For example, a GPO with settings like these:
- Changing the local admin password
- Interactive logon: Message text for users attempting to log on
- Rename of the local admin account
- Enabling Smart Card requirements
- Enabling BitLocker or other hard disk encryption software with Pre-Boot or Pre-Logon authentication
- etc.
It's quite easy to solve this by using a WMI filter on the GPO to prevent it from being applied until the OS installation is finished. Just use a filter like this:
And then link it to the GPO.
Done! The GPOs will not break your OS installation anymore and will still be applied and used.
NOTICE! The GPO will NOT apply to any computer missing that DeploymentLogs folder. So if you have computers in your environment that have been installed in some other fashion than via MDT (SCCM, Specops Deploy, etc.), your GPO will not be applied to them.
So in a scenario like that, you may want to run a Group Policy Preference (or App Deploy script) to create that folder on all previously installed computers before implementing this.
Updated: Also, if you have created an image that's built with Specops Deploy (MDT), it will already contain the \Windows\Temp\DeploymentLogs folder when it's being deployed ... Guess what will happen? The GPO filter will find that folder and apply the GPO ...
So, before you capture a client, make sure to manually delete C:\Windows\Temp\DeploymentLogs (and the C:\MININT, C:\Sysprep and C:\_SMSTaskSequence folders if any of them exist).
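
An added example, not part of the original post: a PowerShell check to run on a client that reports whether a folder-based WMI filter would let the GPO apply, and lists the leftover folders named above before an image capture. The WQL query is an assumption consistent with the DeploymentLogs folder the post describes (the post's own filter text is not reproduced here), and the function names are hypothetical.

```powershell
# Added example; the WQL below is an assumed query, not the post's original filter.
# GPO WMI filters are evaluated in root\CIMv2; backslashes are doubled inside WQL strings.
$Wql = "SELECT * FROM Win32_Directory WHERE Name = 'C:\\Windows\\Temp\\DeploymentLogs'"

# Folders the post says to delete before capturing a reference image.
$CaptureLeftovers = @(
    'C:\Windows\Temp\DeploymentLogs',
    'C:\MININT',
    'C:\Sysprep',
    'C:\_SMSTaskSequence'
)

function Test-DeploymentLogsFilter {
    # Hypothetical helper: $true when the query returns an instance,
    # which is the condition under which a WMI-filtered GPO applies.
    $hit = Get-CimInstance -Namespace 'root\CIMv2' -Query $Wql -ErrorAction Stop
    return [bool]$hit
}

function Get-CaptureLeftover {
    # Hypothetical helper: returns the leftover folders that exist on this machine.
    $CaptureLeftovers | Where-Object { Test-Path -LiteralPath $_ -PathType Container }
}

if (Test-DeploymentLogsFilter) {
    'Filter matches: the GPO would apply to this computer.'
} else {
    'Filter does not match: the GPO would be skipped on this computer.'
}

$found = @(Get-CaptureLeftover)
if ($found.Count -gt 0) {
    'Delete these before capturing an image:'
    $found
} else {
    'No deployment leftovers found.'
}
```

Running this on machines that were not installed via MDT shows which ones would silently miss the filtered GPO settings.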