STIG Compliance with SCAP and DCM in Configmgr

In this post, I demonstrate how to use System Center Configuration Manager to evaluate clients for STIG compliance.

The process at a high level is:

1. Download the corresponding STIG compliance SCAP files.
2. Convert the downloaded files into a CAB file for import.
3. Import the CAB file into Configmgr.
4. Deploy the Configuration Baseline to the corresponding device collection.
5. Evaluate the compliance reporting from the clients.
6. Export the compliance data to SCAP format.

Important information

For SCAP 1.0 – 1.2, if you don’t specify the benchmark/profile, then scaptodcm.exe will generate a DCM cab for each benchmark in the content file. Fun.

If you specify multiple values for a single variable in an external variable file, then the scaptodcm.exe tool will treat the values as an array.

The settings you may see in the screenshots are NOT worthy of a production site, my clients and site servers have very aggressive schedules because I don’t have the same concerns when running in production. DO NOT use my schedule settings.

Don’t confuse the two executables: scaptodcm.exe and dcmtoscap.exe, they both have different jobs.

When converting the compliance data to a results file, if the clients evaluated multiple datastream \ benchmark \ profiles use the -select parameter to specify the same datastream \ benchmark \ profile which was run on the client.

SCAP 3.0 extensions must be installed on your Configmgr server.

At the bottom you will find two tables: one defines the command line parameters and the other lists the relevant log files if you need to troubleshoot.


Download the appropriate SCAP files

1.  Download the SCAP content from:

Screenshot: the download listing shows two benchmarks, Windows 2012 and 2012 R2 DC STIG Benchmark - Ver 2, Rel 6 (10/28/2016, 130 KB) and Windows 2012 and 2012 R2 MS STIG Benchmark - Ver 2, Rel 6 (10/28/2016, 128 KB).

2.  Extract the ZIP file to a folder for conversion. I just created a subfolder under the directory where scaptodcm.exe lives to keep things simple. You should choose the location that makes sense to you.

Screenshot: the extracted folder, Program Files (x86)\SCAP Extensions\2012, contains four XML documents (modified 9/15/2016): U_Windows_2012_and_2012_R2_MS_V2R6_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml, ...Benchmark-cpe-oval.xml, ...Benchmark-oval.xml and ...Benchmark-xccdf.xml.

In this example, we will import the Windows 2012 and 2012 R2 MS STIG Benchmark – Ver 2, Rel.6.

3.  After extracting the zip file, from a command prompt with administrative permissions run the appropriate command line to convert the content to a DCM .CAB file: the SCAP data stream file for SCAP 1.2 content, or the XCCDF benchmark and CPE dictionary for SCAP 1.0 or 1.1 content.

In this example the file is SCAP 1.1 so the parameter -xccdf is required.

Below is an example command line for each type of content: 1.0/1.1, 1.2, and OVAL. See my note above regarding the -select parameter.

SCAP 1.0/1.1 Content: scaptodcm.exe -xccdf scap_gov.nist_Test-Win10_xccdf.xml -cpe scap_gov.nist_Test-Win10_cpe.xml -out <folder> -select XCCDFBenchmarkID \ ProfileID

SCAP 1.2 Content: scaptodcm.exe -scap scap_gov.nist_USTCB-ie11.xml -out <folder> -select SCAPDataStreamID \ BenchMarkID \ ProfileID

SCAP OVAL Content: scaptodcm.exe -oval OvalFile.xml -variable OvalExternalVariableFile.xml -out <folder>

The conversion process may take a minute or more depending on the XML file.

Screenshot (command prompt): the usage text printed by scaptodcm.exe, followed by the output of the conversion run. The usage text reads:

Usage for SCAP 1.2: ScapToDcm.exe -scap ScapDataStreamFile [-out OutputDirectory] [-select ScapDataStreamID/XccdfBenchmarkID/XccdfProfileID] [-log LogFileName] [-batch 500]

Usage for SCAP 1.1/1.0: ScapToDcm.exe -xccdf XccdfFile -cpe CPEFile [-out OutputDirectory] [-select XccdfBenchmarkID/XccdfProfileID] [-log LogFileName] [-batch 500]

Usage for OVAL: ScapToDcm.exe -oval OvalFile [-variable OvalExternalVariableFile] [-out OutputDirectory] [-log LogFileName] [-batch 500]

The command run in the screenshot, from the SCAP Extensions folder:

scaptodcm.exe -xccdf .\2012\U_Windows_2012_and_2012_R2_MS_V2R6_STIG_SCAP_1-1_Benchmark-xccdf.xml -cpe .\2012\U_Windows_2012_and_2012_R2_MS_V2R6_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml -out .\2012

The tool creates ScapToDcm.log in its own folder, validates the schema of the XCCDF file, processes the XCCDF benchmark Windows_2012_MS_STIG and each of its profiles (MAC-1, MAC-2 and MAC-3 in Classified, Public and Sensitive variants, plus Disable_Slow_Rules), processes the OVAL definitions in the -oval.xml file, then the CPE dictionary and the -cpe-oval.xml file, and finally prints the benchmark metadata: version 2, status accepted, status date 10/28/2016, title "Windows Server 2012 / 2012 R2 Member Server Security Technical Implementation Guide".

Once the conversion is completed the CAB file should be located in the directory specified in the command line with the -out parameter.

Next is to import the file in Configmgr for deployment, evaluation, and compliance reporting.

Import the Compliance Settings CAB files into Configmgr

The next step in the process is to use the Configuration Manager Console to import the Compliance Settings-compliant .cab files into Configuration Manager. When you import the .cab files you created earlier in this process, one or more configuration items and configuration baselines are created in the Configuration Manager database. Later in the process, you can assign each of the configuration baselines to a computer collection in Configuration Manager.

To import the Compliance Settings CAB files into Configmgr

1.  In the Configuration Manager Console, navigate to Assets and Compliance > Compliance Settings > Configuration Baselines.

2.  In the menu bar, click the blue arrow Import Configuration Data.

3.  To begin the import process click the Add button.

4.  Browse to the directory that we specified earlier with the scaptodcm.exe tool -out <path\file>, and select the CAB file that was created. 

Click Yes in the Configuration Manager Security Warning dialog box.

Configuration Manager: The publisher of Windows_2012_MS file could not be verified. Are you sure that you want to import this file?

You should now see the CAB file listed in the Select Files page similar to this.

Screenshot: Import Configuration Data Wizard, Select Files page, listing Windows_2012_MS_STIG.cab (41,274 KB, modified 12/20/2016), with the option "Create a new copy of the imported configuration baselines and configuration items".

You could add more than one CAB file here; if you created or have multiple CAB files to import, simply repeat steps 3 and 4.

5.  Click the Next button.

This starts the verification process for the import; it can take several minutes depending on the number of Configuration Items being imported.

Screenshot: Verifying Configuration Data dialog ("Please wait while Configuration Manager verifies the selected files. If there are many configuration items and configuration baselines in the file, this process might take some time to finish").

6.  Once the verification is finished you will be at the Summary page which will list all the Configuration Items being imported.

Screenshot: Import Configuration Data Wizard, Summary page, listing 408 configuration items to be imported (OVAL IDs of the form oval:mil.disa.fso.windows:tst:449300, each with the default profile).

7.  Click the Next button and this will start the import into Configmgr. This may also take a few minutes.

Screenshot: Import Configuration Data Wizard, Confirmation page ("You have successfully completed the Import Configuration Data Wizard"), listing the same 408 configuration items, each marked [Success].

8.  Click the close button to exit the import wizard.

The new configuration baseline appears in the information pane of the Configuration Manager Console.

Screenshot: the Configuration Baselines node (16 items) showing "Windows Server 2012 / 2012 R2 Member Server Security Technical Implementation Guide", Status Enabled, Date Modified 12/20/2016 3:12 PM, with empty Compliance, Noncompliance and Failure counts.

The name of the configuration baseline is taken from the display name section of the XCCDF/Datastream XML and is constructed using the following convention:

ABC[XYZ], where ABC is the XCCDF Benchmark ID, and XYZ is the XCCDF Profile ID (if a profile is selected).
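Both the -select value passed to scaptodcm.exe / dcmtoscap.exe earlier and the ABC[XYZ] naming convention above come from the benchmark and profile IDs inside the content. The following script is an added example, not part of the original post or of the SCAP Extensions: it reads a SCAP 1.0/1.1 XCCDF file or a SCAP 1.2 data stream, lists every BenchmarkID \ ProfileID (or DataStreamID \ BenchmarkID \ ProfileID) value the content offers for -select, and shows the ABC[XYZ] name that selection maps to. The two XML documents embedded in it are constructed samples that only mimic the shape of real DISA content; the element and attribute names are those of the XCCDF 1.1/1.2 and SCAP 1.2 source data stream schemas, and the backslash separator follows the command lines shown in this post.

```python
"""List -select values (and the resulting Configmgr baseline names) from SCAP content.

Added example, not from the original post or the SCAP Extensions. The two XML
documents below are constructed samples shaped like real XCCDF / SCAP content."""
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = ("http://checklists.nist.gov/xccdf/1.1",
            "http://checklists.nist.gov/xccdf/1.2")
DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample: SCAP 1.1 XCCDF benchmark (IDs modelled on the STIG in the post).
SAMPLE_XCCDF_11 = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Windows_2012_MS_STIG">
  <status date="2016-10-28">accepted</status>
  <title>Windows Server 2012 / 2012 R2 Member Server STIG (constructed sample)</title>
  <Profile id="MAC-1_Classified"><title>MAC-1 Classified</title></Profile>
  <Profile id="MAC-1_Public"><title>MAC-1 Public</title></Profile>
</Benchmark>"""

# Constructed sample: SCAP 1.2 source data stream wrapping an XCCDF 1.2 benchmark.
SAMPLE_DS_12 = """<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="scap_example.org_collection_sample">
  <ds:data-stream id="scap_example.org_datastream_sample">
    <ds:checklists><ds:component-ref id="ref_xccdf" xlink:href="#comp_xccdf"/></ds:checklists>
  </ds:data-stream>
  <ds:component id="comp_xccdf" timestamp="2016-10-28T00:00:00">
    <xccdf:Benchmark id="xccdf_example.org_benchmark_sample">
      <xccdf:Profile id="xccdf_example.org_profile_sample"/>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>"""


def _benchmarks(elem):
    """Yield (benchmark_id, [profile_ids]) for each XCCDF Benchmark at or below elem."""
    for ns in XCCDF_NS:
        for bench in elem.iter("{%s}Benchmark" % ns):
            yield bench.get("id"), [p.get("id") for p in bench.findall("{%s}Profile" % ns)]


def list_selections(xml_text):
    """Return every -select value the content offers, using the post's separator:
    SCAP 1.0/1.1: BenchmarkID\\ProfileID; SCAP 1.2: DataStreamID\\BenchmarkID\\ProfileID."""
    root = ET.fromstring(xml_text)
    selections = []
    if root.tag == "{%s}data-stream-collection" % DS_NS:
        # SCAP 1.2: data streams reference the XCCDF component via xlink:href="#id".
        components = {c.get("id"): c for c in root.findall("{%s}component" % DS_NS)}
        for stream in root.findall("{%s}data-stream" % DS_NS):
            for ref in stream.iter("{%s}component-ref" % DS_NS):
                comp = components.get(ref.get(XLINK_HREF, "").lstrip("#"))
                if comp is None:  # external or missing component: nothing to list
                    continue
                for bench_id, profiles in _benchmarks(comp):
                    selections += ["%s\\%s\\%s" % (stream.get("id"), bench_id, p) for p in profiles]
    else:
        # SCAP 1.0/1.1: the file itself is the Benchmark.
        for bench_id, profiles in _benchmarks(root):
            selections += ["%s\\%s" % (bench_id, p) for p in profiles]
    return selections


def baseline_name(selection):
    """The post's ABC[XYZ] convention built from the IDs in a -select value; the data
    stream ID (SCAP 1.2) is not part of it. The post's own console screenshot shows the
    benchmark title rather than its ID, so verify the name against your own import."""
    bench_id, profile_id = selection.split("\\")[-2:]
    return "%s[%s]" % (bench_id, profile_id)


if __name__ == "__main__":
    # Pass a path to a real XCCDF or data stream file, or run on the embedded samples.
    sources = [open(sys.argv[1], encoding="utf-8").read()] if len(sys.argv) > 1 \
        else [SAMPLE_XCCDF_11, SAMPLE_DS_12]
    for text in sources:
        for sel in list_selections(text):
            print("-select %s   -> baseline %s" % (sel, baseline_name(sel)))
```

Run it against the extracted Benchmark-xccdf.xml to see which profile IDs the content actually offers before you run scaptodcm.exe; the same value is what dcmtoscap.exe needs in -select when the client evaluated more than one profile.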


Assign configuration baselines to the computer collections

Prior to assigning the configuration baseline to a collection of computers, ensure that you have created the appropriate collections that target the type of clients you want to assess.

Continuing with the same STIG benchmark as earlier I am going to target my Windows Server 2012 clients and Windows 2012 R2 clients, but excluding my domain controllers since they have a different set of compliance checks.

Screenshot: Query Statement Properties for the SRV 2012 Servers collection, Criteria tab, with four criteria: Operating System Name and Version is like "%Server%", Operating System Name and Version is like "%6.2%", Operating System Name and Version is like "%6.3%", and Computer System Domain Role is less than 4.

After creating the appropriate computer collections for the clients that you want to assess for compliance, you are ready to assign the Configuration Baselines that you imported. 

Here is the WQL syntax for my collection, which includes Server 2012 and Server 2012 R2 but excludes my domain controllers.

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_R_System.OperatingSystemNameandVersion like "%Server%" and (SMS_R_System.OperatingSystemNameandVersion like "%6.2%" or SMS_R_System.OperatingSystemNameandVersion like "%6.3%") and SMS_G_System_COMPUTER_SYSTEM.DomainRole < 4

The parentheses around the two version clauses are required: WQL, like SQL, evaluates AND before OR, so without them the DomainRole test only applies to the 6.3 branch and the "%Server%" test only to the 6.2 branch.

The key in this query to exclude domain controllers is the "SMS_G_System_COMPUTER_SYSTEM.DomainRole < 4".

DomainRole 4 = LM_Workstation, LM_Server, SQLServer, Backup_Domain_Controller, Timesource, NT, DFS

DomainRole 5 = LM_Workstation, LM_Server, SQLServer, Primary_Domain_Controller, Timesource, NT, DFS

DomainRole 3 = LM_Workstation, LM_Server, NT, Server_NT

DomainRole 1 = LM_Workstation, LM_Server, SQLServer, NT, Potential_Browser, Backup_Browser

NT indicates a workstation

Server_NT indicates a member server

Notice the PDC and BDC do not have either of these designations however.

SQL_Server, Timesource and DFS are all optional, and you may not see them in the roles description.

To see the descriptions and their ID numbers stored in the db, you can run this query:

SELECT TOP (1000) [ResourceID], [Description0], [Domain0], [DomainRole0], [Manufacturer0], [Model0], [Name0], [NumberOfProcessors0], [Roles0], [Status0], [SystemType0], [UserName0]
FROM [CM_MSC].[dbo].[v_GS_COMPUTER_SYSTEM] -- FROM clause assumed: the original post omits it; this is the inventory view that holds the Win32_ComputerSystem columns listed above


Note: Change the MSC to your site code to run the query.
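The parentheses around the two version clauses in the collection query are the part that is easy to lose when the query is typed by hand, and the consequence is that the member-server STIG baseline is evaluated on the wrong machines. The following script is an added example, not from the original post: a small evaluator for the query's WHERE clause, run over constructed inventory rows shaped like the joined OperatingSystemNameandVersion and DomainRole columns. WQL, like SQL, binds AND tighter than OR, so the unparenthesised form means (Server and 6.2) or (6.3 and DomainRole < 4): 2012 domain controllers are no longer excluded, and Windows 8.1 workstations (also version 6.3) are pulled in.

```python
"""Why the parentheses in the collection query matter.

Added example, not from the original post: a tiny evaluator for the WHERE clause
of the WQL collection query, run over constructed inventory rows."""
import fnmatch

# Constructed rows shaped like the joined columns in the query:
# OperatingSystemNameandVersion (SMS_R_System) and DomainRole
# (SMS_G_System_COMPUTER_SYSTEM: 1 = member workstation, 3 = member server,
# 4 = backup DC, 5 = primary DC, per the DomainRole values listed in the post).
ROWS = [
    {"name": "SRV2012-MS",   "os": "Microsoft Windows NT Server 6.2",      "role": 3},
    {"name": "SRV2012R2-MS", "os": "Microsoft Windows NT Server 6.3",      "role": 3},
    {"name": "DC2012",       "os": "Microsoft Windows NT Server 6.2",      "role": 5},
    {"name": "DC2012R2",     "os": "Microsoft Windows NT Server 6.3",      "role": 4},
    {"name": "WS81",         "os": "Microsoft Windows NT Workstation 6.3", "role": 1},
]


def like(value, pattern):
    """Minimal WQL LIKE: only the '%' wildcard, which is all the query uses."""
    return fnmatch.fnmatchcase(value, pattern.replace("%", "*"))


def where_unparenthesised(r):
    # ... like "%Server%" and ... like "%6.2%" or ... like "%6.3%" and DomainRole < 4
    # is parsed as (Server and 6.2) or (6.3 and DomainRole < 4).
    return (like(r["os"], "%Server%") and like(r["os"], "%6.2%")) or \
           (like(r["os"], "%6.3%") and r["role"] < 4)


def where_parenthesised(r):
    # ... like "%Server%" and (... like "%6.2%" or ... like "%6.3%") and DomainRole < 4
    return like(r["os"], "%Server%") and \
           (like(r["os"], "%6.2%") or like(r["os"], "%6.3%")) and \
           r["role"] < 4


def members(predicate, rows=ROWS):
    """Names of the rows the predicate would put in the collection, sorted."""
    return sorted(r["name"] for r in rows if predicate(r))


if __name__ == "__main__":
    print("without parentheses:", members(where_unparenthesised))
    print("with parentheses:   ", members(where_parenthesised))
```

The same check is worth repeating in the console: after saving the query, open the collection's members and confirm no domain controller or workstation appears before the baseline is deployed to it.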

To assign a configuration baseline to a computer collection

1.  In the Configuration Manager Console, go to Assets and Compliance > Compliance Settings > Configuration Baselines.

2.  In the navigation pane, click <configuration_baseline>, where <configuration_baseline> is the name of the configuration baseline that you want to assign to a computer collection.

Screenshot: the Configuration Baselines node (16 items) with "Windows Server 2012 / 2012 R2 Member Server Security Technical Implementation Guide" selected, Status Enabled, Date Modified 12/20/2016 3:12 PM.

3.  In the menu bar, click the green arrow Deploy. (Notice a theme?)

4.  In the Deploy Configuration Baseline Dialog click the Browse button and select the collection you want to target.

Screenshot: the Deploy Configuration Baselines dialog, with "Windows Server 2012 / 2012 R2 Member Server..." moved to Selected configuration baselines, the collection "SRV All Windows Servers" chosen, the options "Remediate noncompliant rules when supported", "Allow remediation outside the maintenance window", "Generate an alert" and "Generate System Center Operations Manager alert" unchecked, and a simple compliance evaluation schedule.

DO NOT select Remediation: this particular Baseline of Configuration Items does not contain any remediation, and selecting remediation will cause problems with your baseline.

FYI:  Both the Configuration Baseline, and the Configuration Items it contains, must be configured for remediation for remediation to work.

You will need to use your discretion on the alerts and the schedule. I have mine set to 4 hours – but mine is a lab. The default client setting is every 7 days.

FYI:  If you have multiple baselines deployed (or just one) you can use the Send Schedule tool in the Configmgr Toolkit to view a client's scheduled time to run evaluations. You can also use it to trigger the evaluation.

If you are going to target multiple collections you will need to repeat this process. If however you wanted to deploy multiple Configuration Baselines to the same collection you could select and add them without having to repeat this process.

Verify that the compliance data has been collected

Before exporting the compliance data back to SCAP format, we need to verify that the data has been collected. After you assign a Configuration Baseline to a computer collection, the client on each computer in that collection evaluates its settings and automatically gathers the compliance information. The client will then deliver that information to its management point, then the MP will deliver the information to the primary site where the client is assigned. Finally, the compliance information is stored in the Configuration Manager database.

From the client side you can see if the baseline has been downloaded by the client by viewing the Configurations tab in the Configmgr client properties.

Screenshot: Configuration Manager Properties, Configurations tab, listing the assigned baseline "Windows Server..." with its Last Evaluation time.

It will also indicate whether the baseline has run and what the results were; if you select View Report you will get a report that shows pass / fail for each CI. You can see this client has run the baseline and is non-compliant.

Screenshot: the same Configurations tab showing the baseline's Revision, Last Evaluation time and Compliance state "Noncompliant".

Verify that the compliance data has been collected

There are a couple of options in the Configmgr console to check whether the data has been loaded into the database yet. Under the Monitoring tab > Deployments you can see the compliance percentage.

Screenshot: Monitoring > Deployments, showing "Windows Server 2012 / 2012 R2..." deployed to collection "SRV 2012 and 2012 R2", Purpose Required, Action Monitor, Feature Type Baseline, with the Compliance % column.

You can also view the count of compliant and non-compliant clients, as well as failures under Assets and Compliance > Compliance Settings > Configuration Baselines.

Screenshot: the Configuration Baselines node, showing "Windows Server 2012...", Status Enabled, Deployed Yes, Date Modified 12/22/2016, with empty Compliance Count, Noncompliance Count and Failure Count columns, Modified By CORP\anthony.

Both of these are still at zero…and it has been a while since the client completed its evaluation. I list the relevant log files below for troubleshooting but we don’t need those. If you are viewing the baseline in the console by selecting the Configuration Baselines node, look to the left of the green Deploy arrow we used earlier in the menu bar. The summarization has not run yet. You can see the schedule using the Schedule Summarization button (default is 2 hours), and even force it to run now by clicking the Run Summarization button.

Screenshot: the Configuration Baselines ribbon, with the buttons Show Members, Schedule Summarization, Run Summarization, Disable, View Xml Definition, Export Baseline, Copy, Refresh, Delete and Deploy.

I forced mine to run and now I have the non-compliant results from my client showing in the console.

Screenshot: the Compliance Count and Noncompliance Count columns now populated after summarization.

Export compliance results to SCAP

The next task in the process is to export the Compliance Settings compliance data to SCAP format, which is an ARF report file in XML \ human-readable format.

Exporting the compliance data to an XCCDF \ DataStream ARF results file

1.  On your Configmgr server where you installed the SCAP extensions, click Start > All Programs > SCAP Extensions > SCAP Extensions.  Or you can open a command prompt and navigate to the folder.

2.  At the command prompt, enter the correct command line and press ENTER.

Note: The exe is dcmtoscap.exe not scaptodcm.exe like we used when creating the CAB file.

FYI:  If it helps to make sense of the naming of the file, in Configmgr 2007 Configuration Baselines and Configuration Items were part of the Desired Configuration Management feature, or DCM. Trust me, I wrote the chapter on it in the 2007 R2 book.

Screenshot (command prompt, from D:\Program Files (x86)\SCAP Extensions): dcmtoscap.exe -xccdf .\2012\U_Windows_2012_and_2012_R2_MS_V2R6_STIG_SCAP_1-1_Benchmark-xccdf.xml -cpe .\2012\U_Windows_2012_and_2012_R2_MS_V2R6_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml -server <site database server> -database CM_MSC -collection MSC00014 -out .\output

Here is my command line if you want to copy-n-paste it.

dcmtoscap.exe -xccdf .\2012\U_Windows_2012_and_2012_R2_MS_V2R6_STIG_SCAP_1-1_Benchmark-xccdf.xml -cpe .\2012\U_Windows_2012_and_2012_R2_MS_V2R6_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml -server -database CM_MSC -collection MSC00014 -out .\output

Below are the command line parameters for each type.

For SCAP 1.0/1.1 content

dcmtoscap.exe -xccdf <xccdf.xml> -cpe <cpe.xml> -server <CMSiteServerMachineName> -database <CMSiteDatabaseName> -collection <deviceCollectionID> OR -machine <host name> -select <xccdfBenchmark \ profile> -out <outputResultFolder>

For SCAP 1.2 content (such as the latest USGCB content):

dcmtoscap.exe -scap <scapdatastreamfile.xml> -server <CMSiteServerMachineName> -database <CMSiteDatabaseName> -collection <deviceCollectionID> OR -machine <host name> -select <datastream \ xccdfBenchmark \ profile> -out <outputResultFolder>

For a single OVAL file with external variables:

dcmtoscap.exe -oval <singleOvalFile.xml> [-variable <externalVariableFile.xml>] -server <CMSiteServerMachineName> -database <CMSiteDatabaseName> -collection <deviceCollectionID> -out <outputResultFolder>

And if all goes well you should end up with something like this for your output.  

Screenshot: the output folder after dcmtoscap.exe runs, containing an XCCDF results XML file and a text file named for the benchmark, the client resource ID and the computer name (Windows_2012_MS_STIG_16777221_ORC2012R2.xml and .txt), plus OVAL results files for the -oval.xml content (suffixed -default and -notapplicable) and for the -cpe-oval.xml content, all dated 12/23/2016 2:53 AM.

And then we are done.  

Next will be how to use the Baseline Configurations and check for compliance against VM’s running in Azure.  Then, I will conclude with custom remediation when clients fail evaluation.

Command line parameters for SCAP extensions

Parameter / Usage / Required

-server [SQLServer\SQLInstance]
  Usage: Specify the name of the Configmgr site database server and the SQL instance.

-database [SQLDatabase]
  Usage: Specify the name of the Configuration Manager site database.

-collection [collection id]
  Usage: Specify the collection id to generate the SCAP report.
  Required: Yes (when -machine is not specified)

-machine [machine name]
  Usage: Specify the computer name to generate the SCAP report.
  Required: Yes (when -collection is not specified)

-organization [organization name]
  Usage: Specify the organization name, which is displayed in the report. It can be separated by ';' to specify a multi-line organization name.

-type [thin / full / fullnosc]
  Usage: Specify the OVAL result type: thin result, full result, or full result without system characteristics.
  Required: No (if not specified, the default value is full)

-cpe [cpe dictionary file]
  Usage: Specify the CPE dictionary file.
  Required: Yes (for SCAP 1.0 \ 1.1)

-scap [scap data stream file]
  Usage: Specify the SCAP data stream file.
  Required: Yes (for SCAP 1.2 data stream, mutually exclusive with -xccdf and -oval \ -variable)

-xccdf [xccdf file]
  Usage: Specify the XCCDF file.
  Required: Yes (for SCAP 1.0 \ 1.1 XCCDF, mutually exclusive with -scap and -oval \ -variable)

-oval [oval file]
  Usage: Specify the OVAL file.
  Required: Yes (for standalone OVAL file, mutually exclusive with -xccdf and -scap)

-variable [oval external variable file]
  Usage: Specify the OVAL external variable file.
  Required: No (optional for standalone OVAL file when there is an external OVAL variable file, mutually exclusive with -xccdf and -scap)

-select [xccdf benchmark \ profile]
  Usage: Select the XCCDF benchmark and profile from either the SCAP data stream or the XCCDF file.
  Required: Yes (for SCAP 1.0 \ 1.1 and 1.2. A selection must be made to generate a report that matches the corresponding DCM baseline in the Configuration Manager database)

-out [output directory]
  Usage: Specify where to output the Compliance Settings cab file.
  Required: No (if not specified, the output only lists the content without conversion)

-log [log file]
  Usage: Specify the log file.
  Required: No (if not specified, the log is written to SCAPToDCM.log \ DCMtoSCAP.log)

-help / -?
  Usage: Print out tool usage.

Log Files

These are the relevant log files for troubleshooting the deployment and evaluation of Configuration Baselines.

Log name: Description

CIAgent.log: Records details about the process of remediation and compliance for compliance settings, software updates, and application management.
CIDownloader.log: Records details about configuration item definition downloads.
CITaskManager.log: Records information about configuration item task scheduling.
DCMAgent.log: Records high-level information about the evaluation, conflict reporting, and remediation of configuration items and applications.
DCMReporting.log: Records information about reporting policy platform results into state messages for configuration items.
DcmWmiProvider.log: Records information about reading configuration item synclets from Windows Management Instrumentation (WMI).
PolicyAgent.log: Records requests for policies made by using the Data Transfer service.
Scheduler.log: Records activities of scheduled tasks for all client operations.
StatusAgent.log: Records status messages that are created by the client components.
DataTransferService.log: Records all BITS communication for policy or package access.
PolicyEvaluator.log: Records details about the evaluation of policies on client computers, including policies from software updates.

Configmgr SQL Server Sizing and Optimization

6/19/2017 – Docs.com is being retired.  Here is the link on OneDrive.

Update: Link for calculator updated.  Any problems email, tweet, or comment.  Thanks for letting me know.

Update II: Link updated after continued issues downloading and editing by some.  I moved the file to for sharing. It does require you to sign in to download using an O365 account, Facebook account, / / account.  I have also added it to Dropbox if you really don’t want to sign in to download the calculator; you can get it here.  I will be testing out the collection features and posting other files to, since creating an article with every doc isn’t always feasible.  Any problems, just leave a comment, email, tweet, and so on.

Several weeks ago I wrote a post about sizing for Configmgr and a few days later I was discussing it with two friends and MVPs when they pointed out that my information about using a single file for the Configmgr data file was incorrect.  I had gotten this information from another friend who works with SQL so I shared that info with them and they told me I (and he were) WRONG!  It is a good thing my wife never reads my blog because if she saw that I had admitted publicly, in writing, that I was wrong, it would probably be printed up as wallpaper and used in every room in our house with a large all weather banner hanging from our roof for added effect.

So I have been doing a lot of reading on SQL over the last several weeks and I have updated my Configmgr database sizing worksheet quite a bit, including tabs regarding disk configuration and server memory calculations.  For most people, this information will be nothing more than interesting; for others like me who architect, build, and remediate Configmgr this can be quite handy.

There is quite a bit of information I learned that isn’t included in this worksheet and I will briefly mention some of them below should you want to do your own research into them, or just send me an email and I will be happy to answer any questions and share my research notes, stored in OneNote of course.

And if you find any errors, please let me know.

Optimize for Ad Hoc Workloads – True
Set the “AUTO_CLOSE” option to OFF
Rebuild Indexes CMMonitor maintenance db via Steve Thompson
Update Statistics Scheduled Tasks or Auto
Adjust Power Savings Plan to MAX
HBA Drivers and Queue Depth
Virtualized SQL requires additional consideration over physical
Exclude SQL processes, folders, and files from AV just like Inbox folders
Enable instant file initialization
NIC performance and tweaks for RSS / vRSS, VMQ
WSUS and SUP db need love too
Performance Counters
SQLServer:Buffer Manager -> Buffer cache hit ratio(>90-95%)
SQLServer:Buffer Manager ->Free pages(>640)
SQLServer:Buffer Manager ->Lazy writes/sec (<20)
SQLServer:Buffer Manager ->Page life expectancy (>300)
SQLServer:Buffer Manager ->Page reads/sec (<90)
SQLServer:Buffer Manager ->Page writes/sec (<90)
SQLServer:Memory Manager -> Target Server Memory (KB) (Target >= Total)
SQLServer:Memory Manager -> Total Server Memory (KB) (Target >= Total)
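The counter thresholds in the list above are simple to state but easy to misread when pulled from the server rather than from Performance Monitor. The following script is an added example, not part of the original post or its worksheet: it checks a counter snapshot against those thresholds. The rows are constructed in the shape of sys.dm_os_performance_counters (object_name, counter_name, cntr_value) and the /sec values are assumed to be per-second rates as Performance Monitor reports them; in that DMV the /sec counters are cumulative totals that must be differenced between two samples, and ratio counters such as Buffer cache hit ratio are stored as two raw rows (the ratio and its "base") that must be divided to get the percentage.

```python
"""Check a SQL Server counter snapshot against the thresholds listed in the post.

Added example, not from the original post or worksheet. Rows are constructed in
the shape of sys.dm_os_performance_counters: (object_name, counter_name, cntr_value)."""

# Constructed snapshot. /sec values are assumed already converted to rates; the
# "Buffer cache hit ratio base" row is the divisor the DMV stores alongside the ratio.
SAMPLE_COUNTERS = [
    ("SQLServer:Buffer Manager", "Buffer cache hit ratio",      4860),
    ("SQLServer:Buffer Manager", "Buffer cache hit ratio base", 5000),
    ("SQLServer:Buffer Manager", "Free pages",                  1200),
    ("SQLServer:Buffer Manager", "Lazy writes/sec",             35),
    ("SQLServer:Buffer Manager", "Page life expectancy",        1500),
    ("SQLServer:Buffer Manager", "Page reads/sec",              40),
    ("SQLServer:Buffer Manager", "Page writes/sec",             12),
    ("SQLServer:Memory Manager", "Target Server Memory (KB)",   33554432),
    ("SQLServer:Memory Manager", "Total Server Memory (KB)",    33554432),
]

# Thresholds from the post: ">" means the value should be above the limit, "<" below.
THRESHOLDS = {
    "Buffer cache hit ratio": (">", 90.0),   # percent; the post gives 90-95%
    "Free pages":             (">", 640),
    "Lazy writes/sec":        ("<", 20),
    "Page life expectancy":   (">", 300),
    "Page reads/sec":         ("<", 90),
    "Page writes/sec":        ("<", 90),
}

MEMORY = "SQLServer:Memory Manager"


def evaluate(rows):
    """Return {counter: (value, ok)} for every thresholded counter in the snapshot,
    plus the Target >= Total Server Memory relation from the post."""
    values = {(obj, name): val for obj, name, val in rows}
    results = {}
    for (obj, name), val in values.items():
        if name.endswith(" base") or name not in THRESHOLDS:
            continue
        base = values.get((obj, name + " base"))
        if base:  # ratio counter: raw value / base, expressed as a percentage
            val = 100.0 * val / base
        op, limit = THRESHOLDS[name]
        results[name] = (val, val > limit if op == ">" else val < limit)
    target = values.get((MEMORY, "Target Server Memory (KB)"))
    total = values.get((MEMORY, "Total Server Memory (KB)"))
    if target is not None and total is not None:
        results["Target >= Total Server Memory"] = (total, target >= total)
    return results


def failing(rows):
    """Sorted names of the counters that breach their threshold."""
    return sorted(name for name, (_, ok) in evaluate(rows).items() if not ok)


if __name__ == "__main__":
    for name, (value, ok) in sorted(evaluate(SAMPLE_COUNTERS).items()):
        print("%-32s %12s  %s" % (name, value, "ok" if ok else "CHECK"))
```

In the constructed snapshot only Lazy writes/sec breaches its limit, which is the pattern the post's list is meant to surface: memory pressure forcing the lazy writer to flush pages even though the hit ratio and page life expectancy still look healthy.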

Configmgr Sizing Worksheets

Hierarchy Planning Worksheet v2.2

DB Sizing Worksheet v2.2

Several years ago Kent A. and someone else put out a couple spreadsheets on database sizing and server sizing for Configmgr.  I used them off and on for a few years and over time I have revised them based on the newer SQL server best practices (SQL 2012 R2+).

In the days of SQL 2008 and earlier, the common db practice was to have multiple files for the Configmgr database files (MDF & NDF files), while the TempDB was configured to use a single file (MDF file).  And all database transaction log files (LDF files) were configured to use single files alongside each database.

TempDB or tempdb database: a globally available database used for holding temporary objects such as local and global tables, stored procedures, table variables, row versions, and query results. The tempdb is temporary; it gets recreated at each reboot or SQL service start.  It is literally empty at each start, all data is purged, and the db cannot be backed up.  The tempdb.mdf is the data file, templog.ldf is the log file for the tempdb.  The tempdb autogrowth setting can cause serious performance issues if the size of the db is too small and it is constantly growing the db.  A common practice when running a SQL server in an Azure VM is to put the tempdb files on the D drive since the drive is non-persistent across reboots.

The best practice for SQL 2012 R2 and beyond is to use a single database file for the Configmgr database and multiple files for the TempDB files (MDF & NDF files).  The transaction log files (LDF files) are still configured for a single file as before.  My buddy Steve Thompson points this out in a recent post where he discusses the proper tempdb creation practices.  Steve is also a former SQL MVP, now a Configmgr MVP so he knows both well.

The topic of using a CAS or multiple primaries for a customer came up on a discussion list today and when I replied I had screen shots of my sql sizing spreadsheet and my site sizing spreadsheet and a few people asked me for copies of them.  They can be downloaded now and as they get updated I will do my best to make the new versions available.

Any questions please let me know.

P.S. SQL should always be local.

Troubleshooting DRS in Configmgr

In this article, I will attempt to peel back some of the mystery that goes on with replication in Configmgr and provide some additional help when it comes to resolving replication issues, and they will occur.

The Basics of Replication in Configmgr

Configmgr underwent a shift several years ago as Microsoft tried to fix that backlog issue that customers often times encountered with the file based replication style.  The hierarchy architecture was flattened and replication went from files to SQL, for the most part at least.  This is well covered on TechNet so I will spare you the details.

There are some additional basics of replication that should be stated for completeness of the topic.

Configmgr does not use the built-in SQL replication; it uses components of SQL and manages the replication of data on its own.  The easiest way I can state this is: the product team coded their own replication into the product, it does not use the built-in features of Microsoft SQL Replication.

There are mainly two types of data replication between sites, Global data and Site data.  Global data is replicated from the CAS downward, while site data is the opposite.

Global data includes data such as collection rules.

Site data includes things like collection results and client data.

Each data type contains several replication groups that logically group data from different tables together.  These replication groups are classified as global and site replication groups.

select * from vReplicationData is a query to display all replication groups.

If you want to see what replication groups are included as part of global or site data, simply modify the previous query by specifying the type of data, similar to these.

select * from vReplicationData where ReplicationPattern = 'global'

select * from vReplicationData where ReplicationPattern = 'site'

Want to see what data is part of that replication group from the output of the previous two queries?  The first column of the output should be ID, simply select the matching ID from the replication group you want to investigate and use the following query.  Replace 30 with the ID number you are interested in.

select * from vArticleData where ReplicationID = 30

ID 1 – 14 is global data, 15 is cloud data, 16 – 30 is for site data, 31 – 33 is for secondary site replication data, beyond 33 is typically more site data replication groups.

[Screenshots: RepGroups - Global and Cloud (1-15); RepGroups - Sites (17-30); RepGroups - Secondary Sites; RepGroups - 34 plus]

Since we are almost to the real meat of what data is being sent, why not look and see what tables are included in a group?  And what better to look at than HWINV data?  This query returns the list of tables that are replicated as part of any replication group with Hardware_Inventory in the name of the group.

select ArticleName from ArticleData where ReplicationID in (select ID from vReplicationData where ReplicationGroup like 'Hardware_Inventory%')

UPDATE: A friend was gracious enough to send me an email regarding the previous query and how to better see what data is in a replication group; I recommend using his query below.  He is easily one of the foremost experts on DRS and how to troubleshoot replication.  He and his team have one of the largest implementations of SCCM globally and it is magnificently run.  Just from an efficiency standpoint, his query is much better and more elegant.

“HINV replication groups vary by install and by how much you extend the mof.  I don’t think any 2 groups look alike or contain the same data.

To see what data is in each I use this:”

SELECT Rep.ReplicationGroup, App.ArticleName, App.ReplicationID
FROM vArticleData AS App
INNER JOIN v_ReplicationData AS Rep ON App.ReplicationID = Rep.ID
ORDER BY Rep.ReplicationGroup, App.ArticleName


Another important aspect of DRS is the SQL Service Broker (SSB), which handles incoming and outgoing messages and guarantees their delivery by storing them in an asynchronous queue.  If SSB cannot function, the flow of data into and out of SQL replication will stop.

Site Data Processing – An Example

When a client runs its scheduled hardware inventory it stores the output of the WMI data in an XML file. Then the client copies that XML file up to its management point (MP).  Assuming the MP is not a primary site server, the MP message handler processes the client's XML file and converts it into a MIF file.  Then the MP File Dispatch Manager takes the MIF file and uploads it into the dataldr inbox folder on the client's primary site server.  The MIF file is then read by the data loader component and the data is inserted into the SQL database.

Technically, there are more than two types of data being replicated, but technically Configmgr can also use the built-in SQL replication too, technically.

Additional info from TechNet:

Plan for Database Replication Thresholds

How to Monitor Database Replication Links and Replication Status

Procedures for Monitoring Database Replication

Advanced Troubleshooting of Replication in Configmgr

When the Data Replication Service (DRS) stops working it can be a nightmare.  If replication breaks and you cannot fix it within a certain amount of time you will lose data, and if you have to re-initialize your replication it generates gigs and gigs of network traffic across the wire as you replicate all that data to each site server, again.  Below are some additional tips to help when troubleshooting DRS when the Replication Link Analyzer (RLA) doesn't do the trick.

Running RLA in a script or from the cmd prompt:

%path%\Microsoft Configuration Manager\AdminConsole\bin\Microsoft.ConfigurationManager.ReplicationLinkAnalyzer.Wizard.exe <source site server FQDN> <destination site server FQDN>

From TechNet: About the Replication Link Analyzer

If RLA fails any remediation actions while it is running, the log files contain more detail than the XML file.  Also, ensure that it was able to restart the SMS_SITE_COMPONENT_MANAGER and SMS_EXECUTIVE services.

Verbose Logging

The first step is to get more information from the log files.  This is accomplished the same way as for all other logs in CM, by raising the amount of logging through registry keys.  There are two different log types we are going to use: your standard text based log files you typically view with notepad, splunk, or cmtrace, and the log data of the SQL managed components of Configmgr, which is stored in SQL tables and viewed with SQL queries rather than in .log files like the majority of Configmgr's components.  You can add this to the long list of reasons why SQL should be ON BOX and CM admins should have sysadmin forever on their SQL instance(s).  Moving on.

Replication Configuration Monitor Log

Rcmctrl.log – Replication Configuration Monitoring (RCM) log file that shows an overview of sync status, site status and stored procs used.

Rcmctrl Regkey:  HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\Components\SMS_REPLICATION_CONFIGURATION_MONITOR\Verbose logging

Default is Value 0

DWORD Value 0 = Errors and key messages
DWORD Value 1 = Errors, key messages, and more general information*
DWORD Value 2 = Everything (Verbose)*

*Make sure you return this back to 0 after you have resolved your DRS issues.
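As an added example (not part of the original post), this PowerShell snippet raises the Rcmctrl verbosity for a troubleshooting session and then restores whatever value was there before, so the reset the asterisk warns about is not forgotten. It uses the registry path quoted above; the function names are my own and it assumes an elevated prompt on the site server.

```powershell
# Added example, not from the original post: toggle RCM verbose logging for a
# troubleshooting session and put the previous value back afterwards.
# Registry path and value name are the ones from the post; function names are mine.
$RcmKey    = 'HKLM:\SOFTWARE\Microsoft\SMS\Components\SMS_REPLICATION_CONFIGURATION_MONITOR'
$ValueName = 'Verbose logging'

function Get-RcmVerboseLevel {
    # Returns the current DWORD: 0 = errors and key messages, 1 = general info, 2 = everything.
    $item = Get-ItemProperty -Path $RcmKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }      # value absent behaves like the default of 0
    return [int]$item.$ValueName
}

function Set-RcmVerboseLevel {
    param([Parameter(Mandatory)][ValidateRange(0, 2)][int]$Level)
    # Set-ItemProperty creates the value if it does not exist yet.
    Set-ItemProperty -Path $RcmKey -Name $ValueName -Value $Level -Type DWord
}

# Remember where we started so the session can be reverted exactly, whatever the
# current value is (it need not be the documented default).
$previous = Get-RcmVerboseLevel
Set-RcmVerboseLevel -Level 2
Write-Host "Rcmctrl.log verbosity raised from $previous to 2. Reproduce the issue, then press Enter to revert."
Read-Host | Out-Null
Set-RcmVerboseLevel -Level $previous
Write-Host "Rcmctrl.log verbosity restored to $previous."
```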

By default the two replication groups that record messages to the Rcmctrl.log are Site Control Data and Configuration Data. If you see errors with another replication group you can include it in the logging by adding it to the following registry key.


*Make sure you return this back to the default after you have resolved your DRS issues. The default is: Site Control Data,Configuration Data

SQL Components Logging

vLogs (stored in SQL views) – Because some components of RCM run as managed code hosted in SQL Server, each of these components is given a table in the CM SQL db to record log messages to.  Logging is recorded in: vDrsReceivedMessages, vDrsReceivedHistory, vDrsSendHistory, vDrsSentMessages, vDrsSyncHistory, and vDrsSyncMessages.


Default is Value 1

DWORD Value 0 = Errors and critical information only
DWORD Value 1 = Errors, critical information, warnings, and general information
DWORD Value 2 = Everything (Verbose)*

*Make sure you return this back to 1 after you have resolved your DRS issues.

Now that additional details are being logged here are two queries to run that will display details of the vLogs information.  If you cannot determine the source of the problem using this information I have listed below some additional queries and troubleshooting information.

Query the SQL vLog

Now we are ready to query the vLog and get extra details.   A word of caution first: I recommend that you use the first query, which only returns the first 1000 messages. By running the query without a limit you risk making things worse by adding pressure to your SQL db when it may already be in a degraded state and using the maximum amount of resources it has available.

This query returns the last thousand messages which have been logged, ordered by the time they were written into the database.

select Top 1000 * from vLogs order by LogTime desc

This query does not limit the messages returned and may cause your server to fall over!  This is your second and final warning.

select * from vLogs where LogTime > GETDATE()-1 and ProcedureName <> 'spDRSSendChangesForGroup' ORDER BY LogTime DESC

spdiagDRS (stored procedure) – This stored procedure provides an overview of the state of DRS replication at the site including status, messages in queue, messages processed, messages sent, conflicts, current link status, last sync for each replication group, and versions.  This stored procedure will give you most of the SQL related information you will need for a lot of replication troubleshooting, or at least point you in the best direction to look deeper.

exec spdiagdrs


Replication and Troubleshooting Certificates

Often, when the basics of DRS troubleshooting have not gotten to root cause and I get contacted, it ends up being issues related to certificates.  A couple of common issues are that the certificates do not match or are missing.  Another issue can come from changing the account that SQL is running under: if you install and use the SYSTEM account to start the SQL services and later change to a service account or domain account, replication will break because the new account does not have the rights to read the original master key used to generate and validate the certs.

"Connection handshake failed.  Error 15581 occurred while initializing the private key corresponding to the certificate....State 88" or

"Service Broker login attempt failed with error: 'Connection handshake failed.  The certificate used by the peer is invalid...State 89"

Let's next verify we are headed down the correct rabbit hole by first running the following query.  Within the results of this query, the transmission_status column should display any errors that are related to network communications, such as firewalls blocking replication or authentication errors.

select * from sys.transmission_queue

In the case of Error 15581 you should see the following or something similar.

"Service Broker login attempt failed with error: 'Connection handshake failed. An error occurred while receiving data: '10054(An existing connection was forcibly closed by the remote host.)'"

To resolve this you have two options: delete the current master key and generate a new master key in SQL, or assign the new account full control to the MachineKeys folder.  Giving the new account full control of the folder and all child objects is the faster and easier solution.  If you want to go the route of generating a new key you will need to use the stored procedure spCreateAndBackupSQLCert to build the new key and copy the certs to all of the site servers participating in replication.  The section below shows how to accomplish this second method and also provides some good information on troubleshooting certs in general.

exec spCreateAndBackupSQLCert

Query to display certificates


select * from vSMS_SC_SiteDefinition_Properties where Name = 'SQLServerSSBCertificateThumbprint'

use master

select name, cert_serial_number  from sys.certificates

Here you can see the output from my CAS and its child primary site server.  The first example is the CAS server; row 9 shows the endpoint cert from the child primary site (MSC).  Notice the thumbprints in rows 8 and 9 show they have properly exchanged the correct certificate versions, as the serial numbers in the second column match.

SQL Command to view certificates-CAS-01

SQL Command to view certificates-PRI-01

You should see the same certificate thumbprint listed in the following registry key.  If not, that is a problem; see the script below on exporting and importing certificates.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SQL Server\SSBCertificateThumbprint
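As an added example (not part of the original post), this PowerShell script performs the cross-check just described: it reads the thumbprint from the registry key above and compares it with the thumbprint of the endpoint certificate SQL Server actually holds in master (sys.certificates). It assumes the SqlServer module (Invoke-Sqlcmd) is available, that the script runs on a site server with SQL on box, and that the certificate is named ConfigMgrEndpointCert as in the backup command further down; the function names are my own.

```powershell
# Added example, not from the original post: verify that the SSB certificate
# thumbprint the site server recorded in the registry matches the certificate
# SQL Server holds in master. Assumes Invoke-Sqlcmd (SqlServer module) and a
# local SQL instance; certificate name taken from the post's backup command.
param([string]$SqlInstance = 'localhost')   # adjust if SQL is a named instance

$RegPath  = 'HKLM:\SOFTWARE\Microsoft\SMS\SQL Server'
$RegValue = 'SSBCertificateThumbprint'

function Get-RegistrySsbThumbprint {
    $item = Get-ItemProperty -Path $RegPath -Name $RegValue -ErrorAction Stop
    # Normalise to upper-case hex with no separators so both sides compare cleanly.
    return (([string]$item.$RegValue) -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Get-SqlSsbThumbprint {
    # CONVERT style 2 renders the varbinary thumbprint as hex without the 0x prefix.
    $query = @"
select CONVERT(varchar(64), thumbprint, 2) as Thumbprint
from sys.certificates
where name = 'ConfigMgrEndpointCert'
"@
    $row = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query $query
    if ($null -eq $row) { throw 'ConfigMgrEndpointCert not found in master.sys.certificates' }
    return ([string]$row.Thumbprint).ToUpperInvariant()
}

function Test-SsbThumbprintMatch {
    $reg = Get-RegistrySsbThumbprint
    $sql = Get-SqlSsbThumbprint
    [pscustomobject]@{
        RegistryThumbprint = $reg
        SqlThumbprint      = $sql
        Match              = ($reg -eq $sql)
    }
}

$result = Test-SsbThumbprintMatch
$result | Format-List
if (-not $result.Match) {
    Write-Warning 'Thumbprints differ: SQL is not holding the endpoint certificate the site expects. Review the certificate export/import steps.'
}
```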

Script to Export or Import Certificates

This will make a backup of your endpoint certificate locally to the root of the C drive.

use Master

backup certificate ConfigMgrEndpointCert to file = 'C:\CM-EndPoint.CER'

Some of the certificates you may not have the rights to export, but you should be able to export the ConfigMgrEndpointCert(s) and the following certificates:





In this example I am inserting the certificate exported from my CAS (CAS) server to my primary site server (MSC).

use CM_MSC

exec dbo.spCreateSSBLogin @EndPointLogin='ConfigMgrEndPointLoginCAS', @DestSiteCode='CAS', @DestSiteCertFile='C:\CM-EndPoint.CER', @EndPointName='ConfigMgrEndpoint'

Useful SQL Queries

If you are still not able to determine the source of your replication issues here are a few SQL queries that may help isolate the problem.

Query to find a LockID of locked resources

select * from SEDO_LockState where LockStateID = 1

Query to list DRS Conflicts

select * from DrsConflictInfo

SQL Query for Replication Data Conflict-CAS-01

SQL Query for Replication Data Conflict-CAS-cont-01

Query for the link status

select * from RCM_ReplicationLinkStatus

SQL Query for Link Status-CAS-01

Query for Service Broker status

select * from sys.tcp_endpoints where type_desc = 'SERVICE_BROKER'

SQL Routes

select * from sys.routes

Query to view the first 1000 messages in the DRS queue

select top 1000 *, casted_message_body =
case message_type_name when 'X'
then cast(message_body as nvarchar(max))
else message_body
end
from [CM_CAS].[dbo].[ConfigMgrDRSQueue] with (nolock)

Query for all sites replication status

select * from ServerData

There are so many things that can go wrong with replication, and it is such a large topic, that it is difficult to cover it fully.  Hopefully this information, while a little disorganized, is helpful in your replication troubleshooting efforts.  One final piece of advice: if you have to reinitialize your replication, make sure you fully understand how much data is going to be sent before you do it.  Feel free to contact me if you have questions.





(c) 2015  All rights reserved.  You may not copy and post more than a single paragraph without written authorization from the author.  You may not copy and paste this article on any other blog or website without written authorization from the author.

Configmgr vNext Visio Shapes

I have been using these shapes for my architecture designs after getting tired of using shapes based on Vista.  These are more modern shapes and include two variations for servers and alternative shapes for most roles in Configmgr to fit different styles.  I have included some other miscellaneous shapes and shapes for containers, BranchCache, PeerCache, Nano server and others.  In total, there are about 125 different shapes.

Configmgr vNext Shapes


Also on TechNet here

Package Creation Internals in Configmgr

In this article, I will describe in depth how a package and program is created.  Why the older package and program process and not the newer application model?  The application method may come next, but mostly I wrote this to share the information with a peer and because it goes into more depth than most articles I see on the subject.  I will describe the process from the time the Configmgr admin creates the package in the console up until the time when the newly created package and program(s) are distributed; distribution of a package warrants its own article at this depth.  Specifically I will show how the different Configmgr components are involved, what logs are written to, what you should see in the logs, as well as some additional details like the inboxes, files created for processing and other details that are not typically discussed.  If you are new to Configmgr, this is not a good article to start with as I assume there is some basic understanding of Configmgr terminology and its processes.


10 Things You Must Know Before Your Next Windows Deployment

This is the first article in a series of articles on Windows 10 deployment and management.  In this first article, I will cover some of the basics as a refresher, or as an introduction if Windows 10 is your first time deploying an OS.  I will also cover what has changed or been updated recently as well as what is new.  This series will get progressively deeper into deployment, and then I will cover management of your newly deployed Windows 10 computers and devices, starting with the basics again followed by deeper technical articles.  With Windows 10 being available on July 29th and the paradigm shift in Windows and Windows deployment, my intention is to provide enough information to enable others to confidently deploy and manage Windows 10 before the 29th of July.


Series of articles:

  1. What is new in Windows deployment
  2. Options for deploying Windows 10
  3. How-to successfully deploy Windows 10
  4. What is new in Windows systems management
  5. Options for managing Windows 10
  6. How-to manage Windows 10
