduce LGPO.exe v1. How do we create GPO Pack for remote deployment using LGPO.exe?

    [Aaron Margosis] Create a backup using LGPO.exe /b, and apply the backup to the target system with LGPO.exe /g.
  20. uday says:

    I am using windows 10, I tried to install this application so many times on different machines running on windows 10 and I always get same error below

    Microsoft Security Compliance Manager Setup
    0 The Microsoft Security Compliance Manager Setup Wizard failed while
    installing SQL Server Express Edition
    The SQL Server installer requires a reboot to complete the installation of
    SQL Server Express.
    Please restart your computer and run the Microsoft Security
    Compliance Manager Setup Wizard again to complete the installation.

    1. Nicholas Eckermann says:

      I had to do it as a local admin to get it to work correctly

  21. bella hunt says:

    great news.Thank you for this update.

  22. Amnon Feiner says:

    is there a way to bulk import group policies int SCM? I could find any cmdlets for it.

    [Aaron Margosis] No.
  23. Kenny Abrahamsen says:

    Is SCM a good tool to use for validating things like custom registry entries, service run states (auto, manual, disabled), NTFS permissions. We use this in our compliance verification. I’m trying to piece together these abilities into a requirements document.
    We import the SCAP CAB file into SCCM.
    The custom baselines are good, but I’m wondering how I can add my own policy requirements.

  24. WBrady65 says:

    I’ve tried installing this on Windows 10 to an existing SQL Express 2012 instance and the msi install failed with a 1603 (meaning it could be anything) error. I also tried to install this on Win 7 using the included SQL Express install and it fails with a “Unknown error (0x84b30001)” during the SQL Express install. Any suggestions?

  25. laura says:

    when exporting the files from SCM > SCCM it imports some baselines but when deploying to machines it all errors – help!

Skip to main content