batch-file cmd group-policy

Scripted addition of Startup/Shutdown (Logon/Logoff) scripts does not work on fresh installation


So far I have a working script that adds Startup/Shutdown scripts to "Local Computer Policy \ Computer Configuration \ Windows Settings \ Scripts (Startup/Shutdown)".

However, this does not work on a fresh installation.

The workaround is to run gpedit at least once to edit one entry. This will add a bunch of registry keys in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy"

Afterwards the scripts added by me run too.


Solution

  • While writing the question I had a closer look and found the answer. Something had been added to "gPCMachineExtensionNames" in gpt.ini.

    gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{DF3DC19F-F72C-4030-940E-4C2A65A6B612}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]

    Thanks to the "GUID List of Group Policy Client Extensions" from infrastructureheroes.org I know what it stands for.

    Besides adding a logon Script you might need this GUID:

    gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{DF3DC19F-F72C-4030-940E-4C2A65A6B612}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]

    And now that I have already answered my question, I might also mention the other nasty things about this topic.

    First, decode UTF-16 scripts.ini. Output every line where nothing was found into a new file. I admit it looks weird but it works. Could it be done differently?

    find /v "!doNotFindThis!" < "scripts.ini" > "\scripts.txt"
    

    Possibly like the encoding?

    cmd /U /C "type "^"scripts.txt^" >> ^"scripts.ini^""
    

    Notice, this will encode as UTF16-LE but without BOM. It seems of no importance but to have the original UTF16-LE BOM encoding, I keep an empty template file with this encoding and append the content.

    Finally, a quick note on the gpt.ini version. The one version parameter actually represents two version numbers. In the Registry it is hex coded. The first four bytes are the "users" version and the others are the "machine" version, e.g.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List\0] "Version"=dword:00010001

    If you want to increment both, add 0x00010001, or in decimal 65537.

    And don't forget to run gpupdate, maybe the /force with you :-)

    Now that I have understood it, I managed to find two answers on Stack Overflow:
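
One way to script the two gpt.ini changes described in the answer above (the Scripts extension pair and the version bump), as an added PowerShell example that is not part of the original post. Function names and the sample input are constructed; each 16-bit half is bumped on its own, because adding 0x00010001 carries from the machine half into the user half once the machine half reaches 0xFFFF.

```powershell
# Added example; function names are illustrative, not from the original post.
# Extension pairs copied from the gpt.ini lines quoted in the answer.
$MachineScripts = '[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]'
$UserScripts    = '[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]'

function Add-ExtensionPair([string[]]$Lines, [string]$Key, [string]$Pair) {
    $found = $false
    $out = foreach ($line in $Lines) {
        if ($line -match ('^\s*' + [regex]::Escape($Key) + '\s*=(.*)$')) {
            $found = $true
            $pairs = @([regex]::Matches($Matches[1], '\[[^\]]+\]') | ForEach-Object { $_.Value })
            # -notcontains compares case-insensitively, so the pair is never added twice.
            if ($pairs -notcontains $Pair) { $pairs += $Pair }
            # Keep the list sorted, as it is in the lines quoted in the answer.
            "$Key=" + (($pairs | Sort-Object) -join '')
        } else { $line }
    }
    # Assumption: [General] is the only section, so a missing key can go at the end.
    if (-not $found) { $out = @($out) + "$Key=$Pair" }
    $out
}

function Step-GptVersion([uint32]$Version, [switch]$Machine, [switch]$User) {
    # Upper 16 bits: user version. Lower 16 bits: machine version.
    [long]$userHalf = ($Version -shr 16) -band 0xFFFF
    [long]$machHalf = $Version -band 0xFFFF
    # Bump each half on its own so 0xFFFF never carries into the other half.
    # Assumption: a half that overflows restarts at 1 rather than 0.
    if ($User)    { $userHalf = if ($userHalf -eq 0xFFFF) { 1 } else { $userHalf + 1 } }
    if ($Machine) { $machHalf = if ($machHalf -eq 0xFFFF) { 1 } else { $machHalf + 1 } }
    [uint32](($userHalf -shl 16) -bor $machHalf)
}

function Update-GptIni([string[]]$Lines, [switch]$Machine, [switch]$User) {
    if ($Machine) { $Lines = Add-ExtensionPair $Lines 'gPCMachineExtensionNames' $MachineScripts }
    if ($User)    { $Lines = Add-ExtensionPair $Lines 'gPCUserExtensionNames' $UserScripts }
    foreach ($line in $Lines) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') {
            'Version=' + (Step-GptVersion ([uint32]($Matches[1])) -Machine:$Machine -User:$User)
        } else { $line }
    }
}

# Constructed sample input; 196607 is 0x0002FFFF (user 2, machine 0xFFFF).
$sample = '[General]', 'gPCFunctionalityVersion=2', 'Version=196607'
Update-GptIni $sample -Machine -User
```

The functions only transform lines of text, so they can be tried on a copy of gpt.ini before the result is written back and gpupdate is run.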