How to Apply GPO\Policy Settings from MDT

There are a few options to deploy policy settings to Windows devices from MDT when no Domain is available. Typical cases are standalone Wyse thin clients or kiosks, which still need local policies configured to stop the user from reaching certain features.

I'm not a big fan of mounting the registry with Reg Load: it's limited and time-consuming, so it's not going to be used here.

Local Policies and Group Policies contain two very distinct sets of settings: the 'Windows Settings' (security settings such as account policies, user rights and audit policy) and the 'Administrative Templates'. The 'Administrative Templates' part can be copied from one client to another in the form of Registry.pol files. That isn't the case with the 'Windows Settings'.

Domain or SCM or Local Policies

The following procedure exports a Domain, Local or SCM (Security Compliance Manager) policy and applies it to a client at deployment. This method works for both Windows Settings and Administrative Template policies.

Download LGPO.EXE from Microsoft (it ships as part of the Security Compliance Toolkit) and copy it to the MDT Server.

For Domain and SCM policies, log on to a DC or a device with Group Policy Management installed, browse to 'Group Policy Objects', right-click the required GPO and choose 'Back Up...'. Copy the resulting backup folder (a GUID-named directory containing Backup.xml and bkupInfo.xml) to the MDT Server.

To export the local policies of a pre-configured client, run lgpo.exe /b C:\BackupPolicy. This writes all of the client's local policy settings as a GPO backup under that folder, which can then be restored in the same manner as an exported Domain Policy.

Open PowerShell ISE, copy the following script and save it to the MDT Server.

<#
.Synopsis
    Applies an exported GPO backup to the local machine with LGPO.exe.

.Description
    Copies the policy backup shipped alongside this script to a local folder
    and imports it with 'LGPO.exe /g'. Intended to run from an MDT
    'Run PowerShell Script' task sequence step.

.Version
    1.0
#>

$LogNm = "DomainPolicy"
$dest  = "C:\logs\$LogNm"
New-Item $dest -ItemType Directory -Force | Out-Null

# Folder this script was launched from; the policy backup and lgpo.exe sit next to it.
$src = Split-Path -Parent $MyInvocation.MyCommand.Path

# Copy the GPO backup and lgpo.exe locally, leaving the script itself behind.
Copy-Item "$src\*" $dest -Exclude *.ps1 -Recurse -Force -Verbose -PassThru

# /g imports every GPO backup found anywhere under the given path.
& "$dest\lgpo.exe" /g $dest

# Hand LGPO's exit code back to the task sequence so a failed import shows up in MDT.
exit $LASTEXITCODE

From the MDT Server, browse to the root of the MDT share (%DeployRoot%), create a new folder named 'Custom' under 'Scripts' (%ScriptRoot%), and inside it create another folder named 'DomainPolicy', giving %ScriptRoot%\Custom\DomainPolicy.

Copy the PowerShell script, the exported Domain Policy backup folder and LGPO.exe into 'DomainPolicy'.

Update the client Task Sequence in MDT and add a 'Run PowerShell Script' step that points at the script under %ScriptRoot%\Custom\DomainPolicy.

When MDT deploys the client, the Domain Policy will be applied. If there is a series of GPOs to apply, repeat the above steps for each one, giving every folder (and the $LogNm in its script) a unique name so the copies don't overwrite each other on the client. The policies are applied in task sequence order and merge; where two policies set the same setting, the one applied last wins.
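The script below is an added example, not the post's own script: it generalises the procedure above to a series of GPO backups applied in a fixed order from a single task sequence step, and adds the checks a step running as SYSTEM from a share should have. It assumes a hypothetical layout in which this script, LGPO.exe and one sub-folder per GPO backup (for example 010-Baseline, 020-Kiosk, each holding the GUID-named backup directory) live together under %ScriptRoot%\Custom, and it logs to an assumed local path under %SystemRoot%\Temp.

```powershell
<#
  Added example (not the original post's script): apply one or more exported
  GPO backups with LGPO.exe from an MDT task sequence step, in name order,
  so the last folder wins on conflicting settings.
  Assumed layout (hypothetical): this script, LGPO.exe and one sub-folder per
  GPO backup (e.g. 010-Baseline, 020-Kiosk) in the same folder.
#>

$src  = Split-Path -Parent $MyInvocation.MyCommand.Path
$lgpo = Join-Path $src 'LGPO.exe'
$log  = Join-Path $env:SystemRoot 'Temp\ApplyPolicies.log'   # assumption: local log path

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $log -Value $line
    Write-Output $line            # MDT captures stdout of the step into its log
}

# The step runs as SYSTEM with a binary fetched from a share: refuse to execute
# it unless it carries a valid Microsoft Authenticode signature. If your copy of
# LGPO.exe is unsigned, replace this with a comparison against a pinned hash
# from Get-FileHash instead of skipping the check.
$sig = Get-AuthenticodeSignature -FilePath $lgpo
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
    Write-Log "Refusing to run $lgpo : signature status $($sig.Status)"
    exit 1
}

# One folder per GPO backup; the GUID-named backup directory sits inside it,
# which is what 'LGPO /g' searches for ("anywhere under the specified path").
$policyDirs = Get-ChildItem -Path $src -Directory | Sort-Object Name
if (-not $policyDirs) {
    Write-Log "No policy folders found under $src"
    exit 1
}

foreach ($dir in $policyDirs) {
    Write-Log "Applying $($dir.Name)"
    # /v: verbose, so every imported setting is recorded in the log.
    $out = & $lgpo /v /g $dir.FullName 2>&1
    $out | ForEach-Object { Write-Log "  $_" }
    if ($LASTEXITCODE -ne 0) {
        Write-Log "LGPO failed on $($dir.Name) with exit code $LASTEXITCODE"
        exit $LASTEXITCODE        # a non-zero exit fails the task sequence step
    }
}

Write-Log "All policies applied"
exit 0
```

Two points worth checking on a real deployment: the task sequence step must report failure, which is why the script propagates LGPO's exit code rather than swallowing it, and settings handled by Group Policy client-side extensions (advanced audit policy, exploit mitigation and similar) are only registered when LGPO is given the matching /e keyword (for example /e audit or /e mitigation), so add those switches to the /g call if the backups carry such settings.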

Local Administrative Template Policies

As I mentioned, it is possible to copy just the 'Administrative Templates' part of a local policy, leaving all of the 'Windows Settings' behind. As lgpo.exe /b exports all settings anyway, I'll only cover this very briefly.

Log on to the client, open the Local Group Policy Editor (gpedit.msc; the 'Local Security Policy' console only shows the Security Settings and not the Administrative Templates) and configure the User and Computer Administrative Templates policies.

Browse to 'C:\Windows\System32\GroupPolicy' (a hidden folder) and copy both the User and Machine folders, each of which contains a Registry.pol, to MDT.

Use the following script together with those two folders to deploy from MDT.

<#
.Synopsis
    Imports local Administrative Template settings (Registry.pol files) with LGPO.exe.

.Description
    Copies the Machine and User folders shipped alongside this script to a local
    folder and imports each Registry.pol into the local GPO. Intended to run from
    an MDT 'Run PowerShell Script' task sequence step.

.Version
    1.0
#>

$LogNm = "LocalPolicy"
$dest  = "C:\logs\$LogNm"
New-Item $dest -ItemType Directory -Force | Out-Null

# Folder this script was launched from; the Machine and User folders and lgpo.exe sit next to it.
$src = Split-Path -Parent $MyInvocation.MyCommand.Path

Copy-Item "$src\*" $dest -Exclude *.ps1 -Recurse -Force -Verbose -PassThru

# /m and /u take the path of a Registry.pol file, not the folder that contains it.
& "$dest\lgpo.exe" /m "$dest\Machine\Registry.pol"
if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }

& "$dest\lgpo.exe" /u "$dest\User\Registry.pol"
exit $LASTEXITCODE
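Since this second method moves raw Registry.pol files around, it helps to be able to see what a given file actually contains and to confirm on a deployed client that those values landed. The following is an added example, not code from the post: a small parser for the Registry.pol format (the 'PReg' header followed by [key;value;type;size;data] records in UTF-16LE) and a check that compares each entry against the live registry. The sample file it writes is constructed here for illustration, using the real 'NoLockScreen' policy value as its one entry; the function and file names are my own.

```powershell
# Added example, not from the original post: read the entries stored in a
# Registry.pol and check whether each one is present in the live registry.
# Registry.pol layout: 'PReg' + version DWORD, then [key;value;type;size;data]
# records; brackets, separators and strings are UTF-16LE, strings null-terminated.

function Read-PolString([byte[]]$Bytes, [ref]$Pos) {
    $start = $Pos.Value
    while (($Bytes[$Pos.Value] -ne 0) -or ($Bytes[$Pos.Value + 1] -ne 0)) { $Pos.Value += 2 }
    $s = [System.Text.Encoding]::Unicode.GetString($Bytes, $start, $Pos.Value - $start)
    $Pos.Value += 2                                   # skip the two-byte terminator
    return $s
}

function Read-RegistryPol([string]$Path) {
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($b, 0, 4) -ne 'PReg') {
        throw "Not a Registry.pol file: $Path"
    }
    $pos = 8                                          # past 'PReg' and the version DWORD
    while ($pos -lt $b.Length) {
        $pos += 2                                     # '['
        $key   = Read-PolString $b ([ref]$pos); $pos += 2          # ';'
        $value = Read-PolString $b ([ref]$pos); $pos += 2          # ';'
        $type  = [int][BitConverter]::ToUInt32($b, $pos); $pos += 6  # DWORD then ';'
        $size  = [int][BitConverter]::ToUInt32($b, $pos); $pos += 6  # DWORD then ';'
        $data  = New-Object byte[] $size
        [Array]::Copy($b, $pos, $data, 0, $size); $pos += $size + 2  # data then ']'
        $decoded = switch ($type) {
            1       { [System.Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) }   # REG_SZ
            2       { [System.Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) }   # REG_EXPAND_SZ
            4       { [BitConverter]::ToUInt32($data, 0) }                                  # REG_DWORD
            7       { [System.Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) -split "`0" }  # REG_MULTI_SZ
            default { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }             # raw hex
        }
        [pscustomobject]@{ Key = $key; Value = $value; Type = $type; Data = $decoded }
    }
}

# Compare every entry of a Registry.pol with the live registry. Run this after
# the local GPO has been processed (gpupdate /target:computer /force); for the
# User Registry.pol, run as that user with -Hive HKCU.
function Test-PolicyApplied([string]$PolPath, [string]$Hive = 'HKLM') {
    foreach ($e in Read-RegistryPol $PolPath) {
        # '**DeleteValues', '**Del.<name>' and similar are deletion instructions, not values.
        if ($e.Value.StartsWith('**') -or $e.Value -eq '') { continue }
        $item = Get-ItemProperty -Path "${Hive}:\$($e.Key)" -Name $e.Value -ErrorAction SilentlyContinue
        $live = if ($item) { $item.($e.Value) } else { $null }
        [pscustomobject]@{
            Key = $e.Key; Value = $e.Value; Expected = $e.Data; Live = $live
            Applied = ($null -ne $live) -and ("$live" -eq "$($e.Data)")
        }
    }
}

# Constructed sample (not a real exported file): a one-entry Registry.pol so the
# parser can be exercised without touching a deployed client.
function New-SampleRegistryPol([string]$Path) {
    $u    = [System.Text.Encoding]::Unicode
    $data = [BitConverter]::GetBytes([uint32]1)       # REG_DWORD 1
    [byte[]]$bytes = [System.Text.Encoding]::ASCII.GetBytes('PReg') + [BitConverter]::GetBytes([uint32]1) +
        $u.GetBytes('[') + $u.GetBytes("Software\Policies\Microsoft\Windows\Personalization`0") +
        $u.GetBytes(';') + $u.GetBytes("NoLockScreen`0") + $u.GetBytes(';') +
        [BitConverter]::GetBytes([uint32]4) + $u.GetBytes(';') +
        [BitConverter]::GetBytes([uint32]$data.Length) + $u.GetBytes(';') + $data + $u.GetBytes(']')
    [System.IO.File]::WriteAllBytes($Path, $bytes)
}

# Usage: round-trip the constructed sample, then inspect a real file.
$sample = Join-Path $env:TEMP 'sample-registry.pol'
New-SampleRegistryPol $sample
Read-RegistryPol $sample | Format-Table
# Read-RegistryPol 'C:\Windows\System32\GroupPolicy\Machine\Registry.pol' | Format-Table
# Test-PolicyApplied 'C:\Windows\System32\GroupPolicy\Machine\Registry.pol' | Format-Table
```

Reading the file before you ship it is also a cheap way to spot an Administrative Template setting that was configured by accident, since every registry value the policy will write is listed in plain text; entries whose value name starts with '**' are the deletion markers Group Policy uses to clear values, which is why the comparison skips them.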