Tuesday, November 1, 2016

SCAP Extensions for Configuration Manager

The SCAP Extensions tool will let you convert XML's that are SCAP 1.0 or 1.2 / DataStream SCAP 1.2 Compliant into Configuration Manager (ConfigMgr 2012+)  usable Configuration Item \ Configuration Baseline packages ( DCM CAB's).

 I did not have a ton of luck finding a straightforward, step by step instruction set for this, and the documentation left me a bit confused (nothing new to see here folks!). My biggest issue was finding a usable baseline and dictionary.

 If you are interested in security, involving a ConfigMgr environment, I cannot stress enough how valuable the Microsoft Security Compliance Manger (SCM) is: https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

Where's what I got, where I got it, and how I ran it.


  • SCAP Extensions 3.0 Announcement: Click Here
  • SCAP Extensions Download (v3.0.1157.0): Click Here
  • SCAP Extensions Documentation: Click Here
    • SCAP Extensions only supports .XML that include XCCDF (SCAP 1.0 and 1.1)/DataStream SCAP1.2 content.
    • Doc's point you to checklists that meet the above criteria here: Click Here (very generic link)


Let's do a Windows 10 Baseline!


  • Download and install SCAP Extensions per documentation (install, next…next installation process).
    • The install will create a link in the Start Menu called "SCAP Extensions" within "SCAP Extensions" leading to a command prompt sitting at "C:\Program Files (x86)\SCAP Extensions".
    • However, since you need to have an Admin level privilege to make changes in that subfolder, you'd right-click the link to start it as Administrator, but that will dump you in "C:\Windows\System32".
    • Just be aware that it will do that.
  • Review info about the Benchmark we are using: Click Here
  • Download the checklist, from the page listed above (Windows 10 Benchmark STIG Version 1, Release 3, SCAP 1.1 Content): Click Here
  • Extract all 4 XML files to "C:\Program Files (x86)\SCAP Extensions\"
    • Obviously, this can be done more cleanly, use a sub-folder at least, network share would be a good practice.
  • Within "C:\Program Files (x86)\SCAP Extensions\" create the subfolder "DCM_CABS"
  • Open an Admin level command prompt to "C:\Program Files (x86)\SCAP Extensions\"
  • Run: "C:\Program Files (x86)\SCAP Extensions>scaptodcm -xccdf U_Windows_10_V1R3_STIG_SCAP_1-1_Benchmark-xccdf.xml -cpe U_Windows_10_V1R3_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml -out .\DCM_CABS"

Watch some sweet scrolling text of status updates and progress!


  • Within the subfolder "DCM_CABS" you'll find a file "Windows_10_STIG.cab".
  • Then take this file, and import it via the ConfigMgr DCM import tool.

The rest is pretty self-explanatory \ out of scope for this write up. Enjoy!

Posted by at No comments:
Labels: , , , , , , ,
Location: Albany, NY, USA
Subscribe to: Posts (Atom)