Editing - Importing Group Policy Object (GPO) backup in Security Compliance Manager; USGCB - NIST Baseline for Windows 7

    Question

  • Hello!

    I am in the process of hardening our Windows 7 image and decided to use USGCB Baseline GPO as a starter, modifying it to our needs.

    I imported “USGCB Windows 7 Computer Settings” GPO backup (can be found here) into SCM and started reviewing each setting.

    But, when editing the GPO settings through SCM I am not able to edit the first section in the settings list called “Additional Settings”. All other sections I am able to modify without issues, but in this one all settings are greyed out.

    Can someone please explain to me why is this happening?

    Also when opening the GPO backup using Group Policy Management snap-in I do not see these settings at all, yet for some reason they appear in SCM.

    Here is a screenshot.






    • Edited by BSolver Monday, November 23, 2015 11:43 PM Title clarification.
    Monday, November 23, 2015 11:33 PM

Answers

  • Hi Martin,

    Thank you for your prompt reply.

    I did more research over the last few days and it looks like I was wrong in saying the settings are not visible in GPMC, but you might not have been entirely correct on the SCM side.

    Still thanks a bunch for pointing me in the correct direction.

    So it appears that "Additional Settings" (in imported USGCB GPO backup) that I see in SCM can in fact be found if looking through GPMC, just not that straightforward, the names of the settings in SCM are obscure and limited.

    For example the setting with a name ‘bthserv’ as seen in SCM corresponds to GPMC setting “Bluetooth Support Service (Startup Mode: Disabled)” and ‘Mcx2Svc’ corresponds to “Media Center Extender Service (Startup Mode: Disabled)” and the unnamed settings with registry value changes (like in the screenshot) correspond to some other settings which I haven’t found yet, but should be there as well.

    It looks like the reason for this is the limitations of the SCM itself, which (it looks like) does not rely on local or AD GPO Administrative Templates, but on some built-in database, which does not cover all the settings in standard MS ADMX files.

    Though poorly worded, the following paragraph from SCM FAQ looks to be the proof:

    Q: What setting types are not supported in SCM?

    A: SCM 2.0 supports nearly all administrative template settings in recent versions of Windows, Internet Explorer, and Office as well as password policies, account lockout policies, user rights assignment, legacy audit policies, security options, Windows Firewall with Advanced Security, and advanced audit policies. That means that other types which are not natively supported by SCM include restricted groups, software restriction policies, public key policies, Kerberos policies, scripts, application control policies, IP security policies, policy-based QoS, group policy preferences, and other types of group policy settings. Here are a couple of potential ways to work around these limitations: first, just leave those settings in your Active Director-based GPOs without trying to use SCM to management. Second, you can import GPO backups with those settings defined into SCM, the settings will not be visible or manageable in SCM but when you export that baseline as a GPO backup the settings should still be there.

    A similar question was asked here: https://social.technet.microsoft.com/Forums/en-US/10fbe550-d273-4c0e-b7e0-124ce34110ed/how-to-get-more-policy-settings-for-baseline-in-scm?forum=compliancemanagement

    It looks like I’ll have to be using GPMC to edit the settings that are not correctly displayed in SCM.

    So again thanks for your help and hopefully this will help someone in the future.

     

    • Edited by BSolver Thursday, November 26, 2015 9:59 PM
    • Marked as answer by BSolver Friday, November 27, 2015 9:15 PM
    Thursday, November 26, 2015 7:53 PM
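
An added example, not part of the original post and not SCM or Microsoft code: service startup settings like the 'bthserv' and 'Mcx2Svc' entries mentioned above are stored in the GPO's security template (GptTmpl.inf) under `[Service General Setting]`, so they can be listed directly from a GPO backup for review. The sample template text, the `ExampleSvc` entry and the function names are constructed for illustration.

```python
import csv

# Startup-mode codes used in the [Service General Setting] section.
STARTUP_MODES = {2: "Automatic", 3: "Manual", 4: "Disabled"}

# Constructed sample in security-template format: "service",mode,"SDDL".
SAMPLE_INF = '''\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"bthserv",4,""
"Mcx2Svc",4,""
"ExampleSvc",2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
'''

def load_template(path):
    """Read a GptTmpl.inf from a GPO backup (normally saved as UTF-16)."""
    with open(path, encoding="utf-16") as handle:
        return handle.read()

def parse_sections(text):
    """Split INF text into {section name: [raw lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def service_settings(text):
    """Map each service short name to its startup mode and SDDL string."""
    result = {}
    for line in parse_sections(text).get("Service General Setting", []):
        fields = next(csv.reader([line]))
        if len(fields) < 2 or not fields[1].strip().isdigit():
            continue  # malformed entry: leave it for manual review
        code = int(fields[1])
        result[fields[0]] = {
            "startup": STARTUP_MODES.get(code, f"Unknown ({code})"),
            "sddl": fields[2] if len(fields) > 2 else "",
        }
    return result

if __name__ == "__main__":
    for name, info in service_settings(SAMPLE_INF).items():
        print(f"{name}: Startup Mode: {info['startup']}")
```
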

All replies

  • > Can someone please explain to me why is this happening?
     
    Yes.
     
    These settings were added to the source GPO through a custom ADM(X)
    template. You do not own this ADM(X) template (at least it is not
    present in your INF (ADM) or PolicyDefinitions (ADMX) folder).
     
    So SCM (and the GPO settings report in GPMC) will display them as
    additional settings or registry values, but GPEdit and SCM cannot edit
    them because they lack a description (from the ADM(X)) how to do so -
    valid values and value types, e.g.
     
    Tuesday, November 24, 2015 11:14 AM
  • It looks like I’ll have to be using GPMC to edit the settings that are not correctly displayed in SCM.

    So again thanks for your help and hopefully this will help someone in the future.

    Thank you for sharing your experience here. It will be very beneficial for other community members who have similar questions.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Monday, November 30, 2015 5:40 AM
    Moderator