Local group configured in deployed/captured image MDT2013

  • Question

  • Hi.

    During GPO troubleshooting my colleague found a bunch of LOCAL GPOs as winning in the Resultant of a W7 machine... (see screenshot).
    Our workstation park is W7. They are deployed from MDT2013. I created the last image, which was captured from a clean Windows 7 Pro VM (installation source MS Volume License ISO).
    I am sure that I didn't touch Local GPOs before capturing. It was a virgin W7 install. The guy compared the Resultant GPO for computers deployed from the previous image and is not seeing these winning Local GPOs. So he kind of blames my new image...
    I just took a quick look at the winning GPOs and see that they are actually doing a good job from a security perspective.
    The question:
    What could be the mystery of these Local GPOs? Where are they coming from?

    I got a response on one of GPOs forum that mentions SYSPREP:

    "Did you Sysprep the image BEFORE deploying?  I have something in the back of my mind that Sysprep reverts GPOs back to OOB Experience.  Just can't remember for certain about it though. "

    Sure I didn't configure tens of Local GPOs on the source machine before capturing :). There are no such GPOs on machines deployed from MDT2012. Could it be SYSPREP of MDT2013 that ?

    Unfortunately, the interface does not allow uploading a screenshot (100KB file). Tried from different networks.

      Thanks.


    --- When you hit a wrong note it's the next note that makes it good or bad. --- Miles Davis



    • Edited by pob579 Sunday, July 19, 2015 10:41 AM
    Thursday, July 16, 2015 12:22 PM

All replies

  • The answer probably is you probably didn't add ApplyGPOPack=NO to your custom settings. You could also remove or disable it in the task sequence. MDT will apply a GPO that is pretty secure but can break things.

    If this post is helpful please vote it as Helpful or click Mark for answer.

    Thursday, July 16, 2015 3:04 PM
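
An added example, not part of the original thread and not MDT's own code: a read-only PowerShell check for a deployed machine that looks at the local policy files, searches the MDT logs for the GPO pack step, and writes the computer RSoP report the thread refers to. The log folders, the `GPOPack` search string and the report file name are assumptions based on MDT's default layout.

```powershell
# Added example: read-only checks on a deployed Windows 7 machine (PowerShell 2.0 compatible).
# Run from an elevated 64-bit prompt so System32 is not redirected and computer RSoP is readable.
# Assumptions: default MDT log folders below; the report file name is arbitrary.
$gpoRoot = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$logDirs = @((Join-Path $env:SystemRoot 'Temp\DeploymentLogs'), 'C:\MININT\SMSOSD\OSDLOGS')
$report  = Join-Path $env:TEMP 'local-gpo-check.html'

# 1. Local GPO store: timestamps show when local policy was last written,
#    which can be compared with the capture and deployment dates.
foreach ($rel in 'gpt.ini', 'Machine\Registry.pol', 'User\Registry.pol') {
    $path = Join-Path $gpoRoot $rel
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        '{0}  {1} bytes  modified {2:yyyy-MM-dd HH:mm}' -f $path, $item.Length, $item.LastWriteTime
    } else {
        "$path  (not present)"
    }
}

# 2. MDT logs: any line mentioning the GPO pack step or the ApplyGPOPack property.
foreach ($dir in $logDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { "$dir  (not present)"; continue }
    Get-ChildItem -Path $dir -Filter '*.log' |
        Select-String -SimpleMatch -Pattern 'GPOPack' |
        Select-Object -First 20 |
        ForEach-Object { '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line }
}

# 3. Resultant Set of Policy for the computer, as an HTML report (/f overwrites).
& gpresult.exe /scope computer /h $report /f
if ($LASTEXITCODE -eq 0) { "Computer RSoP report: $report" }
```

Settings applied from a security template live in the local security database rather than in Registry.pol, so the gpresult report remains the fuller view of what is winning.
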
  • MDT 2013 doesn't include the GPO Packs like 2012 did so that 'shouldn't' happen.  However if it is happening what Dan said will resolve the issue.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Marked as answer by pob579 Monday, July 20, 2015 3:32 PM
    Thursday, July 16, 2015 6:50 PM
    Moderator
  • In the TS related to the image in question, Apply GPO Pack is greyed out. I have a good habit of doing it first thing after TS creation. The only option I can think of is that I didn't do it the first day after task creation. But for sure I didn't touch it for at least 2 months. Maybe the machines that were found with Local GPO enabled were deployed the first day, when/if the TS was not tweaked yet (I could have done it one day later). I have to check one freshly deployed machine to be sure.

    Interesting to know what Ty says:

    "MDT 2013 doesn't include the GPO Packs like 2012 did so that 'shouldn't' happen"

    So if, after checking a newly deployed machine, the Local GPOs are in place, it will be a real mystery....

    To be continued...

    Thanks!


    Thursday, July 16, 2015 8:35 PM
  • If you upgraded from a previous MDT version I think it would have kept them, otherwise yeah looks like a fresh install of MDT 2013 doesn't have the GPO packs. A few years ago I made the mistake of not disabling the GPO pack back when they were included.

    Thursday, July 16, 2015 9:26 PM
  • Dan, it is a fresh MDT2013 installation...

    Now, knowing that there is no actual GPO pack, so even if it is not disabled (and in my case it is) it should not affect local GPOs, I am even more frustrated :).

    I will check a newly deployed machine on Monday. Just to be sure... Maybe the GPOs were changed during capture?

    I will check my golden capture.

    If you have time, please check one of your machines deployed from MDT. Maybe they all have these local GPOs configured.

    I have not been able to upload here on the forum for 2 days... Please see the Resultant screenshot on my OneDrive...

    http://1drv.ms/1I7mwQf


    Friday, July 17, 2015 12:55 AM
  • Since I use MDT to deploy Windows when creating a reference image, I'll take a look at the GPOs. I'm not sure if I will have time today/this weekend. They are shutting power off to all our buildings later today and through the weekend due to some renovations.

    Friday, July 17, 2015 1:25 PM
  • Thanks. Interesting to know. Maybe the set of Local GPOs is a default now.

    And then the assumption that I got from one of the GPO forums has a point:

    "Did you Sysprep the image BEFORE deploying?  I have something in the back of my mind that Sysprep reverts GPOs back to OOB Experience.  Just can't remember for certain about it though. "


    Friday, July 17, 2015 2:18 PM
  • I forgot but when I recently upgraded my computer to solid state I used MDT to deploy the OS. I'm not joined to the domain (to avoid policies). I just ran GPresult and I have no enforced or disabled policies on my machine. My co-worker had imaged his machine recently with a different image but also off the domain. I had him run it and other than two policies I set on that image there were no other policies applied.

    • Marked as answer by pob579 Monday, July 20, 2015 3:32 PM
    Friday, July 17, 2015 2:36 PM
  • All of my images sysprep before they are captured, but then again anyone should be running sysprep before capturing an image you plan to deploy.

    Friday, July 17, 2015 2:39 PM
  • So I just have to check on Monday a machine newly deployed from MDT, on which Apply Local GPO pack is disabled from the beginning on a fresh MDT2013 install. Like I said, there is very little chance that I turned off this TS item the day after task creation and the machines where Local GPOs appeared were deployed during this one day.

    Let me see on Monday.

    Thanks Dan.


    Friday, July 17, 2015 4:19 PM