Get Support

What is the Microsoft Security Compliance Manager (SCM)?

The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we have moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy.

More information about this change can be found on the Microsoft Security Guidance blog.

Where can I get an older version of a Windows baseline?

Any version of Windows baseline before Windows 10 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.

What file formats are supported by the new SCT?

The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a .PolicyRules file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. See the LGPO documentation for more information. Keep in mind that SCM’s .cab files are no longer supported.

Does SCT support Desired State Configuration (DSC) file format?

Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features.

Does SCT support the creation of System Center Configuration Manager (SCCM) DCM packs?

No. A potential alternative is Desired State Configuration (DSC), a feature of the Windows Management Framework. A tool that supports conversion of GPO backups to DSC format can be found here.

Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?

No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new toolkit likewise does not include SCAP support.


Version Matrix

Client Versions

Name Build Baseline Release Date Security Tools
Windows 10 1709 (RS3)

1703 (RS2)

1607 (RS1)

1511 (TH2)

1507 (TH1)

October 2017

August 2017

October 2016

January 2016

January 2016

SCT 1.0
Windows 8.1 9600 (April Update) October 2013 SCM 4.0
Windows 8 9200 October 2012 SCM 4.0
Windows 7 7601 (SP1) October 2009 SCM 4.0
Vista 6002 (SP2) January 2007 SCM 4.0
Windows XP 2600 (SP3) October 2001 SCM 4.0


Server Versions

Name Build Baseline Release Date Security Tools
Windows Server 2016 SecGuide October 2016 SCT 1.0
Windows Server 2012 R2 SecGuide August 2014 SCT 1.0
Windows Server 2012 Technet 2012 SCM 4.0
Windows Server 2008 R2 SP1 2009 SCM 4.0
Windows Server 2008 SP2 2008 SCM 4.0
Windows Server 2003 R2 Technet 2003 SCM 4.0
Windows Server 2003 Technet 2003 SCM 4.0


Microsoft Products

Name Details Security Tools
Internet Explorer 11 SecGuide SCT 1.0
Internet Explorer 10 Technet SCM 4.0
Internet Explorer 9 Technet SCM 4.0
Internet Explorer 8 Technet SCM 4.0
Exchange Server 2010 Technet SCM 4.0
Exchange Server 2007 Technet SCM 4.0
Microsoft Office 2010 Technet SCM 4.0
Microsoft Office 2007 SP2 Technet SCM 4.0


Note

Browser baselines are built-in to new OS versions starting with Windows 10

See also

Windows Security Baselines