Microsoft FDCC deployment resources
Complying with the Federal Desktop Core Configuration (FDCC) mandate is a complex process. Tools and resources from Microsoft and NIST can help.
1. Work with your operations, security, and management teams (including branch locations if you have them) to review and analyze the required FDCC settings and determine what effects they will have on your organization.
Download
XML Paper Specification file, 5 MB
Webcasts
FDCC top ten questions (WMV file, 54 min.)
FIPS challenges (60 min.)
2. Decide whether you will develop an image incorporating the FDCC settings (and whether it will be based on Microsoft Windows XP or Windows Vista) or create Group Policy objects (GPOs) to contain the settings.
3. Determine the operating system components or features that you will install and create your image or GPOs.
a. Download the Microsoft Deployment Toolkit and install on a server.
b. Acquire the FDCC configuration from the NIST Web site.
c. Collect information on device drivers used on your agency desktops.
  • Check existing inventory applications using Microsoft Systems Management Server 2003, Microsoft System Center Configuration Manager 2007, or a third-party systems management solution.
  • Download and run the Microsoft Assessment and Planning (MAP) Solution Accelerator tool (which now includes the Windows Vista Hardware Assessment) to collect a hardware inventory and list of device drivers.
d. Identify specific hardware drivers that are required for your organization and add them to the Microsoft Deployment Toolkit. You can obtain device drivers for specific hardware from the hardware vendor Web site.
e. Download the Microsoft Application Compatibility Toolkit, and use it to evaluate and mitigate application compatibility issues before deploying Microsoft Windows Vista, a Windows Update, or a new version of Windows Internet Explorer in your environment.
f. Add applications to the Microsoft Deployment Toolkit, determine the silent installation method (i.e., command line) for each one to eliminate user action during installation, and test them.
4. Submit deviations and correction plans to NIST.
5. Apply the settings in a test environment to identify and resolve or mitigate potential system or application compatibility issues caused by FDCC settings and to validate standardized security settings and compliance.
You can use virtual machines, produced by NIST and Microsoft for Windows XP Professional and Windows Vista, to streamline this step. The virtual machines help you to conduct software application compatibility testing early in the process to identify and fix incompatibilities. Your IT staff can also use the virtual machines to become familiar with the FDCC and to plan for a successful implementation.
Alternatively, you can apply the FDCC settings directly to a PC in your test environment, either by importing and applying the FDCC GPOs or by running the Local Policy Tool (Set_FDCC_LGPO), which is available on the FDCC blog on TechNet. These actions will streamline implementation of the FDCC settings on a PC that you can then use to test system and application compatibility.
6. Develop a production deployment plan.
7. Communicate the change to your IT customers.
Downloads
Sample FDCC e-mail message for customers (Microsoft Word file, 26 KB)
8. Deploy your desktop configuration using Active Directory Group Policy objects (GPOs), enterprise management tools such as Microsoft System Center Configuration Manager 2007 or Systems Management Server 2003, and/or your existing disk imaging process.
  • SCCM 2007 works with images produced by the Microsoft Deployment Toolkit (MDT), while SMS 2003 operating system deployment (OSD) requires a separate step to "capture" the operating system (OS) image for deployment. Because SCCM OS images use the latest version of the Windows Preinstallation Environment (WinPE), they support driver injection, which detects device drivers on the computer during the installation process and installs them automatically. SMS 2003 OSD uses an older version of WinPE, which does not support driver injection, so you will need to store device drivers either as part of the OS image or in a network folder that is referenced during OS installation.
  • If you are using System Center Configuration Manager, find and delete the following line: OSD (Operating System Deployment).
  • Decide whether you will upgrade in place, which preserves user data and applications, or simply erase each target machine and install a new image.
  • If you are using the Microsoft Deployment Toolkit in conjunction with System Center Configuration Manager or Systems Management Server with the Operating System Deployment Feature Pack, you can completely automate deployment using Zero Touch Installation (ZTI). If software installation tools are not in place, Lite Touch Installation requires very limited interaction at the targeted computer.
  • You can use the Windows User State Migration Tool (USMT) Version 3.0.1 to capture user settings and documents and migrate them to the new installation.
  • For users who are not connected to a workgroup, as well as for testing configurations, you can use Local Group Policy Objects (LGPOs) to configure FDCC-recommended settings in the Local Policy Tool (Set_FDCC_LGPO), which is available on the FDCC blog on TechNet.