Ensuring custom GPO packs are copied to linked deployment shares

It’s been a surprisingly common question in the past few weeks – how come MDT doesn’t copy custom GPO packs to linked deployment shares?  Well, it’s been like that since support for GPO packs was added to MDT 2012 Update 1.

The simple scenario:  Someone has created a custom security template using the Security Compliance Manager and exported that as a local GPO pack.  They then copied that GPO pack into an MDT deployment share, under the “Templates\GPOPacks” folder and added a step to one or more task sequences to apply that GPO pack.  And everything works fine – until they set up linked deployment shares or media.  In those situations, they find that the extra GPO pack isn’t copied to the other deployment shares.

So why does this happen?  MDT knows to replicate certain folders to linked deployment shares and media.  (Really media is just another linked deployment share from a behavior perspective.)  And the “Templates\GPOPacks” folder isn’t included in that list of folders.

Fortunately, MDT does include a mechanism for adding folders to the list, a feature added just in case there was ever a need to do something like this.  See https://blogs.technet.com/b/mniehaus/archive/2009/10/01/mdt-2010-new-feature-21-copying-extra-folders.aspx for details.  I still don’t think it’s in the documentation, and it’s definitely not in the UI.  So you need to use PowerShell to configure it.

The process for doing that has changed a little since 2009, only because we now use a PowerShell 2.0 module.  So you would want to execute commands like so:

Import-Module 'C:\Program Files\Microsoft Deployment Toolkit\Bin\MicrosoftDeploymentToolkit.psd1'
Restore-MDTPersistentDrive
Set-ItemProperty -Path 'DS001:\Linked Deployment Shares\LINKED001' -Name ExtraFolders -Value @(“Templates\GPOPacks”)
Set-ItemProperty -Path 'DS001:\Media\MEDIA001' -Name ExtraFolders -Value @(“Templates\GPOPacks”)

These commands assume you only have one “main” deployment share (which becomes DS001: when the Restore-MDTPersistentDrive cmdlet runs), one linked deployment share (which has a logical name of “LINKED001”), and one media definition (which is “MEDIA001”).  You might need to adjust the values if you have more deployment shares or different objects.  (You can see the logical IDs in Workbench.)

After executing the command to add the extra folder, the next time you update or replicate the content, the custom GPO packs will be copied.