Creating and Applying Custom GPO Packs using MDT 2012 Beta 2 (with or without SCCM 2007/2012)

Written by: Johan Arwidmark, 11/27/2011 12:01 PM

Applying GPO Packs is one of the many new features in MDT 2012 Beta 2.

GPO Packs are a way to deploy your configurations to non-domain-joined computers. A GPO Pack is created either with the LocalGPO utility that ships with Microsoft Security Compliance Manager (SCM) v2, or by adding a few files to an exported SCM v2 baseline.

MDT 2012 Beta 2 comes with four built-in GPO Packs, and the pack matching the deployed operating system is applied automatically. For example, if you deploy Windows 7 SP1, the Win7SP1-MDTGPOPack is applied by default.

  • Win7SP1-MDTGPOPack (146 settings)
  • WinVistaSP2-MDTGPOPack (152 settings)
  • WS2008R2SP1-MDTGPOPack (117 settings)
  • WS2008SP2-MDTGPOPack (129 settings)

Here is what you need to do - high level overview:

  • Step 1 - Installing SCM v2 and the optional LocalGPO tool
  • Step 2 - Configure the SCM baseline
  • Step 3 - Export the SCM baseline
  • Step 4 - Create the GPO Pack
  • Step 5 - Configure MDT 2012 Beta 2 to deploy the GPO Pack

Step 1 - Installing SCM v2 and the optional LocalGPO tool

The SCM v2 setup is pretty straightforward, but it does require .NET Framework 4.0 and a SQL Express database. If you don't have SQL Express installed already, you get the option to install SQL Express as part of the setup wizard. You should also have Office (or the Word Viewer) installed to be able to read the SCM v2 Word documents (guides). SCM v2 is available at this link: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16776

  1. Install .NET Framework 4.0

  2. Install SQL Server 2008 R2 Express

  3. Install SCM v2

  4. Install the LocalGPO tool/script (LocalGPO.msi, available via Start / All Programs / Microsoft Security Compliance Manager / LocalGPO). Note: This utility is only needed if you want to create a GPO Pack from a machine configuration, or apply a GPO Backup to a machine. 

Step 2 - Configure the SCM baseline

In this sample you will create a custom version of the Enterprise Client security recommendations for Windows 7 (The Win7-EC-Desktop 1.0 security baseline) using SCM v2, and apply it to the local machine. Then you will create a GPO Pack from the local machine configuration.

  1. On your virtual machine, start the SCM console.

  2. In the SCM Console, expand the Windows 7 node, select the Win7-EC-Desktop 1.0 security baseline, and in the Actions pane, click Duplicate.

  3. Change the name and description to something useful, and click Save (I named mine "ViaMonstra Enterprise Desktop Win7").

  4. Change the policies as needed; in the example below I enabled the Remote Desktop Connection policy.

The custom baseline in SCM



Step 3 - Export the SCM baseline

  1. After changing the policies in your custom baseline, select your custom baseline, and in the Actions pane, click GPO Backup (folder).

  2. In the Browse For Folder dialog box, select the folder where you want your GPO Backup. I selected C:\GPOBackup on my machine.



The GPO Backup folder


Step 4 - Create the GPO Pack

  1. In your C:\GPOBackup folder, rename the new folder ({49ea86e8-5683-4f4e-814c-6bc7d03d62b1} in my example) to something useful (the name of your baseline, for example). I named mine "ViaMonstra Enterprise Desktop Win7".

  2. Go to the <DeploymentShare>\Templates\GPOPacks folder, and copy the following files to C:\GPOBackup\ViaMonstra Enterprise Desktop Win7:

     GPOPack.wsf
     LocalPol.exe
     LocalSecurityDB.sdb



The completed GPO Pack



Step 5 - Configure MDT 2012 Beta 2 to deploy the GPO Pack

The default GPO Packs are stored in the <DeploymentShare>\Templates\GPOPacks folder. Use the GPOPackPath property to override the default; the path specified in this property is relative to the Templates\GPOPacks folder.

1. Copy your GPO Pack to the <DeploymentShare>\Templates\GPOPacks folder.

2. Configure the GPOPackPath property with the GPO Pack folder name, in my example

GPOPackPath=ViaMonstra Enterprise Desktop Win7

Note: When setting the GPOPackPath property, MDT will no longer apply its default GPO Packs (unless you actually set the GPOPackPath to one of the default GPO Packs).




Optional Step - Create a GPO Pack using the LocalGPO tool

You can also create GPO Packs using the LocalGPO tool.

You can still use SCM v2 to create the baseline and apply it to your machine, or just use the native Local Policy Editor. Either way, the LocalGPO tool exports what you have on your local machine into a GPO Pack.

1. Create a GPO Pack from the local configuration by starting an elevated command prompt (Run as Administrator) and typing the following commands:

cd /d "C:\Program Files (x86)\LocalGPO"

cscript.exe LocalGPO.wsf /Path:C:\GPOBackup /Export /GPOPack

2. Rename the new folder in C:\GPOBackup to something useful (the name of your baseline, for example). I named mine "ViaMonstra Enterprise Desktop Win7".

3. Verify that the C:\GPOBackup\ViaMonstra Enterprise Desktop Win7 folder contains the following folder and files.

DomainSysvol
Backup.XML
bkupInfo.XML
GPOPack.wsf
LocalPol.exe
LocalSecurityDB.sdb
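As an added pre-flight check (this script is not part of the original post or of MDT), the PowerShell below verifies that a GPO Pack folder contains everything Step 4 and the folder listing above expect, stages it under Templates\GPOPacks, and prints the GPOPackPath rule for Step 5. The deployment share path and the location of registry.pol and GptTmpl.inf under DomainSysvol are assumptions.

```powershell
# Added example, not part of the original post. Assumes the pack sits at $PackPath and
# the deployment share root is $DeploymentShare; adjust both for your environment.
param(
    [Parameter(Mandatory = $true)][string]$PackPath,
    [string]$DeploymentShare = 'C:\DeploymentShare'
)

function Test-GpoPack {
    param([string]$Path)
    $issues = @()

    # Files MDT needs to apply the pack (copied from Templates\GPOPacks in Step 4)
    $mdtFiles = 'GPOPack.wsf', 'LocalPol.exe', 'LocalSecurityDB.sdb'
    # Content written by SCM "GPO Backup (folder)" or by LocalGPO /Export /GPOPack
    $backupItems = 'DomainSysvol', 'Backup.XML', 'bkupInfo.XML'
    foreach ($name in ($mdtFiles + $backupItems)) {
        if (-not (Test-Path -LiteralPath (Join-Path $Path $name))) {
            $issues += "Missing: $name"
        }
    }

    # Step 4 renames the GUID-named backup folder; a GUID here usually means an unfinished pack
    $leaf = Split-Path -Leaf $Path
    if ($leaf -match '^\{[0-9a-fA-F-]{36}\}$') {
        $issues += "Folder is still named by its backup GUID ($leaf); rename it to the baseline name"
    }

    # Assumption: the settings payload of a GPO backup is registry.pol and GptTmpl.inf
    # under DomainSysvol; without them there is nothing for the pack to apply
    $payload = Get-ChildItem -LiteralPath (Join-Path $Path 'DomainSysvol') -Recurse `
        -Include 'registry.pol', 'GptTmpl.inf' -ErrorAction SilentlyContinue
    if (-not $payload) {
        $issues += 'No registry.pol or GptTmpl.inf under DomainSysvol; the pack carries no settings'
    }
    return $issues
}

$issues = @(Test-GpoPack -Path $PackPath)
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1
}

# Stage the pack under Templates\GPOPacks and print the CustomSettings.ini rule (Step 5).
# The folder name is the GPOPackPath value, since the property is relative to Templates\GPOPacks.
$target = Join-Path $DeploymentShare 'Templates\GPOPacks'
Copy-Item -LiteralPath $PackPath -Destination $target -Recurse -Force
"GPOPackPath=$(Split-Path -Leaf $PackPath)"
```

Run it as an administrator against the renamed backup folder; a non-zero exit with warnings means the pack is not ready to copy.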


/ Johan

19 comment(s) so far...



Re: Creating and Applying Custom GPO Packs using MDT 2012 Beta 2 (with or without SCCM 2007/2012)

Hi, I posted a reply in the Microsoft forum post.

/ Johan

By Arwidmark on 12/1/2011 1:52 PM

I haven't tested adding multiple GPO Packs, but as long as you set a new GPOPackPath in between the different Apply GPO Packs I can't see why it should not work.

As for the tools you should not thank me, but rather the MDT team :)

/ Johan

By Arwidmark on 3/10/2012 4:46 AM

If you want to have task sequence specific GPO Packs you can set the property directly in the task sequence.

Or use techniques described in this article which is also valid for MDT 2012.

Settings per Task Sequence using MDT 2010
www.deployvista.com/Blog/JohanArwidmark/tabid/78/EntryID/139/language/sv-SE/Default.aspx

/ Johan

By Arwidmark on 5/27/2012 11:09 PM

Great! And thanks for posting back the solution.

/ Johan

By Arwidmark on 7/18/2012 7:51 AM

Thanks for posting back the fix... If possible, can you file a bug on Connect so it might get fixed in future versions?

/ Johan

By Arwidmark on 11/16/2013 6:58 PM

Hi Mads,

GPO Packs have worked fine when I tested to deploy from media.

Do you get a ZTIApplyGPOPack.log file? Does the SMSTS.log report executing that step?

/ Johan

By Arwidmark on 11/16/2013 8:04 PM

Dear Johan

could you please look at social.technet.microsoft.com/Forums/en-US/itprovistadeployment/thread/30250636-f8b2-4d51-b346-2ecca5f299ba/?

Now I have fixed the problem, by adding " oEnvironment.SetDAT "SMSTSLogPath_Cache", oEnvironment.Item("_SMSTSLogPath")" to ZTIUtility.vbs (MDT2008).

I would like to know why the value of oEnvironment.Item("_SMSTSLogPath") is empty in the section of "Copy the SMSTS.LOG if present". (I added some code to retrieve the value and output to bdd.log as shown below)

By seanlv on 12/1/2011 1:05 AM

Quick couple of questions...If you're applying multiple GPOs to the reference image (OS, IE, Firewall, Office, etc.) is there a simple daisy chain method of adding them all to the same "pack", or is creating a copy of the task sequence line and creating a new "pack" the approved method? The other thing: is the tool that MDT 2012 is using to apply GPO to local policy appending or replacing already existing objects/settings? In other words, if I've already applied the OS gpo and follow on later with an Office gpo, the one pol file won't replace the other, correct? I have yet to use the LocalGPO tool shipped with SCM, having used a similar tool by Aaron Margosis for a couple of years now.

Having worked with MDT since its BDD days, I wanted to say thanks for such a handy tool!!! Each version gets better than the last. Love some of the additions 2012 has introduced. Especially the breaking out of the Deploywiz files...big thanks for that!!!

-Jay

By Jaysus on 3/9/2012 8:58 AM

I am running into an issue with deploying a custom GPO pack to my windows 7 sp1 Baseline build.

I am using MDT 2012 and the standard Client build task sequence.

I have modified the GPOPackPath variable to reflect the custom PACK in my .ini file.

The task sequence runs through completely and reports no errors.

When I look at the ZTIApplyGpoPack log in my OSDlogs folder it states that the Pack applied successfully with no errors. Yet none of the policies have been applied.

Has anyone seen these symptoms as well? Any help or suggestions would be greatly appreciated.

By lambicmxr on 5/16/2012 5:02 AM

I was able to solve my problem. I explained the resolution on the following forum post. Thanks for the help!

social.technet.microsoft.com/Forums/sa/mdt/thread/0d699de4-75bb-40b2-a57c-f435d09d5745?prof=required

By lambicmxr on 7/18/2012 4:14 AM

Hello Johan,

In regards to this post, I have a 2008 SP2 and a 2008 R2 SP1 pack? Since I'm deploying from the same share, what would be your recommendation in setting that in my customsetting.ini file? Since I have two task sequences for 08 and 08 R2 could I just add the step as a run command line to call the ApplyGPOPack.wsf? Also, if I put two packs in one folder, and point to the top folder, would it select both of them?

Thanks for all you do in helping make deployments easier,

By davcob2 on 5/27/2012 9:41 PM

Hi Johan- I don't see any Baselines for "Windows 8.1" in Security Compliance Manager 3.0, nor does the "ZTIApplyGPOPack.wsf" script in MDT 2013 have an entry for "Windows 8.1". How can I apply a "Win 8.1" GPOPack in MDT2013/Win81?

Thanks!

By chemdawg on 11/13/2013 11:16 AM

So just to answer my own question above (i.e. supporting Win8.1 GPO Packs) I simply modified the "GPOPack.wsf" script by adding the following, and it resolved the issue (until support is added officially):

If(Left(strOpVer,3) = "6.3") and (strProductType = "1") then strOS = "Win81"

By chemdawg on 11/15/2013 11:50 AM

Hi Johan.

I have made some offline media of a deployment share in MDT2012 for some offices not on our Domain. The Deployment Share deploys without errors normally, but from the USB drive it doesn't apply the GPO pack at all. Neither the standard one in the default task sequence, nor if I make a custom one and specify it in the Rules. Do you have any experience to share on how to get MDT to apply the GPOPacks when deploying from offline media?

Cheers,
Mads.

By Lerager on 11/14/2013 6:11 AM

I was wrong in my assessment of what was wrong. The GPO pack was indeed applied, but when you create the Offline media it doesn't copy over the custom GPO packs I put in the deployment share; instead it just puts in the default GPO's, so those have to be added to the media manually after building it with the "Update Media Content" command.

By Lerager on 11/18/2013 5:51 AM

Hi Lerager,
a bit late, but...please have a look at blogs.technet.com/b/mniehaus/archive/2013/10/10/ensuring-custom-gpo-packs-are-copied-to-linked-deployment-shares.aspx
the GPOpacks folder is still handled as an extra folder. (for whatever reason)
/ Sascha

By Sascha on 1/13/2014 8:26 AM