a] I am trying to understand if the policies packaged within SCM are 'security policies' or 'operational policies' or a combination of both?
This is what I found from Microsoft site: Baselines based on Microsoft security guide recommendations and industry best practices
b] After deploying the above SCM policies, is there any 'auto' remediation that happens if a rule/policy is violated or does it require manual remediation?