
Creating and Applying Custom GPO Packs using MDT 2012 Beta 2 (with or without SCCM 2007/2012)

Nov 27 2011

Applying GPO Packs is one of the many new features in MDT 2012 Beta 2.

GPO Packs are a way to deploy your security configuration to computers that are not domain joined (and therefore never receive domain Group Policy). A GPO Pack is created either with the LocalGPO utility that ships with Microsoft Security Compliance Manager (SCM) v2, or by adding a few files to an exported SCM v2 baseline (a GPO Backup).

MDT 2012 Beta 2 comes with four built-in GPO Packs, and each one is applied to its matching operating system. For example, if you deploy Windows 7 SP1, the Win7SP1-MDTGPOPack is applied by default.

  • Win7SP1-MDTGPOPack (146 settings)
  • WinVistaSP2-MDTGPOPack (152 settings)
  • WS2008R2SP1-MDTGPOPack (117 settings)
  • WS2008SP2-MDTGPOPack (129 settings)

Here is what you need to do - high level overview:

  • Step 1 - Installing SCM v2 and the optional LocalGPO tool
  • Step 2 - Configure the SCM baseline
  • Step 3 - Export the SCM baseline
  • Step 4 - Create the GPO Pack
  • Step 5 - Configure MDT 2012 Beta 2 to deploy the GPO Pack

Step 1 - Installing SCM v2 and the optional LocalGPO tool

The SCM v2 setup is pretty straightforward, but it requires .NET Framework 4.0 and a SQL Express database. If you don't have SQL Express installed already, the setup wizard offers to install it for you. You should also have Office (or the Word Viewer) installed to be able to read the SCM v2 Word documents (the guides). SCM v2 is available on this link:

  1. Install .NET Framework 4.0

  2. Install SQL Server 2008 R2 Express

  3. Install SCM v2

  4. Install the LocalGPO tool/script (LocalGPO.msi, available via Start / All Programs / Microsoft Security Compliance Manager / LocalGPO). Note: This utility is only needed if you want to create a GPO Pack from a machine configuration, or apply a GPO Backup to a machine. 

Step 2 - Configure the SCM baseline

In this example you will create a custom version of the Enterprise Client security recommendations for Windows 7 (the Win7-EC-Desktop 1.0 security baseline) using SCM v2, and apply it to the local machine. Then you will create a GPO Pack from the local machine configuration.

  1. On your virtual machine, start the SCM console.

  2. In the SCM Console, expand the Windows 7 node, select the Win7-EC-Desktop 1.0 security baseline, and in the Actions pane, click Duplicate.

  3. Change the name and description to something useful, and click Save (I named mine "ViaMonstra Enterprise Desktop Win7").

  4. Change the policies as needed. In the example below I enabled the Remote Desktop Connection policy.

The custom baseline in SCM

Step 3 - Export the SCM baseline

  1. After changing the policies in your custom baseline, select the custom baseline, and in the Actions pane, click GPO Backup (folder).

  2. In the Browse For Folder dialog box, select the folder where you want your GPO Backup. I selected C:\GPOBackup on my machine.

The GPO Backup folder

Step 4 - Create the GPO Pack

  1. In your C:\GPOBackup folder, rename the new folder ({49ea86e8-5683-4f4e-814c-6bc7d03d62b1} in my example) to something useful (the name of your baseline, for example). I named mine "ViaMonstra Enterprise Desktop Win7".
  2. Go to the <DeploymentShare>\Templates\GPOPacks folder, and copy the following files to C:\GPOBackup\ViaMonstra Enterprise Desktop Win7

The completed GPO Pack

Step 5 - Configure MDT 2012 Beta 2 to deploy the GPO Pack

The default GPO Packs are stored in the <DeploymentShare>\Templates\GPOPacks folder. You use the GPOPackPath property (set in CustomSettings.ini or the MDT database, like any other MDT property) to select a different pack; the path you specify in this property is relative to the Templates\GPOPacks folder.

1. Copy your GPO Pack to the <DeploymentShare>\Templates\GPOPacks folder.

2. Configure the GPOPackPath property with the folder name of your GPO Pack. In my example:

GPOPackPath=ViaMonstra Enterprise Desktop Win7

Note: When GPOPackPath is set, MDT no longer applies its default GPO Packs; only the pack you specified is applied (unless you set GPOPackPath to one of the default GPO Packs). Make sure the value matches the folder name under Templates\GPOPacks exactly, since that is where MDT resolves the relative path.

Optional Step - Create a GPO Pack using the LocalGPO tool

You can also create GPO Packs using the LocalGPO tool.

You can still use SCM v2 to create the baseline and apply it to your machine, or just use the native Local Group Policy Editor. Either way, the LocalGPO tool exports what is currently configured on the local machine into a GPO Pack.

1. Create a GPO Pack from the local configuration by starting an elevated command prompt (Run as Administrator) and typing the following commands:

cd /d "C:\Program Files (x86)\LocalGPO"

cscript.exe LocalGPO.wsf /Path:C:\GPOBackup /Export /GPOPack

2. Rename the new folder in C:\GPOBackup to something useful (the name of your baseline, for example). I named mine "ViaMonstra Enterprise Desktop Win7".

3. Verify that the C:\GPOBackup\ViaMonstra Enterprise Desktop Win7 folder contains the following folder and files.
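The procedure from Step 4 onwards (optionally exporting the local policy with LocalGPO, renaming the {GUID} folder, adding the support files from Templates\GPOPacks, copying the pack into the deployment share and setting GPOPackPath) as one PowerShell script. This is an added example, not code from the original post or from MDT/SCM. The deployment share path D:\MDTProduction, the Control\CustomSettings.ini location, and the assumption that the files to copy into the pack are the loose files (not the four default pack subfolders) directly under Templates\GPOPacks are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original post): stages an SCM GPO Backup or a
# LocalGPO export as an MDT 2012 GPO Pack and points GPOPackPath at it.
# Assumptions (labelled): export folder C:\GPOBackup, deployment share
# D:\MDTProduction, and the support files that turn a GPO Backup into a GPO Pack
# are the loose files directly under <DeploymentShare>\Templates\GPOPacks.
param(
    [string]$BackupRoot      = 'C:\GPOBackup',
    [string]$DeploymentShare = 'D:\MDTProduction',
    [string]$PackName        = 'ViaMonstra Enterprise Desktop Win7',
    [switch]$ExportLocalPolicy   # run LocalGPO.wsf instead of using an SCM GPO Backup
)

$ErrorActionPreference = 'Stop'
$templateRoot = Join-Path $DeploymentShare 'Templates\GPOPacks'

if ($ExportLocalPolicy) {
    # Optional step: export the current local policy with the LocalGPO tool (needs an elevated shell)
    $localGpo = 'C:\Program Files (x86)\LocalGPO\LocalGPO.wsf'
    & cscript.exe //nologo $localGpo "/Path:$BackupRoot" /Export /GPOPack
    if ($LASTEXITCODE -ne 0) { throw "LocalGPO export failed with exit code $LASTEXITCODE" }
}

# Step 4.1 / optional step 2: the export lands in a folder named after the GPO GUID; pick the newest one
$guidFolder = Get-ChildItem -Path $BackupRoot -Directory |
    Where-Object { $_.Name -match '^\{[0-9a-fA-F-]{36}\}$' } |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $guidFolder) { throw "No {GUID} backup folder found under $BackupRoot" }
Rename-Item -Path $guidFolder.FullName -NewName $PackName
$packFolder = Join-Path $BackupRoot $PackName

# Step 4.2: add the GPO Pack support files from the MDT templates folder
# (assumption: the required files are the loose files in that folder, not the default pack subfolders)
Get-ChildItem -Path $templateRoot -File | Copy-Item -Destination $packFolder

# Step 5.1: copy the finished pack into the deployment share
Copy-Item -Path $packFolder -Destination (Join-Path $templateRoot $PackName) -Recurse -Force

# Step 5.2: set GPOPackPath in the [Default] section of CustomSettings.ini, replacing any existing value
$csIni = Join-Path $DeploymentShare 'Control\CustomSettings.ini'
$lines = Get-Content -Path $csIni | Where-Object { $_ -notmatch '^\s*GPOPackPath\s*=' }
if (@($lines | ForEach-Object { $_.Trim() }) -notcontains '[Default]') {
    throw "[Default] section not found in $csIni"
}
$newLines = foreach ($line in $lines) {
    $line
    if ($line.Trim() -eq '[Default]') { "GPOPackPath=$PackName" }
}
Set-Content -Path $csIni -Value $newLines -Encoding ASCII   # CustomSettings.ini is a plain ANSI file

# Check: GPOPackPath is resolved relative to Templates\GPOPacks, so the folder must exist there
# and must still contain the backup's Backup.xml (the GPO Backup itself).
$staged = Join-Path $templateRoot $PackName
if (-not (Test-Path (Join-Path $staged 'Backup.xml'))) {
    throw "Staged pack at $staged does not look like a GPO Backup (Backup.xml missing)"
}
Write-Host "GPO Pack '$PackName' staged under $templateRoot and GPOPackPath set in $csIni"
```

Run it from an elevated PowerShell prompt on the machine that holds the deployment share (with -ExportLocalPolicy on the reference machine if you use the LocalGPO route). The Backup.xml check at the end is the same sanity check the "verify the folder contains the following folder and files" step asks you to do by eye; if it fails, the GUID folder was not the one produced by the export.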

Happy deployment, and thanks for reading!
/ Johan