The Deployment Guys

Helping to deploy your world automagically...

MDT 2012: New Features – GPO Packs


There are many new features of MDT 2012 but one that I particularly like is the ability to apply GPO Packs created using Security Compliance Manager (SCM) during the deployment process.

SCM is a great tool that allows you to create and manage Group Policy baselines in an easy-to-use interface. These policies can then be applied at the domain level or as “Local GPO Packs”. MDT can now deploy these “Local GPO Packs” during deployment.

MDT provides four default GPO packs for the following operating systems that are applied by default during deployment. The correct GPO pack will be applied based on the operating system that is deployed. If an operating system matching the GPO pack is not found then no GPO Pack will be applied.

1. Windows 7 SP1

2. Windows Vista SP2

3. Windows 2008 SP2

4. Windows 2008 R2 SP1

All GPO packs are stored in the Templates folder within the Distribution Share, for example <Distribution Share>\Templates\GPOPacks\<GPO Pack Folder>. When you specify your own GPO Pack you must override the default GPO pack using the GPOPackPath variable in the customsettings.ini file. This is a relative path from the <Distribution Share>\Templates\GPOPacks\ folder. For example:

GPOPackPath = Win7-HighSecurity

If you do not want to apply any GPO Packs, the task sequence step can be skipped by setting the variable ApplyGPOPack to NO in customsettings.ini.

You can create your own GPO packs using the following process.

1. Use SCM to create an SCM baseline

2. Export the baseline using a GPO backup

Now we need to turn the baseline into a GPO pack, which is a simple process.

3. Open an existing GPO pack and copy the following files to the backup: GPOPack.wsf, LocalPol.exe, LocalSecurityDB.sdb

4. Copy the GPO Pack to the <Distribution Share>\Templates\GPOPacks folder

5. Update the GPOPackPath variable in the customsettings.ini file to point at the new GPO Pack
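
A pre-deployment check for the procedure above, as an added example that is not part of the original post or of MDT: it reads GPOPackPath and ApplyGPOPack from customsettings.ini and confirms that each referenced pack folder contains the three files from step 3. The -ShareRoot and -CustomSettings parameters and the Get-IniValues helper are assumptions introduced here.

```powershell
# Added example: pre-flight check for an MDT GPO pack (not MDT's own code).
# Assumption: the caller passes the share root and the path to customsettings.ini.
param(
    [Parameter(Mandatory)] [string] $ShareRoot,       # the <Distribution Share> folder
    [Parameter(Mandatory)] [string] $CustomSettings   # full path to customsettings.ini
)
# Files the post says must be copied into the GPO backup folder (step 3).
$requiredFiles = 'GPOPack.wsf', 'LocalPol.exe', 'LocalSecurityDB.sdb'
$packRoot      = Join-Path (Join-Path $ShareRoot 'Templates') 'GPOPacks'

function Get-IniValues {
    param([string] $Path, [string] $Name)
    # Return every value assigned to $Name in any section, skipping ';' comments.
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s*=\s*(.*?)\s*$'
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*;') { continue }
        if ($line -match $pattern) { $Matches[1] }
    }
}

if (-not (Test-Path -LiteralPath $CustomSettings -PathType Leaf)) {
    Write-Warning 'customsettings.ini not found: no GPOPackPath override is in effect.'
    exit 1
}

$apply = @(Get-IniValues -Path $CustomSettings -Name 'ApplyGPOPack')
$packs = @(Get-IniValues -Path $CustomSettings -Name 'GPOPackPath' | Select-Object -Unique)

if ($apply -contains 'NO') {
    Write-Output 'ApplyGPOPack=NO is set: the GPO pack step will be skipped.'
} elseif ($packs.Count -eq 0) {
    Write-Warning 'GPOPackPath is not set: the default pack matching the OS will be applied.'
}

$failed = $false
foreach ($pack in $packs) {
    $folder  = Join-Path $packRoot $pack
    # A folder that does not exist reports all three files as missing.
    $missing = $requiredFiles |
        Where-Object { -not (Test-Path -LiteralPath (Join-Path $folder $_) -PathType Leaf) }
    if ($missing) {
        Write-Warning "Pack '$pack' ($folder) is missing: $($missing -join ', ')"
        $failed = $true
    }
}
if ($failed) { exit 1 }
Write-Output 'GPO pack configuration looks consistent.'
```

A non-zero exit code means the baseline you intended would not be the one applied, so the check is worth running before a deployment share is copied or replicated.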

Each of the default GPO Packs updates the local policy with the settings in the attached Excel file.

This post was contributed by Ben Hunter, a Senior Program Manager for MDT with Microsoft

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples is subject to the terms specified in the Terms of Use.

Attachment: MDTGPOPacks.xlsx
  • I'm revisiting this six months later, but I'm having the exact same problems as before:  It only applies User Rights Assignment settings and nothing else.  Any ideas anyone?  *silence*

  • Hi Catharsis,

    Unfortunately I don't have a suggestion as to what could be causing this issue. Are you using the GPO packs that came with MDT or are you creating your own GPOPack?



  • I'm creating my own.

  • Hi Catharsis,

    How exactly are you creating and capturing your own GPOs? The error shouldn't be in the GPO Pack application process so maybe it is caused by how you are capturing the GPO.



  • I'm creating it in SCM.  I duplicated the baseline Win7 one, emptied it, and added in what I need for our requirements.  There is a mix of User Rights Assignments, Security Options, Auditing, etc.  Only USR gets applied.

  • Because I'm not applying this on a domain-joined machine, does that have something to do with it?  I have been reading some on the LocalGPO tool, and I think maybe that's what I have to use.  But it sounds like I have to install it on every single machine.  That's totally impractical.  The point is that it would be applied during/at the end of deployment.

    Starting Monday I will be spending two weeks imaging about 700 computers.  I really wish I had the answer to this question now to save our technicians time during the next three weeks.

  • Hi Catharsis,

    I don't really have any more guidance to offer, however I would definitely recommend that you post the question to the Microsoft forum for the LocalGPO tool, there are lots of experts who manage the forum -



  • Actually, I just now got it working.  It has everything to do with secedit not wanting to run templates from a remote location (UNC path).  I copied everything down to the local machine with a cmd (this is all during a TS), including the folder with the GPO pack that I made, then ran GPOPack.wsf locally with a simple cscript command-line.  It seems like everything applied this time.

    This link was INCREDIBLY helpful and detailed:

  • Now that SCM 3.0 Beta is released we can use it for Windows 8. I just wrote a tweak to fix that in MDT2012 for Windows 8.

  • I have a problem. The default Microsoft baseline GPO security kills port 139. Does anyone know how to revert all the extra settings the default baseline security adds?

    I tried reverting back by taking the GPO from a fresh DVD install on windows 7 and nothing. So would love to hear some good news from the deployment experts.

    Please enlighten me on this one, cuz I'm fresh out of options.

  • Installation fails with error 1603. Basically, Security compliance manager doesn't work.

  • The Excel Spreadsheet attached to this article saved me a ton of time. When copying over the MDT from one server to the next I didn't bring over the customsettings.ini file and it applied these GPO packs. What a mind boggle.

  • Is there support for Win8.1 GPO packs? Looks like the ZTIApplyGPOPack has code for Win8, but none for 8.1; also MDT2013 doesn't come with GPOPacks for Win8 or Win8.1 -- is this oversight (like the wireless settings: ), or will it explicitly NOT work for some reason in Win8/8.1?

  • What is the best way to apply a specific GPO to a specific task? Is it in the script file?
