Along with the release of official government guidance for Windows 7, NIST has rebranded the Federal Desktop Core Configuration (FDCC) as the United States Government Configuration Baseline (USGCB).  NIST’s spreadsheets, Group Policy Objects (GPOs) and virtual hard disks (VHDs) for Windows 7 can be downloaded from http://usgcb.nist.gov.  From this point forward, “FDCC” is just a four-letter word that starts with “F”.  🙂

At some point we may move our technical blog over to blogs.technet.com/b/usgcb, but for now we’ll just change the title on the existing blog, to preserve existing bookmarks.  Well, except that when the blog got rehosted a few months ago, ALL the URLs changed — there is now a “/b/” between technet.com and fdcc.  The same thing happened to all the other MSDN and TechNet blogs.  Worse, all the “pages” that didn’t have dates embedded in their URLs got relocated to date-specific blog posts.  You can still find them by clicking on “Pages” under Tags.  When I get a chance, I’ll put them somewhere easier to find.  (The minutes I had that I used to call “spare time” have become completely consumed with my taking over co-authorship of the Sysinternals Administrators Reference, working with Mark RussinovichHopefully I’ll be winding that up before the end of the year.)

One of the frequently asked questions has been, “Where is the Set_FDCC_LGPO for Windows 7?”  I’ve been thinking about creating that and changing some things about it, but in the meantime, it’s still easy to automate the application of USGCB policies to local group policy, using the other two Local Group Policy utilities, ImportRegPol and Apply_LGPO_Delta (same link as for Set_FDCC_LGPO).  Here’s how:

Extract the GPO zip file downloaded from NIST’s site to your hard drive.
CD into the top extracted folder (e.g., USGCB-1.0.x.0-GPOs), and copy ImportRegPol.exe and Apply_LGPO_Delta.exe into that folder.
Create a PowerShell script (ApplyUSGCB.ps1) with the following commands:

dir -recurse -include registry.pol | ?{ $_.FullName.Contains(“Machine”) } | %{ cmd /c start /wait .importregpol.exe -m $_ /log usgcbpolicies.log }
dir -recurse -include registry.pol | ?{ $_.FullName.Contains(“User”) } | %{ cmd /c start /wait .importregpol.exe -u $_ /log usgcbpolicies.log }
dir -recurse -include GptTmpl.inf  | %{ cmd /c start /wait .Apply_LGPO_Delta.exe $_ /log usgcbSecTempl.log }

These three lines find all the Computer Configuration and User Configuration Administrative Templates and all the security templates in the GPOs and incorporate them into the current computer’s local group policies.  You should reboot after these are completed; you can automate that by adding /boot to the Apply_LGPO_Delta command line.

One tip:  some of the policies, particularly involving the Firewall settings, don’t work so well when applied to local policy.  If I remember correctly, two that get in the way are the DisableUnicastResponsesToMulticastBroadcast setting and the no-local-exceptions policies, and that when applied to local policy they prevent the computer from getting a DHCP address.  What you can do is after extracting the GPOs, delete the Firewall Settings folder before running the PowerShell script, and find another way to apply firewall settings.


Comments (4)

  1. Craig says:

    WIth the new name change does this mean that there will be available in the near future for Windows Server 2008 R2 similar to what is available for WIndows 7?

    [Aaron Margosis]  To my knowledge, NIST hasn’t announced any plans to mandate server configurations.  They have announced plans to cover Mac OS X and Red Hat Enterprise:
    http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_platforms.  Microsoft’s security guidance for Server 2008 R2 is currently in Beta.

  2. Kurt De Greeff says:

    Hi Aaron, I’m trying to run Apply_LGPO_Delta.exe in a loginscript. We don’t have Active Directory and all users are not administrators. Is there a way I can apply local user GPO’s to a computer via a normal user account logging on? I always got error that
    admin rights are required..

    Thank you in advance

    [Aaron Margosis]  Login scripts run as the user.  If the user is not an admin the script runs without admin rights.  Consider using a computer startup script instead – computer startup scripts run as System.


  3. Anonymous says:

    Pingback from Set_FDCC_LGPO for Windows 7??? – Windows Virtualization Team Blog – TechNetKlub

  4. Anonymous says:

    Pingback from Set_FDCC_LGPO for Windows 7??? – Microsoft U.S. Partner Team – Partner Community – Microsoft Dynamics Community