What's New

MDT 2012 | 2013 “Deploying with GPO Packs”

Posted on August 20, 2013 by BjTechNews in MDT 2010, MDT 2012, MDT 2013, Microsoft, Windows 2008 R2, Windows 7, Windows 8, Windows 8.1 // 3 Comments

There are many new features of MDT but one that I particularly use a lot many time in non-domain infrastructure is the ability to apply GPO Packs created using Security Compliance Manager (SCM) during the deployment process. Microsoft Security Compliance Manager 3.0 is a great tool that allows you to create and manage group policy baselines in an easy to use interface. These polices are then able to be applied at the domain level or as  “Local GPO Packs”. MDT provides four default GPO packs for the following operating systems that are applied by default during deployment. 1.  Windows 7 SP1 | 2. Windows Vista SP2 | 3. Windows 2008 SP2 | 4. Windows 2008 R2 SP1 All GPO packs are stored in the Templates folder within the Distribution Share. For example <Distribution Share>\Templates\GPOPacks\<GPO Pack Folder>. vlcsnap-2013-08-20-13h02m14s207 When you specify your own GPO Pack you must override the default GPO pack using the GPOPackPath variable in the customsettings.ini file. vlcsnap-2013-08-20-13h02m56s115

This is a relative path from the <Distribution Share>\Templates\GPOPacks\ folder. For example
GPOPackPath = BTN-WIN8-MDTGPOPack

vlcsnap-2013-08-20-13h03m57s207
If you do not want to apply any GPO Packs then task sequence step can be skipped by setting the variable ApplyGPOPack to NO in customsettings.ini.

vlcsnap-2013-08-20-13h03m19s87

You can create your own GPO packs using the following process.
1. Use SCM to create an SCM baseline
2. Export the baseline using a GPO backup

Now we need to turn the baseline into a GPO pack, this is a simple process.
3. Open to an existing GPO pack and copy the following files to the backup – GPOPack.wsf, LocalPol.exe, LocalSecurityDB.sdb

vlcsnap-2013-08-20-13h04m21s192

4. Copy the GPO Pack to the <Distribution Share>\Templates\GPOPacks folder

vlcsnap-2013-08-20-13h04m44s171

3. Update the GPOPackPath variable in the customsettings.ini file to point at the new GPO Pack

vlcsnap-2013-08-20-13h05m38s192

About BjTechNews (1065 Articles)
An IT guy trying to learn everything about technology and sharing it with you all. I'm a blogger and video blogger who highlights daily news in the tech industry, promoting tips and hacks for fellow techies.

3 Comments on MDT 2012 | 2013 “Deploying with GPO Packs”

  1. LoXodonte // February 24, 2017 at 9:26 am // Reply

    Use GPO packs as applications. You can install more than one and they are easier to maintain:

    Just run LGPO.exe as an application in MDT:

    -Take your folder output with the DomainSysvol, Backup.xml and bkupinfo.xml files and drop LGPO.exe into it.

    -Create an apply_gpo.bat file and type the following into it:

    @echo off
    SET COMPAT_LAYER=RUNASADMIN
    %~dp0LGPO.exe /g %~dp0

    You may really only need the one line: %~dp0LGPO.exe /g %~dp0

    but what I used there worked.

    Create your app with source files in mdt and run the apply_gpo.bat. Easy to create and maintain as you don’t have to continually edit task sequences.

  2. Louis // January 7, 2017 at 2:16 pm // Reply

    how can I use this and deploy more than one gpopack after the os is installed using mdt, customsettings.ini will only allow one gpopackpath entry

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Copyright © 2024

Discover more from BTNHD

Subscribe now to keep reading and get access to the full archive.

Continue reading