
Group Policies in a modern managed environment – GPO to MSI released as Open Source

Today is a great day, because we are making one of our Syntaro tools available as open source to the whole community. GPO to MSI is an easy-to-use PowerShell script that converts either the current local policy (captured with lgpo.exe) or an exported Group Policy backup into an MSI file. That MSI can then be deployed to your clients with Intune. Why did we create such a solution? The modern workplace can only be controlled through MDM (OMA-DM) policies, which do not offer the same settings as a GPO. Because so many settings are missing, this is a huge problem in all of our projects: even configuring the security-relevant settings that Microsoft defines in its Security Baseline is already an issue. We know that OMA-URI offers a way to deploy ADMX-backed settings, but the configuration has to be done per setting with an XML value, and overall this is very complicated. And you know me, I like it simple and light.

Use Cases

Imagine you have domain-joined devices and some cloud-only devices. With this script you can deploy the same settings to both, without re-engineering and analysing how each specific setting would have to be set over OMA-URI.

How to

The usage is simple and can be done in a few minutes by following this checklist. First decide whether you want to use an existing GPO export or the current local policy, then download the respective folder from our Modern & Secure Workplace GitHub repository.

1. Only if you use an exported GPO: export the GPO from the Group Policy Management Console (Back Up...).

2. Only if you use an exported GPO: add the resulting files to the GPOBackup directory of the solution.

3. Start powershell.exe with local administrative rights.

4. Execute BuildMsiWithExportedGPO.ps1 (or BuildMsiWithLocalGPO.ps1 in the local-policy variant). It automatically builds the MSI for an x64 system.

If needed, you can also specify the version that should be set in the MSI. Every time you generate a new MSI, we recommend raising the version number as well.

5. Grab the MSI from the Results folder and deploy it with Intune.
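The checklist above as one script, added here as an example and not the project's own code: it exports the GPO with the GroupPolicy module, clears and refills the GPOBackup folder, checks that the backup actually contains policy files, optionally test-applies it with the same lgpo.exe /g call the installer uses (see the installer log in the comments), builds the MSI and locates the result. It assumes that the solution folder holds lgpo.exe beside BuildMsiWithExportedGPO.ps1 and that the build script takes the version through a -Version parameter; neither is stated on the page.

```powershell
# Added example (not the project's own script): export a GPO, sanity-check the backup,
# optionally test-apply it locally with lgpo.exe and then build the MSI with a version.
# Assumed and not stated on the page: the solution folder holds lgpo.exe next to
# BuildMsiWithExportedGPO.ps1, and the build script accepts a -Version parameter.
#Requires -Version 5.1
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][string]$GpoName,        # display name of the GPO to export
    [Parameter(Mandatory)][string]$SolutionRoot,   # the ExportedGPO folder from the GitHub repository
    [version]$Version = '1.0.0',                   # raise this for every new build
    [switch]$TestApplyLocally                      # apply to this machine's local policy before packaging
)
$ErrorActionPreference = 'Stop'
Import-Module GroupPolicy   # RSAT/GPMC cmdlets; Backup-GPO needs access to the domain

$backupDir = Join-Path $SolutionRoot 'GPOBackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
# Start from an empty GPOBackup so settings from a previous export cannot leak into this MSI.
Get-ChildItem -Path $backupDir -Force | Remove-Item -Recurse -Force

# 1. Export the GPO (same result as "Back Up..." in the Group Policy Management Console).
$backup = Backup-GPO -Name $GpoName -Path $backupDir
Write-Host ("Exported '{0}' as backup {1}" -f $GpoName, $backup.Id)

# 2. Check the backup layout: the policy files live under {BackupId}\DomainSysvol\GPO.
$gpoDir = Join-Path $backupDir ('{{{0}}}\DomainSysvol\GPO' -f $backup.Id)
if (-not (Test-Path -LiteralPath $gpoDir)) { throw "Unexpected backup layout, missing: $gpoDir" }
$policyFiles = Get-ChildItem -Path $gpoDir -Recurse -File -Include 'registry.pol', 'GptTmpl.inf', 'audit.csv'
if (-not $policyFiles) { throw 'The backup contains no policy files; lgpo.exe would apply nothing' }
foreach ($f in $policyFiles) { Write-Host ('  will apply: ' + $f.FullName.Substring($backupDir.Length)) }

# 3. Optional dry run: the same call the installer makes ("lgpo.exe /g <GPOBackup>").
if ($TestApplyLocally) {
    $lgpo = Join-Path $SolutionRoot 'lgpo.exe'   # assumed location
    & $lgpo /g $backupDir /v
    if ($LASTEXITCODE -ne 0) { throw "lgpo.exe failed with exit code $LASTEXITCODE" }
}

# 4. Build the x64 MSI with the requested version (parameter name assumed).
& (Join-Path $SolutionRoot 'BuildMsiWithExportedGPO.ps1') -Version $Version.ToString()

# 5. Pick up the newest MSI from Results for upload to Intune.
$msi = Get-ChildItem -Path (Join-Path $SolutionRoot 'Results') -Filter '*.msi' |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $msi) { throw 'The build produced no MSI in the Results folder' }
Write-Host "MSI ready for Intune: $($msi.FullName)"
```

Run it from an elevated console on a domain-joined admin workstation, e.g. `.\Build-GpoMsi.ps1 -GpoName 'Security Baseline' -SolutionRoot C:\temp\ExportedGPO -Version 1.0.2 -TestApplyLocally`. The dry run changes the local policy of the machine you run it on, so use a test device for that switch.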

I hope you like it and that it makes your life simpler. We have even more solutions that help in a modern managed environment, like deploying all types of Win32/desktop apps to devices over Intune without limitations, or monitoring Windows Defender without SCCM/WDATP.


22 Comments

Lasse · June 15, 2018 at 07:23

Hi
A small question.
Will GPP and the node Windows Settings also be included in the msi?
Are all of the settings in a GPO supported?

Thanks in advance

Lasse

Andy · June 17, 2018 at 22:00

Hi Thomas,

Simple steps and just what I wanted, but upon executing the PS1 script with admin rights, I get the following error message:

BuildMsiWithLocalGPO.ps1 cannot be
loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at
https:/go.microsoft.com/fwlink/?LinkID=135170.
+ CategoryInfo : SecurityError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnauthorizedAccess

    aron · September 28, 2018 at 21:46

    This is PowerShell protection.

    Run “Set-ExecutionPolicy -ExecutionPolicy Bypass”, accept, and try again
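The error in Andy's comment is PowerShell refusing to run any script because the effective execution policy is Restricted. An added example, not from the post or its author: instead of lowering the machine-wide policy, run the build script in a child process whose policy applies to that process only, and first check whether the downloaded script still carries the mark of the web. The script path is taken from the error message above and is an assumption about your layout.

```powershell
# Added example, not from the post: run the GPO to MSI build script without changing the
# machine-wide execution policy. The -ExecutionPolicy switch of powershell.exe applies to that
# child process only, so the rest of the system keeps its current policy.

function Invoke-BuildScriptIsolated {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,   # e.g. .\BuildMsiWithLocalGPO.ps1 (assumed location)
        [string[]]$ScriptArgs = @()                  # passed through to the build script
    )
    $script = Get-Item -LiteralPath $ScriptPath

    # Show the policy at every scope; the effective one is the first that is not Undefined.
    Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-Host

    # Files from a zip downloaded with a browser keep the mark of the web (Zone.Identifier stream).
    # Under RemoteSigned that alone blocks an unsigned script; surface it instead of hiding it.
    $motw = Get-Item -LiteralPath $script.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($motw) {
        Write-Warning "$($script.Name) carries Zone.Identifier (downloaded file); review it, then Unblock-File if it is what you expect"
    }

    # Start the build in an elevated child process with a process-scoped Bypass policy
    # (lgpo.exe needs admin rights to write the local policy).
    $psArgs = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', ('"{0}"' -f $script.FullName)) + $ScriptArgs
    $proc = Start-Process -FilePath 'powershell.exe' -ArgumentList $psArgs -Verb RunAs -Wait -PassThru
    return $proc.ExitCode
}

# Usage: the script name comes from the error message in the comment above; the path is assumed.
$exit = Invoke-BuildScriptIsolated -ScriptPath '.\BuildMsiWithLocalGPO.ps1'
if ($exit -ne 0) { throw "Build failed with exit code $exit" }
```

The same effect can be had for an interactive session with `Set-ExecutionPolicy -Scope Process Bypass`, which also reverts when the console closes; a scope-less `Set-ExecutionPolicy Bypass` changes the LocalMachine policy for every user on the device.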

Simon · July 1, 2019 at 09:46

Hi Thomas,
This is a really nice tool!
I am now trying to deploy it in my test environment and have some small issues. I have one question at the very beginning:
– does it matter what scope is chosen in the GPO? (I mean Authenticated Users, etc.) Or should it not count when the MSI is deployed via Intune?

    Simon · July 1, 2019 at 10:04

    I am asking because when I log in with a LOCAL account on the target machine, the application installation status in Intune throws error code 0x80070643. But when I log in with a domain admin, the error code changes to 0x0.

      Simon · July 1, 2019 at 10:25

      Product: GroupPolicyOverMDM — Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action GPOLoader, location: C:\windows\Installer\MSI519.tmp, command: /g “C:\Program Files\baseVISION\GPOtoMSI\GPOBackup”

        Thomas Kurth · July 1, 2019 at 21:54

        You can test it by just placing your exported GPO in a folder and then executing ‘lgpo.exe /g “%PathToYourFolder%”‘. I assume it has not enough rights or the export was placed in a subfolder.

    Thomas Kurth · July 1, 2019 at 21:50

    You should install the MSI as System and not with user privilege. It just sets the local policy and for that admin rights are required. If you export a GPO from GPO editor it doesn’t export the ACL. Therefore it always applies to all users on a device.

      Simon · July 2, 2019 at 14:48

      Ok, I thought that it may be distributed simply like “Line-of-business app”. Thank You for quick response and support!

        Thomas Kurth · July 2, 2019 at 20:56

        Yes, you can just deploy it as a line-of-business app. Then it should just work. I normally deployed it to devices and not to users, and then it always worked.

          Simon · July 3, 2019 at 14:16

          Well, I think I will give up. I am trying to deploy it as “LoB app” in device context – following error is there: 0x80070654

Alfred · July 26, 2019 at 13:01

I cannot run ExportGPO or ImportGPO, both also get the same error

VERBOSE: 2019-07-26 20:00:22+08 INFO Copy Main Wix File and Modify Version
Write-Log : 2019-07-26 20:00:22+08 ERROR Failed to modify main wix config file – [System.Management.Automation.RuntimeException] Method invocation
failed because [System.Object[]] doesn’t contain a method named ‘replace’.
At C:\temp\ExportedGPO\BuildMsiWithExportedGPO.ps1:256 char:14
+ Write-Log <<<< "Failed to modify main wix config file" -Type Error -Exception $_.Exception
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Write-Log

Please help

    Thomas Kurth · July 26, 2019 at 20:35

    What PowerShell Version are you using?

      Alfred Lee · July 28, 2019 at 16:53

      Hi Thomas,

      After upgrading to PS v5.1, everything works fine.

      Thanks for your help!

      Regards,

      Alfred

        Thomas Kurth · July 28, 2019 at 20:31

        Hello Alfred,

        Yes, I tested it only on Windows 10 machines, and some functions require PowerShell 5.1. Happy that you could solve it and use my tool :).

        Have a nice day.

        Regards
        Thomas

Alfred Lee · July 27, 2019 at 03:32

Hi Thomas,

Thanks for the great tools.

Is it necessary to run it in Windows 10 environment?

I got the error below when I tried it on Win7 and Windows Server 2012.

VERBOSE: 2019-07-27 10:31:48+08 INFO Copy Main Wix File and Modify Version
Write-Log : 2019-07-27 10:31:48+08 ERROR Failed to modify main wix config file – [System.Management.Automation.RuntimeException] Method invocation
failed because [System.Object[]] doesn’t contain a method named ‘replace’.
At C:\temp\ExportedGPO\BuildMsiWithExportedGPO.ps1:256 char:14
+ Write-Log <<<< "Failed to modify main wix config file" -Type Error -Exception $_.Exception
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Write-Log

Thanks and Regards,

Alfred

Lee AP · June 14, 2020 at 05:56

Hi Thomas,

This is a really nice tool, but I am having an issue pushing it down from Intune. I have created two MSI files with different MSI versions for two different GPOs and created two LOB applications in Intune. I have the first one installed and applied successfully, but the second one does not get installed and applied because Intune thinks that it has already been installed. Is there a way to fix it?

Also I have another question: when it gets installed it shows as GroupPolicyOverMDM in Control Panel. Is there a way to change the name to something meaningful per GPO name?

Thanks,
Lee.

    Thomas Kurth · June 14, 2020 at 11:05

    Hello Lee

    The problem here is that only one local policy is available in Windows. But you can try it by modifying the UpgradeCode and Name in main.x64.wxs/main.x86.wxs. These files are in the wix-config subfolder. Does this help?
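Thomas's suggestion points at the MSI identity: two packages built from the same WiX source differ only in version, so they share UpgradeCode and product name and Windows Installer (and Intune) treat them as versions of one product rather than two apps. The script below is an added example, not part of GPO to MSI: it reads the identity properties of the generated MSIs through the Windows Installer COM API, reports which of them clash, and stamps a fresh UpgradeCode and product name into main.x64.wxs so the next build is a distinct product. It assumes the .wxs uses the WiX v3 namespace and a standard <Product> element with Name and UpgradeCode attributes; the MSI paths and the new product name in the usage lines are placeholders. Editing the file as XML also sidesteps the failure visible in Alfred's log above: in PowerShell 2.0, Get-Content returns an array of lines with no .Replace() method. Keep Thomas's point in mind as well: Windows has a single local policy, so two packages that set overlapping settings overwrite each other's values regardless of their MSI identity.

```powershell
# Added example, not part of GPO to MSI: inspect the identity of generated MSIs and give the
# WiX source a new UpgradeCode/Name before building a second, independent package.
# Assumption (not on the page): main.x64.wxs is a WiX v3 file with a <Product Name=".." UpgradeCode=".."> element.

function Get-MsiIdentity {
    # Reads Property-table values with the Windows Installer COM API; no extra tools needed.
    param([Parameter(Mandatory)][string]$Path)
    $fullPath  = (Resolve-Path -LiteralPath $Path).Path
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($fullPath, 0))
    $result = [ordered]@{ Path = $fullPath }
    foreach ($name in 'ProductName', 'ProductVersion', 'ProductCode', 'UpgradeCode') {
        $query = "SELECT Value FROM Property WHERE Property = '$name'"
        $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($query))
        $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
        $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        $value = $null
        if ($record) { $value = $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, @(1)) }
        $result[$name] = $value
        $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
    }
    [pscustomobject]$result
}

function Test-MsiPairForIntune {
    # Two LOB packages are only independent apps if none of these identity values collide.
    param([Parameter(Mandatory)][string]$FirstMsi, [Parameter(Mandatory)][string]$SecondMsi)
    $a = Get-MsiIdentity -Path $FirstMsi
    $b = Get-MsiIdentity -Path $SecondMsi
    $problems = @()
    if ($a.UpgradeCode -eq $b.UpgradeCode) { $problems += "same UpgradeCode $($a.UpgradeCode): Windows Installer sees one product, the newer version replaces the older" }
    if ($a.ProductCode -eq $b.ProductCode) { $problems += "same ProductCode $($a.ProductCode): the second MSI counts as already installed" }
    if ($a.ProductName -eq $b.ProductName) { $problems += "same ProductName '$($a.ProductName)': indistinguishable in Control Panel and in Intune" }
    [pscustomobject]@{ First = $a; Second = $b; CanCoexist = ($problems.Count -eq 0); Problems = $problems }
}

function Set-WixProductIdentity {
    # Writes a new UpgradeCode and Name into the <Product> element so the next build is a distinct product.
    param([Parameter(Mandatory)][string]$WxsPath, [Parameter(Mandatory)][string]$NewName)
    $xml = [xml](Get-Content -LiteralPath $WxsPath -Raw)
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('wix', 'http://schemas.microsoft.com/wix/2006/wi')
    $product = $xml.SelectSingleNode('//wix:Product', $ns)
    if (-not $product) { throw "No <Product> element found in $WxsPath" }
    $product.SetAttribute('UpgradeCode', ('{{{0}}}' -f ([guid]::NewGuid().ToString().ToUpper())))
    $product.SetAttribute('Name', $NewName)
    $xml.Save($WxsPath)
    [pscustomobject]@{ Name = $product.GetAttribute('Name'); UpgradeCode = $product.GetAttribute('UpgradeCode') }
}

# Usage (paths and name are placeholders): check the two packages, then re-identify the source and rebuild.
Test-MsiPairForIntune -FirstMsi '.\Results\GPO-A.msi' -SecondMsi '.\Results\GPO-B.msi' | Format-List
Set-WixProductIdentity -WxsPath '.\wix-config\main.x64.wxs' -NewName 'GPO - Security Baseline'
```

Run Set-WixProductIdentity once per GPO you want to ship as its own app and keep the resulting UpgradeCode stable for that app's later versions; only the version should change between rebuilds of the same policy.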

Lee AP · June 15, 2020 at 05:23

Hi Thomas,

Thank you so much for quick reply!

I have tested as you suggested and yes it works perfectly, such a great tool.

I have another question: I have deployed User Configuration GPOs and they are not applied on the device. Computer Configuration policies are applied without any issues.

Is there way to achieve this?

Thanks,
Lee.

    Thomas Kurth · August 17, 2020 at 06:56

    In my cases the user part was applied as well. But there is also a new LGPO.exe which supports a /u parameter, but to use that the script needs to be modified.

    Perhaps this helps.

edgar · August 13, 2020 at 04:48

Hi, I’ve started using the tool recently and it is really good. It kind of bridges the gap between stuff you can’t yet apply from Intune as a config profile.
One question though:
I created a package with Computer and User settings, version 1.0.1, and it got applied perfectly. Then I needed to tweak one of the settings of the GPO; I did that manually in the gpreport.xml file from the GPO backup, created a new package version 1.0.2 and pushed it to the device from Intune. It got installed correctly, but it didn’t modify the settings I changed in the gpreport.xml file on the device.

I would’ve thought that modifying the gpo xml file and recreating the package with a new version would be enough to apply new settings on the device, am I missing something? cheers, Ed
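Edgar's change above was made in gpreport.xml. As an added example, not part of the project: in a GPMC backup, gpreport.xml is the settings report written at backup time, while the registry-based policy values themselves are stored in DomainSysvol\GPO\Machine\registry.pol and DomainSysvol\GPO\User\registry.pol (security settings in GptTmpl.inf), and those files are what a policy importer such as lgpo.exe consumes. The parser below reads the binary registry.pol format so you can confirm that a changed setting is really in the backup before building and pushing a new version. The GPOBackup path in the usage line comes from the installer log in Simon's comment and is an assumption about your layout.

```powershell
# Added example (not part of GPO to MSI): list the registry-based settings inside a GPO backup
# by parsing its registry.pol files. Format ("Registry Policy File Format"):
#   "PReg" + DWORD version 1, then entries  [key;value;type;size;data]
#   where brackets and semicolons are UTF-16LE characters, key/value are null-terminated
#   UTF-16LE strings, type and size are DWORDs and data is 'size' raw bytes.
Set-StrictMode -Version Latest

$PolTypeNames = @{ 1 = 'REG_SZ'; 2 = 'REG_EXPAND_SZ'; 3 = 'REG_BINARY'; 4 = 'REG_DWORD'; 7 = 'REG_MULTI_SZ'; 11 = 'REG_QWORD' }

function Test-PolChar {
    # Consumes one UTF-16LE delimiter character and returns the next offset.
    param([byte[]]$Bytes, [int]$Pos, [char]$Expected)
    if ([BitConverter]::ToUInt16($Bytes, $Pos) -ne [int]$Expected) {
        throw ("registry.pol corrupt at offset {0}: expected '{1}'" -f $Pos, $Expected)
    }
    return $Pos + 2
}

function Read-PolString {
    # Reads a null-terminated UTF-16LE string; returns the string and the next offset.
    param([byte[]]$Bytes, [int]$Pos)
    $start = $Pos
    while ([BitConverter]::ToUInt16($Bytes, $Pos) -ne 0) { $Pos += 2 }
    $text = [System.Text.Encoding]::Unicode.GetString($Bytes, $start, $Pos - $start)
    return $text, ($Pos + 2)
}

function ConvertFrom-PolData {
    # Decodes the raw data bytes according to the registry value type.
    param([uint32]$Type, [byte[]]$Data)
    switch ($Type) {
        1  { return [System.Text.Encoding]::Unicode.GetString($Data).TrimEnd([char]0) }            # REG_SZ
        2  { return [System.Text.Encoding]::Unicode.GetString($Data).TrimEnd([char]0) }            # REG_EXPAND_SZ
        4  { if ($Data.Length -ge 4) { return [BitConverter]::ToUInt32($Data, 0) }; return $null } # REG_DWORD
        7  { return ([System.Text.Encoding]::Unicode.GetString($Data).TrimEnd([char]0) -split "`0") } # REG_MULTI_SZ
        11 { if ($Data.Length -ge 8) { return [BitConverter]::ToUInt64($Data, 0) }; return $null } # REG_QWORD
        default { return ([BitConverter]::ToString($Data) -replace '-', '') }                     # REG_BINARY etc. as hex
    }
}

function Read-RegistryPol {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4) -ne 'PReg') {
        throw "Not a registry.pol file: $Path"
    }
    $version = [BitConverter]::ToUInt32($bytes, 4)
    if ($version -ne 1) { throw "Unsupported registry.pol version $version in $Path" }

    $pos = 8
    while ($pos -lt $bytes.Length) {
        $pos = Test-PolChar $bytes $pos '['
        $key, $pos = Read-PolString $bytes $pos
        $pos = Test-PolChar $bytes $pos ';'
        $valueName, $pos = Read-PolString $bytes $pos
        $pos = Test-PolChar $bytes $pos ';'
        $type = [BitConverter]::ToUInt32($bytes, $pos); $pos += 4
        $pos = Test-PolChar $bytes $pos ';'
        [int]$size = [BitConverter]::ToUInt32($bytes, $pos); $pos += 4
        $pos = Test-PolChar $bytes $pos ';'
        [byte[]]$data = if ($size -gt 0) { $bytes[$pos..($pos + $size - 1)] } else { @() }
        $pos += $size
        $pos = Test-PolChar $bytes $pos ']'

        # Value names starting with "**" are instructions to the policy engine, e.g. "**del.<name>"
        # removes a value and "**DeleteKeys" removes keys; everything else sets a value.
        $action = if ($valueName -like '**ated' -or $valueName -like '**del.*' -or $valueName -like '**Delete*' -or $valueName -like '**delvals*') { 'instruction' } else { 'set' }
        $typeName = $PolTypeNames[[int]$type]
        if (-not $typeName) { $typeName = "type $type" }
        [pscustomobject]@{
            Key       = $key          # relative to HKLM (Machine\registry.pol) or HKCU (User\registry.pol)
            ValueName = $valueName
            Type      = $typeName
            Action    = $action
            Data      = ConvertFrom-PolData -Type $type -Data $data
        }
    }
}

function Get-GpoBackupPolicies {
    # Walks a GPO backup folder (or the GPOBackup root holding several) and lists every entry.
    param([Parameter(Mandatory)][string]$BackupRoot)
    Get-ChildItem -Path $BackupRoot -Recurse -Filter 'registry.pol' | ForEach-Object {
        $hive = if ($_.Directory.Name -ieq 'User') { 'HKCU' } else { 'HKLM' }
        $file = $_.FullName
        Read-RegistryPol -Path $file | ForEach-Object {
            $_ | Add-Member -NotePropertyName Hive -NotePropertyValue $hive -PassThru |
                 Add-Member -NotePropertyName Source -NotePropertyValue $file -PassThru
        }
    }
}

# Usage (path assumed, taken from the installer log in the comments): verify the backup's contents.
Get-GpoBackupPolicies -BackupRoot 'C:\Program Files\baseVISION\GPOtoMSI\GPOBackup' |
    Format-Table Hive, Key, ValueName, Type, Action, Data -AutoSize
```

Pipe the output through `Where-Object { $_.Key -like '*<policy key>*' }` to find the one setting you changed; if it is absent or still shows the old data, the edit has to be made in the GPO itself (and re-exported) rather than in the report file.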
