FDCC is now USGCB

  • Article

Along with the release of official government guidance for Windows 7, NIST has rebranded the Federal Desktop Core Configuration (FDCC) as the United States Government Configuration Baseline (USGCB).  NIST's spreadsheets, Group Policy Objects (GPOs) and virtual hard disks (VHDs) for Windows 7 can be downloaded from https://usgcb.nist.gov.  From this point forward, "FDCC" is just a four-letter word that starts with "F".  :-)

At some point we may move our technical blog over to blogs.technet.com/b/usgcb, but for now we'll just change the title on the existing blog, to preserve existing bookmarks.  Well, except that when the blog got rehosted a few months ago, ALL the URLs changed -- there is now a "/b/" between technet.com and fdcc.  The same thing happened to all the other MSDN and TechNet blogs.  Worse, all the "pages" that didn't have dates embedded in their URLs got relocated to date-specific blog posts.  You can still find them by clicking on "Pages" under Tags.  When I get a chance, I'll put them somewhere easier to find.  (The minutes I had that I used to call "spare time" have become completely consumed with my taking over co-authorship of the Sysinternals Administrators Reference, working with Mark RussinovichHopefully I'll be winding that up before the end of the year.)

One of the frequently asked questions has been, "Where is the Set_FDCC_LGPO for Windows 7?"  I've been thinking about creating that and changing some things about it, but in the meantime, it's still easy to automate the application of USGCB policies to local group policy, using the other two Local Group Policy utilities, ImportRegPol and Apply_LGPO_Delta (same link as for Set_FDCC_LGPO).  Here's how:

Extract the GPO zip file downloaded from NIST's site to your hard drive.
CD into the top extracted folder (e.g., USGCB-1.0.x.0-GPOs), and copy ImportRegPol.exe and Apply_LGPO_Delta.exe into that folder.
Create a PowerShell script (ApplyUSGCB.ps1) with the following commands:

dir -recurse -include registry.pol | ?{ $_.FullName.Contains("Machine") } | %{ cmd /c start /wait .importregpol.exe -m $_ /log usgcbpolicies.log }
dir -recurse -include registry.pol | ?{ $_.FullName.Contains("User") } | %{ cmd /c start /wait .importregpol.exe -u $_ /log usgcbpolicies.log }
dir -recurse -include GptTmpl.inf | %{ cmd /c start /wait .Apply_LGPO_Delta.exe $_ /log usgcbSecTempl.log }

These three lines find all the Computer Configuration and User Configuration Administrative Templates and all the security templates in the GPOs and incorporate them into the current computer's local group policies.  You should reboot after these are completed; you can automate that by adding /boot to the Apply_LGPO_Delta command line.

One tip:  some of the policies, particularly involving the Firewall settings, don't work so well when applied to local policy.  If I remember correctly, two that get in the way are the DisableUnicastResponsesToMulticastBroadcast setting and the no-local-exceptions policies, and that when applied to local policy they prevent the computer from getting a DHCP address.  What you can do is after extracting the GPOs, delete the Firewall Settings folder before running the PowerShell script, and find another way to apply firewall settings.