Viewing MSS settings in a GPO

Posted: March 15, 2011 in Group Policy, Security

Security GPOs provide a number of ‘hidden’ settings that all start with the ‘MSS’ prefix. These settings are referenced in the NIST FDCC guidelines for group policy as well as many other locations. The settings would all normally be found under Computer Configuration\Windows Settings\Security Settings\Local Policy\Security Options. However, the settings are not readily visible or available within a GPO.

If you search for instructions on enabling the settings, you will find the following instructions:

  1. Download and install the Windows 7 Security Compliance Management Toolkit. (
  2. Log on to the computer as an administrator.
  3. On the desktop, click the Start button, click All Programs, and click Microsoft Security Compliance Manager and then Local GPO.
  4. On the desktop, click the Start button, click All Programs, and click LocalGPO
  5. Right-click the LocalGPO command-line file, and then click Run as administrator to open a command prompt with full administrative privileges.
  6. At the command prompt, type cscript LocalGPO.wsf /ConfigSCE and then press ENTER.
  7. In the Click Yes to continue, or No to exit the script message box, click Yes.
  8. In The Security Configuration Editor is updated message box, click OK.

These instructions will do the trick but they always frustrate me because the installation of the Security Compliance Management Toolkit is quite large and includes the installation of SQL Express. It seems that a simple task like viewing important GPO settings doesn’t need this full package to be installed on each GPO management console.

Well, it turns out that it doesn’t. With a little manipulation, you can install only the required pieces. Just follow this procedure:

  1. Download the toolkit and start the installation but don’t click any buttons when the wizard starts.
  2. Navigate to the root of your C drive and look for the temporary directory created by the installation. The directory name will be a long hex string.
  3. Open the directory and extract the contents of the file using any decompression tool.
  4. Find the extracted file GPOMSI and rename it to LocalGPO.MSI.
  5. Run LocalGPO.MSI and complete the installation.
  6. Cancel the original installation of the toolkit.
  7. Continue with step 4 in the instructions above.

Nice, quick and simple and you can keep the LocalGPO.Msi file for installation on other systems.

  1. David Parnell says:

    I know this is an old post; but it’s a really good one. I wish I had found this post 24 hours ago and saved myself a lot of hassle getting SCM loaded on a system that doesn’t have direct Internet access!

  2. Jason says:

    This was an extremely helpful tutorial. Thanks!

  3. Shahzad says:

    somehow it did not worked for me. on step 5 and 6 it says the tool can only run in XP/vista/7/8/2008/2012 etc. when i click ok it runs but no confirmation message. and nothing updated in editor. I am on server 2012 r2 x64 and windows 8.1 x64

    • Guy Yardeni says:

      Hi Shahzad,
      Thank you for your comment. You are correct that the tools have not been updated for Windows 2012 R2 (or Windows 8.1). Myself and others have had success by editing the LocalGPO.wsf and either removing/bypassing the version check or adding version check lines for version 6.3 of the OS.

      The added lines would look like:
      If(Left(strOpVer,3) = “6.3”) and (strProductType “1”) then
      strOs = “WS12”
      ElseIf(Left(strOpVer,3) = “6.3”) and (strProductType = “1”) then
      strOS = “Win8”
      ElseIf(Left(strOpVer,3) = “6.2”) and (strProductType “1”) then
      strOS = “WS12”

      Hope this helps,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s