I did not have a ton of luck finding a straightforward, step by step instruction set for this, and the documentation left me a bit confused (nothing new to see here folks!). My biggest issue was finding a usable baseline and dictionary.
If you are interested in security, involving a ConfigMgr environment, I cannot stress enough how valuable the Microsoft Security Compliance Manger (SCM) is: https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx
Where's what I got, where I got it, and how I ran it.
- SCAP Extensions 3.0 Announcement: Click Here
- SCAP Extensions Download (v3.0.1157.0): Click Here
- SCAP Extensions Documentation: Click Here
- SCAP Extensions only supports .XML that include XCCDF (SCAP 1.0 and 1.1)/DataStream SCAP1.2 content.
- Doc's point you to checklists that meet the above criteria here: Click Here (very generic link)
Let's do a Windows 10 Baseline!
- Download and install SCAP Extensions per documentation (install, next…next installation process).
- The install will create a link in the Start Menu called "SCAP Extensions" within "SCAP Extensions" leading to a command prompt sitting at "C:\Program Files (x86)\SCAP Extensions".
- However, since you need to have an Admin level privilege to make changes in that subfolder, you'd right-click the link to start it as Administrator, but that will dump you in "C:\Windows\System32".
- Just be aware that it will do that.
- Review info about the Benchmark we are using: Click Here
- Download the checklist, from the page listed above (Windows 10 Benchmark STIG Version 1, Release 3, SCAP 1.1 Content): Click Here
- Extract all 4 XML files to "C:\Program Files (x86)\SCAP Extensions\"
- Obviously, this can be done more cleanly, use a sub-folder at least, network share would be a good practice.
- Within "C:\Program Files (x86)\SCAP Extensions\" create the subfolder "DCM_CABS"
- Open an Admin level command prompt to "C:\Program Files (x86)\SCAP Extensions\"
- Run: "C:\Program Files (x86)\SCAP Extensions>scaptodcm -xccdf U_Windows_10_V1R3_STIG_SCAP_1-1_Benchmark-xccdf.xml -cpe U_Windows_10_V1R3_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml -out .\DCM_CABS"
Watch some sweet scrolling text of status updates and progress!
- Within the subfolder "DCM_CABS" you'll find a file "Windows_10_STIG.cab".
- Then take this file, and import it via the ConfigMgr DCM import tool.