Security Compliance Manager (SCM) retired; new tools and procedures

Microsoft reluctantly announces the retirement of the Security Compliance Manager (SCM) tool. At the same time, we are reaffirming our commitment to delivering robust and useful security guidance for Windows, and tools to manage that guidance.

Microsoft first released the Security Compliance Manager (SCM) in 2010. It was a mammoth program that combined GPO-based security configuration recommendations; Threats & Countermeasures text for each setting; automatic downloading of new baselines as they are published; creating and editing custom baselines; comparing baselines; and importing and exporting, including export to GPO backup, SCCM DCM, SCAP v1.0, and Excel. However, the program’s design is incredibly complex, with an entirely separate (and incredibly complex) authoring tool to create and edit baselines in SCM’s proprietary format. The SCM tool itself needed to be updated for every Windows release, to be able to represent baselines for newer operating systems correctly even when SCM was installed on an earlier Windows version. Otherwise, baselines would not accurately represent new advanced auditing policies or new security entities such as “Local account” and “NT SERVICE” accounts, and couldn’t recognize operating system versions correctly for import and export. In addition, SCM is designed for GPO management and would require a massive overhaul to be able to handle Desired State Configuration (DSC) or Mobile Device Management (MDM). In short, SCM has become too inflexible and unwieldy to continue investing in it, particularly with other alternatives at hand. We will continue to publish security baselines, but not in the .cab file format used by SCM.

Beginning with the baselines for Windows 8.1, Windows Server 2012R2, and Internet Explorer 11, we have been publishing baselines through this blog site in lightweight .zip files containing GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy. We will continue to deliver security configuration guidance in that format. The GPO backups can be imported directly into Active Directory Group Policy along with corresponding WMI filters to apply policies to the correct machines. To take the place of SCM’s offline GPO-editing abilities, consider standing up an otherwise non-functional domain controller, importing Group Policy (.ADMX) templates as needed. To compare GPOs or to export to Excel, take a look at Policy Analyzer, which has much richer abilities in both areas than SCM had. We had previously retired the LocalGPO.wsf tool that had shipped with SCM and replaced it with the more-functional LGPO. Note that both tools have recently been updated and are now part of the new “Security Compliance Toolkit” which you can download here.

We recognize that the new tool set does not currently include support for DCM or SCAP and we will try to fill that gap. Meanwhile, though, the PowerShell-based Desired State Configuration (DSC) is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs to DSC and to validate system configuration. Examples:

Continue monitoring this blog site for additional announcements (https://blogs.technet.microsoft.com/secguide/).