Group Policies in a modern managed environment – GPO to MSI released as Open Source

Today is a great day, because we are making one of our Syntaro tools available as open source to the whole community. GPO to MSI is an easy-to-use PowerShell script that converts either the local policy (with the help of lgpo.exe) or an exported Group Policy into an MSI file. This MSI file can then be deployed to your clients with Intune.

Why have we created such a solution? The modern workplace can only be controlled through OMA-MDM policies, which do not provide the same settings as a GPO. Because they lack a lot of settings, this is a huge problem in all of the projects. It is already an issue to configure the security-relevant settings that Microsoft defines in its Security Baseline. We know that OMA-URI provides a way to deploy ADMX settings, but the configuration has to be done per setting with an XML file, and overall this is very complicated. And you know me, I like it simple and light.

Use Cases

Imagine you have some domain-joined devices and some cloud-only devices. With my script you can deploy the same settings to both, without re-engineering and analysing how to set a specific setting over OMA-URI.

How to

The usage is simple and can be done in a few minutes by following this checklist. First of all, you have to decide whether you will use an existing GPO export or the current local policy. Then download the respective folder from our Modern & Secure Workplace GitHub repository.

Only if you would like to use a GPO: Export a GPO from the GPO Console.

Only if you would like to use a GPO: Add the resulting files to the GPO Backup directory of our solution.

Start PowerShell.exe with local administrative rights.

Execute BuildMsiWithExportedGPO.ps1. It will automatically build the MSI for an x64 system.

If needed, you can also specify the version which should be set in the MSI. Every time you generate a new MSI, we recommend also raising the version number.

Grab the MSI from the Results folder and deploy it with Intune.
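The GPO path of the checklist above as one PowerShell session, with a review of the exported settings before they are packaged. This is an added example, not code from the GPO to MSI repository; the GPO name, the download location and lgpo.exe being on the PATH are assumptions, and the directory names "GPO Backup" and "Results" are taken from the steps above.

```powershell
#Requires -RunAsAdministrator
# Assumptions (not from the original post): the GPO name, the solution path,
# and lgpo.exe being reachable on the PATH.
$GpoName  = 'Workstation Baseline'   # hypothetical GPO name
$Solution = 'C:\Temp\GPOtoMSI'       # hypothetical location of the downloaded folder
$Staging  = Join-Path $env:TEMP ("gpo-export-" + [guid]::NewGuid())

# 1. Export the GPO (scripted equivalent of a backup from the GPO console).
#    Requires the GroupPolicy module (RSAT) on a domain-joined machine.
Import-Module GroupPolicy -ErrorAction Stop
New-Item -ItemType Directory -Path $Staging -Force | Out-Null
Backup-GPO -Name $GpoName -Path $Staging | Out-Null

# 2. Review every registry.pol in the export before it is packaged, so that
#    only intended settings reach the clients. lgpo.exe /parse prints the
#    policy file as readable text (/m = machine, /u = user).
Get-ChildItem -Path $Staging -Recurse -Filter registry.pol | ForEach-Object {
    $scope = if ($_.Directory.Name -eq 'User') { '/u' } else { '/m' }
    Write-Host "--- $($_.FullName)"
    & lgpo.exe /parse $scope $_.FullName
}

# 3. Add the exported files to the solution's GPO Backup directory.
Copy-Item -Path (Join-Path $Staging '*') `
          -Destination (Join-Path $Solution 'GPO Backup') -Recurse -Force

# 4. Build the MSI (x64 by default, as described above).
Push-Location $Solution
try   { & .\BuildMsiWithExportedGPO.ps1 }
finally { Pop-Location }

# 5. Record the hash of what will be uploaded to Intune.
Get-ChildItem -Path (Join-Path $Solution 'Results') -Filter *.msi |
    Get-FileHash -Algorithm SHA256 |
    Format-List Path, Hash
```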

I hope you like it and it makes your life simpler. We have even more solutions which help in a modern managed environment, like deploying all types of Win32/Desktop apps to devices over Intune without limitations, or monitoring Windows Defender without SCCM/WDATP.

Thomas Kurth

Principal Workplace Consultant at baseVISION AG
I’m a consultant, trainer and architect for modern workplace and enterprise mobility projects with Microsoft Technologies in the past eight years. I love to push and design the modern workplace based on Windows 10, EM&S and O365 for my customers which is the only answer for the current security threats, agile world and the fast-changing business requirements of my customers. Important for me is to simplify and automate the operational processes, because there are the highest costs.
