The Windows Server 2012 Security Compliance Baseline is integrated with the Microsoft Security Compliance Manager(SCM) 3.0. To access the Windows Server 2012 Security Guide included with this baseline, download SCM.

SCM is a free tool from the Microsoft Solution Accelerators Team that enables you to quickly configure and manage your computers, traditional datacenter, and private cloud using Group Policy and Microsoft System Center Configuration Manager. The entire Windows Server 2012 Security and Compliance Baseline package is available through SCM 3.0. The tool is designed to provide you with an end-to-end solution to help you plan, deploy, and monitor security baselines for computers running Windows operating systems, and other Microsoft products in your environment. 

See the SCM Getting Started wiki for information about installing SCM and to orient you with the tool’s console and integrated Help guidance.

These release notes are carefully and closely monitored. The SCM engineering team regularly improves the tool and maintains this article to share the latest release information and known issues. Any changes that you make will be evaluated and then quickly accepted, refined, or reverted. Because this is a wiki, additions or refinements to these release notes might have been made by community members.

Please direct questions and comments about SCM to


Download and Online Locations

  • To learn more about this product baseline, see the Windows Server 2012 Security Baseline page in the TechNet Library
  • To download the Security Compliance Manager tool, visit the Microsoft Download Center

Baseline Components

The Windows Server 2012 Security and Compliance Baseline available in SCM 3.0 includes the following components:

  • Attachments
    • Windows Server 2012 Security Guide.docx (version 1.0)
    • Windows Server 2012 CCE Reference.xlsm
  • Baselines
    • WS2012 AD Certificate Service Server Security v1.0
    • WS2012 DHCP Server Security v1.0
    • WS2012 DNS Server Security v1.0
    • WS2012 Domain Controller Security Compliance v1.0
    • WS2012 Domain Security Compliance v1.0
    • WS2012 File Server Security v1.0
    • WS2012 Hyper-V Security v1.0
    • WS2012 Member Server Security Compliance v1.0
    • WS2012 Network Policy and Access Service Security v1.0
    • WS2012 Print Server Security v1.0
    • WS2012 Remote Access Service Security v1.0
    • WS2012 Remote Desktop Service Security v1.0
    • WS2012 Web Server Security v1.0  

Version History

Version 1.0 of the Windows Server 2012 Security and Compliance Baseline (January 2013).

Known Issues

The following are known issues for the Windows Server 2012 Security Compliance Baseline:

  • When importing a GPO that includes the “Profile system performance" setting configured to include the  “NT SERVICE\WdiServiceHost” account, the SCM GPO Import process will drop the “NT SERVICE\” portion of the name. The workaround for this issue is to manually configure the setting in the SCM UI to include the full account name: NT SERVICE\WdiServiceHost
  • When importing a GPO that includes the “Allow users to connect remotely by using Remote Desktop Services" setting configured to “Enabled” or “Disabled”, the SCM GPO Import process will reverse the setting configuration. The workaround for this issue is to manually configure the setting value in the SCM UI to match the correct value configured in the imported GPO.
  • Exported Windows Server 2012 DCM packs for Microsoft System Center Configuration Manager 2007 are not compatible with System Center Configuration Manager 2012. To resolve this compatibility issue, upgrade to System Center Configuration Manager 2012 Service Pack 1 (SP1).