What's New

MDT 2012 | 2013 “Deploying with GPO Packs”

MDT has many new features, but one that I use a lot in non-domain infrastructure is the ability to apply GPO Packs created using Security Compliance Manager (SCM) during the deployment process. Microsoft Security Compliance Manager 3.0 is a great tool that allows you to create and manage group policy baselines in an easy-to-use interface. These policies can then be applied at the domain level or as “Local GPO Packs”.

MDT provides four default GPO packs, applied by default during deployment, for the following operating systems:

1. Windows 7 SP1
2. Windows Vista SP2
3. Windows 2008 SP2
4. Windows 2008 R2 SP1

All GPO packs are stored in the Templates folder within the Distribution Share. For example: <Distribution Share>\Templates\GPOPacks\<GPO Pack Folder>.

When you specify your own GPO Pack you must override the default GPO pack using the GPOPackPath variable in the customsettings.ini file.

This is a relative path from the <Distribution Share>\Templates\GPOPacks\ folder. For example

If you do not want to apply any GPO Packs, the task sequence step can be skipped by setting the variable ApplyGPOPack to NO in customsettings.ini.


You can create your own GPO packs using the following process.
1. Use SCM to create an SCM baseline
2. Export the baseline using a GPO backup

Now we need to turn the baseline into a GPO pack. This is a simple process.
3. Open an existing GPO pack and copy the following files to the backup – GPOPack.wsf, LocalPol.exe, LocalSecurityDB.sdb


4. Copy the GPO Pack to the <Distribution Share>\Templates\GPOPacks folder


5. Update the GPOPackPath variable in the customsettings.ini file to point at the new GPO Pack
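
The copy and update steps of this process can be scripted. The PowerShell below is an added example, not part of the original post or of MDT: the parameter names and the paths you pass in are assumptions, and it additionally records SHA-256 hashes of the copied helper files (which run with administrative rights during deployment) so the pack contents can be audited later.

```powershell
# Added example (not from the original post): build an MDT GPO pack from an SCM GPO backup.
# All parameter names are hypothetical; pass paths that match your environment.
param(
    [Parameter(Mandatory)] [string] $BackupPath,        # GPO backup folder exported from SCM
    [Parameter(Mandatory)] [string] $DistributionShare, # root of the MDT distribution share
    [Parameter(Mandatory)] [string] $ExistingPack,      # folder name of a pack already in GPOPacks
    [Parameter(Mandatory)] [string] $NewPackName,       # folder name for the new pack
    [Parameter(Mandatory)] [string] $CustomSettings     # full path to customsettings.ini
)
$ErrorActionPreference = 'Stop'

$packsRoot = Join-Path $DistributionShare 'Templates\GPOPacks'
$source    = Join-Path $packsRoot $ExistingPack
$target    = Join-Path $packsRoot $NewPackName
$helpers   = 'GPOPack.wsf', 'LocalPol.exe', 'LocalSecurityDB.sdb'

if (-not (Test-Path $BackupPath -PathType Container)) { throw "Backup folder not found: $BackupPath" }
if (Test-Path $target) { throw "A pack with this name already exists: $target" }

# Copy the three helper files from an existing pack into the backup folder.
foreach ($name in $helpers) {
    $file = Join-Path $source $name
    if (-not (Test-Path $file -PathType Leaf)) { throw "Missing in existing pack: $file" }
    Copy-Item -Path $file -Destination $BackupPath
}

# Copy the finished pack into <Distribution Share>\Templates\GPOPacks.
Copy-Item -Path $BackupPath -Destination $target -Recurse

# Record hashes of the helper files that will execute during deployment.
$helpers | ForEach-Object { Get-FileHash -Path (Join-Path $target $_) -Algorithm SHA256 } |
    Format-List Path, Hash

# Point GPOPackPath (relative to Templates\GPOPacks) at the new pack.
$lines = @(Get-Content -Path $CustomSettings)
if ($lines -match '^\s*GPOPackPath\s*=') {
    Copy-Item -Path $CustomSettings -Destination "$CustomSettings.bak"   # keep the previous version
    $lines -replace '^\s*GPOPackPath\s*=.*$', "GPOPackPath=$NewPackName" | Set-Content -Path $CustomSettings
} else {
    Write-Warning "No GPOPackPath entry found; add 'GPOPackPath=$NewPackName' to $CustomSettings by hand."
}
```

The script only rewrites an existing GPOPackPath line; when none is present it leaves customsettings.ini untouched so the entry can be placed in the correct section manually.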


About BjTechNews (1056 Articles)
An IT guy trying to learn everything about technology and sharing it with you all. I'm a blogger and video blogger who highlights daily news in the tech industry, promoting tips and hacks for fellow techies.

3 Comments on MDT 2012 | 2013 “Deploying with GPO Packs”

  1. Use GPO packs as applications. You can install more than one and they are easier to maintain:

    Just run LGPO.exe as an application in MDT:

    -Take your folder output with the DomainSysvol, Backup.xml and bkupinfo.xml files and drop LGPO.exe into it.

    -Create an apply_gpo.bat file and type the following into it:

    @echo off
    %~dp0LGPO.exe /g %~dp0

    You may really only need the one line: %~dp0LGPO.exe /g %~dp0

    but what I used there worked.

    Create your app with source files in MDT and run the apply_gpo.bat. Easy to create and maintain as you don’t have to continually edit task sequences.

  2. How can I use this and deploy more than one GPO pack after the OS is installed using MDT? customsettings.ini will only allow one GPOPackPath entry.
