none
LocalGPO Tool for Windows 8.1

    Question

  • I've downloaded the latest SCM 3.0 but the LocalGPO tool will not work.  It tells me that windows 8.1 is not supported.  Is there an update that I am missing or a work around?

    Thanks,

    Peter

    Thursday, October 24, 2013 7:34 PM

All replies

  • I was able to enable the MSS settings by editing the LocalGPO script. Specifically the Chkosversion function.

    If(Left(strOpVer,3) = "6.2") and (strProductType <> "1") then strOS = "WS12" ElseIf(Left(strOpVer,3) = "6.2") and (strProductType = "1") then strOS = "Win8" ElseIf(Left(strOpVer,3) = "6.1") and (strProductType <> "1") then strOS = "WS08R2" ElseIf(Left(strOpVer,3) = "6.1") and (strProductType = "1") then strOS = "Win7" ElseIf(Left(strOpVer,3) = "6.0") and (strProductType <> "1") then strOS = "WS08" ElseIf(Left(strOpVer,3) = "6.0") and (strProductType = "1") then strOS = "VISTA" ElseIf(Left(strOpVer,3) = "5.2") and (strProductType <> "1") then strOS = "WS03" ElseIf(Left(strOpVer,3) = "5.2") and (strProductType = "1") then strOS = "XP" ElseIf(Left(strOpVer,3) = "5.1") and (strProductType = "1") then strOS = "XP" Else 'strMessage = DisplayMessage(conLABEL_CODE002) 'Call MsgBox(strMessage, vbOKOnly + vbCritical, strTitle) 'Call CleanupandExit strOS = "Win8" End If

    Essentially I just told it that the OS was Windows 8 and to not give off any errors in the function. Chances are this is not supported but it worked for my needs.
    • Proposed as answer by Marcel Brabetz Thursday, August 21, 2014 4:01 PM
    Wednesday, November 13, 2013 6:19 PM
  • Thanks Conrad,

    worked like hell :-)

    As some further hints for following readers:

    When using localgpo and exporting with the option "/gpopack" you also have to modify the gpopack.wsf in nearly the same way:

    This changes worked for me:

     'Checks whether the operating system is Windows XP or _
            'Windows Server 2003 or Windows Vista or Windows Server 2008 or _
            'Windows 7 or Windows Server 2008 R2
    
            If(Left(strOpVer,3) = "6.2") and (strProductType <> "1") then 
    	   strOS = "WS12"
            ElseIf(Left(strOpVer,3) = "6.2") and (strProductType = "1") then 
    	   strOS = "Win8"
            ElseIf(Left(strOpVer,3) = "6.1") and (strProductType <> "1") then 
    	   strOS = "WS08R2"
            ElseIf(Left(strOpVer,3) = "6.1") and (strProductType = "1") then 
    	   strOS = "Win7"
            ElseIf(Left(strOpVer,3) = "6.0") and (strProductType <> "1") then 
    	   strOS = "WS08"
            ElseIf(Left(strOpVer,3) = "6.0") and (strProductType = "1") then 
    	   strOS = "VISTA"
            ElseIf(Left(strOpVer,3) = "5.2") and (strProductType <> "1") then
    	   strOS = "WS03"
            ElseIf(Left(strOpVer,3) = "5.2") and (strProductType = "1") then 
    	   strOS = "XP"
            ElseIf(Left(strOpVer,3) = "5.1") and (strProductType = "1") then 
    	   strOS = "XP"
            Else
              If Not(WScript.Arguments.Named.Exists("Silent")) Then
                'strMessage = "GPOPacks only work on Windows XP Professional, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, or Windows Server 2012"
                'Call MsgBox(strMessage, vbOKOnly + vbCritical, strTitle)
    	  strOS = "Win8"
    		End If
             ' Call CleanupandExit 
    	strOS = "Win8"
            End If



    Marcel Brabetz

    Thursday, August 21, 2014 4:08 PM
  • Hi Peter

    Download the latest security baseline from here:

    http://blogs.technet.com/b/secguide/archive/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final.aspx

    The Zip File includes an updated Version of the LocalGPO script in \SCM_Win81-WS2012R2-IE11-Baselines-FINAL\Win81-WS2012R2-IE11-Baselines\Local_Script\MSS_Extension

    Funny, unlike with the SCM Installation which includes an LocalGPO.msi installer, there is no installer included in that zip. I guess this will come with the next SCM Version.

    Patrick

    Wednesday, September 03, 2014 9:05 PM
  • Thank Conrad and Marcel.  I was also able to use the code below for Windows 10.  Thus far it seems to be working.  Also note that I started with the Windows 8.1 baseline referenced by Patrick and built the Windows 10 baselines from it. 

    ElseIf(Left(strOpVer,3) = "6.4") and (strProductType = "1") then 
       strOS = "Win10" 'Technical Preview builds prior to 9926
    ElseIf(Left(strOpVer,4) = "10.0") and (strProductType = "1") then 
       strOS = "Win10" 'Technical Preview 2 build 9926 (and probably above)
    

    • Edited by Chad Simmons Friday, February 20, 2015 8:28 PM code formatting update
    Friday, February 20, 2015 8:26 PM
  • Patrick is right, the updated LocalGPO.wsf for Windows 8.1 and Server 2012 R2 can be found at the link he posted. I had worked around this for a while by adding similar code so that the captions matched Win8 and WS12. 

    However, GPOPack.wsf, though present in the same download, is not up-to-date. You can copy and paste the OS version caption detection from LocalGPO.wsf to "fix it" (unsupported of course, but I've done this enough times to for my personal confidence to feel it is okay to do... YMMV.)

    But for Windows 10 I have not yet located any official updates. RTM and Threshold2 baselines were released but neither has any .WSF scripts within. See this link, where there is a fork at the top to choose either Win10 RTM or Threshold2 baselines:

    http://blogs.technet.com/b/secguide/archive/2015/10/08/security-baseline-for-windows-10-draft.aspx

    Looks like what Chad has suggested would bypass the version check, but elsewhere in the code the OS caption is analyzed to determine various points of execution. You'd have to add "Win10" at these points, and even then, the OS is sufficiently different from 8.1-era that I am not confident in this approach without reviewing the whole script.

    Cheers.



    Thursday, February 25, 2016 5:09 PM
  • Since I last posted here I dug a little more and realized there's support for Windows 10 local GPO now provided in LGPO.exe, included at the TechNet link below. Download the zip file. There is a PDF inside with instructions.

    See: http://blogs.technet.com/b/secguide/archive/2016/01/22/security-baseline-for-windows-10-v1511-quot-threshold-2-quot-final.aspx

    Unpack the zip file and look in the Local_Script\Tools folder.

    Friday, April 01, 2016 8:53 PM