Using Microsoft Security Baselines with System Center Configuration Manager

This post is obsolete and uses tools that are no longer available. Please see Import Microsoft Security Baselines into MEMCM – ( for an updated way of importing baselines.

Microsoft provides security baselines with hundreds of security configuration settings that you can use to compare against your systems to determine how secure your environment is or to monitor security compliance in your organization.  Comparing the settings of a security baseline against many computers and obtaining the result may prove to be a challenging task.  Thankfully, the Microsoft Security Compliance Manager (SCM) tool makes it easy to export these security baselines into a System Center Configuration Manager (SCCM) configuration pack, which can easily be imported into SCCM as a Desired Configuration Management (DCM) configuration baseline.

The Security Compliance Manager comes with many security baselines for the latest versions of Windows, Office and Internet Explorer.  For example, for Windows 7, the following baselines are provided.

Selecting a baseline and then clicking on Properties on the right pane displays an explanation of the security baseline.  These are the properties of the Win7-EC-Laptop baseline (EC stands for Enterprise Client).

When you select a baseline, the main middle pane shows a list of the settings contained in that baseline.  For example, these are the first six settings (out of 266) in the Win7-EC-Laptop baseline:

The Default column indicates what the default value is for a setting, the Microsoft column indicates the recommended configuration from Microsoft, and the Customized column indicates the customized configuration if you have modified the setting.

Note that Microsoft does not allow you to modify their settings.  For example, when you click on a setting, the controls are greyed-out:

What you can if you need to modify settings is to make a copy of a baseline.  You make a copy by selecting the baseline and then click on Duplicate on the right-pane.

The Duplicate wizard prompts you to enter a name for the new baseline (you can accept the default which is “Copy of XXX”, where XXX is the name of the baseline that you are duplicating.

The duplicated baseline will then appear under Custom Baselines:

The controls of a setting in the duplicated baseline are no longer greyed-out, allowing you to make changes to it:

You can use your SCCM infrastructure to compare the settings in a baseline against your SCCM client computers and obtain the comparison results.  To accomplish this, first export a baseline by selecting it and clicking on SCCM DCM 2007 under Export in the right pane.

This will save the baseline as a CAB file.  You can then import this CAB file into SCCM by right-clicking on the Configuration Baselines node and selecting Import Configuration Data as illustrated below.

In the Import Configuration Data wizard click on Add to select the CAB file.

The wizard will display the configuration data being imported.  This is a partial list:

When the Import wizard finishes, it will display the imported configuration data.  This is a partial list:

The imported configuration baseline will them be added to the SCCM Configuration Baselines node.

You are now ready to assign the baseline to the appropriate collection for evaluation.   For information on how to assign a baseline to a collection and view the results of the evaluation on target systems, see the following article from Windows Management Experts:

Authoring a DCM Configuration Item to Identify and Fix Non-compliant Systems



Contact Us

On Key

More Posts

Mastering Azure AD Connect - A Comprehensive Guide by WME
Active Directory

Mastering Azure AD Connect – A Comprehensive Guide

Modern businesses are fast moving toward cloud-based infrastructure. In fact, cloud-based business is not just a trend anymore but a strategic necessity. Microsoft’s Azure Active Directory (Azure AD) has become a frontrunner in this domain. It

Read More »
Security Best Practices in SharePoint
Office 365

Security Best Practices in SharePoint

Microsoft SharePoint is an online collaboration platform that integrates with Microsoft Office. You can use it to store, organize, share, and access information online. SharePoint enables collaboration and content management and ultimately allows your teams to

Read More »
The Ultimate Guide to Microsoft Intune - Article by WME
Active Directory

The Ultimate Guide to Microsoft Intune

The corporate world is evolving fast. And with that, mobile devices are spreading everywhere. As we venture into the year 2024, they have already claimed a substantial 55% share of the total corporate device ecosystem. You

Read More »
Protecting Microsoft 365 from on-Premises Attacks
Cloud Security

How to Protect Microsoft 365 from On-Premises Attacks?

Microsoft 365 is diverse enough to enrich the capabilities of many types of private businesses. It complements users, applications, networks, devices, and whatnot. However, Microsoft 365 cybersecurity is often compromised and there are countless ways that

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.