Creating and Applying Custom GPO Packs using MDT 2012 Beta 2 (with or without SCCM 2007/2012)

Applying GPO Packs is one of the many new features in MDT 2012 Beta 2.

GPO Packs are a way to deploy your configurations to non-domain-joined computers. A GPO Pack is created either with the LocalGPO utility that ships with Microsoft Security Compliance Manager (SCM) v2, or by adding a few files to an exported SCM v2 baseline (a GPO Backup).

MDT 2012 Beta 2 comes with four built-in GPO Packs, and the pack matching the deployed operating system is applied automatically. For example, if you deploy Windows 7 SP1, the Win7SP1-MDTGPOPack is applied by default.

  • Win7SP1-MDTGPOPack (146 settings)
  • WinVistaSP2-MDTGPOPack (152 settings)
  • WS2008R2SP1-MDTGPOPack (117 settings)
  • WS2008SP2-MDTGPOPack (129 settings)

Here is what you need to do – a high-level overview:

  • Step 1 – Installing SCM v2 and the optional LocalGPO tool
  • Step 2 – Configure the SCM baseline
  • Step 3 – Export the SCM baseline
  • Step 4 – Create the GPO Pack
  • Step 5 – Configure MDT 2012 Beta 2 to deploy the GPO Pack

Step 1 – Installing SCM v2 and the optional LocalGPO tool

The SCM v2 setup is pretty straightforward, but it does require .NET Framework 4.0 and a SQL Express database. If you don't have SQL Express installed already, the setup wizard offers to install it for you. You should also have Office (or the Word Viewer) installed to be able to read the SCM v2 Word documents (guides). SCM v2 is available from this link: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16776

  1. Install .NET Framework 4.0
  2. Install SQL Server 2008 R2 Express
  3. Install SCM v2
  4. Install the LocalGPO tool/scripts (LocalGPO.msi, available via Start / All Programs / Microsoft Security Compliance Manager / LocalGPO). Note: This utility is only needed if you want to create a GPO Pack from a machine configuration, or apply a GPO Backup to a machine. 

Step 2 – Configure the SCM baseline

In this sample you will use SCM v2 to create a custom version of the Enterprise Client security recommendations for Windows 7 (the Win7-EC-Desktop 1.0 security baseline), export it as a GPO Backup, and turn that backup into a GPO Pack. The optional step at the end shows the other route: applying the baseline to a machine and creating the GPO Pack from the local machine configuration with the LocalGPO tool.

  1. On your virtual machine, start the SCM console.
  2. In the SCM console, expand the Windows 7 node, select the Win7-EC-Desktop 1.0 security baseline, and in the Actions pane, click Duplicate.
  3. Change the name and description to something useful, and click Save (I named mine "ViaMonstra Enterprise Desktop Win7").
  4. Change the policies as needed; in the example below I enabled the Remote Desktop Connection policy.

The custom baseline in SCM


Step 3 – Export the SCM baseline

  1. After changing the policies in your custom baseline, select the baseline, and in the Actions pane, click GPO Backup (folder).
  2. In the Browse For Folder dialog box, select the folder where you want your GPO Backup; I selected C:\GPOBackup on my machine.
The GPO Backup folder

Step 4 – Create the GPO Pack

  1. In your C:\GPOBackup folder, rename the new folder ({49ea86e8-5683-4f4e-814c-6bc7d03d62b1} in my example) to something useful (the name of your baseline, for example). I named mine "ViaMonstra Enterprise Desktop Win7".
  2. Go to the Templates\GPOPacks folder in your deployment share, and copy the following files to C:\GPOBackup\ViaMonstra Enterprise Desktop Win7:

    GPOPack.wsf
    LocalPol.exe
    LocalSecurityDB.sdb
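The two steps above, scripted in PowerShell. This is an added example and not code from the original post or from MDT; the deployment share path D:\MDTProduction and the function name New-GpoPack are assumptions. The script locates the GUID-named backup folder by pattern and checks both the backup and the share before it renames or copies anything, so a typo in a path leaves the export untouched.

```powershell
# Added example, not part of the original post: script the two steps above.
# Assumptions (not from the post): the deployment share is D:\MDTProduction and
# you are running Windows PowerShell 2.0 or later on the MDT server.
$BackupRoot      = 'C:\GPOBackup'
$DeploymentShare = 'D:\MDTProduction'
$PackName        = 'ViaMonstra Enterprise Desktop Win7'

# The three files the post says to copy from Templates\GPOPacks into the pack.
$PackEngineFiles = 'GPOPack.wsf', 'LocalPol.exe', 'LocalSecurityDB.sdb'

function New-GpoPack {
    param(
        [Parameter(Mandatory=$true)] [string]$BackupRoot,
        [Parameter(Mandatory=$true)] [string]$DeploymentShare,
        [Parameter(Mandatory=$true)] [string]$PackName
    )
    $templates = Join-Path $DeploymentShare 'Templates\GPOPacks'

    # SCM names the backup folder after the GPO's GUID ({49ea86e8-...} in the post);
    # locate it by pattern instead of hard-coding a GUID that differs per export.
    $guidFolders = @(Get-ChildItem -Path $BackupRoot |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-fA-F-]{36}\}$' })
    if ($guidFolders.Count -ne 1) {
        throw "Expected exactly one GUID-named GPO Backup folder under $BackupRoot, found $($guidFolders.Count)."
    }
    $backup = $guidFolders[0].FullName

    # Refuse to build a pack from an incomplete backup; both files are part of every GPO Backup.
    foreach ($f in 'Backup.XML', 'bkupInfo.XML') {
        if (-not (Test-Path -Path (Join-Path $backup $f) -PathType Leaf)) {
            throw "GPO Backup is missing $f; export the baseline again from SCM."
        }
    }

    # Check the engine files exist before renaming anything, so a wrong share path
    # leaves the backup untouched.
    foreach ($f in $PackEngineFiles) {
        if (-not (Test-Path -Path (Join-Path $templates $f) -PathType Leaf)) {
            throw "$f not found in $templates; is $DeploymentShare an MDT 2012 deployment share?"
        }
    }

    $packPath = Join-Path $BackupRoot $PackName
    if (Test-Path -Path $packPath) {
        throw "A folder named '$PackName' already exists under $BackupRoot."
    }
    Rename-Item -Path $backup -NewName $PackName
    foreach ($f in $PackEngineFiles) {
        Copy-Item -Path (Join-Path $templates $f) -Destination $packPath
    }
    Get-Item -Path $packPath
}

New-GpoPack -BackupRoot $BackupRoot -DeploymentShare $DeploymentShare -PackName $PackName
```

Run it once per exported baseline; if SCM has written more than one backup into C:\GPOBackup, the script stops rather than guessing which GUID folder belongs to your baseline.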

The completed GPO Pack

Step 5 – Configure MDT 2012 Beta 2 to deploy the GPO Pack

The default GPO Packs are stored in the Templates\GPOPacks folder of the deployment share. You use the GPOPackPath property to override the default; the path you specify in this property is relative to the Templates\GPOPacks folder.

1. Copy your GPO Pack to the Templates\GPOPacks folder.

2. Configure the GPOPackPath property with the GPO Pack folder name; in my example:

GPOPackPath=ViaMonstra Enterprise Desktop Win7

Note: Once GPOPackPath is set, MDT no longer applies its default GPO Packs (unless you point GPOPackPath at one of the default packs), so your custom pack has to contain every setting you want applied.
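Steps 1 and 2 above as a PowerShell script. This is an added example, not code from the post or from MDT; the paths and the helper names Set-IniValue and Install-GpoPack are assumptions. It copies the pack into Templates\GPOPacks and writes GPOPackPath into the [Default] section of Control\CustomSettings.ini, the rules file MDT reads the property from.

```powershell
# Added example, not part of the original post: copy the finished pack into the
# deployment share and set GPOPackPath in Control\CustomSettings.ini. Assumed
# paths (not from the post): pack built under C:\GPOBackup, deployment share at
# D:\MDTProduction. Works on Windows PowerShell 2.0 and later.
$PackSource      = 'C:\GPOBackup\ViaMonstra Enterprise Desktop Win7'
$DeploymentShare = 'D:\MDTProduction'

function Set-IniValue {
    # Minimal INI editor: sets Key=Value inside [Section], creating the key (or the
    # section) if it is missing. Comments and unrelated lines are written back unchanged.
    param(
        [Parameter(Mandatory=$true)] [string]$Path,
        [Parameter(Mandatory=$true)] [string]$Section,
        [Parameter(Mandatory=$true)] [string]$Key,
        [Parameter(Mandatory=$true)] [string]$Value
    )
    $out      = New-Object System.Collections.Generic.List[string]
    $inTarget = $false
    $seenSect = $false
    $written  = $false
    $keyRegex = '^\s*' + [regex]::Escape($Key) + '\s*='
    foreach ($line in @(Get-Content -Path $Path)) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Leaving the target section without having seen the key: add it at the end.
            if ($inTarget -and -not $written) { $out.Add("$Key=$Value"); $written = $true }
            $inTarget = ($matches[1] -eq $Section)
            if ($inTarget) { $seenSect = $true }
            $out.Add($line)
            continue
        }
        if ($inTarget -and $line -match $keyRegex) {
            # Replace the first occurrence and drop any duplicates so the value is unambiguous.
            if (-not $written) { $out.Add("$Key=$Value"); $written = $true }
            continue
        }
        $out.Add($line)
    }
    if ($inTarget -and -not $written) { $out.Add("$Key=$Value"); $written = $true }
    if (-not $seenSect) { $out.Add(''); $out.Add("[$Section]"); $out.Add("$Key=$Value") }
    # CustomSettings.ini is an ANSI text file; keep the system default encoding.
    Set-Content -Path $Path -Value $out.ToArray() -Encoding Default
}

function Install-GpoPack {
    param(
        [Parameter(Mandatory=$true)] [string]$PackSource,
        [Parameter(Mandatory=$true)] [string]$DeploymentShare
    )
    $packName = Split-Path -Path $PackSource -Leaf
    $dest     = Join-Path $DeploymentShare "Templates\GPOPacks\$packName"

    # Sanity check before touching the share: a pack without the engine files would
    # copy fine but could not be applied.
    foreach ($f in 'GPOPack.wsf', 'LocalPol.exe', 'LocalSecurityDB.sdb', 'Backup.XML') {
        if (-not (Test-Path -Path (Join-Path $PackSource $f) -PathType Leaf)) {
            throw "$PackSource is not a complete GPO Pack: $f is missing."
        }
    }

    # Create the target folder first and copy the contents, so re-running the script
    # refreshes the pack instead of nesting a second copy inside the first.
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path (Join-Path $PackSource '*') -Destination $dest -Recurse -Force

    # GPOPackPath is relative to Templates\GPOPacks, so the folder name is the whole value.
    Set-IniValue -Path (Join-Path $DeploymentShare 'Control\CustomSettings.ini') `
                 -Section 'Default' -Key 'GPOPackPath' -Value $packName
    $dest
}

Install-GpoPack -PackSource $PackSource -DeploymentShare $DeploymentShare
```

If your rules keep settings in another section (for example one section per task sequence, as discussed in the comments below), pass that section name instead of Default. Remember that setting GPOPackPath turns off the built-in packs, so run this only for a pack that carries everything you expect to be applied.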

Optional Step – Create a GPO Pack using the LocalGPO tool

You can also create GPO Packs with the LocalGPO tool.

You can still use SCM v2 to create the baseline and apply it to your machine, or just use the native Local Group Policy Editor; either way, the LocalGPO tool exports what is configured on the local machine into a GPO Pack.

1. Create a GPO Pack from the local configuration by starting an elevated command prompt (Run as Administrator) and typing the following commands:

cd /d "C:\Program Files (x86)\LocalGPO"

cscript.exe LocalGPO.wsf /Path:C:\GPOBackup /Export /GPOPack

2. Rename the new folder in C:\GPOBackup to something useful (the name of your baseline, for example). I named mine "ViaMonstra Enterprise Desktop Win7".

3. Verify that the C:\GPOBackup\ViaMonstra Enterprise Desktop Win7 folder contains the following folder and files:

DomainSysvol
Backup.XML
bkupInfo.XML
GPOPack.wsf
LocalPol.exe
LocalSecurityDB.sdb
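The same export and verification, scripted in PowerShell. This is an added example, not code from the post, from LocalGPO or from MDT; the function names and the LocalGPO install path are assumptions, and the command line is the one shown in step 1. The script refuses to run unelevated, finds the exported folder by comparing directory listings rather than by name, and checks the folder against the list in step 3 so a half-finished pack is caught here instead of during a deployment.

```powershell
# Added example, not part of the original post: run the LocalGPO export above from
# PowerShell and check the resulting folder against the list in step 3. Assumptions
# (not from the post): LocalGPO is installed under C:\Program Files (x86)\LocalGPO
# and the pack is exported to C:\GPOBackup.
$LocalGpoDir = 'C:\Program Files (x86)\LocalGPO'
$BackupRoot  = 'C:\GPOBackup'
$PackName    = 'ViaMonstra Enterprise Desktop Win7'

function Test-IsElevated {
    # LocalGPO.wsf has to run from an elevated prompt (see step 1 above).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Export-LocalGpoPack {
    # Runs "cscript LocalGPO.wsf /Path:<root> /Export /GPOPack" and returns the folder
    # it created. The new folder is found by comparing directory listings before and
    # after, so it does not matter what LocalGPO names it.
    param(
        [Parameter(Mandatory=$true)] [string]$LocalGpoDir,
        [Parameter(Mandatory=$true)] [string]$BackupRoot
    )
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell prompt.' }
    if (-not (Test-Path -Path $BackupRoot)) { New-Item -ItemType Directory -Path $BackupRoot | Out-Null }

    $before = @(Get-ChildItem -Path $BackupRoot | Where-Object { $_.PSIsContainer } | ForEach-Object { $_.Name })

    # The post does "cd /d" into the LocalGPO folder first; keep that working directory.
    Push-Location $LocalGpoDir
    try {
        & cscript.exe //NoLogo 'LocalGPO.wsf' "/Path:$BackupRoot" /Export /GPOPack
        if ($LASTEXITCODE -ne 0) { throw "LocalGPO.wsf failed with exit code $LASTEXITCODE." }
    } finally {
        Pop-Location
    }

    $new = @(Get-ChildItem -Path $BackupRoot |
        Where-Object { $_.PSIsContainer -and ($before -notcontains $_.Name) })
    if ($new.Count -ne 1) { throw "Expected LocalGPO to create one new folder under $BackupRoot, found $($new.Count)." }
    $new[0]
}

function Test-GpoPack {
    # Checks the layout listed in step 3 and returns the names of anything missing
    # (an empty result means the pack is complete).
    param([Parameter(Mandatory=$true)] [string]$PackPath)
    $required = @(
        @{ Name = 'DomainSysvol';        Type = 'Container' },
        @{ Name = 'Backup.XML';          Type = 'Leaf' },
        @{ Name = 'bkupInfo.XML';        Type = 'Leaf' },
        @{ Name = 'GPOPack.wsf';         Type = 'Leaf' },
        @{ Name = 'LocalPol.exe';        Type = 'Leaf' },
        @{ Name = 'LocalSecurityDB.sdb'; Type = 'Leaf' }
    )
    $missing = @()
    foreach ($item in $required) {
        if (-not (Test-Path -Path (Join-Path $PackPath $item.Name) -PathType $item.Type)) {
            $missing += $item.Name
        }
    }
    $missing
}

$exported = Export-LocalGpoPack -LocalGpoDir $LocalGpoDir -BackupRoot $BackupRoot
$pack     = Join-Path $BackupRoot $PackName
Rename-Item -Path $exported.FullName -NewName $PackName     # step 2 above
$missing  = @(Test-GpoPack -PackPath $pack)
if ($missing.Count -gt 0) {
    throw "GPO Pack is incomplete, missing: $($missing -join ', ')"
}
"GPO Pack ready: $pack"
```

Test-GpoPack is also worth running against a pack built from an SCM GPO Backup (Step 4) before it goes into the deployment share; the expected contents are the same.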

/ Johan

About the author

Johan Arwidmark

Sascha
8 years ago

Hi Lerager,
a bit late, but… please have a look at blogs.technet.com/b/mniehaus/archive/2013/10/10/ensuring-custom-gpo-packs-are-copied-to-linked-deployment-shares.aspx
the GPOpacks folder is still handled as an extra folder (for whatever reason).
/ Sascha

Lerager
8 years ago

I was wrong in my assessment of what was wrong. The GPO pack was indeed applied, but when you create the offline media it doesn't copy over the custom GPO packs I put in the deployment share; instead it just puts in the default GPOs, so those have to be added to the media manually after building it with the "Update Media Content" command.

Admin
8 years ago

Hi Mads,

GPO Packs have worked fine when I tested deploying from media.

Do you get a ZTIApplyGPOPack.log file? Does the SMSTS.log report executing that step?

/ Johan

Admin
8 years ago

Thanks for posting back the fix… If possible, can you file a bug on Connect so it might get fixed in future versions?

/ Johan

chemdawg
8 years ago

So just to answer my own question above (i.e. supporting Win8.1 GPO Packs) I simply modified the "GPOPack.wsf" script by adding the following, and it resolved the issue (until support is added officially):

If(Left(strOpVer,3) = "6.3") and (strProductType = "1") then strOS = "Win81"

Lerager
8 years ago

Hi Johan.

I have made some offline media of a deployment share in MDT 2012 for some offices not on our domain. The deployment share deploys without errors normally, but from the USB drive it doesn't apply the GPO pack at all, neither the standard one in the default task sequence nor a custom one I make and specify in the Rules. Do you have any experience to share on how to get MDT to apply the GPO Packs when deploying from offline media?

Cheers,
Mads.

chemdawg
8 years ago

Hi Johan, I don't see any baselines for "Windows 8.1" in Security Compliance Manager 3.0, nor does the "ZTIApplyGPOPack.wsf" script in MDT 2013 have an entry for "Windows 8.1". How can I apply a "Win 8.1" GPOPack in MDT 2013/Win81?

Thanks!

Admin
10 years ago

Great! And thanks for posting back the solution.

/ Johan

lambicmxr
10 years ago

I was able to solve my problem. I explained the resolution on the following forum post. Thanks for the help!

social.technet.microsoft.com/Forums/sa/mdt/thread/0d699de4-75bb-40b2-a57c-f435d09d5745?prof=required

Admin
10 years ago

If you want to have task sequence specific GPO Packs you can set the property directly in the task sequence.

Or use techniques described in this article which is also valid for MDT 2012.

Settings per Task Sequence using MDT 2010
http://www.deployvista.com/Blog/JohanArwidmark/tabid/78/EntryID/139/language/sv-SE/Default.aspx

/ Johan

davcob2
10 years ago

Hello Johan,

In regard to this post, I have a 2008 SP2 and a 2008 R2 SP1 pack. Since I'm deploying from the same share, what would be your recommendation for setting that in my CustomSettings.ini file? Since I have two task sequences for 08 and 08 R2, could I just add the step as a Run Command Line to call ApplyGPOPack.wsf? Also, if I put two packs in one folder and point to the top folder, would it select both of them?

Thanks for all you do in helping make deployments easier,

lambicmxr
10 years ago

I am running into an issue with deploying a custom GPO pack to my Windows 7 SP1 baseline build.

I am using MDT 2012 and the standard Client build task sequence.

I have modified the GPOPackPath variable to reflect the custom pack in my .ini file.

The task sequence runs through completely and reports no errors.

When I look at the ZTIApplyGpoPack log in my OSDlogs folder it states that the Pack applied successfully with no errors. Yet none of the policies have been applied.

Has anyone seen these symptoms as well? Any help or suggestions would be greatly appreciated.

Admin
10 years ago

I haven't tested adding multiple GPO Packs, but as long as you set a new GPOPackPath in between the different Apply GPO Pack steps, I can't see why it should not work.

As for the tools you should not thank me, but rather the MDT team 🙂

/ Johan

Jaysus
10 years ago

Quick couple of questions… If you're applying multiple GPOs to the reference image (OS, IE, Firewall, Office, etc.), is there a simple daisy-chain method of adding them all to the same "pack", or is creating a copy of the task sequence line and creating a new "pack" the approved method? The other thing: is the tool that MDT 2012 is using to apply the GPO to local policy appending to or replacing already existing objects/settings? In other words, if I've already applied the OS GPO and follow on later with an Office GPO, the one pol file won't replace the other, correct?…

Admin
10 years ago

Hi, I posted a reply in the Microsoft forum post.

/ Johan

seanlv
10 years ago

Dear Johan

Could you please look at social.technet.microsoft.com/Forums/en-US/itprovistadeployment/thread/30250636-f8b2-4d51-b346-2ecca5f299ba/?

Now I have fixed the problem, by adding " oEnvironment.SetDAT "SMSTSLogPath_Cache", oEnvironment.Item("_SMSTSLogPath")" to ZTIUtility.vbs (MDT2008).

I would like to know why the value of oEnvironment.Item("_SMSTSLogPath") is empty in the section of "Copy the SMSTS.LOG if present". (I added some code to retrieve the value and output to bdd.log as shown below)

