Need LocalGPO.msi RRS feed

  • Question

  • Hello all,

    My ultimate goal is to have the MSS settings be present in gpedit (or equivalent) so I can configure them and have the settings deployed to a bunch of systems. (We have the infrastructure in place to do this already via GPOs—the trouble is the MSS settings.) A hackish way to do it is at http://www.cupfighter.net/index.php/2010/11/missing-mss-setting-windows-2008/, but I'd like to try to do it the right way.

    The right way to do this, apparently, is to install the Security Compliance Manager. All I need is the LocalGPO.msi, which is supposed to give me a LocalGPO.wsf that I can use to get the MSS settings to appear in gpedit. (Ref. http://social.technet.microsoft.com/Forums/sk/winserverGP/thread/6fadb463-1f26-4594-b01e-eea8bf82e9cb, for instance.)

    I am having great difficulty installing SCM 2.5 and have decided to give up. I have a W2K3 domain controller that we build GPOs in and export from (using GPMC). Evidently this type of environment isn't well-supported by SCM because SQL Server Express doesn't install nicely. I don't really feel like deploying a full SQL install since this seems like a ridiculous amount of overhead for me to get a single script.

    So, here's my question: is there a way to rip apart the Security_Compliance_Manager_Setup.exe file to pull out the parts I need to get MSS settings? Or should I just hand-craft an administrative template to get the right settings? My other option would be to deploy registry settings, but on the off-chance they'll be overwritten by GPOs, this is really a last resort. Or, am I going about this completely wrong and there's some much easier way to get the MSS settings to show in gpedit?

    - Brian

    Tuesday, July 31, 2012 10:04 PM


All replies

  • I don't believe installing SCM (and the associated SQL install) is supported on a domain controller. Give it a try on a member server or a client and then grab the LocalGPO.msi.
    • Marked as answer by spakov Tuesday, August 7, 2012 11:36 PM
    Tuesday, August 7, 2012 7:25 PM
  • Yep, that's the way to go, I guess. Thanks.
    Tuesday, August 7, 2012 11:37 PM
  • Jim is correct, that's the best way for most folks. You can manually update the GPO tools, as described in this other recent thread: http://social.technet.microsoft.com/Forums/en-US/compliancemanagement/thread/dd66dd86-0c08-4f19-8000-b2bb75e37b4f, but copying the installer for LocalGPO to the other systems is less complex.



    Kurt Dillard http://www.kurtdillard.com

    • Marked as answer by Kurt Dillard Friday, August 10, 2012 8:36 PM
    Friday, August 10, 2012 8:06 PM
  • You can decompress Security_Compliance_Manager_Setup.exe (e. g. using 7-Zip) and then extract the GPOMSI as LocalGPO.msi from the data.cab
    • Proposed as answer by Chris Hacks Friday, March 20, 2015 9:02 AM
    Friday, March 20, 2015 8:59 AM
  • Thanks! That was by far the easiest. Could not install the whole SCM for love nor money but just wanted the GPO bit.
    Thursday, July 30, 2015 5:58 AM
  • Someone had configured a GPO with these settings and they weren't showing up. To get them to show up, this is exactly what I did:

    Download the Security_Compliance_Manager_Setup.exe (V3 or better)

    Do not run this but extract the files using 7-zip.

    From the extracted files locate data.cab and extract it using 7-zip

    From the extract data.cab files locate the file GPOMSI and rename it to localgpo.msi.

    Run this msi to install it.

    Once installed, go to the program menu and run the localgpo command line (runas administrator).

    Ensure the GPMC is closed whilst you do the next step.

    Once the command prompt pops up, type localgpo.wsf  /configsce

    Next time you edit the computer security settings you should notice the new settings under the security options.

    Friday, July 31, 2015 12:57 AM
  • I used the 7-zip method from above to extract the MSI without doing a full install of compliance manager. Great tip!


    After installing the MSI I tried to run the localgpo.wsf /configsce but it gave me an error on the OS version check portion of the script due to windows 2012R2 being used.  I commented out the oschk portion of the script per a tip I found on the internet. The script processed  further but was still failing for me...



    Here's what I did, after closing the policy editor


    1. Used the 7-zip tip above
    1. Install the MSI to get the files referenced below for [values] and [strings]
    1. Browse to %systemroot%\inf
    1. Take ownership of sceregvl.inf and set full permissions as your logged on account
    1. edit sceregvl.inf using notepad.
    2. Scroll down to [Register Registry Values] part and copy the contents of "C:\Program Files (x86)\LocalGPO\SCE Update\Values-sceregvl.txt" (installed with the MSI) under [Register Registry Values]
    3. Now browse to [Strings] part and copy the contents of " C:\Program Files (x86)\LocalGPO\SCE Update\Strings-sceregvl.txt" (installed with the MSI) under [Strings].
    1. Save sceregvl.inf
    2. from an elevated command prompt, run “regsvr32 scecli.dll”
    3. The MSS Settings will now be visible in policy management console. 


    ( credit to arnavsharma (dot) net for some of the steps above.  I needed the IPv6 version of the MSS settings so I had to tweak his process a bit)

    • Edited by PDXJL Thursday, January 14, 2016 11:13 PM clarified an item
    Thursday, January 14, 2016 11:11 PM
  • I couldn't get 7-zip to extract the files properly on v3.0.60 so I opened CMD prompt and just put the filename with a /x at the end (Security_Compliance_Manager_Setup.exe /x) and it asked me where I wanted to extract the files. Then I was able to get GPOMSI out of the data.cab file.
    Monday, March 7, 2016 8:44 PM