Windows 2012 R2 Group Policy Settings including MSS Settings

Firstly, if you have a Windows 2008 domain and want to set Windows 2012 R2 specific Group Policy settings for the Windows 2012 R2 member servers you will be adding to the domain, you will need to use the “Group Policy Management” feature from a Windows 2012 R2 server. To do this, provision a Windows 2012 R2 server into your domain and install the “Group Policy Management” feature; see Installing Group Policy Management on Windows Server 2012 R2.

If you also want to set the Microsoft Security Settings prefixed with MSS, based on the CIS Security Benchmarks from http://www.cisecurity.org/, these are not included by default. They can be added by running a script from the “Microsoft Security Compliance Manager”. You can do this as follows:

Download the “Microsoft Security Compliance Manager” from http://technet.microsoft.com/en-gb/library/cc677002.aspx.

You will not want to fully install the package as it installs Microsoft SQL Express and other stuff you don’t really want. However, start the installation by running the downloaded Security_Compliance_Manager_Setup.exe which will unpack the installation files to a temporary directory such as C:\ adb01aff27798ababea02738a9f4.

Once the files have been unpacked, open data.cab from the temporary directory, extract the file GPOMSI and rename it LocalGPO.msi.

You can now cancel the “Microsoft Security Compliance Manager” installation; it should remove the temporary directory and the unpacked files.

Install LocalGPO.msi on the Windows 2012 R2 Server. At the “Welcome” screen press “Next>”.

Select “I accept the terms in the License Agreement” and click “Next>”.

The “LocalGPO Tool” feature should already be selected to be installed so click “Next>”.

Click “Install”.

Click “Finish” once the installation has completed.

You will now have a “LocalGPO Command-Line” application; run this as an administrator.

From this command line run the command:

    cscript LocalGPO.wsf /ConfigSCE

Unless Microsoft have added support for Windows 2012 R2 to this package by the time you read this, when you run the above command you will get an error message stating that you are running it on an unsupported Operating System. To get around this issue, edit LocalGPO.wsf (you can do this by opening it with Notepad). Go to the line in the ChkOSVersion routine that reads (I think this is line 480):

    If(Left(strOpVer,3) = "6.2") and (strProductType <> "1") then

Insert before this line the following:

    If(Left(strOpVer,3) = "6.3") and (strProductType <> "1") then
        strOS = "WS12"

And then insert Else at the start of the line

    If(Left(strOpVer,3) = "6.2") and (strProductType <> "1") then

To change it to

    ElseIf(Left(strOpVer,3) = "6.2") and (strProductType <> "1") then

So that the whole section now reads:

    If(Left(strOpVer,3) = "6.3") and (strProductType <> "1") then
        strOS = "WS12"
    ElseIf(Left(strOpVer,3) = "6.2") and (strProductType <> "1") then
        strOS = "WS12"
    ElseIf(Left(strOpVer,3) = "6.2") and (strProductType = "1") then
        strOS = "Win8"
    ElseIf(Left(strOpVer,3) = "6.1") and (strProductType <> "1") then
        strOS = "WS08R2"
    ElseIf(Left(strOpVer,3) = "6.1") and (strProductType = "1") then
        strOS = "Win7"
    ElseIf(Left(strOpVer,3) = "6.0") and (strProductType <> "1") then
        strOS = "WS08"
    ElseIf(Left(strOpVer,3) = "6.0") and (strProductType = "1") then
        strOS = "VISTA"
    ElseIf(Left(strOpVer,3) = "5.2") and (strProductType <> "1") then
        strOS = "WS03"
    ElseIf(Left(strOpVer,3) = "5.2") and (strProductType = "1") then
        strOS = "XP"
    ElseIf(Left(strOpVer,3) = "5.1") and (strProductType = "1") then
        strOS = "XP"
    Else
        strMessage = DisplayMessage(conLABEL_CODE002)
        Call MsgBox(strMessage, vbOKOnly + vbCritical, strTitle)
        Call CleanupandExit
    End If
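
The same ChkOSVersion edit can be scripted so that the original file is kept and the change can be reviewed line by line. The following PowerShell script is an added example, not part of LocalGPO or of the original post; the `-Path` parameter and the `.orig` backup name are assumptions, and it expects the installed file to contain the 6.2 server test exactly as quoted above.

```powershell
# Added example, not part of LocalGPO: applies the ChkOSVersion edit to LocalGPO.wsf.
# ASSUMPTION: -Path is where LocalGPO.wsf was installed; the article does not name the folder.
param([Parameter(Mandatory = $true)][string]$Path)
$ErrorActionPreference = 'Stop'

# The unmodified 6.2 server test that opens the chain, and the marker of an already-edited file.
$is62 = '^\s*If\s*\(\s*Left\(strOpVer,\s*3\)\s*=\s*"6\.2"\)\s*and\s*\(strProductType\s*<>\s*"1"\)\s*then'
$is63 = 'Left\(strOpVer,\s*3\)\s*=\s*"6\.3"'

$lines = @(Get-Content -LiteralPath $Path)
if (@($lines -match $is63).Count -gt 0) {
    Write-Output 'A 6.3 test is already present; nothing changed.'
    return
}

# Refuse to guess if the script does not look like the version the article describes.
$hits = @(0..($lines.Count - 1) | Where-Object { $lines[$_] -match $is62 })
if ($hits.Count -ne 1) {
    throw "Expected exactly one 'If ... 6.2 ... <> 1' line, found $($hits.Count)."
}
$i = $hits[0]

# Keep an untouched copy for review and rollback before writing anything.
$backup = "$Path.orig"
if (-not (Test-Path -LiteralPath $backup)) {
    Copy-Item -LiteralPath $Path -Destination $backup
}

# Reuse the indentation of the existing line for the inserted lines.
$indent = $lines[$i] -replace '^(\s*).*$', '${1}'
$new = @(
    ($indent + 'If(Left(strOpVer,3) = "6.3") and (strProductType <> "1") then'),
    ($indent + '    strOS = "WS12"'),
    ($lines[$i] -replace '^(\s*)If', '${1}ElseIf')
)

$patched = @()
if ($i -gt 0) { $patched += $lines[0..($i - 1)] }
$patched += $new
if ($i -lt $lines.Count - 1) { $patched += $lines[($i + 1)..($lines.Count - 1)] }

# Windows PowerShell writes the system ANSI code page here.
Set-Content -LiteralPath $Path -Value $patched

# Show exactly what changed: three added lines (=>) and the one original If line (<=).
Compare-Object (Get-Content -LiteralPath $backup) (Get-Content -LiteralPath $Path)
```

Run it from an elevated PowerShell prompt, since the file normally sits in a folder that only administrators can write to.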

Once you have changed the LocalGPO.wsf script as detailed above, close the “LocalGPO Command-line”, start it again and run:

    cscript LocalGPO.wsf /ConfigSCE

It should now work and you should end up with the MSS settings available to set in a Group Policy Object.

 


2 Responses to Windows 2012 R2 Group Policy Settings including MSS Settings

  1. Chris says:

    Thank you for this!!!!! Why do Microsoft make this stuff so complicated and not available by default.

  2. Haywood says:

    For Windows Server 2016, are we just doing the same thing but just adding the line for version 10.0 and WS16 like this and then moving the other to an Else line:

    If(Left(strOpVer,3) = "10.0") and (strProductType <> "1") then
    strOS = "WS16"
