Microsoft Security Compliance Manager (SCM)

This is an awesome tool that helps you define and document your Group Policy Objects. It can be downloaded here: As part of the installation, it will install SQL Server Express with a small database. The rest of the installation is straightforward.


When you launch the tool for the first time, it will go ahead download all some older baselines (up to Windows 8, Server 2012, and Office 2010). To add current baselines, click the “Download Microsoft baselines automatically” link under “Get knowledge.”

After a quick search, the tool returns all available baselines. Select the items you want and click “Download”. I choose both of the options for Windows 10 1607.

Windows 10 is broken into several baselines, each for implementing particular security features. Not all baselines will be broken down like this. You start exploring the policies by clicking on a baseline.

Importing Your GPO

The really powerful feature of this tool is it’s ability to compare baselines to each other, or to your current settings. To start, you must import your GPO into the tool. To do this, you need to export your GPO. To do this, right-click on the GPO in the Group Policy Management MMC snap-in and select Back Up.

Give the wizard a location and description. The GPO SID becomes the folder name. In SCM, select “GPO Backup (folder)” from the Import section of the Action pane.

Select your backup folder and the program will import your GPO as a custom baseline.

Comparing Baselines

Now that we have our GPO imported, we can run a compare against a Microsoft baseline. To do this, select “Compare / Merge” from the action pane.

The wizard will ask you which baseline to compare too. I’m going to select the “Win10-1607 Computer Security Compliance 1.0” baseline.

After this, we have our comparison, broken down by settings that differ, settings that match, settings that are only in baseline A (my GPO), and only settings that are in baseline B (the Microsoft baseline).

I highlighted one import thing from the comparison screenshot – Export to Excel. This can exported to Excel, where you get this information in different sheets. Unfortunately you cannot work in Excel and have that information reflected in SCM. You will have to configure settings from within SCM.

Modifying Settings within SCM

You can change settings from within SCM. In the screenshot above, you can see that I have it set to prevent changing the lock screen image. If I decide that does not conform to a baseline and what I to change it back, I can select the setting and change it to “Not Configured”.

That will now be reflected in my current baseline.

Creating a GPO from a Baseline

Now that I’m setting “Prevent changing the lock screen image” to “Not Configured”, I need to get this back to Group Policy. To do that, you have to export the baseline. The easiest way to do this is to create a GPO Backup. This create the same folder structure from the GPO export above, and allow us to import it through the Group Policy Management MMC. To do this, select “GPO Backup (folder)” from the Export section of the Action Pane.

Tell the wizard where to export your backup. From there, import the backup. You now have your updates GPO.


In this case (changing one setting), I would not have bothered with the export – I would’ve just changed the one setting I needed changed. This tool is really powerful for making sure that you are still within your baselines. It’s also really helpful when a new operating system comes out. Using this tool, I can make sure that my Windows 10 1607 GPO’s are still within the GPO I defined for Windows 10 1511. I can modify the GPO as needed to ensure that Windows 10 1607 is still in compliance.

Non-Microsoft Baselines

This tool is really fast and easy for importing Microsoft baselines. What about baselines from NSIT or CIS? Well these can also be imported. If you can download a cab or GPO backup folder, those are easy, just select “GPO Backup (folder)” or “SCM (.cab)” from the import section. If that’s not available, you can take the baseline GPO’s and import them through the Group Policy Management MMC, then re-export them as a GPO Backup. That will allow them to be imported into this tool.


All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.



Contact Us

On Key

More Posts

Mastering Azure AD Connect - A Comprehensive Guide by WME
Active Directory

Mastering Azure AD Connect – A Comprehensive Guide

Modern businesses are fast moving toward cloud-based infrastructure. In fact, cloud-based business is not just a trend anymore but a strategic necessity. Microsoft’s Azure Active Directory (Azure AD) has become a frontrunner in this domain. It

Read More »
Security Best Practices in SharePoint
Office 365

Security Best Practices in SharePoint

Microsoft SharePoint is an online collaboration platform that integrates with Microsoft Office. You can use it to store, organize, share, and access information online. SharePoint enables collaboration and content management and ultimately allows your teams to

Read More »
The Ultimate Guide to Microsoft Intune - Article by WME
Active Directory

The Ultimate Guide to Microsoft Intune

The corporate world is evolving fast. And with that, mobile devices are spreading everywhere. As we venture into the year 2024, they have already claimed a substantial 55% share of the total corporate device ecosystem. You

Read More »
Protecting Microsoft 365 from on-Premises Attacks
Cloud Security

How to Protect Microsoft 365 from On-Premises Attacks?

Microsoft 365 is diverse enough to enrich the capabilities of many types of private businesses. It complements users, applications, networks, devices, and whatnot. However, Microsoft 365 cybersecurity is often compromised and there are countless ways that

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.