Flexible Security For Your Peace of Mind

Don’t apply a GPO until OS Deploy is done

(Last updated on September 3, 2018)

You might sometimes want to stop a GPO from being applied until Specops Deploy / OS (MDT) is done. For example, if you have a GPO that changes the Administrator account in any way, (renaming, changing password, disabling) or use GPO to set default Logon Domain, it will prevent MDT from automatically logging in to Windows and finish the installation.It’s possible to stop that GPO from applying until the deployment is finished by using WMI filtering.

(Click for a larger picture)

Create a WMI filter like this:Select * From CIM_Directory Where Name = ‘C:\Windows\Temp\DeploymentLogs’When Specops Deploy / OS (MDT) is done, it creates a folder and copies all Deployment logfiles to the %windir%TempDeploymentLogs directory. So by using a WMI filter to look for that folder it’s possible to only apply the GPO after the folder is created (and OS Deployment is done). It’s possible to do the same inside Specops Deploy / App Targets too, to stop an application from being installed until the whole OS part is done.

One word of caution though. If someone would clean the Temp folder and remove the DeploymentLogs folder logs, that would of course stop the GPO from being applied again!

This may or may not being a problem depending on your environment and what settings are included in the GPO.

I’ve not tried it myself, but I guess it would be possible to set NTFS rights (via GPO’s) on the DeploymentLogs folder to prevent anyone from deleting it.

And this is of course something that Deployment Guru, mr Arwidmark, has made a blog about in the past.


Back to Blog