none
Security Compliance Manager - Export for SCCM DCM 2007 RRS feed

  • Question

  • Hi,

    When I export the SCM .CAB file .... it exports successfully but when I try to import the in the SCCM DCM section the error message comes up saying the file is corrupt.... when I know it is not.

    On the other hand when I try to export the settings to SCCM DCM 2007 .CAB file I get the following error message.....

    Any ideas will be highly appreciated.

     

    The error message is attached below...

     

    Cheers,
    Ijaz

     

    **********************************************************************
    Baseline:    WS08R2-Member-Server-Compliance- V1.0
    Export format:    DCM Export
    Export directory:    E:\SCM Template for Windows 2008 R2\WS08R2-Member-Server-Compliance- V1.0_DCM.CAB
    **********************************************************************


    The following settings were not included in the DCM Export as they are not supported in this format:
    **********************************************************************


    Setting Name: Network security: Force logoff when logon hours expire , UI Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options , CCEID: CCE-10588-2
    Setting Name: Network access: Allow anonymous SID/Name translation , UI Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options , CCEID: CCE-10024-8
    Setting Name: Accounts: Administrator account status , UI Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options , CCEID: CCE-10571-8
    Setting Name: Accounts: Rename administrator account , UI Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options , CCEID: CCE-10976-9
    Setting Name: Accounts: Rename guest account , UI Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options , CCEID: CCE-10747-4
    Setting Name: Accounts: Guest account status , UI Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options , CCEID: CCE-9989-5
    Setting Name: Accounts: Administrator account status , UI Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options , CCEID: CCE-10571-8
    Setting Name: Accounts: Rename administrator account , UI Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options , CCEID: CCE-10976-9
    Setting Name: Accounts: Rename guest account , UI Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options , CCEID: CCE-10747-4
    Setting Name: Accounts: Guest account status , UI Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options , CCEID: CCE-9989-5
    Setting Name: Profile system performance , UI Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment , CCEID: CCE-10193-1
    **********************************************************************

    Thursday, October 20, 2011 4:23 AM

All replies

  • I have exactly the same problem.

     

    Regards,

    Coen

    Monday, October 24, 2011 12:19 PM
  • This is expected behavior, Configuration Manager does not support all types of settings available in group policy. That's why these settings are dropped when you export to DCM format.
    Kurt Dillard http://www.kurtdillard.com
    Tuesday, October 25, 2011 2:44 PM
    Moderator
  • I can understand that not all settings are supported but settings like "Rename Administrator'  and 'Rename Guest' are (at least to me) must have settings (rename Administrator is Critical in the baseline) should according to me be supported
    Tuesday, October 25, 2011 3:11 PM
  • Coen,
    I understand your frustration, but the SCM developers explained to me last year that its not possible in DCM right now. I believe this is the full list of what gets dropped:
    • The following settings are not currently supported when generating SCAP content or DCM configuration packs:
      Accounts: Rename administrator account
         
      • Accounts: Rename guest account
         
      • Accounts: Administrator account status
         
      • Accounts: Guest account status
         
      • Network security: Force logoff when logon hours expire
         
  • The following settings are not supported when generating SCAP content or DCM configuration packs for either Windows Vista or later:
     
    • Audit account logon events
       
    • Audit account management
       
    • Audit directory service access
       
    • Audit logon events
       
    • Audit object access
       
    • Audit policy change
       
    • Audit privilege use
       
    • Audit process tracking
       
    • Audit system events
       

Kurt Dillard http://www.kurtdillard.com
Tuesday, October 25, 2011 4:01 PM
Moderator
  • Hi Kurt, It find it a bit strange that the SCM developers told you this. After importing to DCM I can easy add these checks (by means of WMI query) Best regards, Coen
    Tuesday, January 10, 2012 10:02 AM
  • Coentjo;

    I am aware of what you can do with WMI, I was unable to pursuade the developers to incorporate that in the last release. It may be frustrating, but we have limited resources and time, if they had stopped to work on these settings they would have had to drop other features or improvements in SCM 2.

    The next version of SCM will include restricted support for PowerShell cmdlets, Jose and I hope to redo settings like this with cmdlets in future releases of the baselines, but I'm not sure when we'll be releasing updates to the baselines after the current project. Updates for the Windows client baselines are already in Beta and they don't include PowerShell cmdlets for these settings, I'm talking about what we'll try to do in a release late this year or perhaps sometime in 2013.


    Kurt Dillard http://www.kurtdillard.com
    Monday, January 16, 2012 4:41 PM
    Moderator
  • i had the same problem cannot export out the Account : Rename Administrator account even i updated the Security compliance 3.0 with supported latested OS Windows server 2012 r2. May  i know when it get it fix ?


    Friday, October 31, 2014 11:08 PM