Deploying operating systems and applications so that they are compliant with security and regulatory standards is an essential part of any deployment effort. MDT allows you to apply security and compliance configuration templates to the operating system and applications after they are deployed using Group Policy object (GPO) packs.
GPO packs are created by exporting a GPO backup in the Microsoft Security Compliance Manager. These GPO packs are applied by the Apply Local GPO Package task sequence step for task sequences created using the MDT task sequence templates. The Apply Local GPO Package task sequence step runs the ZTIApplyGPOPack.wsf script, which is responsible for applying the GPO packs to the target computer.
Note GPO packs are only used to configure security and compliance configuration settings for Windows operating systems, not the applications running on the operating system. For example, the Internet Explorer or Microsoft Office security and compliance configuration settings in Security Compliance Manager cannot be used as GPO packs.
The following MDT task sequence templates include the Apply Local GPO Package task sequence step:
· Standard Client Task Sequence in LTI, ZTI with Configuration Manager 2012, and ZTI with Configuration Manager 2007 R3
· Standard Server Task Sequence in LTI, ZTI with Configuration Manager 2012, and ZTI with Configuration Manager 2007 R3
· Deploy to VHD Client Task Sequence in LTI
· Deploy to VHD Server Task Sequence in LTI
Note Applying GPO packs affects system behavior and features because of the increased security requirements that GPO packs could configure. The result is that you may lose certain functionality after a GPO pack is applied.
If the security configuration settings that the GPO packs included in MDT provide are too stringent, perform one of the following tasks:
· Modify the existing GPO templates to be less restrictive.
· Provide a custom GPO template that you have created that is less restrictive.
· Disable the Apply Local GPO Package task sequence step in your task sequence.
For example, the GPO pack for Windows 7 can enforce Server Message Block (SMB) configuration settings that could prevent Windows 7 from communicating with other devices running Common Internet File System (CIFS) or SAMBA.
Apply GPO packs templates by performing the following steps:
1. Identify or create the GPO packs required by your organization as described in Identify or Create the GPO Packs.
2. Place the GPO packs in the appropriate MDT folders as described in Place the GPO Packs in the Appropriate MDT Folders.
3. Configure MDT to deploy the GPO packs as described in Configure MDT to Deploy the GPO Packs.