STIG Compliance with SCAP and DCM in Configmgr

In this post, I demonstrate how to use System Center Configuration Manager to evaluate clients for STIG compliance.

The process at a high level is:

      1. Download the corresponding STIG compliance SCAP files.
      2. Convert the downloaded files into a CAB file for import.
      3. Import the CAB file into Configmgr
      4. Deploy the Configuration Baseline to the corresponding device collection
      5. Evaluate the compliance reporting from the clients
      6. Export the compliance data to SCAP format

Important information

For SCAP 1.0 – 1.2, If you don’t specify the benchmark/profile, then scaptodcm.exe will generate a DCM cab for each benchmark in the content file. Fun.

If you specify multiple values for a single variable in an external variable file, then the scaptodcm.exe tool will treat the values as an array.

The settings you may see in the screenshots are NOT worthy of a production site, my clients and site servers have very aggressive schedules because I don’t have the same concerns when running in production. DO NOT use my schedule settings.

Don’t confuse the two executables: scaptodcm.exe and dcmtoscap.exe, they both have different jobs.

When converting the compliance data to a results file, if the clients evaluated multiple datastream \ benchmark \ profiles use the -select parameter to specify the same datastream \ benchmark \ profile which was run on the client.

SCAP 3.0 extensions must be installed on your Configmgr server.

At the bottom you find two tables, one that defines the command line parameters and the other lists the relevant log files if you need to troubleshoot.


Download the appropriate SCAP files

1.  Download the SCAP content from:

Windows 2012 and 2012 R2 DC STG Benchmark - ver 2, Re16 Windows 2012 and 2012 R2 MS STIG Benchmark - ver 2, Re16 10/28/2016 10/28/2016 130 KB 128 KB

2.  Extract the ZIP file to a folder for conversion. I just created a subfolder under the directory where scaptodcm.exe lives to keep things simple. You should choose the location that makes sense to you.

Program Files (x86) SCAP Extensions 2012 Name U Windows 2012 and 2012 R2 MS V2R6 STIG SCAP U Windows 2012 2012 R2 MS V2R6 STIG SCAP U Windows 2012 and 2012 R2 MS V2R6 STIG SCAP U Windows 2012 2012 R2 MS V2R6 STIG SCAP Benchmark-cpe-dicticnary.xml Benchmark-cpe-cval.xml Benchmark-cval.xml Benchmark-xccdf.xml Date modified g/15/2016 4:44 PM g/15/2016 4:44 PM g/15/2016 4:44 PM g/15/2016 4:44 PM Search 2012 Type XML Document XML Document XML Document XML Document Size 860

Idea In this example, we will import the Windows 2012 and 2012 R2 MS STIG Benchmark – Ver 2, Rel.6

3.  After extracting the zip file, from a command prompt with administrative permissions run the appropriate command line to convert the SCAP data stream file and XDCCF benchmark profile to a DCM .CAB file, assuming you are also using a SCAP 1.0 or 1.1 file.

In this example the file is SCAP 1.1 so the parameter -xccdf is required.

Below is an example command line of each type of content, 1.0/1.1, 1.2, and Oval. See my note above regarding the -select parameter.

SCAP 1.0/1.1 Content: scaptodcm.exe –xccdf scap_gov.nist_Test-Win10_xccdf.xml –cpe scap_gov.nist_Test-Win10_cpe.xml –out <folder> –select XCCDFBenchmarkID \ ProfileID

SCAP 1.2 Content: scaptodcm.exe –scap scap_gov.nist_USTCB-ie11.xml –out <folder> –select SCAPDataStreamID \ BenchMarkID \ ProfileID

SCAP OVAL Content: scaptodcm.exe –oval OvalFile.xml –variable OvalExternalVariableFile.xml –out <folder>

The conversion process may take a minute or more depending on the XML file.

Administrator: usage for SCAP 1.2: ScapToDcm. exe -scap ScapDataStreamFi1e [ -out OutputDirectory] [-select ScapDataStreamID/XccdfBenchma rkID/XccdfProfi1eID] [ -log LogFi1eName] [ -batch 588] Usage for SCAP 1.1/1. ø: ScapToDcm.exe -xccdf XccdfFi1e -cpe CPEFi1e [ -out OutputDirectory] [-select XccdfBenchmarkID/Xcc dfProfi1eID] [ -log LogFi1eName] [ -batch 588] Usage for OVAL: ScapToDcm.exe -oval OvalFi1e [ -variable OvalExterna1Variab1eFi1e] [ -out OutputDirectory] [ -log LogFi1eNa e] [ -batch 588] H: \Program Files (x86)\SCAP Extensions>scaptodcm.exe -xccdf . \ 2812\U R2 MS V2R6_STIG SCAP_1-1_Benc hmark-xccdf .xml -cpe . R2 MS V2R6_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xm1 -out . \ 2812 Try to create log file: H: \Program Files (x86)\SCAP Extensions\ScapToDcm. log alidate the schema of XCCDF file H: \Program Files (x86)\SCAP MS V2R6 STIG SC P 1-1 Benchmark-xccdf .xml Successfully validate the schema of XCCDF file H: \Program Files (x86)\SCAP R2 MS V2R6 STIG SCAP 1-1 Benchmark-xccdf .xml Process XCCDF benchmark in file H: \Program Files Windows _ 2812 _ and _ 2812 R2 ms V2R6 STIG SCA? 1-1 Benchmark-xccdf .xml Process Process Process Process Process Process Process Process Process Process Process Process XCCDF XCCDF XCCDF XCCDF XCCDF XCCDF XCCDF XCCDF XCCDF XCCDF XCCDF XCCDF Benchmark Windows 2812 ms STIG Profile: Profile: Profile: Profile: Profile: Profile: Profile: Profile: Profile: Profile: Profile: MAC MAC- 1 MAC- 1 MAC- 2 MAC- 2 MAC- 2 MAC- 3 MAC- 3 MAC- 3 Classified-l - mission Critical Classified Public- I - mission Critical Public Sensitive- I - mission Critical Sensitive Classified-ll - mission Support Classified Public- II - mission Support Public Sensitive- II - mission Support Sensitive Classified-lll - Administrative Classified Public- III - Administrative Public Sensitive- III - Administrative Sensitive Disable Slow Rules-Disab1e Slow Rules 1 only Load file H: \Program Files Windows _ 2812 _ and _ 2812 R2 ms V2R6 STIG 1 for check content U Windows 2812 and 2812 R2 MS V2R6 STIG SCAP 1-1 Benchmark-oval .xml Process OVAL definitions in file H: \Program Files (x86)\SCAP R2 MS V2R6 STIG SC P 1-1 Benchmark-oval .xml Process OVAL: U Windows 2812 and 2812 R2 ms V2R6 STIG SCA? 1-1 Benchmark-oval .xml Successfully finished process OVAL: U R2 MS V2R6_STIG_SCAP_1-1_Benchmark-ova1 .xml Process CPE dictionary in file H: \Program Files (x86)\SCAP R2 MS V2R6 STIG SCAP 1 -1_Benchmark- cpe- dictionary . xml Load file H: \Program Files (x86)\SCAP R2 MS V2R6_STIG_SCAP_1-1_Benchmark-cpe-ova l.xml for check content R2 MS V2R6_STIG_SCAP_1-1_Benchmark-cpe-ova1 .xml Process OVAL definitions in file H: \Program Files (x86)\SCAP R2 MS V2R6 STIG SC P_l -1_Benchmark- cpe-oval . xml Process OVAL: U Windows _ 2812 _ and _ 2812 R2 ms .xml Successfully finished process OVAL: U R2 MS V2R6 STIG SCAP_1-1_Benchmark-cpe-ova1 .xml CCDF Benchmark: [Windows _ 2812 ms STIG] Version : update: Timestamp : Status: Status date: Title: Description : [2] [1/1/8881] [accepted] [18/28/2816] [Windows Server 2812 / 2812 R2 member Server Security Technical Implementation Guide] [The Windows Server 2812 / 2812 R2 member Server Security Technical Implementation Guide (STIG) is publ ished as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisio ns to this document should be sent via e-mail to the following address: . mil.] XCCDF Profile: XCCDF Profile: XCCDF Profile: [MAC-1 Classified] [MAC-l_public] fmAC-1 Sensitive I

Once the conversion is completed the CAB file should be located in the directory specified in the command line with the -out parameter.

Next is to import the file in Configmgr for deployment, evaluation, and compliance reporting.

Import the Compliance Settings CAB files Configmgr

The next step in the process is to use the Configuration Manager Console to import the Compliance Settings-compliant .cab files into Configuration Manager. When you import the .cab files you created earlier in this process, one or more configuration items and configuration baselines are created in the Configuration Manager database. Later in the process, you can assign each of the configuration baselines to a computer collection in Configuration Manager.

To import the Compliance Settings CAB files into Configmgr

1.  In the Configuration Manager Console, navigate to Assets and Compliance > Compliance Settings > Configuration Baselines.

2.  In the menu bar, click the blue arrow Import Configuration Data.

3.  To begin the import process click the Add button.

4.  Browse to the directory that we specified earlier with the scaptodcm.exe tool -out <path\file>, and select the CAB file that was created. 

Click Yes in the Configuration Manager Security Warning dialog box.

Configuration Manager The publisher of Windows 2012_MS file could not be verfied. Are you sure that you want to import this file?

You should now see the CAB file listed in the Select Files page similar to this.

Machine generated alternative text: Import Configuration Data Wizard Select Files Select Files Summary Progress Confirmation Specify the files from which to import configuration items and configuration baselines Import configuration tams and configuration baselines from best-practices Configuration Packs and from other configuration data sources Files that contain configuration tams or configuration baselines Fitter Wndows 2012 MS STG cab Date Modified 12/20/201630732PM 41274 KB Create a new copy of the mported configuration baselines and configuration tams Previous Next

You could add more than one CAB file here, if you created or had multiple CAB files to import simply repeat the steps 3 and 4.

5.  Click the Next button.

This will start the verification process for the import, this can take several minutes and depends on the number of Configuration Items being imported.

Machine generated alternative text: Verifying Configuration Data Please watt while Configuration Manager verifies the selected files f there are many configuration tams and configuration baselines in tha fila this process might taka soma time to finish

6.  Once the verification is finished you will be at the Summary page which will list all the Configuration Items being imported.

Machine generated alternative text: Import Configuration Data Wizard Summary Select Files Summary Progress Confirmation Confirm the configuration data to be imported: The wizard will import the following configuration data - Configuration isms (408) oval mil disa fso windowstst 449300 oval mil disafso windowstst 461000 oval mil disafso windowstst 443102 oval mil disa fso windowstst 465500 oval mil disafso windowstst 460401 oval mil disa fso windowstst 473600 oval mil disa fso windowstst 487707 oval mil disa fso windowstst 442300 oval mil disa fso windowstst 450500 oval mil disa fso windowstst 454000 oval mil disa fso windowstst 469200 oval mil disafso windowstst 461800 oval mil disa fso windowstst 497300 oval mil disafso windowstst 468601 default default default default default default default default default default default default default default To change these settings. click Previous To apply the settings. click Previous Next

7.  Click the Next button and this will start the import into Configmgr. This may also take a few minutes.

Import Configuration Data Wizard Confirmation Select Files Summary Progress Completing the Import Configuration Data Wizard You have successfully completed the hport Configuration Data Wizard with the following details Configuration isms (408) oval mil disa fso windowstst 449300 oval mil disafso windowstst 461000 oval mil disafso windowstst 443102 oval mil disa fso windowstst 465500 oval mil disafso windowstst 460401 oval mil disa fso windowstst 473600 oval mil disa fso windowstst 487707 oval mil disa fso windowstst 442300 oval mil disa fso windowstst 450500 oval mil disa fso windowstst 454000 oval mil disa fso windowstst 469200 oval mil disafso windowstst 461800 oval mil disa fso windowstst 497300 oval mil disafso windowstst 468601 To close this wizard click Close Previous default [Success) default [Success) default [Success) default [Success) default [Success) default [Success) default [Success) default [Success) default [Success) default [Success) default [Success) default [Success) default [Success) default [Success) Next Summary

8.  Click the close button to exit the import wizard.

The new configuration baseline appears in the information pane of the Configuration Manager Console.

Configuration Baselines 16 items Search Name Windows Server 2012 / 2012 R2 Member Server Security Technical Implementation Gu de Status Enabled Deployed User Setting Date Modified 12/20/2016 3:12 PM Compliance Count Noncompliance Count Failure Count Modified By CORP\anth...

The name of the configuration baseline is taken from the display name section of the XCCDF/Datastream XML and is constructed using the following convention:

ABC[XYZ], where ABC is the XCCDF Benchmark ID, and XYZ is the XCCDF Profile ID (if a profile is selected).


Assign configuration baselines to the computer collections

Prior to assigning the configuration baseline to a collection of computers ensure that you have the appropriate collections created that targets the type of clients you want to assess.

Continuing with the same STIG benchmark as earlier I am going to target my Windows Server 2012 clients and Windows 2012 R2 clients, but excluding my domain controllers since they have a different set of compliance checks.

Machine generated alternative text: SRV 2012 Servers Query Statement Properties General Criteria Joins You can specify criteria to nam»v the query and the results that are Criteria : S"stem ResourceO eratin S' •Stem Name and Vereion is like System Resource Operating System Name and Version IS like 2%" System Resource Operating System Name and Version is like 3%" Computer System Domain Role is less than 4 Show Query Language

After creating the appropriate computer collections for the clients that you want to assess for compliance, you are ready to assign the Configuration Baselines that you imported. 

Here is the WQL syntax for my collection, which includes, Server 2012, Server 2012 R2, but excludes my domain controllers.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_R_System.OperatingSystemNameandVersion like “%Server%” and SMS_R_System.OperatingSystemNameandVersion like “%6.2%” or SMS_R_System.OperatingSystemNameandVersion like “%6.3%” and SMS_G_System_COMPUTER_SYSTEM.DomainRole < 4

The key in this query to exclude domain controllers is the “SMS_G_System_COMPUTER_SYSTEM.DomainRole < 4

DomainRole 4 = LM_Workstation, LM_Server, SQLServer, Backup_Domain_Controller, Timesource, NT, DFS

DomainRole 5 = LM_Workstation, LM_Server, SQLServer, Primary_Domain_Controller, Timesource, NT, DFS

DomainRole 3 = LM_Workstation, LM_Server, NT, Server_NT

DomainRole 1 = LM_Workstation, LM_Server, SQLServer, NT, Potential_Browser, Backup_Browser

NT indicates a workstation

Server_NT indicates a member server

Notice the PDC and BDC do not have either of these designations however.

SQL_Server, Timesource, DFS are all options and you may not see them in the roles description.

To see the descriptions and their ID number stored in the db you can this query

SELECT TOP (1000) [ResourceID],[Description0],[Domain0],[DomainRole0],[Manufacturer0],[Model0],[Name0],[NumberOfProcessors0],[Roles0],[Status0],[SystemType0],[UserName0]


Note: Change the MSC to your site code to run the query.

To assign a configuration baseline to a computer collection

1.  In the Configuration Manager Console, go to Assets and ComplianceCompliance SettingsConfiguration Baselines.

2.  In the navigation pane, click <configuration_baseline>, where <configuration_baseline> is the name of the configuration baseline that you want to assign to a computer collection.

Configuration Baselines 16 items Search Name Windows Server 2012 / 2012 R2 Member Server Security Technical Implementation Gu de Status Enabled Deployed User Setting Date Modified 12/20/2016 3:12 PM Compliance Count Noncompliance Count Failure Count Modified By CORP\anth...

3.  In the menu bar, click the green arrow Deploy. (Notice a theme?)

4.  In the Deploy Configuration Baseline Dialog click the Browse button and select the collection you want to target.

Deploy Configuration Baselines Select the configuration baselines that you want to deploy to a collection Available configuration baselines Fittar„ WS2012R2 Member Server Security Comp A Copy of Offce2013 Computer Security WS2012R2 Domain Security Compliance v Z] Remediate noncompliant rules when supported Add > < Remove Z] Allow remediation outside the maintenance window Z] Generate an alert When compliance is below Data and time Z] Generate System Center Operations Manager alert Select the collection for this configuration baseline deployment S RV Al Wndows Servers Specify the compliance evaluation schedule for this configuration baseline @ Simple schedule Run every C) Custom schedule No custom schedule defined Selected configuration baselines Fittar„ Windows Server 2012 / 2012 R2 Member Customiza„

DO NOT select Remediation, this particular Baseline of Configuration Items does not contain any remediation, which will cause problems with your baseline if you select remediation.

FYI:  Both the Configuration Baseline, and the Configuration Items it contains, must be configured for remediation for remediation to work.

You will need to use your discretion on the alerts, and the schedule. I have mine set to 4 hours – but mine is a lab. The default client settings is every 7 days.

FYI:  If you have multiple baselines deployed (or just one) you can use Send Schedule tool in the Configmgr Toolkit to view a clients scheduled time to run evaluations. You can also use it to trigger the evaluation.

If you are going to target multiple collections you will need to repeat this process. If however you wanted to deploy multiple Configuration Baselines to the same collection you could select and add them without having to repeat this process.

Verify that the compliance data has been collected

Before exporting the compliance data back to SCAP format, we need to verify that the data has been collected. After you assign a Configuration Baseline to a computer collection, the client on each computer in that collection evaluates its settings and automatically gathers the compliance information. The client will then deliver that information to its management point, then the MP will deliver the information to the primary site where the client is assigned. Finally, the compliance information is stored in the Configuration Manager database.

From the client side you can see if the baseline has been downloaded by the client by viewing the Configurations tab in the Configmgr client properties.

Machine generated alternative text: Configuration Manager Properties Assigned configuration baselines Nama Windo',vs Server Last Evaluatin *ppb'

It will also indicate if the baseline has run, and what the results were, if you select the View Report you will get a report that shows pass / fail for each CI. You can see this client has run the baseline and is non-compliant.

Machine generated alternative text: Configuration Manager Properties Confi gurations Assigned configuration baselines Nama "indo',vs Server Revision Last EvaluatL Compliance Noncompliant *ppb'

Verify that the compliance data has been collected

There are a couple options in the Configmgr console to check and see if the data has been loaded into the database yet. Under the Monitoring tab > Deployments you can see the compliance percentage.

Machine generated alternative text: Icon Software Windows Server 2012 / 2012 R2... Collection SRV 2012 and 201 2R2 Purpose Requ ired Action Monitor Feature Typ Baseline Compliance %

You can also view the count of compliant and non-compliant clients, as well as failures under Assets and Compliance > Compliance Settings > Configuration Baselines.

Machine generated alternative text: Icon Name Windows Server 20121m Status Enabled Deployed Yes User Setting Date Mod fled 12/22/2016m Compliance Count Noncompliance Count Failure Count Modified By CORP\anthony

Both of these are still at zero…and it has been a while since the client completed its evaluation. I list the relevant log files below for troubleshooting but we don’t need those. If you are viewing the baseline in the console by selecting the Configuration Baselines node, look to the left of the green Deploy arrow we used earlier in the menu bar. The summarization has not run yet. You can see the schedule using the Schedule Summarization button (default is 2 hours), and even force it to run now by clicking the Run Summarization button.

Machine generated alternative text: Show Mem bers 'Schedule Summarization Run Su mmanzation Disa ble View Xml Definition Export Baseline Copy Refresh Delete Deploy Deployment

I forced mine to run and now I have the non-compliant results from my client showing in the console.

Machine generated alternative text: Compliance Count Noncompliance Count

Export compliance results to SCAP

The next task in the process is to export the Compliance Settings compliance data to SCAP format, which is an ARF report file in XML \ human-readable format.

Exporting the compliance data to an XCCDF \ DataStream ARF results file

1.  On your Configmgr server where you installed the SCAP extensions, click Start > All Programs > SCAP Extensions > SCAP Extensions.  Or you can open a command prompt and navigate to the folder.

2.  At the command prompt, enter the correct command line and press ENTER.

Note: The exe is dcmtoscap.exe not scaptodcm.exe like we used when creating the CAB file.

FYI:  If it helps to make sense of the naming of the file, in Configmgr 2007 Configuration Baselines and Configuration Items were part of the Desired Configuration Management feature, or DCM. Trust me, I wrote the chapter on it in the 2007 R2 book.

Machine generated alternative text: D: \Program Files (x86) \ SCAP Extensions>dcmtoscap.exe -xccdf . \ 2812\U R2 ms V2R6_STIG_SCAP_1-1_Benc hmark-xccdf .xml -cpe . \ 2812\U R2 ms V2R6 STIG_SCAP_1-1_Benchmark-cpe-dictionary.xm1 -server cm-cb. -database Cm I•ISC -collection msc88814 -out . \output_

Here is my command line if you want to copy-n-pate it.

dcmtoscap.exe -xccdf .\2012\U_Windows_2012_and_2012_R2_MS_V2R6_STIG_SCAP_1-1_Benchmark-xccdf.xml -cpe .\2012\U_Windows_2012_and_2012_R2_MS_V2R6_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml -server -database CM_MSC -collection MSC00014 -out .\output

Below are the command line parameters for each type.

For SCAP 1.0/1.1 content

dcmtoscap.exe –xccdf <xccdf.xml> –cpe <cpe.xml> –server <CMSiteServerMachineName> –database <CMSiteDatebaseName> –collection <deviceCollectionID> OR -machine <host name> -select <xccdfBenchmark \ profile> -out <outputResultFolder>

For SCAP 1.2 content (such as the latest USGCB content):

dcmtoscap.exe –scap <scapdatastreamfile.xml> –server <CMSiteServerMachineName> –database <CMSiteDatebaseName> –collection <deviceCollectionID> OR -machine <host name> -select <datastream \ xccdfBenchmark \ profile> -out <outputResultFolder>

For single OVAL file with external variables

dcmtoscap.exe –oval <singleOvalFile.xml> [-variable <externalVariableFile.xml>] –server <CMSiteServerMachineName> –database <CMSiteDatebaseName> –collection <deviceCollectionID> -out <outputResultFolder>

And if all goes well you should end up with something like this for your output.  

Machine generated alternative text: U Windows 2012 and 2012 R2 MS V2R6 STIG SCAP 1-1 U Windows 2012 and 2012 R2 MS V2R6 STIG SCAP 1-1 U Windows 2012 and 2012 R2 MS V2R6 STIG SCAP 1-1 Z] Windows 2012 MS STIG 16777221 ORC2012R2.txt Windows 2012 MS STIG 16777221 ORC2012R2xmI Benchmark-cpe-oval.xml-default 16777221 ORC2012R2.xmI Benchmark-ovalxml-default 16777221 ORC2012R2xml Benchmark-oval.xml-notapplicable 16777221 ORC2012R2.xmI 12/23/2016 2:53 AM 12/23/2016 2:53 AM 12/23/2016 2:53 AM 12/23/2016 2:53 AM 12/23/2016 AM XML Document XML Document XML Document Text Document XML Document 277 G 281 G 206 KB

And then we are done.  

Next will be how to use the Baseline Configurations and check for compliance against VM’s running in Azure.  Then, I will conclude with custom remediation when clients fail evaluation.

Command line parameters for SCAP extensions

ParameterUsage Required

server [SQLServer\SQLInstance]

Specify the name of Configmgr site database server and the SQL instance.


database [SQLDatabase]

Specify the name of the Configuration Manager site database.


collection [collection id]

Specify the collection id to generate the SCAP report.

Yes (when -machine is not specified)

machine [machine name]

Specify the computer name to generate the SCAP report.

Yes (when -collection is not specified)

-organization [organization name]

Specify the organization name, which would be displayed in report. It can be separated by ‘;’ to specify a multi-line organization name.


-type [thin / full / fullnosc]

Specify the OVAL result type: thin result or full result or full result without system characteristic.

No (if not specified, then the default value is full)


Specify the cpe-dictionary file

Yes (for SCAP 1.0 \ 1.1)

scap [scap data stream file]

Specify the SCAP data stream file.

Yes (for SCAP 1.2 data stream, mutually exclusive with -xccdf and -oval \ -variable)

xccdf [xccdf file]

Specify the XCCDF file.

Yes (for SCAP 1.0 \ 1.1 XCCDF, mutually exclusive with -scap and -oval \ -variable)

oval [oval file]

Specify the OVAL file.

Yes (for standalone OVAL file, mutually exclusive with -xccdf and -scap

-variable [oval external variable file]

Specify the OVAL external variable file.

No (optional for standalone OVAL file when there is an external OVAL variable file, mutually exclusive with -xccdf and -scap)

select [xccdf benchmark \ profile]

Select XCCDF benchmark, profile from either the SCAP data stream or XCCDF file.

Yes (for SCAP 1.0 \ 1.1 and 1.2. A selection must be made to generate a report to match the corresponding DCM baseline in Configuration Manager database)

-out [output directory]

Specify where to output the Compliance Settings cab file.

No (if not specified, then the output only lists the content without conversion)

-log [log file]

Specify the log file.

No (if not specified, then the log is written to SCAPToDCM.log \ DCMtoSCAP.log file)

-help / -?

Print out tool usage.





Log Files

These are the relevant log files for troubleshooting the deployment and evaluation of Configuration Baselines

Log nameDescription
CIAgent.logRecords details about the process of remediation and compliance for compliance settings, software updates, and application management.
CIDownloader.logRecords details about configuration item definition downloads
CITaskManager.logRecords information about configuration item task scheduling.
DCMAgent.logRecords high-level information about the evaluation, conflict reporting, and remediation of configuration items and applications.
DCMReporting.logRecords information about reporting policy platform results into state messages for configuration items.
DcmWmiProvider.logRecords information about reading configuration item sync lets from Windows Management Instrumentation (WMI).
PolicyAgent.logRecords requests for policies made by using the Data Transfer service.
Scheduler.logRecords activities of scheduled tasks for all client operations.
StatusAgent.logRecords status messages that are created by the client components.
DataTransferService.logRecords all BITS communication for policy or package access.
PolicyEvaluator.logRecords details about the evaluation of policies on client computers, including policies from software updates.








10 Things You Must Know Before Your Next Windows Deployment

This is the first article in a series of articles on Windows 10 deployment and management.  In this first article, I will cover some of the basics for a refresher or if Windows 10 is your first time deploying an OS.  I will also cover what has changed or updated recently as well as what is new.  This series will get progressively deeper into deployment and then I will cover management of your newly deployed Windows 10 computers and devices starting with the basics again followed by deeper technical articles.  With Windows 10 being available on July 29th and the paradigm shift in Windows and Windows deployment my intention is to provide enough information to enable others with the ability to confidently deploy and manage Windows 10 before the 29th of July.


Series of articles:

  1. What is new in Windows deployment
  2. Options for deploying Windows 10
  3. How-to successfully deploy Windows 10
  4. What is new in Windows systems management
  5. Options for managing Windows 10
  6. How-to manage Windows 10

Read more10 Things You Must Know Before Your Next Windows Deployment

Advanced Threat Analytics Now Included in EMS

ZDNet ran a story on this yesterday with an update today.  But this looks like it is confirmed at this point.  No additional cost to the EMS license for this, which is interested and not sure if I believe that part.

“Update (June 23): Microsoft has removed the blog post about EMS getting Advanced Threat Analytics, and also has removed the webinar registration post. (My guess is they weren’t yet ready to announce this.)”

From Brad Anderson’s Ignite summary post on ATA

The problems caused by compromised user credentials is the #1 issue we hear reported by organizations all over the world.

The reason for this problem is twofold:

  • First, many end users are still getting up to speed when it comes to understanding the importance of credential security.
  • Second, the existing security tools are just too cumbersome – they create way too many false positives, they take years to fine tune, and the reports they generate are nearly impossible to read and understand quickly.

Perhaps the most problematic issue of all is how traditional IT security solutions operate once a breach occurs. Getting a massive data dump when you’re trying to identify and isolate the intrusion can take far too long at a time when every second can make or break your organization. It’s counterproductive to have your security software hand you a haystack when you really need a needle.

  • You can detect advanced security threats fast via behavioral analytics that leverage Machine Learning.
  • Now you can adapt to the changing nature of cyber-security threats with a technology that is continuously learning.
  • You can narrow down the most important factors using the simple attack timeline.
  • ATA’s innovative technology reduces false positive fatigue and raises red flags only when needed.

More info on ATA here.

10 Most Important Announcements From Ignite

My top 10 most important announcements so far at Ignite.  Ranked from most important to least importance, as it pertains to me.

  1. Technical preview of Configmgr vNext available now with SCEP
  2. Service pack for SCCM 2012 due next week
  3. Announced Azure Stack – Replacing Azure Pack for on-prem Azure services Deploying Azure in Your Datacenter
  4. Roadmap for Configmgr and Intune
  5. The Microsoft Operations Management Suite (OMS)
  6. Microsoft Advanced Threat Analytics
  7. Power BI in SCCM
  8. Detecting Anomalous Sign-Ins with EMS
  9. Windows 10 Device Guard
  10. The New Outlook App: A Modern Standard for Secure E-mail

Configmgr vNext Technical Preview

New features in today’s Technical Preview include:

  • Support for Windows 10 upgrade with OS deployment task sequence – In addition to providing support for existing wipe-and-load (refresh) scenarios, the ConfigMgr Technical Preview includes enhanced upgrade support with in-place upgrade to Windows 10.
  • Support for installing Configuration Manager on Azure Virtual Machines – Similar to how you can install ConfigMgr on Hyper-V today, you can now run ConfigMgr in Azure VMs. This provides flexibility to move some or all of your datacenter server workloads to the cloud with Azure.
  • Ability to manage Windows 10 mobile devices via MDM with on-premises Configuration Manager infrastructure – With this new option, you can manage Windows 10 mobile devices using ConfigMgr integrated with Microsoft Intune (hybrid) without the need to store your data in the cloud. This is especially helpful for managing devices that are unable to connect to the Internet such as Windows IoT/Embedded devices. So go ahead and try it out – you can enroll devices, set policies, and wipe/retire devices today with more functionality to be added in the future to manage all of your Windows 10 devices with MDM.

Service Pack for Configmgr 2012 (next week)

Next week, Microsoft will also be releasing service packs for Configuration Manager 2012 and 2012 R2 to customers. These will deliver full compatibility with existing features for Windows 10 deployment and management as well as several other features, including:

  • App-V publishing performance – Improved performance that reduces the time required for apps to display after the first logon for non-persistent VDI environments.
  • Scalability improvements  Increased hierarchy scale to 600K and primary/standalone site scale to 150K.
  • Content distribution improvements – Improved data transfer reliability for slow and latent networks, and also improved scale and performance for pull distribution points (DP).
  • Native support for SQL Server 2014 – Added native support for SQL Server 2014 to enable site installation and recovery using SQL Server 2014.
  • Hybrid features  Added a large number of hybrid features for customers using ConfigMgr integrated with Microsoft Intune (hybrid). Some of the features that you can expect to see in this release include conditional access policy, mobile application management, and support for Apple Device Enrollment Program (DEP).

Finally, for SCCM 2007:

  • System Center Configuration Manager 2007 (SP2, R2, and R3) support for the management of Windows 10 is coming via a compatibility pack in Q4 2015 (Note: OS and client deployment will not be supported).
  • An update for the Microsoft Deployment Toolkit (MDT) in Q3 2015 that will deliver support for Windows 10.

Azure Stack

This is Azure running in your own datacenter.

Azure Stack transforms your datacenter infrastructure into automated resource pools that can be tailored to application service levels. This means that your app owners can quickly consume standardized IaaS/PaaS services using the same self-service experience as Azure – and they can do it through a consistent app platform that spans on-premises and Azure.

This makes containers and Hyper-V containers and Nano server much more interesting.

Four other things to consider with Azure Stack:

  • Cloud-inspired infrastructure
    Azure Stack is built on a great heritage of technology (Azure, Windows Server, System Center) and it delivers reliable, software-defined infrastructure, that’s proven at hyper scale.
  • On-demand infrastructure extensions
    With Azure Stack you have access to Azure’s bottomless scale and elasticity – without affecting your ongoing on-prem security protocols or performance.
  • Cloud-consistent service delivery
    Enable your developers and end-users to productively consume software-defined infrastructure using the same intuitive self-service experience as Azure. The result is faster time-to-market with composable IaaS/PaaS services that can be deployed wherever you need them (on-prem, hosted, or Azure).
  • Cloud-optimized application platform
    Windows Server and Azure deliver a consistent app platform for next-generation apps. This empowers your developers to build apps for any environment, and those apps can be used in any cloud without having to modify, rewrite or reconfigure code.

Roadmap for Configmgr 2012






Conditional Access Policy

  • Restrict Access to Exchange on-premise email only if the device is managed
  • Restrict access to Exchange Online only if the device is managed and compliant (Extension released to add support for Exchange Online in March 2015)
  • Restrict access to SharePoint Online and OneDrive for Business only if the device is managed and compliant

Mobile Application Management

  • Managed Office mobile apps – Word, Excel, PowerPoint, OneDrive, OneNote
  • App Wrapping Tool for existing iOS line-of-business apps
  • Managed Browser for iOS and Android devices
  • PDF Viewer, AV Player, and Image Viewer for iOS (in web viewer) and Android devices

Configuration Policies and Resources Access

  • Deployment of certificates in .pfx format (Network Device Enrollment Service not required)
  • Device lockdown via supervised iOS devices and Assigned Access for Windows Phone 8.1
  • Application install allow/deny list
  • Support for custom policies for iOS devices
  • Deployment of email profiles for Android devices using Samsung KNOX
  • Deployment of VPN profiles for Android devices
  • Passcode reset and remote device lock for iOS, Android, and Windows Phone devices

Ongoing Support for Device Platforms

  • Support for Apple Device Enrollment Program (DEP)
  • Support for Samsung KNOX Standard
  • Push free store apps to iOS devices
  • Convenient access to internal corporate resources via per-app VPN configurations for iOS



Conditional access policy

  • Ability to restrict access to Outlook app based on device enrollment and compliance

Mobile app management

  • Intune app SDK for iOS
  • Intune app wrapping tool for Android
  • Support for MAM in Outlook apps
  • Multi-Identity

Ongoing support for device platforms

  • Support for Apple Volume Purchase Program (VPP)
  • Windows 10 support
  • Mac OS X support

Microsoft Operations Management Suite


A new tool for managing your on-premise datacenter and cloud environment from a single view.

Having a hybrid infrastructure that is “pretty good” is not enough. This is a solution that creates a hybrid infrastructure that is great.  Now you can manage Azure or AWS, Windows Server or Linux, VMware or OpenStack – all with a cost-effective, all-in-one cloud IT management solution.

With OMS you’re going to see six big benefits right out of the box:

  • Log Analytics:
    Now you can collect and search across multiple machine data sources and identify the root cause of any operational issues (learn more here).
  • Availability:
    Integrated recovery is enabled for all your servers and apps – no matter where they reside.
  • Automation:
    Complex and repetitive operations are orchestrated for more efficient and cost-effective hybrid cloud management.
  • Security:
    You can identify malware status and missing system updates, and collect security-related events to perform forensic, audit and breach analysis.
  • Extending System Center:
    OMS combines with System Center to do some amazing things. For example, OMS extends its capability to deliver a full hybrid management experience across any datacenter or cloud.
  • Hybrid & Open:
    We recognize that your organization is no longer housed in just a single datacenter. That’s why OMS can manage your hybrid cloud no matter what topology or technology you’re using – and, of course, it works seamlessly with our existing on-prem infrastructure.

View a video of OMS in action here.

The pricing today is available as an addition to your Azure subscription with pay-as-you-go pricing for the features you need.  In July you will also be able to add it to your System Center licensing as a step-up pricing.


Microsoft Advanced Threat Analytics

Microsoft Advanced Threat Analytics is an on-premises product to help IT organizations protect their enterprise from advanced targeted attacks by automatically analyzing, learning, and identifying normal and abnormal entity (user, devices, and resources) behavior through Active Directory, the identity management technology used by most enterprises. It also detects known malicious attacks and security issues using security research work. ATA provides clear and relevant threat information on a simple convenient feed, helping IT security professionals to focus on what is important.  You can learn more by visiting the Microsoft Advanced Threat Analytics page. Read today’s blog post from our engineering team.

Power BI for Configmgr


This combines two great things that are long overdue being paired together: Power BI and System Center Configuration Manager. This combination gives configmgr admins the ability to monitor and report on software update and endpoint protection compliance in their organization, along with other compliance data from baseline configurations, configuration items, software deployments, so on.

This is the dashboard every CISO in the world would want to have and use. In a single place you can now get a view of mobile device compliance with corporate policies, PC compliance with security updates, and malware encounters across the entire enterprise. The Power BI dashboard enables you to drill into a wide variety of reports to identify trends and correlations, as well as use the Power BI Q&A feature to quickly identify any user data that may be at risk.

By integrating with Power BI, you are able to make this data accessible and consumable by IT organizations everywhere and enable IT Pros to unlock powerful new ways to work with, learn from, and take action on their data.

This is an incredible example of the truly vast benefits of using an integrated solution for PC and mobile device management.

The benefits include

  • This dashboard is massively helpful for monitoring and reporting on software updates and endpoint protection compliance for your organization.
  • The interface allows you to identify correlations and gain insight into management and security trends.
  • With the Power BI Q&A feature you can immediately get answers to natural language questions about software updates and malware data.
  • Now you can wallow in the data and see insights that would have been impossible to spot before.

Get started with Power-BI and Configmgr here.

Detecting Azure Anomalous Logins with EMS

This adds analytics-driven security controls to the security you already have. Azure Active Directory’s Machine Learning based anomaly detection reports analyze login patterns to detect irregular activity

  • Azure AD is constantly monitoring user authentication behavior to detect anomalies that might be indicative of identity compromise.
  • This constant monitoring allows IT to quickly identify attacks to their organization and take action.
  • Having Azure AD do the heavy lifting of nonstop user authentications monitoring allows IT to focus on the mission-critical task of remediation.
  • You can catch these compromised accounts and stop attacks!

Device Guard for Windows 10

Device Guard demands that every app attempting to access your network has to be proven safe before it enters, and, even more importantly, Device Guard’s capabilities are protected in an unprecedented way that uses virtualization to protect itself even in the event that the Windows Kernel is fully compromised.

For this reason, Device Guard can block zero day exploits and unknown malware threats because it isn’t dependent on the latest AV signatures or behavior monitoring. It also neutralizes common intrusion workarounds because Device Guard protects users even when they have full admin privileges.

  • This feature is ideal for a very wide range of devices, like PoS’s, ATM’s, and any other assets that serve a critical business function and contain sensitive data.
  • As noted above: It blocks zero day exploits and protects users with admin privileges.
  • This enables IT to provide a much higher level of assurance that malware will not be running on devices.

Coming soon

New Outlook Using MAM

This gives IT control of which apps have access to business data and can share that data. Now end-users no longer need two apps for the same purpose (e.g. one for personal and one for work) because apps that have been enlightened to participate in the Intune MAM capabilities are now multi-user capable.

This feature also enables the full protection stack from identity to device, to apps, to files when used with O365, Azure AD, Intune, and Azure Rights Management (RMS).

Today was the first time Microsoft publicly discussed the multi-identity support coming to the Intune App SDK. This multi-identity support will enable apps to be used in both your personal and corporate lives.

  • Microsoft’s commitment to Data Leakage Protection
    This demo made it clear that Microsoft is committed to not only protecting against data leakage, abut also providing MAM for all platforms. The new Outlook app for iOS and Android, combined with the power of Intune and O365, is delivering on that commitment.
  • Our MAM strategy goes beyond “containers”
    Not only does it extend beyond the idea of containers, it enables multi-identity-aware work and personal experiences that are relevant for real-world uses as well as the expectations users have when interacting with their apps.
  • Identifying corporate vs. personal apps/data
    Not only is it now possible to identify corporate and personal apps and data on a device, but you can keep it separate – and you can do it all in a way that is seamless to the user. This prevents users from accidentally sharing sensitive data outside of the organization, and it allows IT to specifically define which apps have access to that corporate data. This also ensures that, when a device is wiped, only the corporate content is removed.

Coming soon

In addition, Microsoft announced

  • Intune Conditional Access and Mobile Application Management for the Outlook app: This quarter, Intune will enable customers to restrict access to the Outlook app based upon device enrollment and compliance policies as well as restrict actions such as cut, copy, paste, and save as between the Intune-managed Outlook app and personal apps.  Stay tuned to the Intune blog for more information on this feature when it becomes generally available.
  • Azure AD Cloud App Discovery:  In the next month Azure AD will enable customers to identify cloud apps being used in a customer’s IT environment revealing shadow IT. Read more from our engineering team about Cloud App Discovery.
  • Public preview of Azure AD Privileged Identity Management: Enables customers to discover, restrict and monitor privileged accounts and their access to resources and enforce on-demand temporary administrative access when needed. Azure AD Privileged Identity Management is available in Azure AD Premium. Read more from our engineering team about Privileged Identity Management.
  • Public preview of Azure Rights Management Document Tracking: Enables customers to track activities on sensitive files that they have shared with others. With a single click, users can also revoke access to shared files. Read more from our engineering team about Document Tracking.

Custom OMA-URI for Windows 10

Additionally, you can now create custom policies using OMA-URI to manage new Windows 10 features with Intune. As part of our monthly cloud cadence, we also plan to incrementally add native UI support for new Windows 10 features to provide you with best-in-class management for Windows 10 with Intune.

You can find more information on custom OMA-URI settings for Windows 10 here. This list of settings will continue to be expanded over time. You can also view the complete list of Configuration Service Providers (CSPs) exposed in the Windows 10 Technical Preview builds here.


Can Microsoft Disrupt Google’s Dominance of Mobile

New tools for developers to integrate with the Universal Windows Platform capabilities

At the Build conference today Microsoft made a play to shift the device ecosystem to Windows.  In the past Android ruled the device OS, Apple came in a distant second with iOS, and Microsoft was in last place, about four laps down.  Part of the problem was from the carriers blocking Microsoft from getting on the device.  This is Google’s battle to lose, they have essentially already won it and just need to not screw it up.  Microsoft is betting that it can make the Windows platform attractive again and is making moves to allow any type of app to run on Windows 10. 

Here is a breakdown of some of the announcements made today.

Porting Android and iOS apps to Windows 10 just became a breeze.

New SDK’s to port apps to Windows 10

  • iOS Objective C
  • Android Java and C++
  • .NET and Win32
  • Web sites

Windows 10 on one billion devices in three years

Windows 10 Device Family

Windows Store for consumers and business

“For businesses, the Windows Store enables admins to highlight apps for their employees, distribute select apps from the Windows Store and private line-of-business apps to their employees, and use business payment methods like purchase orders.”

“Developers will be able to write an application once and distribute it to the entire Windows 10 device family, making discovery, purchasing and updating easy for customers.”

Windows Store in Windows 10.

Universal Windows Platform

“With the Universal Windows Platform, developers can now create a single application for the full range of Windows 10 devices. The platform’s UX controls automatically adapt to different screen sizes, and the developer can then tailor applications to unique capabilities of each device. “


New Continuum functionality in Windows 10 extends the Continuum functionality for PCs and tablets to phones, enabling people to use their phones like a PC for productivity or entertainment

Windows 10 phone Contiuum

Intune Enrollment Instructions

Microsoft released a Word doc that includes step-by-step instructions on enrolling a mobile device that can be customized and distributed by IT to mobile users.  It includes instructions for iOS, Android and Windows Phone.  This is a pretty common need for a new service to help educate end users and will save the team managing a rollout of Intune some time.

It’s available here for download.