Install and configure the SCAP extensions for Configuration Manager
Applies to: System Center Configuration Manager (Current Branch)
After preparing the infrastructure, you're ready to install and configure the SCAP extensions for Configuration Manager on the computer from which you want to run this process.
Install SCAP extensions
The installation file is located at the following path in the installation directory on the Configuration Manager site server:
Copy ConfigMgrExtensionsforSCAP.msi to the computer with the Configuration Manager console where you want to run this process.
In Windows Explorer, go to the folder where you copied ConfigMgrExtensionsforSCAP.msi. Double-click the file to open it and start the SCAP extensions for Configuration Manager installation wizard.
Review the license agreement. Click I accept the terms in the License Agreement and then click Install.
When the installation is complete, click Finish to close the installation wizard.
The installation wizard installs the SCAP extensions in the Configuration Manager console install folder. By default the console install folder is
C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole.
Download and install the SCAP data stream files
Before you can run the SCAP extensions, you must download the SCAP data stream files from the National Vulnerability Database (NVD) download page. Then copy them into the folder where you installed the SCAP extensions.
Depending on your environment, you may not need all the SCAP data stream files listed on the download page.
Install the SCAP data streams
Visit the NVD Web site to identify the SCAP data streams that are required by your organization. The SCAP data streams published by NIST are organized into multiple bundles, which are also called checklists.
Download the SCAP data streams from the NVD Web site, which are stored in compressed files with a .zip file name extension or marked as DataStream XML file.
There are many SCAP data stream files with the .xml extension that you can download from the NVD. However, only .xml files that include XCCDF (SCAP1.0 and 1.1)/DataStream (SCAP1.2) content are appropriate for use with the SCAP extensions.
Extract the SCAP data streams .zip files/DataStream XML file that you downloaded into the same folder where you installed the SCAP extensions.
Manually convert and import the SCAP data stream files
After getting the SCAP data streams, you're ready to import and convert the data streams to configuration baselines. The SCAP data streams published by NIST are organized into multiple bundles. Follow NIST's instructions to verify which bundles to use in your environment. For example, there's a separate bundle for each version of Windows, another version-specific bundle for the firewall configuration, and a bundle for Internet Explorer. Use the following procedures to accomplish this task.
This section describes the manual process to convert and import the data stream files with the Configuration Manager console. To automate this process, see the next section to Automatically convert and import the SCAP data stream files.
Click Import SCAP Content wizard in the ribbon from the configuration baseline group.
Select the SCAP content option.
Select the SCAP data stream file, XCCDF, and CPE dictionary file or Oval content file.
If SCAP 1.2 select the data stream. Then select the benchmark and profile for SCAP 1.x. Click Next to convert the content.
This page of the wizard displays the command line you would use with the ScapToDcm.exe tool to automate the same process.
Confirm the configuration data to be imported.
Click Next to import the configuration data.
Automatically convert and import the SCAP data stream files
Import with the command-line tool
After getting the SCAP data streams, you can use the Microsoft.Sces.ScapToDcm.exe tool to convert the SCAP data streams into compliance settings-compliant .cab files. Then import the .cab files into Configuration Manager. The Microsoft.Sces.ScapToDcm.exe tool converts the SCAP data streams into configuration items and configuration baselines that you can use in Configuration Manager. The Microsoft.Sces.ScapToDcm.exe tool converts the SCAP data streams into XML manifests. It then packages the XML manifests into a .cab file that you can import into Configuration Manager.
Step 4 of the manual process in the previous section shows the page of the wizard that displays the command line you would use with the ScapToDcm.exe tool to automate the same process.
Use Microsoft.Sces.ScapToDcm.exe to convert SCAP data streams into .cab files
At the command prompt, go to AdminConsole\Bin folder, and run Microsoft.Sces.ScapToDcm.exe. This tool generates a compliance settings-compliant .cab file, and imports it to the Configuration Manager site.
Your account must have read/write permissions for the output folder.
Usage for SCAP 1.0/1.1 content (XCCDF XML file, such as USGCB and DISA content):
Microsoft.Sces.ScapToDcm.exe –xccdf <xccdf.xml> -cpe <cpe.xml> -out <outputFolder> [-select benchmark/profile] [-log LogFileName]
If you don't specify the benchmark/profile by using the
–select parameter, then the tool generates a .cab file for each benchmark in the content file.
Usage for SCAP 1.2 content (DataStream XML file, such as the latest USGCB content):
Microsoft.Sces.ScapToDcm.exe –scap <scapdatastreamfile.xml> -out <outputFolder> [-select datastream/benchmark/profile] [-log LogFileName]
If you don't specify the datastream/benchmark/profile by using the
–select parameter, then the tool generates a .cab file for each benchmark in the content file.
Usage for single OVAL file with external variables:
Microsoft.Sces.ScapToDcm.exe –oval <singleOvalFile.xml> [-variable <externalVariableFile.xml>] -out <outputFolder> [-log LogFileName]
If there are multiple values for one variable in the external variable file, then the Microsoft.Sces.ScapToDcm.exe tool treats the values as an array for this variable.
Microsoft.Sces.ScapToDcm.exe command-line parameters
||Specify the SCAP data stream file||Yes (for SCAP 1.2 data stream, mutually exclusive with –xccdf and –oval / -variable)|
||Specify the XCCDF file||Yes (for SCAP 1.0/1.1 XCCDF, mutually exclusive with –scap and –oval / -variable)|
||Specify the CPE file||Yes (for SCAP 1.0/1.1 XCCDF, mutually exclusive with –scap and –oval / -variable)|
||Specify the OVAL file||Yes (for standalone OVAL file, mutually exclusive with –xccdf and -scap)|
||Specify the OVAL external variable file||No (Optional for standalone OVAL file when there's an external OVAL variable file, mutually exclusive with –xccdf and -scap)|
||Select XCCDF benchmark, profile from either the SCAP data stream or XCCDF file||No (This parameter isn't required but recommended. If not specified, then the tool generates a cab for all the profiles in all embedded DataStream/benchmarks)|
||Specify where to output the DCM cab file||No (If not specified, then the tool only lists the content without conversion)|
||Specify the log file||No (If not specified, then the log is written to Microsoft.Sces.ScapToDcm.log file)|
||Print out tool usage||No|
SCAP 1.2 content:
Microsoft.Sces.ScapToDcm.exe –scap scap_gov.nist_USTCB-ie8.xml –out .\mytestfolder –select mySCAPDataStreamID/myBenchMarkID/myProfileID
SCAP 1.0/1.1 content:
Microsoft.Sces.ScapToDcm.exe–xccdf scap_gov.nist_Test-WinXP_xccdf.xml –cpe scap_gov.nist_Test-WinXP_cpe.xml –out .\mytestfolder –select XCCDFBenchmarkID/MyProfileID
SCAP OVAL content:
Microsoft.Sces.ScapToDcm.exe –oval myOvalFile.xml –variable myOvalExternalVariableFile.xml –out .\mytestfolder
Sample output from Microsoft.Sces.ScapToDcm.exe
Compliance Settings compliant cab file created: Validate the schema of SCAP data stream file C:\24SCAP\BVT_Test_Data_Stream.xml Successfully validate the schema of SCAP data stream file C:\24SCAP\BVT_Test_Data_Stream.xml Process XCCDF Benchmark xccdf_tst.bvt_benchmark_Windows-F Process XCCDF Profile: xccdf_tst.bvt_profile_version_184.108.40.206-BVT Profile #1 Process OVAL: scap_tst.bvt_comp_Windows-F-oval.xml Successfully finished process OVAL: scap_tst.bvt_comp_Windows-F-oval.xml Process OVAL: scap_tst.bvt_comp_Windows-F-cpe-oval.xml Successfully finished process OVAL: scap_tst.bvt_comp_Windows-F-cpe-oval.xml Process SCAP data stream: scap_tst.bvt_datastream_Windows-F.zip SCAP Data Stream: [scap_tst.bvt_datastream_Windows-F.zip] Version: [1.2] Timestamp: [2/24/2012] Use-case: [CONFIGURATION] CPE Dictionary: [scap_tst.bvt_comp_Windows-F-cpe-dictionary.xml] OVAL: [Windows-F-cpe-oval.xml] Product name: [National Institute of Standards and Technology] Product version:  Schema version: [5.3] Timestamp: [2/24/2012] XCCDF Benchmark: [xccdf_tst.bvt_benchmark_Windows-F] Version: [v220.127.116.11] Update: [http://usgcb.nist.gov] Timestamp: [2/24/2012] Status: [accepted] Status date: [2/24/2012] Title: [Ohh New BVT for SCAP 1.2] Description: [My description] XCCDF Profile: [xccdf_tst.bvt_profile_version_18.104.22.168] OVAL: [Windows-F-oval.xml] Product name: [scaptool] Product version:  Schema version: [5.4] Timestamp: [2/24/2012] Start SCAP to DCM conversion... Processing SCAP data stream: scap_tst.bvt_datastream_Windows-F.zip Processing CPE dictionary: scap_tst.bvt_comp_Windows-F-cpe-dictionary.xml … Generating CI baseline cab file: C:\28\bbt\xccdf_tst.bvt_benchmark_Windows-F[xccdf_tst.bvt_profile_version_22.214.171.124].cab Successfully generated CI baseline cab file: C:\28\bbt\xccdf_tst.bvt_benchmark_Windows-F[xccdf_tst.bvt_profile_version_126.96.36.199].cab Successfully converted XCCDF profile: xccdf_tst.bvt_profile_version_188.8.131.52 into DCM baseline xccdf_tst.bvt_benchmark_Windows-F[xccdf_tst.bvt_profile_version_184.108.40.206].cab
Import the .cab file
The next step in the process is to use the Configuration Manager console to import the compliance settings-compliant .cab files into Configuration Manager. When you import the .cab files you created earlier in this process, one or more configuration items and configuration baselines are created in the Configuration Manager database. Later in the process you can deploy the configuration baselines to device collections. For more information, see Import configuration data.
The location of the .cab file that you previously created is the folder specified by the
–output parameter of the Microsoft.Sces.ScapToDcm.exe tool.
Repeat this process for each .cab file that you created earlier in the process. There's a .cab file for each selected profile in the XCCDF/DataStreamXML file that you downloaded from the NVD web site. You can process these files by running the Microsoft.Sces.ScapToDcm.exe tool.
The imported configuration baseline is read-only, its status is Enabled, and its deployed state No. The Date Modified property shows the time that you imported the baseline. The name of the configuration baseline comes from the display name section of the XCCDF/Datastream XML. The name is constructed using the convention
ABC[XYZ], where ABC is the XCCDF Benchmark ID, and XYZ is the XCCDF Profile ID (if a profile is selected).