group policy

Deploy LGPO with MDT 2013


Local Group Policy (LGPO) of computer is configured through gpedit.msc snap-in, which does not provide the possibility to export/import settings. That’s why when Windows is deploying in a non domain environment (you can’t use domain GPO), Administrator has to configure policies directly in the reference Windows image.

In this tutorial we will show you how to push out LGPO (Local Group Policy) settings on Windows 10 during workstation deployment via Microsoft Deployment Toolkit 2013 (MDT 2013).

Deploying LGPO using MDT 2013

To import/export Local Group Policy settings (created using gpedit.msc) we will use a new command-line utility LGPO.exe, which replaces the no longer supported utility LocalGPO (part of the SCM Security Compliance Manager). LGPO.exe utility allows you to backup and restore the local GPO settings, import the individual components, including advanced auditing files, registry.pol and security templates. It also allows to turn on GP client-side extension (CSE) for the local processing.

Download LGPO.zip and extract the archive content to a separate folder on the Windows 10 client (C:\LGPO in this case).

lgpo extract

The archive contains two files:

  • lgpo.exe
  • lgpo.pdf

lgpo.exe

Now we need to set up some local settings on the reference Windows 10 PC using Group Policy Editor (gpedit.msc).

As an example, we will enable some password policies (Computer Configuration -> Windows Settings -> Account Policies -> Password Policies):

  • Enforce password history: 10 password remember
  • Minimum password length: 6 characters
  • Password must meet complexity requirements: Enable
READ ALSO  Event ID 7000 - Service Control Manager

lgpo editor

Also prohibit the use of Microsoft accounts (Computer Configuration -> Windows Settings -> Local Policies -> Security Options)

  • Block Microsoft accounts : Users can’t add or log on with Microsoft accounts

lgpo export

Backup LGPO settings

Now you should make a backup of the current Local GPO settings using LGPO.exe utility. Run command prompt with the Administrative privileges and go to folder c:\LGPO:

cd c:\lgpo

To backup current Local GPO settings, run the following command:

LGPO.exe /b c:\lgpo

Creating LGPO backup in “c:\lgpo\{7F823B9A-0D1C-4F88-BE2F-2FE033D8013E}”

lgpo.exe command prompt

Make sure that the folder DomainSysvol and 2 files (Backup.xml and Bkupinfo.xml) is located in this directory:

lgpo backup

Now you need to rename backup folder {7F823B9A-0D1C-4F88-BE2F-2FE033D8013E} for example to W10RefLGPO and copy it to the deployment share on the MDT server.

\\srv-mdt1\deploymentshare$\GPOPacks

mdt gpo pack windows 10

Also copy Local Group Policy Object utility (LGPO.exe) to the MDT server in the folders DeploymentShare\tools\x86 and x64.

gpo pack windows 10

Now open the MDT Management Console (DeploymentWorkbench) and proceed to the Deployment Share -> MDT Deployment Share -> Task Sequence. Open the properties of Windows 10 deployment task sequence, and in this case it is Windows 10 x64 Pro Deploy (if this task has not yet been created, use the manual How to Create Windows 10 Deployment Task with MDT). Click on the Task Sequence tab and create two new tasks in the State Restore section (Add -> General -> Run command Line).

READ ALSO  How to Backup and Restore Windows 10 Firewall Settings

apply gpo pack

The first task: with the help of xcopy command-line tool copy the folder with the backup of the local policy from MDT server to a workstation into the folder %WinDir%\Temp.

  • Name: Copy LGPO to Workstation
  • Command Line: xcopy “%DEPLOYROOT%\GPOPacks” %WinDir%\temp\W10RefLGPO /E /I

copy gpo pack

Import Local GPO settings

The second task is to import Local GPO settings on Windows 10 PC using the utility LGPO.exe

  • Name: Apply GPO using Local GPO
  • Command Line: “%DEPLOYROOT%\Tools\%ARCHITECTURE%\LGPO.exe” /g %WinDir%\temp\

run gpo pack

Save the changes in the Task Sequence by pressing OK, right click on the root of the DeploymentShare and select Update Deployment Share. Select Optimize the boot image updating process and click on Next.

apply local gpo package mdt 2013

Now it remains to deploy Windows 10 on a test workstation or a VM. Using the task sequence Windows 10 x64 Pro Deploy and after finishing Windows installation, verify that the system is applied all the previously configured local policies.


You may also like:

How to Allow Saved Credentials for RDP Connection When you are connecting to remote system using native Microsoft RDP client (mstsc.exe), you have the ability to save login credentials in order to not...
Integrate WSUS Offline Updater with MDT 2013 to De... In this article we will show you how to install updates offline gained using WSUS Offline Updater, inside MDT 2013 task sequences to deploy fully patc...
Configuring GPO Proxy Settings for Internet Explor... The article shows how to configure GPO proxy settings for Internet Explorer 11 browser using Active Directory Group Policies. In earlier versions of I...
Deploy Windows 10 with MDT 2013 and WDS In this article we will show you how to install and configure WDS role, MDT 2013 and Windows ADK on Windows Server 2012 R2 and use it to network PXE (...
Applications deployment by Make and Model using MD... In this article we will show you guys how to configure your SQL database within MDT 2013 Update 1 and configure it to start using the Make and Model s...
  • Jesse Mitchell

    If you capture the default image and use it for deployment, would the Local GPO be applied or does the sysprep remove the newly created policies?

    • Sysprep doesn’t remove local Group Policy Administrative Template settings. This settings are stored in the registry and Sysprep doesn’t change this part of the registry. But if you link GPO to local user, you should change the name of the policy folder in the “C:WindowsSystem32Group Policy Users” to match new user SID after Sysprep.

  • Justin Loebel

    No luck for me. I suspect I have some sort of permission issue though all other Task Sequences operate without error. FROM smsts.log

    Failed to run the action: Copy LGPO to Workstation.
    The system cannot open the file. (Error: 00000004; Source: Windows)

    The execution of the group (State Restore) has failed and the execution has been aborted. An action failed.
    Operation aborted (Error: 80004004; Source: Windows)

    Task sequence execution failed with error code 80004005

    Litetouch.log:

    Litetouch deployment failed, Return Code = -2147467259 0x80004005

    • Justin Loebel

      I believe I may have found the source of my issues. Do not copy/paste the command line from this article directly as the quotes themselves are not plain ASCii, it will translate to crap in your MDT error output.
      I may also be having issues with the suggested copy/read location within the WindowsTemp folder, testing to alt location…

      • Justin Loebel

        Receiving “Incorrect Function” now in TS.

        • Justin Loebel

          Just run LGPO.exe as an application in MDT:

          -Take your folder output with the DomainSysvol, Backup.xml and bkupinfo.xml files and drop LGPO.exe into it.

          -Create an apply_gpo.bat file and type the following into it:

          @echo off
          SET COMPAT_LAYER=RUNASADMIN
          %~dp0LGPO.exe /g %~dp0

          You may really only need the one line: %~dp0LGPO.exe /g %~dp0

          but what I used there worked.
          Create your app with source files in mdt and run the apply_gpo.bat. Easy to create and maintain as you don’t have to continually edit task sequences.

          • Øystein Kolbenstvedt

            did’nt work. application with the appy_gpo.bat just returned an unexpected return code 2. Any suggestions?

          • Justin Loebel

            been awhile since I looked at this but I checked the command in my bat file, looks like this:

            @echo off
            SET COMPAT_LAYER=RUNASADMIN
            start %~dp0LGPO.exe /g %~dp0

            The bat file lives in the same directory as DomainSysvol, Backup.xml, Bkupinfo.xml, and LGP0.exe

          • Øystein Kolbenstvedt

            Thanks for your reply, but I actually got it working right now using task sequence… As explained in your first answer, do not copy/paste. Wrote the commands manually and it worked like a charm 🙂

          • Justin Loebel

            nice 🙂

          • Øystein Kolbenstvedt

            Exactly what I had aswell, but its working now with ts so I’m happy 🙂