The Deployment Guys

Helping to deploy your world automagically...

MDT 2012: New Features– GPO Packs


There are many new features of MDT 2012 but one that I particularly like is the ability to apply GPO Packs created using Security Compliance Manager (SCM) during the deployment process.

SCM is a great tool that allows you to create and manage group policy baselines in an easy to use interface. These policies can then be applied at the domain level or as "Local GPO Packs". MDT can now deploy these "Local GPO Packs" during deployment.

MDT ships with four default GPO packs, one for each of the following operating systems, and applies one of them by default during deployment. The GPO pack that matches the operating system being deployed is selected automatically; if no GPO pack matches the deployed operating system then no GPO pack is applied.

1. Windows 7 SP1

2. Windows Vista SP2

3. Windows 2008 SP2

4. Windows 2008 R2 SP1

All GPO packs are stored in the Templates folder within the Distribution Share, for example <Distribution Share>\Templates\GPOPacks\<GPO Pack Folder>. To use your own GPO Pack you override the default selection with the GPOPackPath variable in the customsettings.ini file. The value is a path relative to the <Distribution Share>\Templates\GPOPacks\ folder, for example:

GPOPackPath = Win7-HighSecurity

If you do not want to apply any GPO Packs at all, the task sequence step can be skipped by setting the variable ApplyGPOPack to NO in customsettings.ini.
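The fragment below is an added example of how the two variables from this post fit into a customsettings.ini; it is not from the original post or from MDT's own sample file. It also goes one step further than the post and uses MDT's TaskSequenceID priority so that each task sequence can select its own pack. The section names WIN7-SEC, WIN2008R2-SEC and LAB-TEST are placeholder task sequence IDs, and Win2008R2-Custom is a placeholder pack folder; Win7-HighSecurity is the value the post itself uses.

```ini
; Added example, not part of the original post.
; [Settings] controls which sections are read and in what order: a value found in a
; task-sequence-specific section wins over the same value in [Default].
[Settings]
Priority=TaskSequenceID, Default

[Default]
; Apply a local GPO Pack on every deployment unless a more specific section says otherwise.
ApplyGPOPack=YES
; Relative to <Distribution Share>\Templates\GPOPacks\ (pack folder name from the post).
GPOPackPath=Win7-HighSecurity

; One section per task sequence ID (placeholder IDs) gives each OS build its own pack.
[WIN7-SEC]
GPOPackPath=Win7-HighSecurity

[WIN2008R2-SEC]
GPOPackPath=Win2008R2-Custom

; Lab builds skip the "Apply Local GPO Package" step entirely.
[LAB-TEST]
ApplyGPOPack=NO
```

Because the task sequence ID is only known once a task sequence has been chosen, the per-sequence sections take effect at the Gather step that runs inside the task sequence; a machine whose task sequence ID matches none of the sections simply falls back to the [Default] values.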

You can create your own GPO packs using the following process.

1. Use SCM to create an SCM baseline

2. Export the baseline using a GPO backup

Now we need to turn the baseline into a GPO pack; this is a simple process.

3. Open an existing GPO pack and copy the following files into the backup folder: GPOPack.wsf, LocalPol.exe, LocalSecurityDB.sdb

4. Copy the GPO Pack to the <Distribution Share>\Templates\GPOPacks folder

5. Update the GPOPackPath variable in the customsettings.ini file to point at the new GPO Pack
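The script below is an added example that automates steps 3 to 5 above; it is not from the original post or from MDT itself. It assumes you run it on the MDT server, that the deployment share keeps customsettings.ini under Control\ (the standard MDT layout), and that the template pack you borrow the three helper files from is one of the default packs; the pack name Win7-HighSecurity is the value the post uses, every other path in the example call is a placeholder.

```powershell
# Added example (not from the original post or the MDT project): turn an SCM GPO backup
# into an MDT 2012 GPO Pack by following steps 3-5 of the post.
# Assumptions: paths and pack names are placeholders; 'Win7-HighSecurity' is the default
# pack named in the post and is used only as the source of the three helper files.

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function New-MdtGpoPack {
    param(
        [Parameter(Mandatory)] [string] $GpoBackupPath,    # folder SCM wrote the GPO backup into (contains the {GUID} folder)
        [Parameter(Mandatory)] [string] $DeploymentShare,  # root of the MDT deployment share
        [Parameter(Mandatory)] [string] $PackName,         # new folder name under Templates\GPOPacks
        [string] $TemplatePack = 'Win7-HighSecurity',      # existing pack whose helper files are copied
        [switch] $SetGpoPackPath                           # also write GPOPackPath into customsettings.ini
    )

    $gpoPacksRoot = Join-Path $DeploymentShare 'Templates\GPOPacks'
    $templateDir  = Join-Path $gpoPacksRoot $TemplatePack
    $packDir      = Join-Path $gpoPacksRoot $PackName

    # The three files the post says every GPO Pack needs.
    $helperFiles = 'GPOPack.wsf', 'LocalPol.exe', 'LocalSecurityDB.sdb'

    # Sanity checks before copying anything: the source must look like a GPO backup
    # (it contains a Backup.xml) and the template pack must actually hold the helper files.
    $backupXml = Get-ChildItem -Path $GpoBackupPath -Recurse -Filter 'Backup.xml' -ErrorAction SilentlyContinue
    if (-not $backupXml) { throw "No Backup.xml found under '$GpoBackupPath'; is this a GPO backup?" }
    foreach ($f in $helperFiles) {
        if (-not (Test-Path (Join-Path $templateDir $f))) {
            throw "Helper file '$f' not found in template pack '$templateDir'"
        }
    }
    if (Test-Path $packDir) { throw "Pack folder '$packDir' already exists; choose another name" }

    # Step 3: copy the helper files from the existing pack into the backup folder.
    foreach ($f in $helperFiles) {
        Copy-Item -Path (Join-Path $templateDir $f) -Destination $GpoBackupPath -Force
    }

    # Step 4: copy the completed pack to <Distribution Share>\Templates\GPOPacks\<PackName>.
    Copy-Item -Path $GpoBackupPath -Destination $packDir -Recurse

    # Step 5 (optional): point GPOPackPath at the new pack. The value is relative to
    # Templates\GPOPacks, so the pack folder name is exactly what goes into the file.
    if ($SetGpoPackPath) {
        $csIni = Join-Path $DeploymentShare 'Control\CustomSettings.ini'
        $lines = @(Get-Content -Path $csIni)
        if ($lines -match '^\s*GPOPackPath\s*=') {
            $lines = $lines -replace '^\s*GPOPackPath\s*=.*$', "GPOPackPath=$PackName"
        } else {
            # No existing value: add it directly under the [Default] section header.
            $lines = $lines | ForEach-Object { $_; if ($_ -match '^\[Default\]') { "GPOPackPath=$PackName" } }
        }
        Set-Content -Path $csIni -Value $lines
    }

    return $packDir
}

# Example call (all paths are placeholders for your own environment):
# New-MdtGpoPack -GpoBackupPath 'C:\SCMExport\Win7-Custom' -DeploymentShare 'D:\DeploymentShare' `
#                -PackName 'Win7-Custom' -SetGpoPackPath
```

The function refuses to overwrite an existing pack folder and checks for Backup.xml first, so a wrong source path fails before any files are copied into the deployment share. If you prefer to select the pack per task sequence, leave out -SetGpoPackPath and set GPOPackPath in the task sequence or in a task-sequence-specific section of customsettings.ini instead.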

Each of the default GPO Packs updates the local policy with the settings listed in the attached Excel file.

This post was contributed by Ben Hunter, a Senior Program Manager for MDT with Microsoft

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use

Attachment: MDTGPOPacks.xlsx
  • Ben, nice to see you posting again. Two questions...
    1) When you say a relative path, would the example you give resolve to <Distribution Share>\Templates\GPOPacks\ folder\Win7-HighSecurity or would it resolve to <Distribution Share>\Templates\GPOPacks\Win7-HighSecurity? Not clear in your post.
    2) Can GPO packs be created outside of SCM? Not all orgs use SCM, mine uses a Novell product, but it would be good to be able to apply GPO packs at build time.

  • Hi fearofweapons,
    The GPO pack needs to be in the folder <Distribution Share>\Templates\GPOPacks\Win7-HighSecurity.
    The GPO Packs can also be created using an export process from an existing machine. See this blog post by Johan for further details - http://www.deploymentresearch.com/Blog/tabid/62/EntryId/47/Creating-and-Applying-Custom-GPO-Packs-using-MDT-2012-Beta-2-with-or-without-SCCM-2007-2012.aspx
    Thanks,
    Ben

  • Excellent! Applying security settings is one of the biggest pains when developing a new base image. Is there a migration path or upgrade option when going from MDT 2010 to 2012?

  • The task will not be added to existing task sequences that have been upgraded to MDT 2012. However, you can add this task to an existing task sequence by doing the following:
    1. Create a new "Run Command Line" task sequence action. I would recommend that you add it after the restore groups step.
    2. Name the task - Apply Local GPO Package
    3. Set the command line to - cscript.exe "%SCRIPTROOT%\ZTIApplyGPOPack.wsf"
    Thanks,
    Ben

  • Hi Ben,
    Thanks for explaining and documenting this new feature!

  • What is the automated process for removing (resetting to a not configured state) a single setting that has been applied via a GPO Pack?
    Example:
    Today we have a GPO that has 100 settings (including 'setting x')
    We create a GPO Pack for this GPO and apply it across our environment
    Tomorrow we remove 'setting x' from that GPO
    How do we revert that single setting (in local policy) back to a not configured state?

  • I would recommend changing the setting at the domain level, as the settings in the local GPO pack will be overridden by domain GPOs.
    Thanks,
    Ben

  • I am relatively new to MDT and love the idea of applying GPO packs during an unattended installation, as my computing group uses a few very specific policies to access servers that don't normally cooperate with Windows. However, if you set GPOPackPath in CustomSettings.ini, won't it use the same GPO for every task sequence? If my deployment share or media includes 4 different task sequences for 4 different OSes, how would I tell MDT to use a different custom GPO pack for each task sequence?

  • Hi Hunter,
    You could set the value for the GPOPackPath variable within the task sequence itself. There is a built-in action that allows you to do this.
    Thanks,
    Ben

  • I love this idea. However, after the long, painful process of recreating the policy from scratch in SCM and following the instructions on this page, I found that the only settings that carried over were User Rights Assignment. Security Options and Audit Policy settings were the regular Windows 7 default. I made a LOT of changes in all three sections.

  • You're right, but after deployment I found several problems caused by this local GPO; for example, I can't modify settings for my Windows Update, Windows can't find a "résidentiel group", and we don't have the right to access any of the PCs in my network.
    My question is: if I disable this feature from the task sequences, what is the result?

  • Hi Red,
    You can simply set the variable ApplyGPOPack to NO in customsettings.ini and no GPO Packs will be applied.
    When you disable this feature the GPO Pack will not be applied; nothing else changes.
    Thanks,
    Ben

  • Six months later I'm revisiting this with Windows 8. I'm still encountering the problem I listed above. Any help or clue at all would be awesome. I'm doing everything the instructions for these new GPOPacks tell me to do, but I only have User Rights Assignment settings being applied, and nothing else.

  • I'm revisiting this six months later, but I'm having the exact same problems as before: it only applies User Rights Assignment settings and nothing else. Any ideas anyone? *silence*
