Security Compliance Manager installer is just terrible

    General discussion

  • First of all, if you try to install SCM on a domain controller it will fail.  Why? Because the installer will go and automatically download SQL Express 2008 and install it with default options that includes trying to use a local system account, which you can't do on a DC.

    Fine, I thought.  I'll just download and manually install SQL Express and configure it to use a domain account.  Which works just fine except that the SCM installer doesn't even bother to check to see if you already have SQL installed.  It insists on installing it itself, which of course causes it to fail.

    There should at least be an option during the SCM installation to either specify an already existing instance of SQL, or to configure settings such a service accounts manually.

    So I'm forced to install it on a Windows 7 machine, where I've already got SQL Express 2008 R2 installed, which of course the installer doesn't care about and forces me to install SQL Express 2008.

    Just.. terrible.

    Friday, November 19, 2010 8:28 AM

All replies

  • I second this...
    Saturday, November 20, 2010 12:00 PM
  • I found this issue too. I spend several hours to install SCM on my Win 7, where SQL Express 2008 R2 was already installed. At the end I did this: 1. Launched the SCM setup executable 2. Found in in %temp% the log file for SCM installation 3. From the log file found temporary folder,where installation files were stored and copied them to temp folder. 4. Found file appconfiginfo.xml and replaced the string: <DatabaseInfo DatabaseName="Xtans" DatabaseServerName="\\.\pipe\SQLLocal\scm" DatabaseAuthenticationType="" with <DatabaseInfo DatabaseName="Xtans" DatabaseServerName="\\.\pipe\sqlexpress\scm" DatabaseAuthenticationType="" cause my instance of SQL Express called sqlexpress but not SQLLocal 5. After that I launched the scmsetup_x64.msi directly and if finally got installed.
    Friday, November 26, 2010 8:55 AM
  • Ouch! Sorry folks. I'll take the blame on this one! We didn't do a great job on setup in version 1, I fully admit it. We are working hard on version 2 right now and we have added an option to point to an existing SQL server.

    My blog post also discusses this:

    Thanks for hanging in there with us and using SCM! :) 

    Jeff dot Sigman at microsoft dot com
    {Programmer Dude}
    Microsoft | Solution Accelerators

    Wednesday, December 01, 2010 11:07 PM
  • Howdy Jeff,

    One more thing which is rather annoying which can hopefully be rectified for the next release.

    If you have .NET 4 installed as well as .NET 3.5 SP1 the SCM installer will not detect that .NET 3.5 SP1 is installed.

    I had to uninstall .NET 4 on my Windows Server 2008 R2 server because I kept on getting the error message that .NET 3.5SP1 was not installed during SCM installation.

    After uninstalling .NET 4, the SCM install works fine, bar the issues above (I already had SQL 2008 SP1 installed but that wasn't detected), then I reinstalled .NET 4 afterwards.

    I am going to try rnedosekin's workaround now as I am getting an error message when trying to duplicate baselines with SQL 2005 express.





    Friday, December 24, 2010 9:34 AM
  • hmmm,

    well I uninstalled SQL 2005 express and then tried to point the SCM setup program to the SQL 2008 SP1 installation. I updated appconfiginfo.xml by updating "DatabaseServerName=\\.\pipe\sql\query" but that didn't work either.

    I eventually uninstalled SQL 2008 SP1 and just ran the installation with SQL 2008 express.

    All good now,




    Friday, December 24, 2010 3:28 PM
  • Hi Jeff,

    I too struggled with that truly UGLY SCM installer for HOURS and HOURS .... 

    I was used to use the previous version of the Security Compliance Manager without SQL before (including that cool GPO Accelerator) for the same purpose (i.e. generating Baseline GPOs in a Lab environment) and that worked fine :-). But that version can't be used for Office 2010, because it supports Office 2007 only ...

    rnedosekin's workaround didn't work for me, although the sql server 2008 express install on my DC worked fine.

    I used "SQLDownloadPathTo=%SYSTEMDRIVE%\SQLEXPRESS\SQLEXPR_x64_ENU.exe" as mentioned in the setup.ini of the extracted scm installer bits to point to sql express installer and modified appconfiginfo.xml appropriately too, but the scmsetup_x64.msi on my Server 2008 R2 Standard server DC finally died silently.

    Now I give it up and am waiting for the next version as you (Jeff) mentioned:

    "We are working hard on version 2 right now and we have added an option to point to an existing SQL server."

    So please tell us when this version is ready and available :-)

    with regards from Germany


    PS.: btw.: all SQL server version's installers are crazy / ugly / terrible too, this applies since the appearance of SQl Server 5, where I started to use that database server(s). Never seen a more wacky "quirks mode" install "routine" than those of SQL servers, applies to full and express versions :-)



    Vista TAP-RD Partner and IT Architect
    Thursday, December 30, 2010 9:32 AM
  • Hey Gareth! Wow, again – sorry about the trouble. If it makes you feel better I’m running a very very early build of SCM v2.0 right now and it resolves both of these problems. J We now depend on the .net fx 4 client (as we are now compiling against the latest stuff) and the install dependency is GONE. 

    I know your next question – when can you get it?! Hopefully in as little as a month we will have a preview of the new GPO Import feature we are so excited about. Keep your eyes on the blog – I’ll announce there and ask for help testing it out. 


    Jeff dot Sigman at microsoft dot com
    {Programmer Dude}
    Microsoft | Solution Accelerators

    Tuesday, January 04, 2011 4:20 PM
  • Hey Rainer in Germany! J I’ll again take the blame again (I’m pretty good at that). Installing SCM on a domain controller is complicated because currently SCM 1.x requires SQL Express to be installed and this isn’t straightforward on a domain controller. I need to write this up on our TechNet Wiki as there are some workarounds to get it going. SCM 2.x handles this as it does not require an install of SQL express (you can point it at an existing instance of SQL).

    I predict we will have a “CTP” or Customer Technology Preview of v2.0 in a month from now. The first feature we want feedback on is GPO Import – as it is our biggest change in the next version and we want to make sure we got it right.



    Jeff dot Sigman at microsoft dot com
    {Programmer Dude}
    Microsoft | Solution Accelerators

    Tuesday, January 04, 2011 4:30 PM
  • HI there.


    I suffered from the same problem with the installer croaking on a domain controller.

    I started out by installing mssqlexpress 2008 r2 and then using rnedosekin's instructions but i got the silent failure that Rainer P was experiencing.

    Not one to give up too easily i ran the msi from a command line like this:

    scmsetup_x64.msi /lv newlog.txt

    that gave me a log file of some 115 kb showing me that it stopped when looking for a db instance named MicrosoftSCM


    SetSqlProperties: STARTED.
    SetSqlProperties: Got SQL Server instance property. lpc:XXXXXXXXXXX\MicrosoftSCM
    SetSqlProperties: Successfully parsed the instance name. MicrosoftSCM
    GetSqlInstanceRegNodeName: Loop opening registry key that contains the SQL instance registry IDs.
    GetSqlInstanceRegNodeName: Opening registry key. SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL
    GetSqlInstanceRegNodeName: First registry key open failed; trying non-redirected key. Error Code: 0x80070002.
    GetSqlInstanceRegNodeName: Opening registry key. SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL
    GetSqlInstanceRegNodeName: Success opening registry key; reading node ID registry value. MicrosoftSCM
    GetSqlInstanceRegNodeName: Failed reading registry value. Error Code: 0x80070002.
    GetSqlInstanceRegNodeName: Second registry key value read failed. Error Code: 0x80070002.
    GetSqlInstanceRegNodeName: Failed to get instance's registry node ID. Error Code: 0x80070003. MicrosoftSCM
    SearchRegKeyForSqlServer: Instance is not installed. Error Code: 0x80070003. MicrosoftSCM
    SetSqlProperties: Selected INSTALL_MODE property. TRUE
    SetSqlProperties: SQL Server instance not found. Aborting. Error Code: 0x80070490.


    at this point i installed a fresh db instance with the correct name and ran the installer again with the same switch, it went by quickly and silently but after checking the newly created log file i saw the following happy message


    MSI (c) (4C:AC) [17:01:58:750]: Product: Microsoft Security Compliance Manager -- Installation completed successfully.


    So I am all set now, it works great.

    I hope this will help someone.





    Magnus Hansson


    Wednesday, January 05, 2011 8:50 AM
  • Awesome, thanks for the info Magnus. I’ll use this to help me write the TechNet Wiki post on this (unless you want to do that J).



    Jeff dot Sigman at microsoft dot com
    {Programmer Dude}
    Microsoft | Solution Accelerators

    Tuesday, January 11, 2011 4:03 PM
  • Hi

    I'm doing some POC as the momment and have a SQL instance installed on my dev machine and don't want to go through installing SQL again. Might do what Magnus did:-)

    Can anyone tell me where i can get the 64bit installer please? And is there an offline database we can use as there will not be an internet connection in our environment.

    Many thanks in advance

    Wednesday, February 16, 2011 4:40 PM
  • I agree with 143MHD. I am using this in a "internetless" environment as well. I have the SQL Express installer downloaded, but using the SCM installer to point to already-downloaded SQL Express installer it fails. Can't wait for the next version of the installer.
    Thursday, March 10, 2011 6:03 PM
  • SCM CTP 2.0 is still asking to install SQL Express. How can I install SCM and use another SQL server ?


    Thursday, April 07, 2011 3:26 PM
  • Yes, but now it's optional. :) The setup UI now allows you to point SCM to an existing SQL instance. Did you not see this UI?


    Thursday, April 07, 2011 5:41 PM
  • Ok, I found it...I just missed that I have to install SCM locally on the SQL server. I thought it was possible to install SCM on a server and then choose to install database on a remote SQL server.

    Friday, April 08, 2011 7:27 AM
  • I have had a similar experience on v2 as well.  Turns out, you can't have the Sql native client installed when installing SCM. 

    Jason Yates
    Monday, May 02, 2011 10:18 PM
  • I am attempting to do the scm on an xp sp3 device.  Clean build off the network to keep it clean.  I have installed msi 4.5 and framework 3.5  SCM then asks for the location of my sql server express installed, I have had it point to 3 seperate files SQLEXPR32_x86_ENU, SQLEXPRWT_x86_ENU, and SQLEXPRADV_x86_ENU, which I just downloaded from MS, and it still says these are incompatible.  What seems to be the issue.  Is their a way that you can install scm without connection to the network?

    Thank You


    Friday, July 15, 2011 8:45 PM
  • I've just installed SCM v2 on my Win 7 x64 machine successfully. It didn't work initially from the SCM installer, kept getting installation error when it tried installing SQL Express. However I downloaded an x64 version of SQL Express and then installed it separately, then ran the SCM installer again and had no issues whatsoever.


    Hope this helps.

    Thanks, Patrick Leathen
    Tuesday, October 04, 2011 7:18 AM
  • I also assumed this would be the case. Has anyone figured out how to get SCM to connect to a remote database yet? In our environment it would make sense to host the SCM database on a shared sql server and have multiple engineers connect to it in order to review and build policies. Due to separation of duties we cannot log in to the sql server to work on SCM, nor does it seem sensible to each have our own install of SCM and export/import the policies.

    - also I had to install the sqlexpress instance on a separate volume, there is no option to do this in the install process. As a work around it is possible to change the reg value 'ProgramFilesDir' under hklm\software\microsoft\windows\currentversion\ to the required volume, reboot, extract the sqlexpress install files using the /x switch then run the sqlexpress setup. For some reason if you run the self extracting version it ignores the value of the programfilesdir and continues to install under "c:\program files". Perhaps that behaviour is unique to my machine.

    • Edited by PeterHiggins Thursday, October 06, 2011 12:37 AM
    Thursday, October 06, 2011 12:30 AM
  • thanks Patrick, that's good to know

    Kurt Dillard
    Thursday, October 06, 2011 3:05 PM
  • Jeff, Before I get too far into the install of SCM v2, can it be installed on a DC?  So far just in our test environment, my DC there is Win2003 Standard Edition SP2.  When we test it fully, production is Win2008 R2 SP1. So in test so far I needed to install WIC and .Net 4.0.  Now I try to run setup.exe and get a message "Unable to find a version of the runtime to run this application."  The title of this dialog box is "SCMSetup.exe - .NEt Framework Initialization Error."  When I double check add/remove programs for .NET I've got MS .NET Framework 4 Client Profile and MS .NET Framework 4 Extended.  Do I need a different .NET install?  Or am I running into trouble due to some other reason.  Thanks.


    Ok, well...I've gotten a little further.  I installed SQL Express and .NET 2.0 and can get a little further with the installer.  On the Instillation Requirements, there is an X next to Microsoft Installer version.  My DC doesn't have internet access so I cannot read the details behind this error since the installer just closes at this point.  I tried capturing the standard error from the command line to no avail.  Any suggestions are welcome. 

    run from cmd line, similar to Magnus.

    Desktop>Security_Compliance_Manager_Setup.exe /lv 2> c:.\log.txt

    Welp...found a link that gave me system requirements...which helped...all set now.

    Friday, February 03, 2012 3:28 PM
  • Hi Guys,

    What a pain to install, if you are trying to deploy this a few things to note.

    If you have previously attempted to deploy check your sql directory for existing databases and delete them if they exist. x.trans.mdf and x.trans_log.ldf

    In my case path is C:\Program Files\Microsoft SQL Server\MSSQL10.MICROSOFTSCM\MSSQL\DATA

    I am trying to script the msi install via sccm to make it available to IT dept staff. One undocumented property is very helpful for this and can be used in the msi install command.  SQLSVR_INSTANCE=localhost\MicrosoftSCM

    Replace localhost\microsoftSCM with your database instance name.

    My working command line is:

    msiexec /i scmsetupx64.msi /l c:\temp\scmog.txt SQLSVR_INSTANCE=localhost\MicrosoftSCM

    • Edited by Andrew Harte Wednesday, February 08, 2012 11:16 AM
    Wednesday, February 08, 2012 11:14 AM
  • I don't know what you guys call a fix, or a working program I have tried everything to get SCM to work on my windows 7 computer but all I get are errors or fail to install

    The Microsoft Security Compliance Manager Setup Wizard failed while installing the microsoft Security Compliance Manager

    An Error occured in the setup wizard. Please close all open applications and retry the setup wizard


    I don't know about you but if I installed my systems the way you guys come up with these programs and then fixes for your programs I would be out of business. You need to tell Gates to get of his royal behind and make a working operating system. I think you guys need to go back to 3.1.1 and start agian. Maybe the second time around you will get it right. If only I chose not to use Windows.

    Friday, June 29, 2012 11:52 PM
  • Very much same here.

    There seems to be a trend with all Microsoft's products - nothing works out of the box. You need to spend time babysitting the automation and end up doing everything manually with shaman dances to the sound of the tambourine.

    The setup constantly fails with Error 1603.

    Friday, October 25, 2013 2:01 AM
  • Same issues
    Friday, December 06, 2013 4:28 PM
  • Thanks. Let me check it out.
    Friday, December 06, 2013 4:29 PM
  • Version has fixed all the issues above - finally!!!
    Friday, December 06, 2013 5:25 PM
  • I have the same issue. We have a dedicated SQL server that ALL databases must be installed to. We are not allowed local installs of SQL of any kind for compliance reasons. How do we install SCM and setup the database on our Enterprise SQL server. Why you would want to install Express on a Domain Controller is beyond me. We want SCM on the DC but the Database on a Database Server, as per best practices
    Wednesday, January 08, 2014 10:56 PM
  • I wish I could agree with JLM1's post (12/6/13).  Has support for XP been removed from SCM 3.0?  The download says just "Windows 7, Windows 8," and I've never had any success getting it installed on my main Admin machine.  Also, I get this:

    Checking Security Compliance Manager Installation Prerequisite...
    Node - <pcname>
    Code = 0x80041001
    Description = Generic failure
    Facility = <pcname>

    Installing Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319

    Then:  A newer version of Microsoft Visual C++ 2010 Redistributable has been detected on the machine.

    Why can't a piece of software from Microsoft account for subsequent patches and updates for a run-time library which are, presumably, to overcome bugs/problems in the earlier edition?

    My time is limited, so I'm not as willing as many, here, to tweak and tune my reliable system to accommodate broken software from what was, once, a reliable source.  Color me disappointed, again!

    --Carol Anne

    • Edited by CAOgdin192 Thursday, January 23, 2014 12:58 AM add detail
    Thursday, January 23, 2014 12:44 AM
  • Any suggestions on how to deploy Security Compliance Manager 3 with ConfigMgr 2012?

    Friday, March 07, 2014 3:35 PM
  • Hi Carol Anne

    I've just had the same issue with one of my 2 machines, but not the other.

    After installing v10.0.40219 of C++ Redist onto the failing machine, the installer has worked fine.

    Hope this helps someone.


    Tuesday, July 08, 2014 10:37 AM
  • Jeff,

    I'm fighting with a scenario where a team works on new GPOs.

    I don't want all local installations of SCM so I thought about simply moving the database to a central SQL-Server and redirecting the client to that instance. Changed the connectionstring in "Security Compliance Manager.exe.config" but when starting the software it says: wrong db configuration.

    Is it possible at all to work with remove db? When developing complex GPO sets I don't want to rely on client backup, etc......

    Thanks for your help.


    Thursday, October 09, 2014 7:43 AM
  • So, I just wanted to throw this out there for anyone else that encounters this and spends 4 hours attempting to figure it out...  I was attempting to install SCM 3.0 as we use it heavily when performing GPO analysis and baseline configurations.  I basically got similar error messages as those mentioned above.  Here's what I did to get the error:

    1. Install SQL Express 2014, accepting defaults
    2. Attempt to install SCM 3.0.  In the SCM installer, it detected the SQL Express instance I had just installed as localhost\MSSQLSERVER.
    3. Select localhost\MSSQLSERVER from the list and continue the SCM installation.
    4. The installation FAILS with 1603 message.  After reviewing the logs it appeared to be an issue connecting to the SQL instance I specified.

    To resolve I went into SQL Server Configuration Manager and enabled the "Named Pipes" protocol and restarted the SQL instance.  By default, SQL Express apparently only enables "Shared Memory" prototocol, which the SCM installer is incapable of using to connect.

    Wednesday, December 24, 2014 4:42 PM
  • Rdoram's solution worked for installing SCM 3.0 on Win8.1 with SQL 2014 Express.  You just saved me hours of digging.


    Wednesday, December 24, 2014 5:43 PM
  • How to point SCM 3.0 installation to use remote SQL DB? Graphic setup does not give me any options, only to install SQL express which I do not want.
    Wednesday, February 11, 2015 4:52 PM
  • How to point SCM 3.0 installation to use remote SQL DB? Graphic setup does not give me any options, only to install SQL express which I do not want.

    You could try extracting the .msi of SCM 3.0 and then use the parameter SQLSRV="SERVER\Instance" against the .msi -package.

    Thursday, February 12, 2015 4:54 AM
  • How to point SCM 3.0 installation to use remote SQL DB? Graphic setup does not give me any options, only to install SQL express which I do not want.

    You could try extracting the .msi of SCM 3.0 and then use the parameter SQLSRV="SERVER\Instance" against the .msi -package.

    Thank you, I actually did that yesterday, and the installation cannot contact the instance or something. (I could troubleshoot and provide logs later). I´ve read, that at least previous version did not Support remote SQL cluster installation. By instance, does it mean really the instance which is MSSQLSERVER (as default) for many database, or does it mean the DP name appearing in SQL studio?

    I´m executing installation process with admin rights who have full rights to the SQL cluster too, but I didin´t add SCM machine rights to SQL, because I cannot add Computer account to SQL logins.

    I´m just wondering, is this scenario supported, even possible or not, with 3.0 version?

    Thursday, February 12, 2015 6:47 AM
  • Don't know if it's supported or not, and yes, you can add computer account as an SQL login, just add it with DOMAIN\hostname$ like noted here:
    Thursday, February 12, 2015 5:59 PM
  • I'm having the 1603 fail issues as well on 3.0.6 installer on a 2012R2 server with 2014 SQL Express w/Adv.  I too tried Rdoram's suggestion of enabling the "Named Pipes" on an instance created just for SCM and it still fails. 

    If I let it create its own instance it wants to install SQL 2008 Express and then I get the errors of how it is not compatible with 2012R2.

    Wish there was an updated installer that came out with the updated 2012R2 Baselines...

    Friday, February 20, 2015 7:02 PM
  • I needed to install SCM on a Windows 7 Enterprise that of course is a standalone system to fix an issue of missing MSS settings in GPO. I agree that the quality and forethought that goes into some of these downloads are seriously lacking. I actually just installed the SQL express separately and it worked just fine.
    Saturday, May 21, 2016 8:08 PM
  • +1024k. Perfect. Worked like a charm on Windows 10 Pro. Thanks doOd.
    Monday, May 23, 2016 8:56 PM
  • I was able to get around the C++ error fairly quickly. When the install fails, dont click OK. Find the extracted folder by going to %temp%, order by date, look for the C++ redist install html file, launch that file, set to verbose, then look for the drive/folder. My install went to an external usb drive, not sure why. Copy the ENTIRE contents of the folder to a new location,  finish up the original install by clicking OK, then go to the folder where you copied the goods. Once in there, you can simply run the scmsetup.exe.
    Thursday, August 18, 2016 10:44 PM
  • Does anyone have experiences with SCM 4.0 installer?
    Friday, August 19, 2016 2:50 AM
  • I just installed 4.0. Got the same error about C++ being newer and did the same trick to get around it as before. See my previous post.
    • Edited by rpuffd Monday, August 22, 2016 11:22 PM
    Monday, August 22, 2016 11:17 PM
  • 2017, and this is still happening, clearly v2 has not come...
    • Edited by SysIT Monday, January 23, 2017 3:59 AM
    Monday, January 23, 2017 3:59 AM
  • I myself can't get version 4.0 installed on my Windows 10 system.

    Keep getting SQL Server Express Edition Unknown error (0x84b40000).

    Wednesday, March 22, 2017 3:26 PM
  • Iawson23,

    Install SQL Express 2014 and choose to use existing database when installing the SCM.

    I did it here and it worked.


    Wednesday, March 22, 2017 3:59 PM
  • Actually was coming here to say I installed SQL 2016 Express and then it worked.  Thanks for the info Vandrey not sure what is wrong with the installer in executing SQL Express but they should either figure it out or just remove it and put in Pre Req requirements to be done outside the SCM installer.
    Wednesday, March 22, 2017 4:06 PM
  • No problem! I guess that the problem is that the installer uses an old version of SQL Express that is not compatible with Windows 10...
    Wednesday, March 22, 2017 4:12 PM
  • External DB would be my choice for the whole product. This actually can be changed from the Security Compliance Manager.exe.config -file. Doing a repack of the whole SCM installation would be one way to go, with custom option for the database location..

    Wednesday, March 22, 2017 6:27 PM