MDT 2012 – Apply Local GPO through Task sequence – Part I



Hello World,

In this previous post, I talked you about the project of my friend where he needed to deploy Internet Kiosk workstations but where no deployment/automation solution was provided. He had to define and make available a deployment infrastructure and methodology in order to deploy the image through the organization. One of the challenging part was the lock down process of the workstation.  Indeed, the Kiosk computer were not joined into a domain and we had to define and implement local gpo in order to completely lock down the configuration.

If you remember, in this previous post, we had simply capture the image (a hybrid image) which contained the local GPO settings and updates. We have then imported this image and created a task sequence which would add the additional software needed by the Kiosk Computer.    I have to say that this is an easy method to go and a valid one.

In MDT 2012,  You can apply GPO pack during a task sequence.  the GPOPack is simply a backup of local GPO that can be re-applied to target systems using task sequences. By default, MDT 2012 comes with some default MDT GPO Packs.

In this post, we will explain how you coud create such GPO packs. Let’s go

Get the localgpo.msi Tool

Microsoft has provided a tool that can be used to perform backup and restore of local gpo.  The name of the tool has you might guess is localgpo.msi.  This tool is now part of the Security Compliance Manager (SCM) which requires you to install sql database.  Because we do not want to install the full blown version of the SCMv3, we will show you how to extract the localgpo.msi tool from the scm installer.    Follow these steps

1.  Download the Security Compliance Manager Version 3.0 (if you want to have support for Windows 8/2012). You can find the package here

2.  from a command prompt (with elevated privileges), go to the folder where you have download the exe file and issue the following command Security_Compliance_Manager_setup.exe /extract.   You will be prompted to specify a location where to extract the files.  Choose you location and Press OK


Click on Picture for better Resolution

3.  When the extraction operation is complete,  go to the folder where the extracted files are located.  You should see something like the screenshot below.


Click on Picture for better Resolution

4. Double-click on the file (if you have windows 7) and you will have access to the content of the cab file.  Locate the GPOMSI file and copy/paste it on the system where you want to backup/restore and simply capture GPO Settings.


Click on Picture for better Resolution

5.Rename the GPOMSI as GPOMSI.MSI  and should be ready to install the tool on the reference machine where you need to capture the gpo settings.

Install the Local Gpo Tool

To install the tool, you will simply double-click the msi package and the installation wizard will start.

1. In the Welcome page; Press  Next


Click on Picture for better Resolution

2. In the License agreement page, accept and Press Next


Click on Picture for better Resolution

3. In the feature to install, accept default  or change the default location path and Press Next


Click on Picture for better Resolution

4. In the ready to install page, Press Install


Click on Picture for better Resolution

5. Wait for the installation to process


Click on Picture for better Resolution

6. in the Completing page, Press Close


Click on Picture for better Resolution

You have successfully installed the tool….

Learn to know how to use the Local Gpo Tool

The localgpo tool is a command line based utility. To see the available options, you should open a command prompt (with elevated privileges), move to the location where the tool is located (default is %systemdrive%\Program files (x86)\LocalGPO ).

From the command prompt, type the following command cscript localgpo.wsf  and you will see the available switches and how to use the tool


Click on Picture for better Resolution

The main operations you will be performing on the target machine are the following

Backup Local GPO

To Backup Local GPO to a specified folder, you will type something like this

cscript LocalGPO.wsf /Path:C:\GPObackups /Export 

Create GPO Pack to be used with MDT 2012

cscript LocalGPO.wsf /Path:C:\GPObackups /Export /GPOPack 

Restore Local GPO

cscript LocalGPO.wsf /Path:C:\GPObackups\{GPO Backup GUID}

To Manually apply GPOPack (not using MDT 2012)

You can create GPOpack and use them without an MDT 2012 infrastructure.  A GPOPack is simply a “compiled” version of the backup which could be re-installed by double-clicking the GPOPack.wsf file created by the tool.   If you double-click the gpopack.wsf file, you will have a popup box that you will confirm that the gpo have been applied. To get rid of this popup box, you can use the /silent switch.

 But we will see this in more details in the next part of this post (If I ever succeeded in writing it )

Final Notes

That’s it for this post !  In this short post, we have shown where to get the tool and how to install it.  We have also quickly seen how to use the tool in order to perform backup/restore local GPO Backup.  In the next part of the post, we will demonstrate with a concrete example how to use the tool and the small tip and tricks you have to know in order to use the tool in an efficient way


Till next Time

See ya

Leave a Reply