Deploy Local GPO with MDT 2013

A computer's Local Group Policy is configured through the gpedit.msc snap-in, which provides no way to export or import settings. That’s why, when Windows is deployed in a non-domain environment (where you can’t use domain GPOs), the administrator has to configure policies directly in the reference Windows image.

In this tutorial we will show you how to push out Local Group Policy settings on Windows 10 during workstation deployment via Microsoft Deployment Toolkit 2013 (MDT 2013).

Deploying Local GPO using MDT 2013

To import and export Local Group Policy settings (created using gpedit.msc), we will use a new command-line utility, LGPO.exe, which replaces the no-longer-supported LocalGPO utility (part of the Security Compliance Manager, SCM). LGPO.exe lets you back up and restore local GPO settings and import individual components, including advanced auditing files, registry.pol files and security templates. It can also turn on a Group Policy client-side extension (CSE) for local policy processing.

Download and extract the archive content to a separate folder on the Windows 10 client (C:\LGPO in this case).

The archive contains two files:

  • exe
  • pdf

Now we need to set up some local settings on the reference Windows 10 PC using Group Policy Editor (gpedit.msc).

As an example, we will enable some password policies (Computer Configuration -> Windows Settings -> Account Policies -> Password Policies):

  • Enforce password history: 10 passwords remembered
  • Minimum password length: 6 characters
  • Password must meet complexity requirements: Enabled

Also prohibit the use of Microsoft accounts (Computer Configuration -> Windows Settings -> Local Policies -> Security Options):

  • Block Microsoft accounts: Users can’t add or log on with Microsoft accounts

Now make a backup of the current local GPO settings using the LGPO.exe utility. Run the command prompt with administrative privileges and go to the folder c:\LGPO:

cd c:\lgpo

To back up the current Local GPO settings, run the following command:

LGPO.exe /b c:\lgpo

Creating LGPO backup in “c:\lgpo\{7F823B9A-0D1C-4F88-BE2F-2FE033D8013E}”

Make sure that the DomainSysvol folder and two files (Backup.xml and Bkupinfo.xml) are located in this directory.

Now rename the backup folder {7F823B9A-0D1C-4F88-BE2F-2FE033D8013E}, for example to W10RefLGPO, and copy it to the deployment share on the MDT server.


Also copy the Local Group Policy Object utility (LGPO.exe) to the DeploymentShare\tools\x86 and x64 folders on the MDT server.

Open the MDT management console (Deployment Workbench) and go to Deployment Share -> MDT Deployment Share -> Task Sequence. Open the properties of the Windows 10 deployment task sequence, in this case Windows 10 x64 Pro Deploy (if this task sequence has not been created yet, use the manual How to Create Windows 10 Deployment Task with MDT). Click the Task Sequence tab and create two new tasks in the State Restore section (Add -> General -> Run Command Line).

The first task uses the xcopy command-line tool to copy the folder with the local policy backup from the MDT server to the %WinDir%\Temp folder on the workstation:

  • Name: Copy LGPO to Workstation
  • Command Line: xcopy "%DEPLOYROOT%\GPOPacks" %WinDir%\temp\W10RefLGPO /E /I

The second task imports the GPO settings on the Windows 10 PC using the LGPO.exe utility:

  • Name: Apply GPO using LGPO
  • Command Line: "%DEPLOYROOT%\Tools\%ARCHITECTURE%\LGPO.exe" /g %WinDir%\temp\

Save the changes to the task sequence by clicking OK, then right-click the root of the deployment share and select Update Deployment Share. Select Optimize the boot image updating process and click Next.

All that remains is to deploy Windows 10 on a test workstation or a VM using the task sequence Windows 10 x64 Pro Deploy. After the Windows installation finishes, verify that the system has applied all the previously configured local policies.
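
One way to run that verification on the deployed machine, as an added PowerShell example that is not part of the original tutorial: it exports the effective security policy with secedit and compares the three password settings and the Block Microsoft accounts value against what was configured on the reference PC. The temporary file name is an arbitrary choice, and the script assumes an elevated prompt.

```powershell
# Added example: post-deployment check of the local policies set in this tutorial.
# Run from an elevated PowerShell prompt on the deployed Windows 10 machine.

# Expected values, taken from the tutorial's example policy.
$expected = @{
    PasswordHistorySize   = 10   # Enforce password history
    MinimumPasswordLength = 6    # Minimum password length
    PasswordComplexity    = 1    # Password must meet complexity requirements (1 = enabled)
}
# "Block Microsoft accounts" is stored in the registry as NoConnectedUser;
# 3 = users can't add or log on with Microsoft accounts.
$regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$regName  = 'NoConnectedUser'
$regValue = 3

# Export the effective local security policy to a temporary INF file
# (file name is an arbitrary choice for this example).
$cfg = Join-Path $env:TEMP 'lgpo-verify.inf'
secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

# Parse the "Name = Value" lines of the export into a lookup table.
$actual = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $actual[$Matches[1]] = $Matches[2] }
}
Remove-Item -Path $cfg -Force

# Compare each password setting with the expected value.
$results = @(foreach ($name in $expected.Keys) {
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = $actual[$name]
        Pass     = ("$($actual[$name])" -eq "$($expected[$name])")
    }
})

# A missing registry value yields $null, which is reported as a failure.
$reg = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
$results += [pscustomobject]@{
    Setting = $regName; Expected = $regValue; Actual = $reg; Pass = ($reg -eq $regValue)
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Error 'One or more local policy settings do not match the reference configuration.'
}
```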
