About the Security Content Automation Protocol (SCAP) extensions

Applies to: System Center Configuration Manager (Current Branch)

The SCAP extensions for Configuration Manager help you analyze and assess your network environment for compliance with the Security Content Automation Protocol (SCAP). SCAP is defined and maintained by the National Institute of Standards and Technology (NIST). For more information, see the SCAP Project Overview.


This version of the tool is a pre-release feature that's only available in version 1806. This version isn't certified by NIST.

If you require a certified tool, or are using another version of Configuration Manager current branch, use the following version of the SCAP extensions:

The SCAP extensions for Configuration Manager use the compliance settings feature to first scan the computers in your environment. It then documents their level of compliance with the United States Government Configuration Baseline (USGCB).

The extensions enable Configuration Manager to consume SCAP data streams, assess systems for compliance, and generate report results in SCAP format. Your organization can use your existing Configuration Manager infrastructure to help ensure computers you manage meet this federal compliance requirement. Also use Configuration Manager to generate the USGCB reports required by NIST and the Office of Management and Budget (OMB).

This article provides information to help you install, configure, and run the SCAP extensions in your Configuration Manager infrastructure.

What's new

This version of the SCEP extensions for Configuration Manager includes and supports the following features:

  • A Configuration Manager console extension, which supports converting SCAP content to compliance settings baselines.

  • SCAP version 1.2, which includes the following components:

    • Extensible Configuration Checklist Description Format (XCCDF) version 1.2
    • Open Vulnerability and Assessment Language (OVAL) versions up to 5.10
    • generating Asset Reporting Format (ARF) 1.1 reports
    • Common Platform Enumeration (CPE) 2.3
    • Common Vulnerabilities and Exposures (CVE)
    • Common Configuration Enumeration (CCE) version 5
    • USGCB Internet Explorer 8, USGCB Windows 7, and USGCB Windows 7 Firewall
  • Backward-compatible with SCAP versions 1.1 and 1.0.

  • A console wizard to import SCAP 1.2/1.1/1.0 and OVAL content for conversion to configuration baselines.

    • Allows selection of SCAP source data streams, and XCCDF benchmarks and profiles for conversion.
  • A console wizard to export configuration evaluation result to SCAP-formated XML report.

    • Displays the source file, SCAP data stream, XCCDF benchmark, and XCCDF profile used to generate the baseline.
    • Generate the Cyberscope Lightweight Asset Summary Results (LASR) report.
  • Generate SCAP reports based on configuration baseline deployment. This component includes a new dashboard to visualize the client compliance as well as XCCDF rule compliance. The dashboard supports drilling through to more detailed reports where you can search and filter.

  • Improved performance of several types of configuration items converted from OVAL tests, which allows faster evaluation.

  • Fixes several issues found in Windows 10 DISA v1r3 content.


  • OVAL ID: An identifier for a specific OVAL definition that conforms to the format for OVAL IDs.

  • SCAP result data stream: A bundle of SCAP components, along with the mappings of references between SCAP components, that hold output (result) content.

  • SCAP source data stream: A bundle of SCAP components, along with the mappings of references between SCAP components, that hold input (source) content.

Deployment process

Here's a summary of the overall deployment process:

Prepare the infrastructure

Software requirements

To install, configure, and run the SCAP extensions for Configuration Manager, you need a computer with the following software:

In addition to the computer running the SCAP extensions, you also need the following items:

The computers that you want to assess for SCAP compliance need the following software and configurations:

  • The Configuration Manager client.

  • Windows PowerShell 2.0 or higher.

  • The Configuration Manager PowerShell execution policy set to Bypass. For more information, see the PowerShell execution policy article.

  • One of the following operating systems:

    • Windows 7 SP1, 32-bit or 64-bit
    • Windows 10, 32-bit or 64-bit
    • Windows Server 2012 R2

Hardware Requirements

For more information about the minimum system requirements for Configuration Manager, see Planning for hardware configurations for Configuration Manager.

Accessibility features

The SCAP extensions for Configuration Manager include Windows command-line tools. These tools can take advantage of the accessibility features and tools in Windows.

The SCAP extensions also make use of accessibility features in Configuration Manager. For more information, see Accessibility features in Configuration Manager.

For more information about Microsoft accessibility products and services, see the Microsoft Accessibility website.

Next step