There are many new features in MDT, but one that I use a lot in non-domain infrastructure is the ability to apply GPO Packs created using Security Compliance Manager (SCM) during the deployment process.
Microsoft Security Compliance Manager 3.0 is a great tool that allows you to create and manage group policy baselines in an easy-to-use interface. These policies can then be applied at the domain level or as “Local GPO Packs”.
MDT provides four default GPO packs that are applied by default during deployment, for the following operating systems:
1. Windows 7 SP1
2. Windows Vista SP2
3. Windows 2008 SP2
4. Windows 2008 R2 SP1
All GPO packs are stored in the Templates folder within the Distribution Share. For example: <Distribution Share>\Templates\GPOPacks\<GPO Pack Folder>.
When you specify your own GPO Pack, you must override the default GPO pack using the GPOPackPath variable in the customsettings.ini file.
This is a relative path from the <Distribution Share>\Templates\GPOPacks\ folder. For example: GPOPackPath = BTN-WIN8-MDTGPOPack
If you do not want to apply any GPO Packs, the task sequence step can be skipped by setting the variable ApplyGPOPack to NO in customsettings.ini.
You can create your own GPO packs using the following process.
1. Use SCM to create an SCM baseline
2. Export the baseline using a GPO backup
Now we need to turn the baseline into a GPO pack. This is a simple process.
3. Open an existing GPO pack and copy the following files to the backup: GPOPack.wsf, LocalPol.exe, LocalSecurityDB.sdb
4. Copy the GPO Pack to the <Distribution Share>\Templates\GPOPacks folder
5. Update the GPOPackPath variable in the customsettings.ini file to point at the new GPO Pack
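Steps 3 to 5 can also be scripted. The PowerShell below is an added example, not part of the original post: the four parameters are placeholders you supply, and the Backup.xml check assumes the standard GPO backup layout.

```powershell
# Added example (not from the original post): build an MDT GPO pack from an SCM GPO backup.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]$BackupPath,        # folder produced by the SCM GPO backup export
    [Parameter(Mandatory)] [string]$ExistingPack,      # a GPO pack folder that already exists in MDT
    [Parameter(Mandatory)] [string]$DistributionShare, # root of the MDT distribution share
    [Parameter(Mandatory)] [string]$PackName           # e.g. BTN-WIN8-MDTGPOPack
)
$ErrorActionPreference = 'Stop'
$helpers = 'GPOPack.wsf', 'LocalPol.exe', 'LocalSecurityDB.sdb'

# Assumption: a GPO backup contains a Backup.xml somewhere below its root.
if (-not (Get-ChildItem -Path $BackupPath -Recurse -Filter 'Backup.xml' | Select-Object -First 1)) {
    throw "No Backup.xml under '$BackupPath'; this does not look like a GPO backup."
}

# Stop early if the existing pack is missing any of the three helper files.
$missing = $helpers | Where-Object {
    -not (Test-Path -LiteralPath (Join-Path $ExistingPack $_) -PathType Leaf)
}
if ($missing) { throw "Existing pack is missing: $($missing -join ', ')" }

# Step 4: copy the backup to Templates\GPOPacks\<PackName>. The SCM export itself is
# left untouched, and an existing pack of the same name is never overwritten.
$packsRoot = Join-Path $DistributionShare 'Templates\GPOPacks'
if (-not (Test-Path -LiteralPath $packsRoot -PathType Container)) { throw "'$packsRoot' not found." }
$target = Join-Path $packsRoot $PackName
if (Test-Path -LiteralPath $target) { throw "'$target' already exists." }
Copy-Item -LiteralPath $BackupPath -Destination $target -Recurse

# Step 3: add the helper files to the new pack. They are executed during deployment,
# so confirm each copy is byte-identical to its source.
foreach ($name in $helpers) {
    $src = Join-Path $ExistingPack $name
    $dst = Join-Path $target $name
    Copy-Item -LiteralPath $src -Destination $dst
    $srcHash = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Hash mismatch after copying $name" }
}

# Step 5: the line to place in customsettings.ini (relative to Templates\GPOPacks).
"GPOPackPath = $PackName"
```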
3 Comments on MDT 2012 | 2013 “Deploying with GPO Packs”
Use GPO packs as applications. You can install more than one and they are easier to maintain:
Just run LGPO.exe as an application in MDT:
- Take your folder output with the DomainSysvol, Backup.xml and bkupinfo.xml files and drop LGPO.exe into it.
- Create an apply_gpo.bat file and type the following into it:
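@echo off
rem The compatibility-layer variable is named __COMPAT_LAYER (two leading underscores)
SET __COMPAT_LAYER=RUNASADMIN
rem Import the GPO backup that sits in the same folder as this script
%~dp0LGPO.exe /g %~dp0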
You may really only need the one line: %~dp0LGPO.exe /g %~dp0
but what I used there worked.
Create your app with source files in MDT and run the apply_gpo.bat. Easy to create and maintain as you don’t have to continually edit task sequences.
Great stuff. Thank you for sharing and adding it here 🙂
How can I use this and deploy more than one GPO pack after the OS is installed using MDT? customsettings.ini will only allow one GPOPackPath entry.