… is not needed and will not be created.  I had kind of blogged about this a while back but it was hidden under a more general title, so the question about Set_FDCC_LGPO on Windows 7 continues to get asked. This post offers another easy and flexible way for you to apply NIST’s GPOs and any customizations you need.  All you need are ImportRegPol.exe and Apply_LGPO_Delta.exe and a simple PowerShell script.  ImportRegPol and Apply_LGPO_Delta don’t require installation – you can run them directly – and PowerShell is already included in Windows 7. 

Sidebar:  For those of you who haven’t explored PowerShell yet, I have to say that it is the most revolutionary technology we have shipped in many years (well, other than Kinect for Xbox).  PowerShell blows all other command line and scripting environments away. Beyond that, it has become my preferred programming environment, and I often use it to prototype ideas I later implement with C#.  If you want to learn PowerShell really well, I highly recommend Bruce Payette’s book. Lee Holmes’ Cookbook is also a great resource.  As long as I’m advertising books, I should mention Mark’s and my new Sysinternals book, although it has only a few mentions of PowerShell.  OK, back to the topic…

Here’s all you need to do:

  • Extract the combined GPO zip file downloaded from NIST's site to your hard drive.  To follow this example, extract it into C:\USGCB.  (Note: don’t just download the zip file – extract its contents into C:\USGCB and retain the folder structures.) 
  • Copy ImportRegPol.exe and Apply_LGPO_Delta.exe into C:\USGCB.
  • Using Notepad or any other text editor (I use vi.exe, believe it or not), create a PowerShell script called ApplyUSGCB.ps1 in C:\USGCB with the following commands, which you can copy and paste directly from here:

dir -recurse -include registry.pol | 
  ?{ $_.FullName.Contains("\Machine\") } | 
  %{ cmd /c start /wait .\importregpol.exe -m $_ /log .\Policies.log }

dir -recurse -include registry.pol | 
  ?{ $_.FullName.Contains("\User\") } | 
  %{ cmd /c start /wait .\importregpol.exe -u $_ /log .\Policies.log }

dir -recurse -include GptTmpl.inf  | 
  %{ cmd /c start /wait .\Apply_LGPO_Delta.exe $_ /log .\SecTempl.log }

.\Apply_LGPO_Delta.exe .\Deltas.txt /log .\Deltas.log /boot

Here’s how it works:  The first command (which spans the first three lines) recursively searches for registry.pol files whose full path includes the text “\Machine\”; these are Computer Configuration administrative template files. Each one is imported into Computer Configuration using ImportRegPol.exe, with results logged to Policies.log.  The “cmd /c start /wait” is needed because ImportRegPol and Apply_LGPO_Delta are not console applications, but we want the script to wait for each command to complete before continuing.  The second command does the same, but looks for User Configuration administrative templates under “\User\” folders.  The third command searches for GptTmpl.inf security templates and applies them with Apply_LGPO_Delta, logging detailed results to SecTempl.log.  The last command applies your policy customizations (see below), logging results to Deltas.log, and then reboots.

  • Create a Deltas.txt file listing any modifications you want to make to the NIST-provided GPOs.  I have attached the Deltas.txt that I often use for my own work to this blog post (you will probably need at least the WindowsFirewall changes it includes). The file must adhere to the Apply_LGPO_Delta file format (a simple text format described in the Apply_LGPO_Delta documentation).  There are some other sample files you can use here.
  • You’re ready to go!  Start PowerShell with administrative rights, and run the following commands:

Set-ExecutionPolicy RemoteSigned

cd C:\USGCB

.\ApplyUSGCB.ps1

The Set-ExecutionPolicy command needs to be run only once.  By default, PowerShell lets you run individual commands but not scripts.  Setting the execution policy to RemoteSigned allows local unsigned scripts to run, but requires that any downloaded scripts or configuration files be digitally signed by a trusted publisher.

The “.\” before the script name (and before the executables invoked in the script file) is required because, unlike the rest of Windows, PowerShell does not include the current directory in the search path.
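As an added example, not from the original post, here is the same four-step procedure wrapped in a function with pre-flight checks (elevation, tool and Deltas.txt presence), quoted paths, a consolidated run log and a -DryRun switch that only logs what would be executed. Invoke-UsgcbApply, its parameters and Apply.log are names chosen here, and the tools’ exit codes are merely recorded because this post does not document their meaning.

```powershell
# Added example (not from the original post): ApplyUSGCB.ps1's four steps as a
# function with pre-flight checks, quoted paths, one run log and -DryRun.
# Assumes the C:\USGCB layout described above; exit codes are only recorded.
function Invoke-UsgcbApply {
    param(
        [string]$Root   = 'C:\USGCB',
        [string]$Deltas = 'Deltas.txt',
        [switch]$DryRun
    )
    # Local Group Policy can only be written from an elevated prompt
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) { throw 'Run from an elevated PowerShell.' }

    # Fail early if the tools or the deltas file are missing from the root
    $importRegPol = Join-Path $Root 'ImportRegPol.exe'
    $lgpoDelta    = Join-Path $Root 'Apply_LGPO_Delta.exe'
    $deltasPath   = Join-Path $Root $Deltas
    foreach ($f in $importRegPol, $lgpoDelta, $deltasPath) {
        if (-not (Test-Path $f)) { throw "Required file not found: $f" }
    }
    $log = Join-Path $Root 'Apply.log'

    # Runs a non-console tool and waits for it: the PowerShell-native form of
    # "cmd /c start /wait". Working directory is $Root so the tools' relative
    # /log paths land next to the script, exactly as in the original.
    $run = {
        param([string]$Exe, [string[]]$ArgList)
        $line = "$Exe $ArgList"
        if ($DryRun) { "[dry-run] $line" | Out-File $log -Append; return }
        $p = Start-Process -FilePath $Exe -ArgumentList $ArgList `
                           -WorkingDirectory $Root -Wait -PassThru
        "$line -> exit $($p.ExitCode)" | Out-File $log -Append
    }
    $q = { param($s) "`"$s`"" }   # quote a path that may contain spaces

    $pols = Get-ChildItem -Path $Root -Recurse -Include registry.pol
    # Steps 1 and 2: Computer, then User, administrative templates
    $pols | ?{ $_.FullName -like '*\Machine\*' } |
        %{ & $run $importRegPol @('-m', (& $q $_.FullName), '/log', '.\Policies.log') }
    $pols | ?{ $_.FullName -like '*\User\*' } |
        %{ & $run $importRegPol @('-u', (& $q $_.FullName), '/log', '.\Policies.log') }
    # Step 3: security templates (GptTmpl.inf)
    Get-ChildItem -Path $Root -Recurse -Include GptTmpl.inf |
        %{ & $run $lgpoDelta @((& $q $_.FullName), '/log', '.\SecTempl.log') }
    # Step 4: your Deltas.txt customizations, then reboot
    & $run $lgpoDelta @((& $q $deltasPath), '/log', '.\Deltas.log', '/boot')
}
```

Run `Invoke-UsgcbApply -DryRun` first from an elevated prompt and review Apply.log to confirm every registry.pol and GptTmpl.inf was found before letting it apply and reboot.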