MDT 2012: New Features – GPO Packs


There are many new features in MDT 2012, but one that I particularly like is the ability to apply GPO Packs created with Security Compliance Manager (SCM) during the deployment process.

SCM is a great tool that allows you to create and manage group policy baselines in an easy to use interface. These policies can then be applied at the domain level or as “Local GPO Packs”. MDT can now deploy these “Local GPO Packs” during deployment.

MDT provides four default GPO packs, one for each of the following operating systems, and applies them by default during deployment. The GPO pack is selected based on the operating system being deployed. If no GPO pack matches the operating system, no GPO Pack is applied.

1. Windows 7 SP1

2. Windows Vista SP2

3. Windows 2008 SP2

4. Windows 2008 R2 SP1

All GPO packs are stored in the Templates folder within the Distribution Share, for example <Distribution Share>\Templates\GPOPacks\<GPO Pack Folder>. To use your own GPO Pack you must override the default GPO pack by setting the GPOPackPath variable in the customsettings.ini file. The value is a path relative to the <Distribution Share>\Templates\GPOPacks\ folder. For example:

GPOPackPath = Win7-HighSecurity

If you do not want to apply any GPO Packs, the task sequence step can be skipped by setting the variable ApplyGPOPack to NO in customsettings.ini.

You can create your own GPO packs using the following process.

1. Use SCM to create an SCM baseline

2. Export the baseline using a GPO backup

Now we need to turn the baseline into a GPO pack, which is a simple process.

3. Open an existing GPO pack and copy the following files into the backup folder – GPOPack.wsf, LocalPol.exe, LocalSecurityDB.sdb

4. Copy the GPO Pack to the <Distribution Share>\Templates\GPOPacks folder

5. Update the GPOPackPath variable in the customsettings.ini file to point at the new GPO Pack
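The five steps above, scripted as an added PowerShell example (this is not code from the original post or from MDT itself). It assumes the deployment share root, the SCM GPO backup folder, the new pack name and the name of an existing pack to borrow the helper files from; all four are parameters with illustrative defaults.

```powershell
# Added example: turn an SCM GPO backup into an MDT 2012 GPO Pack and point CustomSettings.ini at it.
# All four parameter defaults are assumed values; adjust them for your share.
param(
    [string]$DeployShare  = 'D:\DeploymentShare',             # assumed deployment share root
    [string]$BackupFolder = 'C:\SCMExport\Win7-HighSecurity', # assumed folder produced by the SCM GPO backup
    [string]$PackName     = 'Win7-HighSecurity',              # becomes the GPOPackPath value
    [string]$SourcePack   = 'Win7SP1'                         # assumed name of an existing pack folder with the helper files
)

$packRoot    = Join-Path $DeployShare 'Templates\GPOPacks'
$sourcePath  = Join-Path $packRoot $SourcePack
$targetPath  = Join-Path $packRoot $PackName
$helperFiles = 'GPOPack.wsf', 'LocalPol.exe', 'LocalSecurityDB.sdb'

# A GPO backup contains a {GUID} subfolder holding Backup.xml; stop if the export is not a backup.
$backupXml = Get-ChildItem -Path $BackupFolder -Recurse -Filter 'Backup.xml' -ErrorAction SilentlyContinue
if (-not $backupXml) { throw "No GPO backup (Backup.xml) found under $BackupFolder" }

# Step 3: copy the three helper files from an existing pack into the backup folder.
foreach ($file in $helperFiles) {
    $src = Join-Path $sourcePath $file
    if (-not (Test-Path $src)) { throw "Helper file $file not found in $sourcePath" }
    Copy-Item -Path $src -Destination $BackupFolder -Force
}

# Step 4: copy the finished pack to <Distribution Share>\Templates\GPOPacks\<PackName>.
if (Test-Path $targetPath) { throw "$targetPath already exists; remove it first to avoid mixing packs" }
Copy-Item -Path $BackupFolder -Destination $targetPath -Recurse

# Step 5: set GPOPackPath (relative to the GPOPacks folder) in CustomSettings.ini.
$ini   = Join-Path $DeployShare 'Control\CustomSettings.ini'
$lines = @(Get-Content $ini)
if ($lines -match '^\s*GPOPackPath\s*=') {
    $lines = $lines -replace '^\s*GPOPackPath\s*=.*$', "GPOPackPath=$PackName"
} else {
    # No existing value: insert the line directly under the [Default] section header.
    $idx = -1
    for ($i = 0; $i -lt $lines.Count; $i++) { if ($lines[$i] -match '^\[Default\]') { $idx = $i; break } }
    if ($idx -lt 0) { throw "No [Default] section in $ini" }
    $after = if ($idx -lt $lines.Count - 1) { $lines[($idx + 1)..($lines.Count - 1)] } else { @() }
    $lines = @($lines[0..$idx]) + "GPOPackPath=$PackName" + @($after)
}
Set-Content -Path $ini -Value $lines
Write-Host "Pack '$PackName' staged at $targetPath; GPOPackPath set in $ini"
```

Run it from a workstation that has write access to the deployment share, then update the share in the Deployment Workbench as you normally would.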

Each of the default GPO Packs updates the local policy with the settings listed in the attached Excel file.

This post was contributed by Ben Hunter, a Senior Program Manager for MDT with Microsoft

Disclaimer: The information on this site is provided “AS IS” with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples is subject to the terms specified in the Terms of Use.

MDTGPOPacks.xlsx

Comments (29)

  1. Now that SCM 3.0 Beta released we can use it for Windows 8 . I just wrote a tweak to fix that in MDT2012 for Windows 8.  blogs.technet.com/…/3547682.aspx

  2. Anonymous says:

      MDT 2012: New Features– GPO Packs – The Deployment Guys – Site Home – TechNet Blogs There are

  3. Ben Hunter says:

    Hi Hunter,

    You could set the value for the GPOPackPath variable within the task sequence itself. There is a built in action that allows you to do this.

    Thanks,

    Ben

  4. Anonymous says:

    I'm revisiting this six months later, but I'm having the exact same problems as before:  It only applies User Rights Assignment settings and nothing else.  Any ideas anyone?  *silence*

  5. Ben Hunter says:

    Hi Red,

    You can simply set the variable ApplyGPOPack to NO in customsettings.ini and no GPO Packs will be applied.

    When you disable this feature the GPO Pack will not be applied, nothing else changes.

    Thanks,

    Ben

  6. Anonymous says:

    What is the automated process for removing (resetting to a not configured state) a single setting that has been applied via a GPO Pack?

    Example:

     Today we have a GPO that has 100 settings (including 'setting x')

     We create a GPO Pack for this GPO and apply it across our environment

     Tomorrow we remove 'setting x' from that GPO

     How do revert that single setting (in local policy) back to a not configured state?

  7. Ben Hunter says:

    Hi Catharsis,

    I don't really have any more guidance to offer, however I would definitely recommend that you post the question to the Microsoft forum for the LocalGPO tool, there are lots of experts who manage the forum – social.technet.microsoft.com/…/threads

    Thanks,

    Ben

  8. Ben Hunter says:

    Hi Catharsis,

    How exactly are you creating and capturing your own GPO's? The error shouldn't be in the GPO Pack application process so maybe it is caused by how you are capturing the GPO.

    Thanks,

    Ben

  9. Ben Hunter says:

    Hi fearofweapons,

    The GPO pack needs to be in the folder <Distribution Share>\Templates\GPOPacks\Win7-HighSecurity.

    The GPO Packs can also be created using an export process from an existing machine. See this blog post by Johan for further details – http://www.deploymentresearch.com/…/Creating-and-Applying-Custom-GPO-Packs-using-MDT-2012-Beta-2-with-or-without-SCCM-2007-2012.aspx

    Thanks,

    Ben

  10. Anonymous says:

    I'm creating my own.

  11. Ben Hunter says:

    Hi Catharsis,

    Unfortunately I don't have a suggestion as to what could be causing this issue. Are you using the GPO packs that came with MDT or are you creating your own GPOPack?

    Thanks,

    Ben

  12. Anonymous says:

    Because I'm not applying this on a domain-joined machine, does that have something to do with it?  I have been reading some on the LocalGPO tool, and I think maybe that's what I have to use.  But it sounds like I have to install it on every single machine.  That's totally impractical.  The point is that it would be applied during/at the end of deployment.

    Starting Monday I will be spending two weeks imaging about 700 computers.  I really wish I had the answer to this question now to save our technicians time during the next three weeks.

  13. Ben Hunter says:

    The task will not be added to existing task sequences that have been upgraded to MDT 2012. However you can add this task to an existing task sequence by doing the following:

      1. Create a new "Run Command Line" task sequence action. I would recommend that you add it after the restore groups step.

      2. Name the task – Apply Local GPO Package

      3. Set the command line to – cscript.exe "%SCRIPTROOT%\ZTIApplyGPOPack.wsf"

    Thanks,

    Ben

  14. Ben Hunter says:

    I would recommend changing the setting at the domain level as the settings in the local GPO pack will be overridden by domain GPO's.

    Thanks,

    Ben

  15. Anonymous says:

    I'm creating it in SCM.  I duplicated the baseline Win7 one, emptied it, and added in what I need for our requirements.  There is a mix of User Rights Assignments, Security Options, Auditing, etc.  Only USR gets applied.

  16. Anonymous says:

    I'm revisiting this six months later, but I'm having the exact same problems as before:  It only applies User Rights Assignment settings and nothing else.  Any ideas anyone?  *silence*

  17. Anonymous says:

    Six months later I'm revisiting this with Windows 8.  I'm still encountering the problem I listed above.  Any help or clue at all would be awesome.  I'm doing everything the instructions for these new GPOPacks tell me to do, but I only have User Right Assignment settings being applied, but nothing else.

  18. Anonymous says:

    I love this idea.  However, after the long, painful process of recreating the policy from scratch in SCM and following the instructions on this page, I found that the only settings that carried over were only User Rights Assignment.  Security Options and Audit Policy settings were the regular Windows 7 default.  I made a LOT of changes in all three sections.

  19. Anonymous says:

    Actually, I just now got it working.  It has everything to do with secedit not wanting to run templates from a remote location (UNC path).  I copied everything down to the local machine with a cmd (this is all during a TS), including the folder with the GPO pack that I made, then ran GPOPack.wsf locally with a simple cscript command-line.  It seems like everything applied this time.

    This link was INCREDIBLY helpful and detailed:

    blogs.technet.com/…/scm-v2-beta-localgpo-rocks.aspx

  20. fearofweapons says:

    Ben, nice to see you posting again. Two questions…

    1) When you say a relative path, would the example you give resolve to <Distribution Share>\Templates\GPOPacks folder\Win7-HighSecurity or would it resolve to <Distribution Share>\Templates\GPOPacks\Win7-HighSecurity ? Not clear in your post.

    2) Can GPO packs be created outside of SCM? Not all orgs use SCM, mine uses a Novell product, but it would be good to be able to apply GPO packs at build time.

  21. tony says:

    Excellent!  Applying security settings is one of the biggest pains when developing a new base image.  Is there a migration path, upgrade option when going from MDT 2010 to 2012?

  22. Andreas Mangerich says:

    Hi Ben,

    thanks for explaining and documenting this new feature!

  23. Hunter Buchanan says:

    I am relatively new to MDT and love the idea of applying GPO packs during an unattended installation, as my computing group uses a few very specific policies to access servers that don't normally cooperate with Windows. However, if you set GPOPackPath in CustomSettings.ini, won't it use the same GPO for every task sequence? If my deployment share or media includes 4 different task sequences for 4 different OS's, how would I tell MDT to use a different custom GPO pack for each task sequence?

  24. RED says:

    You're right, but after deployment I found several problems caused by this local GPO. For example, I can't modify settings for my Windows Update, Windows can't find a "résidentiel group", and we don't have the right to access any of the PCs in my network.

    My question is: if I disable this feature from the task sequences, what is the result?

  25. Alin Grecea says:

    I have a problem. The default Microsoft baseline GPO security kills port 139. Does anyone know how to revert all the extra settings the default baseline security adds?

    I tried reverting back by taking the GPO from a fresh DVD install on windows 7 and nothing. So would love to hear some good news from the deployment experts.

    Please enlighten me on this one, cuz I'm fresh out of options.

  26. Moohaa says:

    Installation fails with error 1603. Basically, Security compliance manager doesn't work.

  27. justin says:

    The Excel Spreadsheet attached to this article saved me a ton of time. When copying over the MDT from one server to the next I didn't bring over the customsettings.ini file and it applied these GPO packs. What a mind boggle.

  28. msb says:

    Is there support for Win8.1 GPO packs? Looks like the ZTIApplyGPOPack has code for Win8, but none for 8.1; also MDT2013 doesn't come with GPOPacks for Win8 or Win8.1 — is this oversight (like the wireless settings:

    http://keithga.wordpress.com/2013/10/18/mdt-2013-fails-to-deploy-unattended-on-win-8-1-with-wi-fi-network-card/ ), or will it explicitly NOT work for some reason in Win8/8.1?

  29. tony says:

    What is the best way to apply a specific GPO to a specific task? Is it in the script file?