MDT 2012: New Features - GPO Packs
There are many new features of MDT 2012 but one that I particularly like is the ability to apply GPO Packs created using Security Compliance Manager (SCM) during the deployment process.
SCM is a great tool that allows you to create and manage Group Policy baselines in an easy-to-use interface. These policies can then be applied at the domain level or as "Local GPO Packs". MDT can now deploy these "Local GPO Packs" during deployment.
MDT provides four default GPO packs, for the following operating systems, that are applied by default during deployment. The correct GPO pack is applied based on the operating system being deployed. If no GPO pack matches the deployed operating system, no GPO pack is applied.
1. Windows 7 SP1
2. Windows Vista SP2
3. Windows 2008 SP2
4. Windows 2008 R2 SP1
All GPO packs are stored in the Templates folder within the Distribution Share, for example <Distribution Share>\Templates\GPOPacks\<GPO Pack Folder>. To specify your own GPO pack, override the default GPO pack by setting the GPOPackPath variable in the customsettings.ini file. This is a path relative to the <Distribution Share>\Templates\GPOPacks\ folder. For example:
GPOPackPath = Win7-HighSecurity
If you do not want to apply any GPO packs, the task sequence step can be skipped by setting the variable ApplyGPOPack to NO in customsettings.ini.
You can create your own GPO packs using the following process.
1. Use SCM to create an SCM baseline
2. Export the baseline using a GPO backup
Now we need to turn the baseline into a GPO pack; this is a simple process.
3. Open an existing GPO pack and copy the following files into the backup: GPOPack.wsf, LocalPol.exe, LocalSecurityDB.sdb
4. Copy the GPO pack to the <Distribution Share>\Templates\GPOPacks folder
5. Update the GPOPackPath variable in the customsettings.ini file to point at the new GPO pack
Each of the default GPO Packs updates the local policy with the settings in the attached Excel file.
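As an added example (not code from the post or from MDT itself), this PowerShell script carries out the last three steps above, borrowing the three required files from an existing pack, and then checks that the GPOPackPath and ApplyGPOPack variables described earlier resolve to a complete pack before you deploy. The paths, the Control\customsettings.ini location, and the pack name Win7-Workstation are assumptions; Win7-HighSecurity is the pack name used in the post.

```powershell
# Added example, not from the original post. Assumed paths: adjust $DistributionShare,
# the SCM export folder and the pack names to your environment.
param(
    [string]$DistributionShare = 'D:\DeploymentShare',              # assumption
    [string]$GpoBackupFolder   = 'C:\SCMExports\Win7-Workstation',  # folder SCM wrote the GPO backup to (assumed)
    [string]$NewPackName       = 'Win7-Workstation',                 # becomes the GPOPackPath value (assumed)
    [string]$TemplatePack      = 'Win7-HighSecurity'                 # existing pack to borrow the three files from
)

$packsRoot     = Join-Path $DistributionShare 'Templates\GPOPacks'
$destPack      = Join-Path $packsRoot $NewPackName
$requiredFiles = 'GPOPack.wsf', 'LocalPol.exe', 'LocalSecurityDB.sdb'

# Copy the three files every GPO Pack needs from an existing pack into the GPO backup.
foreach ($file in $requiredFiles) {
    Copy-Item -Path (Join-Path $packsRoot "$TemplatePack\$file") -Destination $GpoBackupFolder -Force
}

# Place the completed pack under <Distribution Share>\Templates\GPOPacks.
New-Item -ItemType Directory -Path $destPack -Force | Out-Null
Copy-Item -Path (Join-Path $GpoBackupFolder '*') -Destination $destPack -Recurse -Force

# Final check: read customsettings.ini (assumed to live in the Control folder) and confirm
# GPOPackPath resolves to a pack folder that exists and holds the required files, so the
# deployment does not run with a pack MDT cannot find or apply.
$iniPath     = Join-Path $DistributionShare 'Control\customsettings.ini'
$gpoPackPath = $null
foreach ($line in Get-Content $iniPath) {
    if ($line -match '^\s*GPOPackPath\s*=\s*(.+?)\s*$') { $gpoPackPath = $Matches[1] }
    if ($line -match '^\s*ApplyGPOPack\s*=\s*NO\s*$')   { Write-Warning 'ApplyGPOPack=NO is set: no GPO Pack will be applied' }
}
if (-not $gpoPackPath) {
    Write-Warning 'GPOPackPath is not set; MDT will apply its default pack for the deployed OS'
    return
}
$resolved = Join-Path $packsRoot $gpoPackPath   # GPOPackPath is relative to Templates\GPOPacks
$missing  = $requiredFiles | Where-Object { -not (Test-Path (Join-Path $resolved $_)) }
if (-not (Test-Path $resolved)) {
    Write-Warning "GPOPackPath '$gpoPackPath' does not resolve to a folder under $packsRoot"
} elseif ($missing) {
    Write-Warning "Pack '$gpoPackPath' is missing: $($missing -join ', ')"
} else {
    Write-Host "GPOPackPath=$gpoPackPath resolves to $resolved and contains the required files."
}
```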
This post was contributed by Ben Hunter, a Senior Program Manager for MDT with Microsoft
Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples is subject to the terms specified in the Terms of Use.
Comments
Anonymous
January 01, 2003
Now that SCM 3.0 Beta has been released, we can use it for Windows 8. I just wrote a tweak to fix that in MDT2012 for Windows 8. blogs.technet.com/.../3547682.aspx
Anonymous
January 01, 2003
Hi Hunter, You could set the value for the GPOPackPath variable within the task sequence itself. There is a built-in action that allows you to do this. Thanks, Ben
Anonymous
January 01, 2003
I'm revisiting this six months later, but I'm having the exact same problems as before: it only applies User Rights Assignment settings and nothing else. Any ideas anyone? silence
Anonymous
January 01, 2003
Hi Red, You can simply set the variable ApplyGPOPack to NO in customsettings.ini and no GPO Packs will be applied. When you disable this feature the GPO Pack will not be applied; nothing else changes. Thanks, Ben
Anonymous
January 01, 2003
What is the automated process for removing (resetting to a not configured state) a single setting that has been applied via a GPO Pack? Example: Today we have a GPO that has 100 settings (including 'setting x'). We create a GPO Pack for this GPO and apply it across our environment. Tomorrow we remove 'setting x' from that GPO. How do we revert that single setting (in local policy) back to a not configured state?
Anonymous
January 01, 2003
Hi Catharsis, I don't really have any more guidance to offer; however, I would definitely recommend that you post the question to the Microsoft forum for the LocalGPO tool, there are lots of experts who manage the forum - social.technet.microsoft.com/.../threads Thanks, Ben
Anonymous
January 01, 2003
Hi Catharsis, How exactly are you creating and capturing your own GPOs? The error shouldn't be in the GPO Pack application process, so maybe it is caused by how you are capturing the GPO. Thanks, Ben
Anonymous
January 01, 2003
Hi fearofweapons, The GPO pack needs to be in the folder <Distribution Share>\Templates\GPOPacks\Win7-HighSecurity. The GPO Packs can also be created using an export process from an existing machine. See this blog post by Johan for further details - www.deploymentresearch.com/.../Creating-and-Applying-Custom-GPO-Packs-using-MDT-2012-Beta-2-with-or-without-SCCM-2007-2012.aspx Thanks, Ben
Anonymous
January 01, 2003
I'm creating my own.
Anonymous
January 01, 2003
Hi Catharsis, Unfortunately I don't have a suggestion as to what could be causing this issue. Are you using the GPO packs that came with MDT or are you creating your own GPOPack? Thanks, Ben
Anonymous
January 01, 2003
Because I'm not applying this on a domain-joined machine, does that have something to do with it? I have been reading some on the LocalGPO tool, and I think maybe that's what I have to use. But it sounds like I have to install it on every single machine. That's totally impractical. The point is that it would be applied during/at the end of deployment. Starting Monday I will be spending two weeks imaging about 700 computers. I really wish I had the answer to this question now to save our technicians time during the next three weeks.
Anonymous
January 01, 2003
I would recommend changing the setting at the domain level, as the settings in the local GPO pack will be overridden by domain GPOs. Thanks, Ben
Anonymous
January 01, 2003
I'm creating it in SCM. I duplicated the baseline Win7 one, emptied it, and added in what I need for our requirements. There is a mix of User Rights Assignments, Security Options, Auditing, etc. Only USR gets applied.
Anonymous
January 01, 2003
Six months later I'm revisiting this with Windows 8. I'm still encountering the problem I listed above. Any help or clue at all would be awesome. I'm doing everything the instructions for these new GPOPacks tell me to do, but I only have User Rights Assignment settings being applied, and nothing else.
Anonymous
January 01, 2003
I love this idea. However, after the long, painful process of recreating the policy from scratch in SCM and following the instructions on this page, I found that the only settings that carried over were User Rights Assignment. Security Options and Audit Policy settings were the regular Windows 7 default. I made a LOT of changes in all three sections.
Anonymous
December 02, 2011
Ben, nice to see you posting again. Two questions...
- When you say a relative path, would the example you give resolve to <Distribution Share>\Templates\GPOPacks folder\Win7-HighSecurity or would it resolve to <Distribution Share>\Templates\GPOPacks\Win7-HighSecurity? Not clear in your post.
- Can GPO packs be created outside of SCM? Not all orgs use SCM, mine uses a Novell product, but it would be good to be able to apply GPO packs at build time.
Anonymous
December 02, 2011
Excellent! Applying security settings is one of the biggest pains when developing a new base image. Is there a migration path or upgrade option when going from MDT 2010 to 2012?
Anonymous
December 03, 2011
Hi Ben, thanks for explaining and documenting this new feature!
Anonymous
May 21, 2012
I am relatively new to MDT and love the idea of applying GPO packs during an unattended installation, as my computing group uses a few very specific policies to access servers that don't normally cooperate with Windows. However, if you set GPOPackPath in CustomSettings.ini, won't it use the same GPO for every task sequence? If my deployment share or media includes 4 different task sequences for 4 different OS's, how would I tell MDT to use a different custom GPO pack for each task sequence?
Anonymous
July 01, 2012
You're right, but after deployment I found several problems caused by this local GPO. For example, I can't modify settings for my Windows Update, Windows can't find a "home group", and we don't have the right to access any of the PCs in my network. My question is: if I disable this feature from the task sequences, what is the result?
Anonymous
January 23, 2013
I have a problem. The default Microsoft baseline GPO security kills port 139. Does anyone know how to revert all the extra settings the default baseline security adds? I tried reverting back by taking the GPO from a fresh DVD install on Windows 7 and nothing. So I would love to hear some good news from the deployment experts. Please enlighten me on this one, because I'm fresh out of options.
Anonymous
October 24, 2013
Installation fails with error 1603. Basically, Security Compliance Manager doesn't work.
Anonymous
May 28, 2014
The Excel spreadsheet attached to this article saved me a ton of time. When copying over the MDT from one server to the next I didn't bring over the customsettings.ini file and it applied these GPO packs. What a mind boggle.
Anonymous
June 25, 2014
Is there support for Win8.1 GPO packs? Looks like ZTIApplyGPOPack has code for Win8, but none for 8.1; also MDT2013 doesn't come with GPOPacks for Win8 or Win8.1 -- is this an oversight (like the wireless settings: http://keithga.wordpress.com/2013/10/18/mdt-2013-fails-to-deploy-unattended-on-win-8-1-with-wi-fi-network-card/ ), or will it explicitly NOT work for some reason in Win8/8.1?
Anonymous
September 30, 2014
What is the best way to apply a specific GPO to a specific task? Is it in the script file?