Group Policies in a modern managed environment – GPO to MSI released as Open Source

Today is a great day, because we are making one of our Syntaro tools available to the whole community as open source. GPO to MSI is an easy-to-use PowerShell script which converts either the local policy (with the help of lgpo.exe) or an exported Group Policy into an MSI file. This MSI file can then be deployed to your clients with Intune. Why did we create such a solution? The modern workplace can only be controlled through OMA-DM policies, which do not provide the same settings as a GPO. Because so many settings are missing, this is a huge problem in every project. It is already difficult to configure the security-relevant settings which Microsoft defines in its Security Baseline. We know that OMA-URI provides a way to deploy ADMX settings, but the configuration has to be done per setting with an XML file, and overall this is very complicated. And you know me, I like it simple and light.

Use Cases

Imagine you have both domain-joined devices and cloud-only devices. With this script you can deploy the same settings to both, without re-engineering and analysing how to set each specific setting over OMA-URI.

How to

The usage is simple and can be done in a few minutes by following this checklist. First of all you have to decide whether you want to use an existing GPO export or the current local policy. Then download the respective folder from our Modern & Secure Workplace GitHub repository.

Only if you would like to use a GPO:

1. Export a GPO from the GPO console.
2. Add the resulting files to the GPO Backup directory of our solution.

In both cases:

3. Start Powershell.exe with local administrative rights.
4. Execute BuildMsiWithExportedGPO.ps1. It automatically builds the MSI for an x64 system. If needed, you can also specify the version which should be set in the MSI; every time you generate a new MSI, we recommend raising the version number as well.
5. Grab the MSI from the Results folder and deploy it with Intune.
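A pre-flight check for the exported-GPO variant, added here as an example and not code from the GPO to MSI project: run it before the build script to verify the conditions the build, and later the installer, depend on (PowerShell 5.1, an execution policy that loads scripts, an elevated session, and an export that is not buried in a subfolder). The GPOBackup folder name is taken from the installer log in the comments; that the {GUID} export folder sits directly beneath it is an assumption.

```powershell
# Added pre-flight check, not part of the GPO to MSI project. Run it from the
# solution folder before BuildMsiWithExportedGPO.ps1. Assumption: the exported
# GPO lives in .\GPOBackup.
[CmdletBinding()]
param(
    [string]$SolutionRoot = (Get-Location).Path,
    [string]$BackupDir    = (Join-Path $SolutionRoot 'GPOBackup')
)
$problems = New-Object System.Collections.Generic.List[string]

# 1. Some functions of the build script need PowerShell 5.1; older engines fail
#    with "[System.Object[]] doesn't contain a method named 'replace'".
if ($PSVersionTable.PSVersion -lt [version]'5.1') {
    $problems.Add("PowerShell $($PSVersionTable.PSVersion) found; 5.1 or newer is required.")
}
# 2. A Restricted or AllSigned policy refuses to load the unsigned .ps1 at all.
$policy = Get-ExecutionPolicy
if ($policy -in 'Restricted', 'AllSigned') {
    $problems.Add("Execution policy is '$policy'; relax it for this session only: Set-ExecutionPolicy -Scope Process RemoteSigned")
}
# 3. lgpo.exe rewrites the local policy, so building and testing need elevation.
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $problems.Add('Session is not elevated; start PowerShell as Administrator.')
}
# 4. An exported GPO is a {GUID} folder holding Backup.xml and bkupInfo.xml. List
#    every backup found and flag ones buried in extra subfolders, since a misplaced
#    export is one of the causes named for the installer's Error 1722.
if (-not (Test-Path -LiteralPath $BackupDir)) {
    $problems.Add("Backup folder '$BackupDir' does not exist.")
} else {
    $BackupDir = (Resolve-Path -LiteralPath $BackupDir).Path
    $backups = @(Get-ChildItem -LiteralPath $BackupDir -Recurse -Filter 'Backup.xml' -ErrorAction SilentlyContinue)
    if ($backups.Count -eq 0) {
        $problems.Add("No Backup.xml under '$BackupDir'; export the GPO from the GPO console first.")
    }
    foreach ($b in $backups) {
        $relative = $b.DirectoryName.Substring($BackupDir.TrimEnd('\').Length).Trim('\')
        $depth    = ($relative -split '\\').Count
        Write-Verbose "Found GPO backup '$relative' (depth $depth)"
        if ($depth -gt 1) {  # assumption: the {GUID} folder belongs directly under $BackupDir
            $problems.Add("Backup '$relative' is nested $depth levels deep; do not place the export in a subfolder.")
        }
    }
}
if ($problems.Count -eq 0) { Write-Output 'Pre-flight OK: ready to build the MSI.'; exit 0 }
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

Invoke it with `powershell -ExecutionPolicy Bypass -File .\PreflightCheck.ps1 -Verbose` so the check itself runs even while the session policy is still restrictive.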

I hope you like it and that it makes your life simpler. We have even more solutions which help in a modern managed environment, such as deploying all types of Win32/desktop apps over Intune without device limitations, or monitoring Windows Defender without SCCM/WDATP.

Thomas Kurth

I’m a consultant, trainer and architect for modern workplace and enterprise mobility projects with Microsoft technologies for the past eight years. I love to push and design the modern workplace based on Windows 10, EM&S and O365 for my customers, which is the only answer to the current security threats, the agile world and the fast-changing business requirements of my customers. Important for me is to simplify and automate the operational processes, because that is where the highest costs are.
Enterprise Administrator Expert, MCT, CMCE

17 Comments

Lasse · June 15, 2018 at 07:23

Hi
A small question.
Will GPP and the node Windows Settings also be included in the msi?
Are all of the settings in a GPO supported?

Thanks in advance

Lasse

Andy · June 17, 2018 at 22:00

Hi Thomas,

Simple steps and just what I wanted, but upon executing the PS1 script with admin rights, I get the following error message:

BuildMsiWithLocalGPO.ps1 cannot be
loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at
https:/go.microsoft.com/fwlink/?LinkID=135170.
+ CategoryInfo : SecurityError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnauthorizedAccess

    aron · September 28, 2018 at 21:46

    This is PowerShell’s protection.

    Run “Set-ExecutionPolicy -ExecutionPolicy Bypass”, accept, and try again.

Simon · July 1, 2019 at 09:46

Hi Thomas,
This is a really nice tool!
I am now trying to deploy it in my test environment and have some small issues. I have one question at the very beginning:
– does it matter what scope is chosen in the GPO? (I mean authenticated users, etc.) Or does it not count when the MSI is deployed via Intune?

    Simon · July 1, 2019 at 10:04

    I am asking because when I log in with a LOCAL account on the target machine, the application installation status in Intune throws Error code: 0x80070643. But when I log in with a domain admin, the error code changes to 0x0

      Simon · July 1, 2019 at 10:25

      Product: GroupPolicyOverMDM — Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action GPOLoader, location: C:\windows\Installer\MSI519.tmp, command: /g “C:\Program Files\baseVISION\GPOtoMSI\GPOBackup”

        Thomas Kurth · July 1, 2019 at 21:54

        You can test it by placing your exported GPO in a folder and then executing ‘lgpo.exe /g “%PathToYouFolder%”‘. I assume it either has not enough rights or the export was placed in a subfolder.

    Thomas Kurth · July 1, 2019 at 21:50

    You should install the MSI as System and not with user privileges. It just sets the local policy, and for that admin rights are required. If you export a GPO from the GPO editor it doesn’t export the ACL. Therefore it always applies to all users on a device.

      Simon · July 2, 2019 at 14:48

      Ok, I thought that it may be distributed simply like a “Line-of-business app”. Thank you for the quick response and support!

        Thomas Kurth · July 2, 2019 at 20:56

        Yes, you can just deploy it as a line-of-business app. Then it should just work. I normally deployed it to devices and not to users. Then it always worked.

          Simon · July 3, 2019 at 14:16

          Well, I think I will give up. I am trying to deploy it as a “LoB app” in device context, and the following error appears: 0x80070654

Alfred · July 26, 2019 at 13:01

I cannot run ExportGPO or ImportGPO; both get the same error:

VERBOSE: 2019-07-26 20:00:22+08 INFO Copy Main Wix File and Modify Version
Write-Log : 2019-07-26 20:00:22+08 ERROR Failed to modify main wix config file – [System.Management.Automation.RuntimeException] Method invocation
failed because [System.Object[]] doesn’t contain a method named ‘replace’.
At C:\temp\ExportedGPO\BuildMsiWithExportedGPO.ps1:256 char:14
+ Write-Log <<<< "Failed to modify main wix config file" -Type Error -Exception $_.Exception
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Write-Log

Please help

    Thomas Kurth · July 26, 2019 at 20:35

    What PowerShell Version are you using?

      Alfred Lee · July 28, 2019 at 16:53

      Hi Thomas,

      After upgrading to PS v5.1, everything works fine.

      Thanks for your help!

      Regards,

      Alfred

        Thomas Kurth · July 28, 2019 at 20:31

        Hello Alfred,

        Yes, I tested it only on Windows 10 machines, and some functions require PowerShell 5.1. Happy that you could solve it and use my tool :).

        Have a nice day.

        Regards
        Thomas

Alfred Lee · July 27, 2019 at 03:32

Hi Thomas,

Thanks for the great tools.

Is it necessary to run it in Windows 10 environment?

I got the below error when I tried it in Win7 and Windows Server 2012.

VERBOSE: 2019-07-27 10:31:48+08 INFO Copy Main Wix File and Modify Version
Write-Log : 2019-07-27 10:31:48+08 ERROR Failed to modify main wix config file – [System.Management.Automation.RuntimeException] Method invocation
failed because [System.Object[]] doesn’t contain a method named ‘replace’.
At C:\temp\ExportedGPO\BuildMsiWithExportedGPO.ps1:256 char:14
+ Write-Log <<<< "Failed to modify main wix config file" -Type Error -Exception $_.Exception
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Write-Log

Thanks and Regards,

Alfred
