Udostępnij za pośrednictwem


How to Create and Apply a Windows 8 GPOPack

What is a GPOPack?

"A GPOPack is either an export of a GPO Backup or an export from a Gold Master Computer that has all of the settings applied and the LocalGPO tool ran on it with the /Export switch to create a GPOPack ."

What is the LocalGPO Tool?

"This tool is designed to manage local group policies of a computer such as applying a security baseline and exporting the local Group Policy"

Where can i learn more about the LocalGPO Tool and how it works?

"Luckily a fantastic blog post is already available that covers this topic:"   https://blogs.technet.com/b/secguide/archive/2011/07/05/scm-v2-beta-localgpo-rocks.aspx

Requirements:

Security Compliance Manager 3.0 - https://www.microsoft.com/en-us/download/details.aspx?id=16776

MDT 2012 Update 1 - https://www.microsoft.com/en-us/download/details.aspx?id=25175

Or

System Center 2012 Configuration Manager SP1 - https://www.microsoft.com/en-us/server-cloud/system-center/configuration-manager-2012.aspx

Windows 8 - https://windows.microsoft.com/en-US/windows-8/meet?woldogcb=0

How to make it work...

1) Open the SCM 3.0 Console and expand Microsoft Baselines > Windows 8 > Windows 8 Computer Settings Compliance 1.0 and export to GPO Backup Folder.

NOTE: The Windows 8 Computer Settings Compliance 1.0 baseline is locked down please test in a lab environment before applying this baseline in your production environment.

2) After your Baseline is Exported copy all items from the GUID "{36b8813c-4544-4365-bc58-cf92a91b04d7}" folder up one level and delete the folder with the GUID leaving an end result like such:

3) Next we need to install the LocalGPO tool from "C:\Program Files (x86)\Microsoft Security Compliance Manager\LGPO\LocalGPO.msi" or your installation directory for SCM 3.0.

4) Once installed we need to copy GPOPack.wsf, LocalPol.exe and LocalSecurityDB.sdb from "C:\Program Files (x86)\LocalGPO\Security Templates" into your GPOPack.

NOTE: Its important to copy from the LocalGPO Directory of SCM 3.0 and not to use the current versions in MDT 2012 Update 1 Version 6.1.2373.0 as they do not fully support Windows 8 without modifying the GPOPack.wsf script itself.

5) Copy your GPOPack into your MDT Toolkit either in your Deployment Share or in your MDT Toolkit Package in System Center 2012 Configuration Manager SP1 in the Templates\GPOPack Directory

6) By default the ZTIApplyGPOPack.wsf script in MDT or a Configuration Manager Task Sequence with MDT Integration will find the GPOPack by the default name of "Win8RTM-MDTGPOPack" and apply it to the machine unless the TS Step was disabled, removed or the ApplyGPOPack Variable is set to NO.

7) If you would like to use a Custom GPOPack name simply provide the name of the folder that you placed in the Templates\GPOPack Directory in the GPOPackPath Variable i.e. GPOPackPath=Win8-CustomGPOPack

8) Additionally you can also use the LocalGPO tool to Export a GPOPack from a Master Image and can follow the above steps to deploy it.

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified
in the
Terms of Use .

Comments

  • Anonymous
    January 29, 2016
    Hello all,



    Similar to the article here , if anyone has tried to apply a GPO Pack using MDT
  • Anonymous
    December 11, 2017
    Great guide and well written!The latest version of Microsoft Security Compliance Manager does not include the LocalGPO directory nor do the contents of its .exe include the LocalPol.exe, LocalSecurityDB.sdb, and GPOPack.wsf files. If you're using MDT 2013, you'll need LGPO.exe and a slightly different method to achieve the same goal. I recommend following this guide if you're using MDT 2013 or later:https://theitbros.com/deploy-local-gpo-with-mdt-2013/