Security Compliance Manager (SCM) retired; new tools and procedures


Microsoft reluctantly announces the retirement of the Security Compliance Manager (SCM) tool. At the same time, we are reaffirming our commitment to delivering robust and useful security guidance for Windows, and tools to manage that guidance.

Microsoft first released the Security Compliance Manager (SCM) in 2010. It was a mammoth program that combined GPO-based security configuration recommendations; Threats & Countermeasures text for each setting; automatic downloading of new baselines as they are published; creating and editing custom baselines; comparing baselines; and importing and exporting, including export to GPO backup, SCCM DCM, SCAP v1.0, and Excel. However, the program’s design is incredibly complex, with an entirely separate (and incredibly complex) authoring tool to create and edit baselines in SCM’s proprietary format. The SCM tool itself needed to be updated for every Windows release, to be able to represent baselines for newer operating systems correctly even when SCM was installed on an earlier Windows version. Otherwise, baselines would not accurately represent new advanced auditing policies or new security entities such as “Local account” and “NT SERVICE” accounts, and couldn’t recognize operating system versions correctly for import and export. In addition, SCM is designed for GPO management and would require a massive overhaul to be able to handle Desired State Configuration (DSC) or Mobile Device Management (MDM). In short, SCM has become too inflexible and unwieldy to continue investing in it, particularly with other alternatives at hand. We will continue to publish security baselines, but not in the .cab file format used by SCM.

Beginning with the baselines for Windows 8.1, Windows Server 2012R2, and Internet Explorer 11, we have been publishing baselines through this blog site in lightweight .zip files containing GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy. We will continue to deliver security configuration guidance in that format. The GPO backups can be imported directly into Active Directory Group Policy along with corresponding WMI filters to apply policies to the correct machines. To take the place of SCM’s offline GPO-editing abilities, consider standing up an otherwise non-functional domain controller, importing Group Policy (.ADMX) templates as needed. To compare GPOs or to export to Excel, take a look at Policy Analyzer, which has much richer abilities in both areas than SCM had. We had previously retired the LocalGPO.wsf tool that had shipped with SCM and replaced it with the more-functional LGPO. Note that both tools have recently been updated and are now part of the new “Security Compliance Toolkit” which you can download here.

We recognize that the new tool set does not currently include support for DCM or SCAP and we will try to fill that gap. Meanwhile, though, the PowerShell-based Desired State Configuration (DSC) is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs to DSC and to validate system configuration. Examples:

Continue monitoring this blog site for additional announcements (https://blogs.technet.microsoft.com/secguide/).


Comments (14)

  1. Michael says:

    Fill the gap to DCM ASAP PLEASE!

  2. Jason Fossen says:

    Thank you for the work you’ve put into SCM, LGPO and many other tools at Microsoft!

  3. Seb says:

    SCM was useful to comment or tag a setting : I have guides or documents where several settings are tagged by a number, then I build baselines from those guides with SCM, and I can track the settings by the tags. I save the baselines in SCM cab format, so tags are kept along the settings.
    I wonder if there is a way to keep those comments or tags for each setting, because they are lost with the GPO Backup format. And Excel can’t import/save a baseline (or GPO backup) with setting/value/tag.
    Any idea ?

  4. Dave says:

    Thanks for the news regarding SCM, as I had been wondering about the lack of updates. It was a great tool, and will be sorely missed especially because each baseline came with so many resources. I.e. the Server 2016 baseline for SCM comes with attachments, guides, CCE references, as well as three different policy examples (depending on your need: Domain, Domain Controller, Member Server). Sure, some of that comes in the new baselines, but not all of it. Sigh.

    Given the other changes regarding depreciation/changing of existing Group Policies in newer ADMX/ADML files, and the subsequent impact on the Central Store, Group Policy management has become significantly harder to manage.

  5. Coen van Dijk says:

    Please fix the DCM gap asap. I need to prove to our internal and external auditors that our servers are compliant to the baselines. With powershell dsc there is no way to this from a central location / tool. This prove is very important for us!

    Also SCM was allready not supported for some time (i tried rasing a support case a couple of months ago).

  6. James Gibbons says:

    THis is sad sad sad, I’m sure Aaron Margosis was not happy about this, as he put so much work into the last version of SCM4.0 and the PolicyAnalyzer, I was just using scm4.0 and am confused as to what is replacing it, just DSC and baselines? We still use group policy, as DSC has been having more problems in our environment than Group Policy did. We are planning on implementing DSC again, but it does not seem capable of handling everything necessary in our corporate enterprise. Hopefully I will be wrong.

    [Aaron Margosis] Not sad at all. The GPO backups and reports, and smaller and lighter-weight tools such as Policy Analyzer and LGPO.exe cover quite a bit of what SCM did, and in several ways they do a better job. We hope to publish other small, light-weight toolery in the near future as well. Stay tuned!
  7. Mohammad Rabbani says:

    Hi Aaron
    Can we still use Microsoft Security Compliance Manager 4.0 for Server 2016? In a meeting today, one of our Systems Admin guy advised that SCM is back! If it is supported for Server 2016 then why not for Server 2012 R2?

    [Aaron Margosis] You can still run SCM if you want. We aren’t publishing new baselines through SCM anymore, though.
    I don’t know what your sysadmin guy meant that “SCM is back.” The content of this blog post is still accurate and current.
  8. Karim says:

    FYI, SCM is still a part of the exam and training for Exam 70-744: Securing Windows Server 2016

    [Aaron Margosis] Thanks for the alert — I’ll follow up on that.
  9. Kevin says:

    In your opinion, what is the best tool to WRITE security templates? The mmc does not cover nearly enough things. I always have Powershell scripts to harden the rest of what the standard Microsoft tools can’t cover.

    [Aaron Margosis] The Security Templates MMC snap-in is what I use. What does it not cover?
  10. Sebastian says:

    As long as Policy Analyzer doesn’t support non-English operatingsystems this leaves a part of your customer base in a pinch.

    [Aaron Margosis] Policy Analyzer has not been localized, but it should work on non-English versions of Windows, and will in many cases use resources in the user’s language. What problems are you seeing?
  11. Coen van Dijk says:

    Where can I find the baseline(s) for Windows 2008 R2? We still have a lot of these servers 8-(

    [Aaron Margosis] You can still download the Security Compliance Manager here, and it still contains the older baselines. We’re just not going to add any more baselines to its set.
  12. christian says:

    i have noticed that a draft security baseline for Windows 1703 was posted. If SCM is now EOL, where do we find the final recommended version of the Security baseline for 1703?

  13. Mikael Grath says:

    One thing that was very important, for me at least, was the vulnerability and impact texts.
    They gave a short descriptive answer about why it’s configured the way it is in a common and easy way. It’s especially usefull when the customers are asking why specific setting is configured the way it is. The ability so answer with something more than just, well, Microsoft says so is important. New settings that are published now, are being mentioned in the blogposts but thats hard to keep track of, especially after a while.

    So one ask would be to at least have a short vulnerability description somehow, somewhere.

    Keep up the good work!

  14. i says:

    there should be an active effort to remove old documentation or at least update them with current information. please take this page down ‘Security Compliance Manager (SCM)’ https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

    [Aaron Margosis] We’re not updating SCM nor its content anymore, but SCM is still the repository for older baselines, and contains the “threats and countermeasures” text for many of the settings.
Skip to main content