How to Apply GPO\Policy Settings from MDT

There are a few options for deploying policy settings to Windows devices from MDT when no Domain is available. Such devices could be standalone Wyse thin clients or kiosks, but they still require local policies to be configured to prevent the user from gaining access to certain features.

I'm not a big fan of mounting the registry with Reg Load; it's limited and time consuming, so it's not going to be used.

Local Policies and Group Policies have two very distinct sets of settings: the 'Windows Settings' and the 'Administrative Templates'. It's possible to copy the 'Administrative Templates' in the form of Registry.pol files from one client to another. However, this isn't the case with the 'Windows Settings'.

Domain or SCM or Local Policies

The following procedure is for exporting Domain, Local or SCM policies and applying them to a client at deployment. This method works for both Windows Settings and Administrative Template policies.

Download LGPO.exe from Microsoft and copy it to the MDT Server.

For Domain and SCM policies, log on to a DC or a device with Group Policy Management installed, browse to 'Group Policy Objects', right-click and 'Backup' the required GPO, then copy the exported policy to the MDT Server.


To export the local policies of a pre-configured client, run lgpo.exe /b C:\BackupPolicy. This exports all policy settings from the client. The backup can then be restored in the same manner as an exported Domain Policy.

Open PowerShell ISE, copy the following script and save it to the MDT Server.

<#
.Synopsis
   Applies an exported Domain, SCM or local policy backup with LGPO.exe during MDT deployment.

.Description
   Copies the policy backup and lgpo.exe from the folder this script was deployed from to a
   local staging folder on the client, then imports the backup into the local policy with LGPO.exe /g.

.Version
#>

$LogNm = "DomainPolicy"
$dest  = "C:\logs\$LogNm"
New-Item $dest -ItemType Directory -Force

# Folder the script, lgpo.exe and the exported policy were deployed from (the MDT share)
$src = Split-Path -Parent $MyInvocation.MyCommand.Path

# Stage everything except the script itself on the client
Copy-Item "$src\*" $dest -Exclude *.ps1 -Recurse -Force -Verbose -PassThru

# Import the GPO backup into the local policy; call lgpo.exe by its full path so the
# working directory of the task sequence step does not matter
& "$dest\lgpo.exe" /g $dest

From the MDT Server, browse to the root of the MDT share (%DeployRoot%), then create a new folder under 'Scripts' (%ScriptRoot%) named 'Custom'. Finally, create another folder inside it named 'DomainPolicy'.

Copy the PowerShell script, the exported Domain Policy and LGPO.exe to 'DomainPolicy'.

Update the MDT client Task Sequence and add a 'Run PowerShell Script' step that runs the script.

When MDT deploys the client, the Domain Policy will be applied. If there is a series of GPOs to apply, repeat the above steps, making sure each folder name is unique when it is delivered to the client; the policies will apply in order and merge. Where policies conflict, the winner is the one applied last.
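Because the last policy applied wins on conflicts, it pays to make the order explicit and to check the result. The script below is an added example for this article, not the author's script or part of LGPO: it assumes lgpo.exe sits next to the script, that each GPO backup lives in a numbered subfolder under 'Policies' (01-Baseline, 02-Kiosk, ...) in the GPMC layout of a {GUID} folder containing Backup.xml, and that the registry key it verifies is a placeholder to be replaced with one from your own baseline.

```powershell
<#
.Synopsis
   Applies a series of GPO backups in a fixed order with LGPO.exe, then verifies the merged result.
   Added example; assumes lgpo.exe is in the script folder and backups are in .\Policies\NN-Name\{GUID}.
#>
$src  = Split-Path -Parent $MyInvocation.MyCommand.Path
$lgpo = Join-Path $src 'lgpo.exe'
$log  = Join-Path $env:TEMP 'ApplyPolicies.log'   # assumption: simple local log location

function Write-Log([string]$Message) {
    $line = "{0:s} {1}" -f (Get-Date), $Message
    Add-Content -Path $log -Value $line
    Write-Output $line
}

# Sorting by name gives a deterministic order: 01-Baseline first, the most restrictive
# policy (e.g. 02-Kiosk) last, so it wins on any conflicting setting.
$backups = Get-ChildItem -Path (Join-Path $src 'Policies') -Directory | Sort-Object Name

foreach ($backup in $backups) {
    # GPMC and LGPO /b both store a backup as a {GUID} folder containing Backup.xml;
    # LGPO /g is pointed at that folder, not at its parent.
    $gpoDir = Get-ChildItem -Path $backup.FullName -Directory |
              Where-Object { Test-Path (Join-Path $_.FullName 'Backup.xml') } |
              Select-Object -First 1
    if (-not $gpoDir) { Write-Log "SKIP  $($backup.Name): no Backup.xml found"; continue }

    Write-Log "APPLY $($backup.Name) -> $($gpoDir.FullName)"
    & $lgpo /g $gpoDir.FullName 2>&1 | ForEach-Object { Write-Log "  lgpo: $_" }
    if ($LASTEXITCODE -ne 0) { throw "LGPO failed on $($backup.Name) (exit code $LASTEXITCODE)" }
}

# Verification: parse the merged machine registry.pol back to LGPO text and confirm an
# expected policy key landed. The key below is an assumed placeholder value.
$pol      = "$env:SystemRoot\System32\GroupPolicy\Machine\registry.pol"
$expected = 'Software\Policies\Microsoft\Windows\System'   # assumption: replace with your own key
$parsed   = (& $lgpo /parse /m $pol 2>&1) -join "`n"
if ($parsed -match [regex]::Escape($expected)) {
    Write-Log "VERIFY OK: '$expected' present in $pol"
} else {
    Write-Log "VERIFY FAIL: '$expected' not found in $pol"
    exit 1
}
```

The log written to $log can be collected alongside the MDT deployment logs, and the non-zero exit code on a failed verification makes the task sequence step itself report the failure.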

Local Administrative Template Policies

As I mentioned, it is possible to copy just the 'Administrative Templates' part of a local policy, leaving behind all 'Windows Settings'. As lgpo.exe /b can export all settings, I'll just cover this very quickly.


Log on to the client, open 'Local Security Policy' and configure the User and Computer Administrative Templates policies.

Browse to 'C:\Windows\System32\GroupPolicy' and copy both the User and Machine folders to MDT.

Use the following script and the folders to deploy from MDT.

<#
.Synopsis
   Applies copied Administrative Template settings (Registry.pol files) with LGPO.exe during MDT deployment.

.Description
   Copies the Machine and User folders (taken from C:\Windows\System32\GroupPolicy on the source
   client) and lgpo.exe to a local staging folder, then imports each registry.pol into the local policy.

.Version
#>

$LogNm = "LocalPolicy"
$dest  = "C:\logs\$LogNm"
New-Item $dest -ItemType Directory -Force

# Folder the script, lgpo.exe and the Machine/User folders were deployed from (the MDT share)
$src = Split-Path -Parent $MyInvocation.MyCommand.Path

# Stage everything except the script itself on the client
Copy-Item "$src\*" $dest -Exclude *.ps1 -Recurse -Force -Verbose -PassThru

# LGPO.exe /m and /u take the path to the registry.pol file itself
& "$dest\lgpo.exe" /m "$dest\Machine\registry.pol"

& "$dest\lgpo.exe" /u "$dest\User\registry.pol"