Configuring DISA STIG Group Policy Settings for Windows 10

  • Question

  • I am looking at the best way to configure the DISA STIG group policy settings for Windows 10 Enterprise. Ideally DISA would provide an official group policy backup/template file with all the settings configured in their STIG files, allowing administrators to easily import the complete set of settings directly into an actual GPO for testing/deployment.

    Unfortunately I have checked with DISA and they indicated they do not provide an actual GPO backup; they indicated that administrators must configure the settings themselves based on the guidance in the STIG. So this appears to mean the only way to get the STIG settings into an actual GPO is to manually configure each of the 200+ settings in the GPO.

    I am wondering if anyone is aware of a better or easier way to configure/import DISA STIG settings into a GPO. I see other threads on this regarding using the Microsoft Security Compliance Manager to somehow accomplish this, but I have yet to find a solution that would actually work in this scenario.

    DISA provides a Manual-xccdf.xml file which contains all the STIG settings and is able to be imported into the STIG Viewer application as well as other compliance tools. Unfortunately this file can't be imported into the Microsoft SCM to allow a backup to be created.

    Is anyone aware of a way to import this xccdf content into the Microsoft SCM?

    Friday, March 4, 2016 1:49 AM
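    Since the XCCDF file is the one machine-readable artifact the question says is available, one practical use of it while a GPO is built by hand is to flatten it into a checklist that can be tracked setting by setting. The following PowerShell is an added example, not code from this thread, from DISA or from Microsoft; the XML embedded in it is a constructed two-rule sample that only mimics the XCCDF 1.1 Benchmark/Group/Rule layout, and the function name ConvertFrom-StigXccdf and the file name Manual-xccdf.xml in the usage comment are assumptions.

```powershell
# Added example (not from the thread, DISA or Microsoft): parse a DISA
# Manual-xccdf.xml into a flat list of Vuln ID, rule ID, STIG ID, severity and
# title, so each of the 200+ settings can be tracked against the GPO.
function ConvertFrom-StigXccdf {
    [CmdletBinding()]
    param(
        [Parameter(ParameterSetName = 'Path', Mandatory)] [string] $Path,
        [Parameter(ParameterSetName = 'Xml',  Mandatory)] [xml]    $Xml
    )
    if ($PSCmdlet.ParameterSetName -eq 'Path') {
        $Xml = [xml](Get-Content -Path $Path -Raw)
    }

    # DISA benchmarks use the XCCDF 1.1 namespace; a namespace manager is
    # required for SelectNodes/SelectSingleNode to match the elements.
    $ns = New-Object System.Xml.XmlNamespaceManager($Xml.NameTable)
    $ns.AddNamespace('x', 'http://checklists.nist.gov/xccdf/1.1')

    foreach ($group in $Xml.SelectNodes('//x:Benchmark/x:Group', $ns)) {
        $rule = $group.SelectSingleNode('x:Rule', $ns)
        if (-not $rule) { continue }   # skip groups without a rule
        [pscustomobject]@{
            VulnId   = $group.GetAttribute('id')                          # Group id  (V-nnnnn)
            RuleId   = $rule.GetAttribute('id')                           # Rule id   (SV-nnnnnrN_rule)
            StigId   = $rule.SelectSingleNode('x:version', $ns).InnerText # <version> holds the STIG ID
            Severity = $rule.GetAttribute('severity')                     # high / medium / low
            Title    = $rule.SelectSingleNode('x:title', $ns).InnerText
        }
    }
}

# Constructed sample (not real STIG content) so the function can run offline.
$sample = [xml]@'
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Constructed_Sample">
  <Group id="V-000001">
    <title>SRG-OS-000001</title>
    <Rule id="SV-000001r1_rule" severity="medium" weight="10.0">
      <version>WN10-EX-000001</version>
      <title>Example rule one (constructed).</title>
    </Rule>
  </Group>
  <Group id="V-000002">
    <title>SRG-OS-000002</title>
    <Rule id="SV-000002r1_rule" severity="high" weight="10.0">
      <version>WN10-EX-000002</version>
      <title>Example rule two (constructed).</title>
    </Rule>
  </Group>
</Benchmark>
'@

ConvertFrom-StigXccdf -Xml $sample | Sort-Object Severity | Format-Table -AutoSize

# Against the real benchmark (assumed path), exported for a tracking sheet:
# ConvertFrom-StigXccdf -Path .\Manual-xccdf.xml |
#     Export-Csv -Path .\stig-checklist.csv -NoTypeInformation
```

    The resulting CSV gives one row per rule with its severity, which is the information needed to decide which settings to configure first and to record, per rule, which GPO setting satisfies it.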

All replies

  • Bump
    Wednesday, September 14, 2016 3:58 PM
  • Either of you guys make progress on this?

    Tuesday, September 20, 2016 6:16 PM
  • No progress yet? I'd love to learn more about this
    Friday, November 4, 2016 5:47 PM
  • Check out the support disks for the Host Secure Baseline in the IASE website. They include GPOs for the OS, Office and IE and a few others. Saves you plenty of time in making GPOs with STIG settings.
    Monday, May 22, 2017 5:21 PM
  • Essentially, you are stuck with creating an initial STIG baseline. I have done this in the past, and actually used SCM, cloned the MS SCM baseline for Win10, then went through and made the changes for STIG. You still have to review each setting, but I found that more flexible.

    One thing you can look at is the SCAP extensions for SCCM (https://technet.microsoft.com/en-us/library/cc677271.aspx).

    Here is a guide for converting SCAP files (from DISA) to SCCM DCM baseline items: https://configmgr.com/stig-compliance-with-scap-and-dcm-in-configmgr/

    Once you have an SCCM baseline from your STIG, you can audit a test machine for compliance and see where the gaps are.

    So, start with the MS SCM baseline, create GPO, deploy GPO, create DCM baseline from the SCAP STIG files, deploy DCM baseline, and see what is non-compliant after the GPO is applied.

    Address individual GPO settings to achieve compliance.

    Note - in my experience there wasn't a great deal of deviation between STIG and MS SCM baselines for Windows; there are greater gaps in the Office and IE baselines.

    Hope this helps. I can empathise that it is a painful process, but once you have that initial GPO that is STIG compliant, make sure you check for STIG revisions and changes to keep it up to date. There won't be a Windows 11, so maintaining STIG compliant GPOs should be manageable after the initial investment if you keep on top of it.

    Friday, July 28, 2017 5:22 AM
  • DISA now provides quarterly STIG GPO downloads here:

    "This package is to be used to assist administrators implementing STIG settings within their environment. The administrator must fully test GPOs in test environments prior to live production deployments. The GPOs provided contain most applicable GPO STIG settings contained in STIG files.

    This package contains ADMX template files, GPO backup exports, GPO reports, and WMI filter exports and STIG Checklist files. It is to provide enterprise administrators the supporting GPOs and related files to aid them in the deployment of GPOs within their enterprise to meet STIG requirements. See the ReadMe.txt file for additional information."

    Hope this helps!

     - Glenn Fincher (Microsoft)

    Wednesday, March 7, 2018 7:36 PM
  • This site was migrated earlier this year. Anyone have any idea where we can get these quarterly downloads now? Can't seem to find any references to them anymore.

    Monday, December 2, 2019 3:09 PM
  • cyber (dot) mil/stigs/gpo/

    Just downloaded and verified the GPOs this morning.

    Tuesday, December 3, 2019 3:35 PM
  • As said above, you just download the GPO STIGs [1] and then the Security Compliance Toolkit [2].

    SCT has different Windows versions. You use yours, substitute the GPOs in the download with the Windows 10 STIG ones, and substitute the EP.xml file with the STIG one (renamed to EP.xml). In summary, change the script to point to the STIG content instead of the Microsoft GPOs.

    Also substitute the policies files.

    And now execute the scripts with stig content instead of windows.

    In summary: substitute the Microsoft ADMX templates with the STIG ones; copy DOD_EP_V2.XML from the STIGs, rename it to EP.XML, and substitute it in the Microsoft scripts and content.

    And finally add the GPO folders (the ones named with those long numbers), and make your script load those numbers and not the Microsoft ones.

    Execute the script and you are good to go.

    It will implement the policies.

    [1] https://public.cyber.mil/stigs/gpo/

    [2] https://docs.microsoft.com/en-us/windows/security/threat-protection/security-compliance-toolkit-10.

    Thursday, February 20, 2020 10:35 AM
  • I appreciate what you put in there; I had no idea about the Policy Analyzer. I can see it is an amazing tool. But I am still confused.

    I have the DISA Stig GPO objects downloaded and that SCT, but I'm still not sure how to get the STIGs into Group Policy. I can browse the GPO I want to import (Server 2016 Member STIG) in the Policy Analyzer but that is where I am stuck.

    I couldn't find an "EP.XML" or a "DOD_EP_V2.XML" when I downloaded the February 2020 DISA STIG GPO Package 0213 from the DISA website. So I must be doing something differently. And while I do see the scripts, I am not sure what to do with them to get them to do anything.

    Thursday, April 23, 2020 7:03 PM
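    The procedure described a few replies up (substitute the STIG GPO backups and ADMX templates for the Microsoft ones, then have a script load the GPO folders "with those long numbers") and the follow-up question about getting the downloaded STIG GPOs into Group Policy come down to one thing: importing GPO backup folders with the GroupPolicy module. The following PowerShell is an added example, not code from this thread, from DISA's package or from Microsoft's toolkit. It assumes the DISA zip has been extracted and that $BackupRoot points at a folder tree that contains the {GUID} backup folders (each holding a bkupInfo.xml, which is the standard GPO backup layout) and, optionally, that $AdmxSource points at the package's ADMX/ADML folder; the folder layout of the DISA package itself and the "STIG - " naming prefix are assumptions. It only imports; nothing is linked to an OU, and -WhatIf shows what would happen without changing the domain.

```powershell
<#
  Added example (not from the thread, DISA or Microsoft): import the GPO backups
  shipped in the DISA STIG GPO package into domain GPOs using Import-GPO.
  Assumptions: package already extracted; $BackupRoot holds the {GUID} backup
  folders; $AdmxSource (optional) holds the ADMX/ADML templates from the package.
  Run with -WhatIf first and link the resulting GPOs to a test OU only.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $BackupRoot,           # e.g. C:\STIG\GPOs (assumed layout)
    [string] $NameFilter = 'Windows 10',                   # import only backups whose name matches
    [string] $Prefix     = 'STIG - ',                      # prefix for the GPOs created in the domain
    [string] $AdmxSource,                                  # optional ADMX/ADML folder from the package
    [string] $Domain     = $env:USERDNSDOMAIN               # domain to import into
)

Import-Module GroupPolicy -ErrorAction Stop

# 1. Optionally stage the package's ADMX/ADML files into the SYSVOL central
#    store so GPMC can display the Administrative Template settings the
#    imported GPOs reference instead of showing them as "extra registry settings".
if ($AdmxSource) {
    $central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    if ($PSCmdlet.ShouldProcess($central, "Copy ADMX/ADML templates from $AdmxSource")) {
        Copy-Item -Path (Join-Path $AdmxSource '*') -Destination $central -Recurse -Force
    }
}

# 2. Enumerate the backups. Every {GUID} folder carries a bkupInfo.xml whose
#    CDATA elements give the original display name and the backup ID that
#    Import-GPO -BackupId expects; -Path must be the folder that holds the {GUID} dirs.
$backups = Get-ChildItem -Path $BackupRoot -Directory -Recurse |
    Where-Object { Test-Path (Join-Path $_.FullName 'bkupInfo.xml') } |
    ForEach-Object {
        [xml]$info = Get-Content -Path (Join-Path $_.FullName 'bkupInfo.xml') -Raw
        [pscustomobject]@{
            DisplayName = $info.BackupInst.GPODisplayName.'#cdata-section'
            BackupId    = [guid]$info.BackupInst.ID.'#cdata-section'
            BackupTime  = $info.BackupInst.BackupTime.'#cdata-section'
            Path        = $_.Parent.FullName
        }
    }

# 3. Import each matching backup into a GPO named after the DISA backup, under
#    a prefix so STIG GPOs are easy to distinguish from the rest of the domain.
$results = foreach ($b in ($backups | Where-Object DisplayName -like "*$NameFilter*")) {
    $target = "$Prefix$($b.DisplayName)"
    if ($PSCmdlet.ShouldProcess($target, "Import backup $($b.BackupId) from $($b.Path)")) {
        $gpo = Import-GPO -BackupId $b.BackupId -Path $b.Path -TargetName $target `
                          -CreateIfNeeded -Domain $Domain
        [pscustomobject]@{
            Source = $b.DisplayName
            Target = $gpo.DisplayName
            Id     = $gpo.Id
            Backup = $b.BackupTime
        }
    }
}

$results | Format-Table -AutoSize
```

    Usage: save as Import-StigGpos.ps1 and run it from a machine with the Group Policy Management tools installed, e.g. `.\Import-StigGpos.ps1 -BackupRoot 'C:\STIG\GPOs' -AdmxSource 'C:\STIG\ADMX' -WhatIf`; drop -WhatIf once the list of backups it finds is the one you expect. After the import, Get-GPOReport -Name 'STIG - <name>' -ReportType Html produces the same kind of report the package ships, which is a quick way to confirm the settings arrived before anything is linked.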