Deploying local group policies with MDT 2013 Update 2

Every now and then you run into machines that are not part of the domain, but still need to have local group policies applied to them.

One option is obviously to bake them into your image, but I don't recommend that. I would rather keep the image free of settings and apply the policies when deploying the image. That way you don't have to build a new image every time you need a different policy configured.

Background

In previous versions of MDT you could use GPO Packs, but that feature is broken in MDT 2013 Update 2 and no longer works. Luckily, this is no big deal, because GPO Packs never supported Windows 10 anyway. Instead you should use the new LGPO.exe tool, which works for all supported Windows versions, meaning Windows 7 / Windows Server 2008 R2 or higher. Very shiny!

Note: LGPO.exe does not offer the MLGPO (Multiple Local Group Policy Objects) functionality, which is used to apply policies to specific users and groups of users. I am still working on finding a good replacement for that. For more info, read the comments on this post: http://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/

Anyway, the high-level process for deploying local group policies with MDT 2013 Update 2 is as follows:

  1. Create a group policy baseline with your settings. Either via Security Compliance Manager 4.0, or by exporting policies from an existing machine.
  2. Add the LGPO.exe tool to your MDT deployment share, your image, or both.
  3. Have the task sequence copy the baseline to the client during deployment and call LGPO.exe to import it.

Creating a group policy baseline using Security Compliance Manager 4.0

Creating a group policy baseline using SCM 4.0 is quite easy. You install the tool, duplicate an existing template, do your changes, and then export the baseline as a GPO Backup.

Note: SCM 4.0 requires a fairly recent SQL Server version, so I used SQL Server 2014 Express with Tools (including SQL Server Management Studio), which you can download here: http://www.microsoft.com/en-us/download/details.aspx?id=42299 (select the ExpressAndTools 64BIT\SQLEXPRWT_x64_ENU.exe file). Thanks to Ami Arwidmark for pointing out this prereq 🙂

In the example below I configured two user policy settings for Windows 7 SP1.

By the way, here is the download for Security Compliance Manager 4.0: http://www.microsoft.com/en-us/download/details.aspx?id=53353

[Screenshot: A custom Windows 7 SP1 baseline with some settings.]

Exporting the group policy baseline

Once you have configured the group policy baseline the way you want it, you simply click Export / GPO Backup and specify a folder. In this example I exported the group policy baseline to E:\MDTBuildLab\GPOBackup. The export is a standard GPO backup (Backup.xml, bkupInfo.xml, gpreport.xml and a DomainSysvol folder) in a subfolder named after the GPO's GUID, the same format GPMC produces.

[Screenshot: The original export.]

Then I recommend renaming the {guid} folder to something useful; in this case I renamed it to E:\MDTBuildLab\GPOBackup\Win7GPO. Only the folder name changes, so LGPO.exe still recognizes it as a GPO backup.

[Screenshot: The renamed folder.]

Configure MDT 2013 Update 2 to deploy the group policy baseline

So now there is a GPO backup in the E:\MDTBuildLab\GPOBackup\Win7GPO folder. To have the task sequence import it, you need to add the LGPO.exe tool, which you can download here: http://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/

In my environment I simply copied LGPO.exe to my deployment share, in this case to E:\MDTBuildLab\Tools\x64 (the %ARCHITECTURE% variable in the task sequence resolves to x64 or x86, so put a copy in the matching Tools subfolder for each architecture you deploy).

[Screenshot: LGPO.exe copied to E:\MDTBuildLab\Tools\x64.]

Then I modified my task sequence to copy the group policy baseline locally and run lgpo.exe /g to import it. Both are Run Command Line actions, placed in the State Restore phase after the operating system has been installed (LGPO.exe writes to the policy store of the deployed Windows, so it must run in the full OS, not in WinPE). Below are the actions:

Name: Copy Local GPO to C:\Windows\Temp
Command line: xcopy "%DEPLOYROOT%\GPOBackup" C:\Windows\Temp /e /i

Name: Apply Local GPO via LGPO.exe
Command line: "%DEPLOYROOT%\Tools\%ARCHITECTURE%\lgpo.exe" /g C:\Windows\Temp\Win7GPO

Note that xcopy's source is the GPOBackup folder itself, so its Win7GPO subfolder lands at C:\Windows\Temp\Win7GPO, which is exactly the path given to /g. Point /g at that specific folder rather than at C:\Windows\Temp, since /g imports every GPO backup it finds under the path it is given.
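As an added example (not code from the original post or from MDT), the following PowerShell script does the same job as the two Run Command Line actions above, but with the checks you would want in a production task sequence: it verifies that LGPO.exe and the backup actually exist, that the folder really is a GPO backup, that LGPO.exe succeeded and wrote a registry.pol, and it fails the step with a non-zero exit code if anything goes wrong. It assumes the names used in this post (the Win7GPO folder and LGPO.exe under Tools\<arch>), and is meant to be saved in the deployment share's Scripts folder and called from a Run PowerShell Script action in the State Restore phase. The Microsoft.SMS.TSEnvironment COM object it reads DeployRoot and Architecture from is the one MDT exposes to scripts running inside a task sequence.

```powershell
# Apply-LocalGPO.ps1 -- added example, not code from the original post or from MDT.
# Replaces the "Copy Local GPO" and "Apply Local GPO via LGPO.exe" steps with one
# script that checks its inputs and fails the task sequence step on any error.
# Assumed names: backup folder Win7GPO, LGPO.exe under <DeployRoot>\Tools\<arch>.
param(
    [string]$GpoFolderName = 'Win7GPO',
    [string]$StagingRoot   = "$env:SystemRoot\Temp\GPOBackup"
)
$ErrorActionPreference = 'Stop'
try {
    # DeployRoot and Architecture from the task sequence environment: the same values
    # %DEPLOYROOT% and %ARCHITECTURE% expand to in a Run Command Line step.
    try {
        $ts         = New-Object -ComObject Microsoft.SMS.TSEnvironment
        $deployRoot = $ts.Value('DeployRoot')
        $arch       = $ts.Value('Architecture')
    } catch {
        # Not running inside a task sequence (testing by hand): assumed fallback values.
        $deployRoot = 'E:\MDTBuildLab'
        $arch       = 'x64'
    }

    $lgpo   = Join-Path $deployRoot "Tools\$arch\LGPO.exe"
    $source = Join-Path $deployRoot "GPOBackup\$GpoFolderName"
    foreach ($p in @($lgpo, $source)) {
        if (-not (Test-Path $p)) { throw "Required path not found: $p" }
    }
    # A GPO backup carries a Backup.xml; checking for it catches a mis-named or
    # half-copied folder before LGPO.exe is asked to import it.
    if (-not (Test-Path (Join-Path $source 'Backup.xml'))) {
        throw "$source does not look like a GPO backup (no Backup.xml)"
    }

    # Stage the backup on the local disk, as the xcopy step does, in its own
    # subfolder so /g sees only this one backup.
    $dest = Join-Path $StagingRoot $GpoFolderName
    New-Item -ItemType Directory -Force -Path $dest | Out-Null
    Copy-Item -Path (Join-Path $source '*') -Destination $dest -Recurse -Force

    # Import the backup into the local GPO. /v makes LGPO.exe report each setting,
    # which ends up in the task sequence log for later troubleshooting.
    & $lgpo /v /g $dest | ForEach-Object { Write-Host $_ }
    if ($LASTEXITCODE -ne 0) { throw "LGPO.exe returned exit code $LASTEXITCODE" }

    # Sanity check: the import must have produced a registry.pol in the local store.
    $store = Join-Path $env:SystemRoot 'System32\GroupPolicy'
    $pols  = @('Machine\registry.pol', 'User\registry.pol') | ForEach-Object { Join-Path $store $_ }
    if (-not ($pols | Where-Object { Test-Path $_ })) {
        throw "LGPO.exe finished but no registry.pol exists under $store"
    }

    # Make the settings live now rather than at the next policy refresh, then
    # remove the staged copy so the policy definition is not left in a temp folder.
    gpupdate /force | Out-Null
    Remove-Item -Path $dest -Recurse -Force
    exit 0
}
catch {
    Write-Host "Apply-LocalGPO failed: $_"
    exit 1   # a non-zero exit makes the task sequence step fail instead of continuing
}
```

If you keep the two original Run Command Line steps instead, the equivalent minimum is to tick "Continue on error" off on both, so a missing LGPO.exe or a failed import stops the deployment rather than producing a machine that silently has no policy.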

[Screenshot: The modified task sequence.]

Verifying the result

Finally, it's time to verify the result. Open the local group policy editor, gpedit.msc, and confirm the settings from the baseline are present, and then also try to open the Control Panel, which the baseline in this example prohibits.

[Screenshot: The local policy configured via LGPO.exe and the exported baseline.]

[Screenshot: Trying to open the Control Panel on a Windows 7 SP1 machine.]

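
Opening gpedit.msc is fine for one machine, but not for checking a fleet. As an added example (not code from the original post), the script below verifies the result from the command line in two independent ways: it has LGPO.exe decode the binary registry.pol that /g wrote into the local policy store (the /parse mode renders it as "LGPO text", four lines per setting: scope, key path, value name, and TYPE:data), and it then confirms the setting actually reached the live registry after a policy refresh. It assumes the baseline contains "Prohibit access to Control Panel" (the Explorer\NoControlPanel policy), which matches the screenshot above, and that LGPO.exe is available at the path given in $LgpoPath; both names are assumptions for this example. The parser uses New-Object PSObject rather than [pscustomobject] so it also runs on the PowerShell 2.0 that ships with Windows 7 SP1.

```powershell
# Verify-LocalGPO.ps1 -- added example, not code from the original post.
# Check 1: decode what LGPO.exe wrote into the local policy store (registry.pol is
#          binary; "LGPO.exe /parse /u" renders the user side as LGPO text).
# Check 2: confirm the setting reached the live registry after gpupdate.
# Assumptions: LGPO.exe at $LgpoPath; the baseline prohibits the Control Panel,
#              i.e. HKCU\...\Policies\Explorer\NoControlPanel = 1.
param(
    [string]$LgpoPath = "$env:SystemRoot\Temp\LGPO.exe",
    [string]$PolFile  = "$env:SystemRoot\System32\GroupPolicy\User\registry.pol"
)
$ErrorActionPreference = 'Stop'

# LGPO text is a series of blank-line-separated entries of exactly four lines:
#   Computer|User / registry key path / value name / TYPE:data
# Lines starting with ';' are comments emitted by LGPO.exe and are ignored.
function ConvertFrom-LgpoText {
    param([string[]]$Lines)
    $entry = @()
    foreach ($line in @($Lines)) {
        if ($line -match '^\s*$') {
            if ($entry.Count -eq 4) {
                New-Object PSObject -Property @{
                    Scope = $entry[0]; Key = $entry[1]; Value = $entry[2]; Data = $entry[3]
                }
            }
            $entry = @()
        } elseif ($line -notmatch '^\s*;') {
            $entry += $line
        }
    }
    if ($entry.Count -eq 4) {   # last entry may not be followed by a blank line
        New-Object PSObject -Property @{
            Scope = $entry[0]; Key = $entry[1]; Value = $entry[2]; Data = $entry[3]
        }
    }
}

if (-not (Test-Path $PolFile)) {
    throw "No user-side registry.pol found; LGPO.exe /g did not import any user settings"
}

# Check 1: the expected policy is in the local policy store
$text = & $LgpoPath /parse /u $PolFile
if ($LASTEXITCODE -ne 0) { throw "LGPO.exe /parse failed with exit code $LASTEXITCODE" }
$settings = @(ConvertFrom-LgpoText -Lines $text)

Write-Host "User-side settings found in ${PolFile}:"
$settings | Format-Table Scope, Key, Value, Data -AutoSize | Out-String | Write-Host

$expected = $settings | Where-Object {
    $_.Key   -eq 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -and
    $_.Value -eq 'NoControlPanel' -and
    $_.Data  -eq 'DWORD:1'
}
if (-not $expected) { throw "NoControlPanel=1 is not present in the user registry.pol" }

# Check 2: the setting has been applied to the registry of the current user
# (inside a task sequence that is the local Administrator the deployment runs as).
gpupdate /force | Out-Null
$live = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
                         -Name NoControlPanel -ErrorAction SilentlyContinue
if ($live.NoControlPanel -ne 1) {
    throw "NoControlPanel is in the policy store but has not been applied to HKCU"
}
Write-Host "OK: Control Panel is prohibited for this user, as the baseline specifies"
```

Check 1 tells you what LGPO.exe imported, check 2 tells you whether Windows applied it; the second can fail on its own if the Group Policy client service is stopped or a later step (or a domain join) overwrites the local policy, which is exactly the case you want a verification step to catch.
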
About the author

Johan Arwidmark
