Microsoft’s Local Group Policy Object (LGPO) utility is a standalone command-line executable that assists administrators in automating the management of a computer’s local security policy. The tool uses a combination of Group Policy Template (GptTmpl.inf) files, Registry Policy (registry.pol) files, and Audit Policy (audit.csv) files to apply desired configuration settings to targeted endpoints. In this article, you will learn how to use Microsoft’s LGPO utility to baseline a Windows 10 system configuration using DISA’s Group Policy Objects (GPO).
1. Prerequisites for Configuration Backup
This article is meant to convey information that teaches you how to baseline the configuration of a Windows 10 system using DISA GPOs. If you’d like to follow along with any of the demonstrations, you will need the following:
- A Windows 10 system
- Administrator rights on the Windows 10 system
Proceed with Caution!
The commands that are used in this article will apply configuration changes to the target computer. It is recommended that the commands within this article are run on a test system or a virtual machine. The examples provided throughout this tutorial were generated using Windows Sandbox.
2. About Microsoft’s LGPO Utility
LGPO.exe functions as a standalone executable program that can be run directly from the command-line. LGPO.exe does not install additional software on your system to perform its tasks. LGPO.exe has four (4) core modes:
- Export local policy to a backup
- Import and apply policy settings
- Parse a registry.pol file to LGPO text format
- Build a registry.pol file from LGPO text
Additional information on how to use the LGPO utility can be found within the LGPO.pdf file that comes embedded within the LGPO.zip download.
3. Downloading Microsoft’s LGPO Utility
The LGPO utility is part of Microsoft’s Security Compliance Toolkit. To download the LGPO bundle:
- Navigate to the Microsoft Security Compliance Toolkit download page.
- Click Download.
- Select LGPO.zip and then click Next.
- Extract the contents of the LGPO.zip archive.
4. Downloading DISA’s Windows 10 GPO Bundle
DISA packages preconfigured Group Policy Object (GPO) templates to assist with the STIG implementation process. To download DISA’s GPO bundle:
- Navigate to the DoD Cyber Exchange’s Group Policy Objects download page.
- Click the GPO title under GPO Downloads. In the following screenshot, you will see that the GPO title is Group Policy Objects (GPOs) – July 2022:
- Be patient as the GPO bundle download completes.
- Extract the contents of the DISA GPO .zip archive:
5. Preparing Your System
If you want to follow along, please use the following steps to mirror the setup of the system that was used to create this article:
- Open a PowerShell session as an Administrator.
- Use the following command to create a new directory named LGPO:
#Create the C:\LGPO directory.
mkdir C:\LGPO - Copy the LGPO.exe executable file from your Downloads directory to C:\LGPO
- Copy the DoD Windows 10 v[x]r[x] from the unzipped DISA GPO archive to C:\LGPO
- Change your directory location to C:\LGPO using the cd command:
#Change directory location to C:\LGPO.
cd C:\LGPO - Issue the dir command to list the contents of C:\LGPO and confirm that LGPO.exe and the DoD Windows 10 v[x]r[x] directory are listed:
Nice job! Your system is ready to go! In the next section, you will use LGPO to back up your system’s current configuration.
6. Exporting Local Security Policy to a Backup with LGPO
Before applying a new policy, it is best practice to create a backup of your system’s current configuration. LGPO enables this functionality with the /b switch:
- Open a PowerShell session as an Administrator.
- Backup your system’s current configuration using LGPO’s /b switch. The following command will create and store a configuration backup within C:\LGPO:
#Backup the system’s current configuration to C:\LGPO using LGPO’s /b switch.
C:\LGPO\LGPO.exe /b C:\LGPO - Confirm that the command completes without error:
Great work! The configuration backup process is now complete! If you’re following along, your configuration backup will be stored in C:\LGPO.
In the next section, you will baseline the configuration of your Windows 10 system using DISA GPOs.
7. Apply Local Security Policy using LGPO
Now that you’ve obtained a backup of your system’s local policy, it is time to apply the new configuration. You can import settings from one or more GPOs using LGPO’s /g switch:
NOTE: DISA’s Windows 10 GPO contains placeholders that require organization-specific values for the following User Rights Assignments:
- Deny access to this computer from the network: ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS
- Deny log on as a batch job: ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS
- Deny log on as a service: ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS
- Deny log on locally: ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS
- Deny log on through Remote Desktop Services: ADD YOUR ENTERPRISE ADMINS,ADD YOUR DOMAIN ADMINS
Insert your custom values before or after executing the commands identified below.
- Open a PowerShell session as an Administrator.
- Apply the DoD Windows 10 v[x]r[x] GPO using LGPO’s /g switch:
#Apply the DoD Windows 10 v[x]r[x] configuration using LGPO’s /g switch.
#NOTE: You may need to modify the version and revision (v[x]r[x]) numbers. At the time of this writing, the DoD Windows 10 GPO is v2r4.
C:\LGPO\LGPO.exe /g “C:\LGPO\DoD Windows 10 v2r4” - Confirm that the command completes without error:
NOTE: If the aforementioned organization-specific User Rights Assignments were not modified within C:\LGPO\DoD Windows 10 v2r4\GPOs\{AD8929AD-5491-4E51-A04E-6588E76D85B6}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf prior to executing the script, LGPO would report the following error:
This error can be ignored if received.
Congratulations! You’ve successfully applied the DoD Windows 10 GPO to your system!
Unleashing the Magic of Microsoft’s LGPO
This blog post taught you how to backup local policy configuration and apply a new configuration using DISA’s DoD Windows 10 GPO! What else can you automate using LGPO? Run LGPO.exe with the /? switch to find out! Apply Configuration With Microsoft’s LGPO Utility.