SCM and MDT

  • Question

  • Hello, I have installed Security Compliance Manager on my WDS/MDT server. Is it possible to import the CAB file or security settings into MDT for an image?
    Tuesday, November 15, 2011 8:24 PM

All replies

  • Hi,

    From the problem description, I understand that you would like to import the CAB files or security settings into MDT for an image. And I noticed that you are using the Microsoft Security Compliance Manager. This tool lets you quickly configure and manage your computers, traditional datacenter and private cloud using Group Policy and SCCM.

    There are two options to import CAB files or security settings:

    Option 1:
    ------------
    We could import the CAB file or security settings via SCCM (Microsoft System Center Configuration Manager).

    Option 2:
    ------------
    We could use MDT 2012 (Beta2). MDT 2012 Beta2 integrates with configuration templates from the Security Compliance Manager (SCM) tool to ensure a secure Windows installation from the beginning of the deployment.

    You could join the beta review program for Microsoft Deployment Toolkit (MDT) 2012 and download the latest version of the MDT 2012 Beta2 according to the link below:

    Title: Microsoft Deployment Toolkit 2012 (Beta 2)
    URL: https://connect.microsoft.com/site14/Microsoft%20Deployment%20Toolkit

    Based on the statements above, we could import the CAB file or security settings via the Option 2 method.

    Regards,
    James
    Thursday, November 17, 2011 8:02 AM
  • Yes and no.  MDT is not natively aware of the SCM security packages so no.  However, I think you can still achieve your objective.  Make sure you are using the current version of SCM which was released to web and leverage the LocalGPO tool to build a transportable package.  The trick is that you cannot use LocalGPO and execute it over the network.  So perhaps you can stage the LocalGPO on the file system of the reference image, like c:\tools, and then add a task sequence in the build to run the command to install LocalGPO.

    Supporting link

    http://blogs.technet.com/b/secguide/archive/2011/07/05/scm-v2-beta-localgpo-rocks.aspx

    Thursday, November 17, 2011 11:54 AM
  • I have a command script that installs the local GPO only. My problem is writing a script to import the GPO. It never works. Do you have an example of a script or a way I can get it to apply the GPO?
    Thursday, November 17, 2011 1:48 PM
  • At the bottom of the link provided above it gives an example on how to export the GPO as Pack file.  Then example to import/install localgpo on another machine.  Does that not work?
    Dave Guenthner [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. http://blogs.technet.com/b/davguents_blog
    Thursday, November 17, 2011 2:15 PM
  • This works fine from a local computer. I need help with trying to execute this using MDT in a task sequence.
    Thursday, November 17, 2011 2:58 PM
  • MDT will try to execute the command using UNC which I do not think will work.  Place the exported pack file to C:\tools or something in the reference wim, upon deployment create a step in the task sequence which runs the command C:\tools\etc etc to install the local GPO per link above.  Are you saying you are using a clean install process and that you are not using a sysprepped wim?  If that is the case, you may need to run a command of some sort to copy the package from the share locally and then execute it.
    Dave Guenthner [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. http://blogs.technet.com/b/davguents_blog
    Thursday, November 17, 2011 5:04 PM
  • It's a clean install. I've updated to the MDT 2012 beta. How do I import the CAB file from SCM?
    Thursday, November 17, 2011 10:28 PM
  • As I mentioned in post above.  I am not aware that MDT will natively be aware of CAB files exported from SCM.  However, you can install the LocalGPO on the SCM server and create pack file to make it transportable.  Take a look at thread above, you just have to copy the LocalGPO to the image before MDT runs command as it cannot be executed via UNC.
    Dave Guenthner [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. http://blogs.technet.com/b/davguents_blog
    • Proposed as answer by James Xiong Tuesday, November 22, 2011 1:32 AM
    • Marked as answer by James Xiong Tuesday, November 22, 2011 1:32 AM
    Friday, November 18, 2011 11:19 AM
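
The approach the replies above describe (copy the exported pack from the share to local disk, then run it from there because it cannot be executed via UNC) could be scripted as a task sequence step along these lines. This is an added example, not code from any poster in the thread; the share path, local folder, the `GPOPack.wsf` script name and the hash manifest are assumptions to adapt to your own pack.

```powershell
# Added example: stage an exported LocalGPO pack on local disk, verify it, run it locally.
# Assumptions (not from the thread): share path, local folder, the GPOPack.wsf script
# name, and a manifest file with lines of "<sha256>  <relative path>".
param(
    [string]$SourcePack = '\\MDTSERVER\DeploymentShare$\Tools\GPOPack',  # hypothetical share
    [string]$LocalPack  = 'C:\Tools\GPOPack',                            # local staging folder
    [string]$Manifest   = 'manifest.sha256',                             # hypothetical manifest
    [string]$PackScript = 'GPOPack.wsf'                                  # assumed script name
)
$ErrorActionPreference = 'Stop'

# The pack must run from a local drive, so refuse a UNC staging path outright.
if (([Uri]$LocalPack).IsUnc) { throw "LocalPack must be a local path, got $LocalPack" }

# 1. Copy the whole pack folder from the share to local disk (fresh copy each run).
if (Test-Path $LocalPack) { Remove-Item $LocalPack -Recurse -Force }
New-Item -ItemType Directory -Path (Split-Path $LocalPack) -Force | Out-Null
Copy-Item -Path $SourcePack -Destination $LocalPack -Recurse

# 2. Verify each listed file against the manifest before anything is executed.
#    .NET hashing is used so this also works on older PowerShell versions.
$sha = [System.Security.Cryptography.SHA256]::Create()
foreach ($line in Get-Content (Join-Path $LocalPack $Manifest)) {
    if ($line -notmatch '^([0-9A-Fa-f]{64})\s+(.+)$') { continue }
    $expected = $Matches[1]
    $file     = Join-Path $LocalPack $Matches[2]
    $bytes    = [System.IO.File]::ReadAllBytes($file)
    $actual   = [BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
    if ($actual -ne $expected) { throw "Hash mismatch for $file" }
}

# 3. Run the pack script with cscript from the local folder and wait for it.
$script = Join-Path $LocalPack $PackScript
if (-not (Test-Path $script)) { throw "Pack script not found: $script" }
$proc = Start-Process -FilePath "$env:SystemRoot\System32\cscript.exe" `
    -ArgumentList '//nologo', "`"$script`"" `
    -WorkingDirectory $LocalPack -Wait -PassThru

# 4. Return the exit code so the task sequence step fails if the pack did.
exit $proc.ExitCode
```

Generate the manifest on the machine where the pack is exported, so a pack altered on the deployment share is rejected before it is applied to the image.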