Microsoft Security Compliance Manager 4.0, Policy Analyzer, and LGPO – Security Admin Tools


(Microsoft’s Channel 9 Podcast – Defrag Tools)

I recently installed the Security Compliance Manager 4.0 using and already installed version of SQL Server 2016 express. This is how you need to install SCM 4.0 on windows 10, since SQL Server 2008 is no longer compatible with Windows 10. If you do not already have SQL Server Express installed, then you need to download and install SQL Server express 2014 or 2016 and install just the engine. Then you can install Security Compliance Manager 4.0 and it will ask for an installed instance of SQL Server and you must choose the name of the instance that you just installed. Then SCM4.0 will install successfully on Windows 10. Although Petri.com has posted a review of Microsoft Security Compliance Manager in 2014, there is now a new version available and this post will discuss Version 4.0. Security Compliance Manager will allow you to download Microsoft recommended Security Baselines for Windows 7,8, and 10, and for Windows Server 2012, 2016, and SQL Server 2012. These baselines contain group policies and settings that are recommended by Microsoft to secure your Active Directory domains.

Also available now is Policy Analyzer.

Policy Analyzer

Photo of Policy Analyzer from Microsoft Security Guidance blog on Microsoft TechNet.



The most interesting of the new baselines is perhaps the Windows 10 1607 Security Baseline, and it is available to download after you install Security Compliance Manager 4.0. This baseline can be exported to an Excel spreadsheet that separates the settings and configurations into different tabs. For some reason I am not able to preview this page anymore as I type it, I think adding Google tag manager has screwed it up. So I’m going to post this and then investigate what happened, and I might have to remove the Google Tag Manager. Hopefully I will continue this post later, if you have any questions about these two security software applications from Microsoft feel free to email me at james at jgnetworksecurity.com.