Microsoft Security Compliance Manager (SCM) - Getting Started

Microsoft Security Compliance Manager (SCM) - Getting Started

Installation Steps

This section provides instructions on how to install the Microsoft Security Compliance Manager (SCM) tool. While installing the tool, you can configure it to download all of the latest security baselines from Microsoft, or after completing the installation you can access the File, Check for Update menu to check for baselines.

Note   The download process for SCM automatically installs SQL Server 2008 Express Edition on your computer if you do not already have this software.

If SQL Instance (s) are found on your computer, you may choose one of them to install SCM.

To download and install SCM

  1. On the Microsoft Security Compliance Manager download page, scroll down to the Quick Details section, and then click the Download button next to Microsoft_Security_Compliance_Manager.Setup.exe to start the download.
  2. Do one of the following:
    • On the File Download – Security Warning prompt, click Run to immediately start the download process.
    • On the File Download – Security Warning prompt, click Save, and then in the Save as dialog box, specify where on your computer to download the installation file for the tool, and then click Save.
  3. If required, on the User Account Control prompt, provide your credentials if needed, and then click OK to allow the download to proceed.
  4. On the Welcome to the Microsoft Security Compliance Manager Wizard page, consider the following options, and then click Next:
    • Automatically check for application and baseline updates from during application usage for current user.
    • The Read the online privacy statement link to this information on the tool.
  5. On the License Agreement page of the wizard, review the terms of the license agreement, choose the option to accept the terms in order to proceed with the installation, and then click Next.
  6. On the Installation Folder of the wizard, confirm the default installation folder for the tool or click Browse to change it.
  7. On the SQL Server Express page of the wizard, choose from the following options:
    • If you already have SQL Instance (s) available on your computer, you may choose one of them to install SCM.
    • Install SQL Server 2008 Express Edition on your computer if you do not already have this software.
      • Download and install.
      • Install from previously downloaded installation files.
  8. On the SQL Server Express License Agreement page of the wizard, review the terms of the license agreement to use SQL Server 2008 Express Edition, choose the option to accept the terms in order to proceed with this part of the installation process, and then click Next.

    Note   There is also an option on this page to print the license agreement for this software if you want to make a copy for your reference.

  9. On the Ready to Install page of the wizard, confirm the Installation Summary information that you specified previously, and then click Install.

    Important   You cannot cancel the setup wizard after you start the installation process for the SQL Server Express and SCM.

  10. On the Installing the Microsoft Security Compliance Manager page of the wizard, monitor the installation progress for the software while waiting for the setup wizard to complete the installation.

    Note   The installation process may take awhile to complete.

  11. On the Installation Successful page of the wizard, click Finish to complete the installation process.

The SCM Console

The SCM Console provides you with a single point of access to work with the recommended security baselines from Microsoft for your security environment. The console also provides access to supporting documentation to help you make informed decisions about how to customize the security baselines to meet your organization's security requirements.

To access the SCM Console

  • On your computer, click Start, click All Programs, click Microsoft Security Compliance Manager to open this directory to access the tool, and then click Security Compliance Manager to open the welcome page of the tool console.


The SCM Console Welcome page displays the three panes that you use to import, customize, deploy, and monitor your security baselines. These are:

  • Baseline Library: The left pane of the console lists all of the available baselines in a tree structure.
  • Baseline Information: The center pane of the console displays component information about the baseline that is currently selected in the left pane of the console.
  • Actions: The right pane of the console lists commands to manage your baselines that change depending on what process you are using the tool to accomplish. 

For more information about the tool interface, and how to use various features of the tool, see the Help Topics link, under Help section of the actions pane.


Please direct questions and comments to Security Solutions Questions & Feedback

Sort by: Published Date | Most Recent | Most Useful
  • Requirements for this tool? (OS, HW, account permissions, service account?)

    Should be run on server or client?

    Can we use an existing SQL instance creating a new database for this tool?

  • Great article!

  • This is a great tool! A database as a requirement to run this tool might sound peculiar but it is definitely worth it. It is a real accelerator when creating tailored policies for your environment. Well done! Category: Essential

  • Ed Price - MSFT edited Revision 6. Comment: Amazing article! Added the TOC.

  • Congratulations on being featured on the front page of TechNet Wiki!

  • Very good

  • The installer that comes with 2.5 is broken. I'm trying to install in a Server 2003 environment and it failed to install with no explanation. I looked at the batch file from the files extraction "scm_install_prereq_checker.bat" which has significantly changed since the last version. The check for VC++ redistro fails because in a stock Server 2003 environment the WMI class Win32_Product does not exist and so the script will crash and burn resulting in you not being able to install. Here is the check from the batch file.

    WMIC Path Win32_Product Get IdentifyingNumber /Value   results in Invalid class

    For Server 2003 you need to go to Add/Remove->Windows Components and add "WMI Windows Installer Provider". This should be added to a 'requirements' section. Additionally since the check fails it will try to reinstall VC++ even though you have it.

  • Nice work.  Very helpful SCM info.

  • Good article, but I find getting to this point is pretty straightforward - it's the next steps that I get into trouble over. A TLG for the SCM would be really helpful - how to incorporate it's use into a domain would be helpful.

  • Having the solution accelerator is nice and I intend to work on getting the SCCM 2012 integration put into practice, but sometimes all you need are the Word documents.  This is a bit of a burdensome process just to get those.

Page 1 of 2 (13 items) 12