# Microsoft Security Compliance Toolkit (SCT) Deep Dive
Platform: Windows only | Binary: SCT/LGPO.exe | Type: Official Microsoft baseline tool
## Overview

The Microsoft Security Compliance Toolkit (SCT) bundles Policy Analyzer, the LGPO (Local Group Policy Object) command-line utility, and Microsoft's own security baselines (shipped as GPO backups plus Policy Analyzer rule files). CISentinel uses these pieces to evaluate a Windows system against the Microsoft baseline for its OS version, which is a separate benchmark from the CIS baselines the rest of the tool covers.
## How CISentinel Uses SCT

### 1. Installation
⚠️ Manual setup required: SCT must be downloaded from Microsoft by hand because of its licensing terms; CISentinel does not fetch it for you.

Download from: Microsoft Security Compliance Toolkit (LGPO, Policy Analyzer and each baseline are separate zip archives on that page; download LGPO, Policy Analyzer and the baseline matching your OS version).

Place files at: `%LOCALAPPDATA%\cis-sentinel\tools\SCT\`

Before running anything, verify the Authenticode signature on the extracted `LGPO.exe` and `PolicyAnalyzer.exe` (for example with PowerShell's `Get-AuthenticodeSignature`); an unsigned or untrusted result means the archive was tampered with or the wrong file was unpacked.
### 2. Expected Structure

```text
tools/SCT/
├── LGPO.exe          # Local Group Policy utility
├── PolicyAnalyzer/   # Policy comparison tool
└── Baselines/        # Security baseline definitions
```
### 3. Scan Execution

CISentinel's `WindowsWrapper.run_sct()` executes the SCT tools to:

- Export and analyze the current Local Group Policy settings (LGPO.exe has to run from an elevated prompt to read machine policy; an unprivileged run yields an empty or failed export)
- Compare them against the Microsoft baseline for the installed OS version
- Generate a compliance delta report
### 4. Output Parsing

SCT produces XML and POL files which CISentinel parses to extract:

- Policy settings and their values (POL files are binary `registry.pol` files; `LGPO.exe /parse /m <file>` renders one as text, and the XML comes from Policy Analyzer's rule files)
- Baseline compliance status
- Recommended vs. actual configurations, noting that a setting absent from the export is "not configured" rather than a pass, because the OS default then applies
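As an added example (not CISentinel's own code, and assuming the project is written in Python, which the page does not state), the block below parses a `registry.pol` file in Microsoft's documented Registry Policy File Format, the binary that `LGPO.exe /b` captures under the backup's `DomainSysvol\GPO\Machine\` and `User\` folders, and reports each baseline item as compliant, noncompliant or not configured. The sample `.pol` and baseline are constructed inline with illustrative policy paths so the script runs offline; `build_pol`, `parse_pol`, `compare_to_baseline` and `demo` are names chosen here, not CISentinel API.

```python
import struct

# registry.pol layout (Microsoft's Registry Policy File Format): b"PReg" + DWORD version 1, then records
# [key;value;type;size;data] with key/value NUL-terminated UTF-16LE, type/size DWORDs, delimiters UTF-16LE too.
POL_HEADER = b"PReg" + struct.pack("<I", 1)
REG_SZ, REG_EXPAND_SZ, REG_DWORD, REG_MULTI_SZ = 1, 2, 4, 7

_w = lambda s: s.encode("utf-16-le")  # every string and delimiter in a .pol is UTF-16LE

def _encode_data(vtype: int, data) -> bytes:
    if vtype == REG_DWORD:
        return struct.pack("<I", data)
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        return _w(data + "\0")
    if vtype == REG_MULTI_SZ:
        return _w("".join(s + "\0" for s in data) + "\0")
    return bytes(data)  # REG_BINARY and anything else: raw bytes

def build_pol(entries) -> bytes:
    """Serialize (key, value_name, type, data) tuples into a .pol blob (sample input only; LGPO writes the real file)."""
    blob = bytearray(POL_HEADER)
    for key, name, vtype, data in entries:
        raw = _encode_data(vtype, data)
        blob += _w("[") + _w(key + "\0") + _w(";") + _w(name + "\0") + _w(";")
        blob += struct.pack("<I", vtype) + _w(";") + struct.pack("<I", len(raw)) + _w(";")
        blob += raw + _w("]")
    return bytes(blob)

def _read_wstr(blob: bytes, pos: int):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, offset just past the NUL)."""
    end = pos
    while blob[end:end + 2] not in (b"\x00\x00", b""):
        end += 2
    if end >= len(blob):
        raise ValueError("unterminated string in .pol record")
    return blob[pos:end].decode("utf-16-le"), end + 2

def _expect(blob: bytes, pos: int, ch: str) -> int:
    if blob[pos:pos + 2] != _w(ch):  # fail loudly on a truncated or malformed file
        raise ValueError(f"malformed .pol: expected {ch!r} at offset {pos}")
    return pos + 2

def _decode_data(vtype: int, raw: bytes):
    if vtype == REG_DWORD and len(raw) == 4:
        return struct.unpack("<I", raw)[0]
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        return raw.decode("utf-16-le").rstrip("\0")
    if vtype == REG_MULTI_SZ:
        return [s for s in raw.decode("utf-16-le").split("\0") if s]
    return raw.hex()  # binary or unexpected size: keep the bytes rather than guess

def parse_pol(blob: bytes) -> dict:
    """Parse registry.pol into {'settings': {(key, name): (type, data)}, 'deletes': [(key, name)]}.
    Names starting with '**' ('**Del.Foo', '**DeleteValues', ...) are deletion directives, not settings."""
    if blob[:8] != POL_HEADER:
        raise ValueError("not a version-1 registry.pol file (bad PReg header)")
    settings, deletes, pos = {}, [], 8
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        name, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        vtype = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        raw, pos = blob[pos:pos + size], pos + size
        pos = _expect(blob, pos, "]")
        if name.startswith("**"):
            deletes.append((key, name))
        else:
            settings[(key, name)] = (vtype, _decode_data(vtype, raw))
    return {"settings": settings, "deletes": deletes}

def compare_to_baseline(parsed: dict, baseline: dict) -> list:
    """Per baseline item {(key, name): expected}: compliant, noncompliant, or not_configured (absent, OS default applies)."""
    rows = []
    for (key, name), expected in sorted(baseline.items()):
        found = parsed["settings"].get((key, name))
        actual = None if found is None else found[1]
        status = "not_configured" if found is None else ("compliant" if actual == expected else "noncompliant")
        rows.append({"key": key, "name": name, "expected": expected, "actual": actual, "status": status})
    return rows

# Constructed sample input (not a real LGPO export); the policy paths are illustrative only.
INSTALLER = "Software\\Policies\\Microsoft\\Windows\\Installer"
SYSTEM = "Software\\Policies\\Microsoft\\Windows\\System"
SAMPLE_POL = build_pol([
    (SYSTEM, "EnableSmartScreen", REG_DWORD, 1),
    (INSTALLER, "AlwaysInstallElevated", REG_DWORD, 1),   # deliberately drifted from the baseline
    (INSTALLER, "**Del.EnableUserControl", REG_SZ, " "),  # deletion directive, not a setting
])
SAMPLE_BASELINE = {  # constructed for the example, not copied from a Microsoft baseline file
    (SYSTEM, "EnableSmartScreen"): 1,
    (INSTALLER, "AlwaysInstallElevated"): 0,
    (SYSTEM, "AllowDomainPINLogon"): 0,
}

def demo() -> list:
    return compare_to_baseline(parse_pol(SAMPLE_POL), SAMPLE_BASELINE)
```

Two details matter when doing this against a real export: value names beginning with `**` are deletion directives that Group Policy writes into the same file and must not be scored as settings, and a baseline item missing from the `.pol` is "not configured" rather than a pass, so the effective value still has to be checked on the live system.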
## Components
| Component | Purpose |
|---|---|
| LGPO.exe | Export (`/b`), parse (`/parse`) and import Local Group Policy settings from the command line |
| Policy Analyzer | Compare GPO settings against baselines |
| Security Baselines | Pre-defined security configurations by Microsoft |
## Available Baselines

Microsoft provides baselines for:

- Windows 10 (various versions)
- Windows 11
- Windows Server 2016/2019/2022
- Microsoft Edge
- Microsoft 365 Apps
- Microsoft Office
## Output Artifacts

| Artifact | Format | Description |
|---|---|---|
| XML Report | XML | Policy comparison results (Policy Analyzer's rule sets are XML `.PolicyRules` files) |
| POL Files | registry.pol (binary, `PReg` header) | Group Policy registry settings; `LGPO.exe /parse /m <file>` renders one as text |
## Common Issues

| Issue | Cause | Solution |
|---|---|---|
| Tool not found | Manual installation required | Download from Microsoft and unpack into the tools directory |
| LGPO.exe not found | Wrong directory structure (e.g. LGPO.zip extracted into a subfolder) | Ensure the binary sits directly at `tools\SCT\LGPO.exe` |
| Empty or failed export | LGPO run without administrator rights | Run CISentinel (and LGPO.exe) from an elevated prompt |
| Baseline mismatch | Wrong baseline for OS version | Download the baseline matching the installed Windows version |
## Why Manual?

Unlike other tools, SCT cannot be auto-downloaded because:

1. Microsoft requires acceptance of a EULA
2. Download links are behind a consent page
3. Baseline files are version-specific and regularly updated