# Local Group Policy Object Utility (Windows EXE) ## What LGPO.exe is Microsoft’s Local Group Policy Object utility. It lets administrators import, export, and apply local Windows Group Policy settings from the command line. This can be useful when deploying security baselines or local policy settings to Windows devices that are not managed through Active Directory Group Policy. ## When/Why LGPO.exe can help apply required local policy settings to Windows devices so they meet your organization’s security and compliance requirements. Features: - Import settings into local group policy from GPO backups or from individual policy component files, including Registry Policy (registry.pol), security templates, and advanced auditing CSV files. - Export local policy to a GPO backup. - Parse a Registry Policy (`registry.pol`) file into readable “LGPO text.” The output can be redirected to a file, edited, and imported back into local policy. - Build a new Registry Policy (registry.pol) file from "LGPO text". - Enable group policy client-side extensions for local policy processing. ## Before you begin - Test LGPO changes on a non-production device first. - Run LGPO.exe with administrator privileges. - Back up the current local policy before applying new settings. - Policy changes may affect security, login behavior, Windows Update behavior, browser settings, or other system behavior depending on the imported policy. - Some changes may require `gpupdate /force`, a sign-out/sign-in, or a reboot. #### Example: Deploy LGPO.exe with FileWave 1. Download [LGPO.zip](https://kb.filewave.com/attachments/442). 2. Add the required policy files to the same Fileset, such as: - `registry.pol` - `GptTmpl.inf` - `Audit.csv` - `lgpo.txt` 3. Create a Windows script in the Fileset. 4. Use the LGPO command that matches the policy file you are deploying, for example: ``` LGPO.exe /m "%~dp0registry.pol" /v gpupdate /force ``` 5. Associate the Fileset with a test device first. 6. After validation, deploy to the intended device group. #### LGPO Policy Example Template Example Template Fileset: - [Example LGPO Template.fileset.zip](https://kb.filewave.com/attachments/521) Use the template variable examples below to apply or remove one Windows local policy value. You only need to set a few environment variables: - apply\_policy.ps1 applies the policy. - remove\_policy.ps1 removes the policy value. #### Example Fileset Contents Example contents: LGPO.exe, apply\_policy.ps1, and remove\_policy.ps1. GeneratedPolicy.txt is created by the script at runtime.

[![ExampleLGPOTemplate.png](https://kb.filewave.com/uploads/images/gallery/2026-05/scaled-1680-/tlN6Ox5CMQyZ9hW1-examplelgpotemplate.png)](https://kb.filewave.com/uploads/images/gallery/2026-05/tlN6Ox5CMQyZ9hW1-examplelgpotemplate.png)

#### Required Variables

FW\_POLICY\_TYPE and FW\_POLICY\_DATA are required when applying a policy. They are not required when removing a policy.

Variable	Example	Notes
FW\_POLICY\_KEY	Software\\Policies\\Microsoft\\Windows\\Installer	Registry policy path. You may also use a full HKLM:\\... path.
FW\_POLICY\_VALUE	DisableMSI	Registry value name.
FW\_POLICY\_TYPE	DWORD	Required for apply. Common values: DWORD, SZ, QWORD, EXPAND\_SZ, MULTI\_SZ.
FW\_POLICY\_DATA	2	Required for apply.

#### Optional Variables

For User policies, include LGPO.exe and use LGPO text import. Direct registry fallback is intended for Computer policies because FileWave often runs scripts as LocalSystem.

Variable	Default	Notes
FW\_POLICY\_SCOPE	Computer	Use Computer for HKLM policy or User for HKCU policy.
FW\_LGPO\_EXE	.\\LGPO.exe	Custom path to LGPO.exe.
FW\_LGPO\_TEXT\_PATH	.\\GeneratedPolicy.txt	Where the generated LGPO text file is written.
FW\_RUN\_GPUPDATE	true	Runs gpupdate.exe /force.
FW\_DIRECT\_REGISTRY\_FALLBACK	true	Directly writes simple Computer policies if enabled.

#### Example: Disable Windows Installer ``` $env:FW_POLICY_KEY = "Software\Policies\Microsoft\Windows\Installer" $env:FW_POLICY_VALUE = "DisableMSI" $env:FW_POLICY_TYPE = "DWORD" $env:FW_POLICY_DATA = "2" .\apply_policy.ps1 ```

To remove the same policy:

``` $env:FW_POLICY_KEY = "Software\Policies\Microsoft\Windows\Installer" $env:FW_POLICY_VALUE = "DisableMSI" .\remove_policy.ps1 ```

How

The attached zip contains LGPO.exe, Microsoft’s Local Group Policy Object utility: [LGPO.zip](https://kb.filewave.com/attachments/442)

Goal	Recommended Command
Apply LGPO text policy	LGPO.exe /t path\\lgpo.txt
Apply a full GPO backup	LGPO.exe /g path
Apply machine policy settings	LGPO.exe /m path\\registry.pol
Apply user policy settings	LGPO.exe /u path\\registry.pol
Apply a security template	LGPO.exe /s path\\GptTmpl.inf
Apply advanced audit settings	LGPO.exe /a path\\Audit.csv
Export current local policy	LGPO.exe /b path \[/n GPO-name\]
Convert Registry.pol to readable text	LGPO.exe /parse /m path\\registry.pol
Build Registry.pol from LGPO text	LGPO.exe /r path\\lgpo.txt /w path\\registry.pol

LGPO.exe has four modes: 1. Import and apply policy settings; 2. Export local policy to a GPO backup; 3. Parse a registry.pol file to "LGPO text" format; 4. Build a registry.pol file from "LGPO text". To apply policy settings, use one or more of the following LGPO.exe options. Each option can be repeated as needed: ``` /g path import settings from one or more GPO backups under "path" /m path\registry.pol import settings from registry.pol into machine config /u path\registry.pol import settings from registry.pol into user config /s path\GptTmpl.inf apply security template /a[c] path\Audit.csv apply advanced auditing settings; /ac to clear policy first /t path\lgpo.txt apply registry commands from LGPO text /e | enable GP extension for local policy processing; specify a GUID, or one of these names: ** "zone" for IE zone mapping extension ** "mitigation" for mitigation options, including font blocking ** "audit" for advanced audit policy configuration /boot reboot after applying policies /v verbose output /q quiet output (no headers) ``` To create a GPO backup from local policy: ``` LGPO.exe /b path [/n GPO-name] /b path Create GPO backup in "path" /n GPO-name Optional GPO display name (use quotes if it contains spaces) ``` To parse a Registry.pol file to LGPO text (stdout): ``` LGPO.exe /parse [/q] {/m|/u} path\registry.pol /m path\registry.pol parse registry.pol as machine config commands /u path\registry.pol parse registry.pol as user config commands /q quiet output (no headers) ``` To build a Registry.pol file from LGPO text: ``` LGPO.exe /r path\lgpo.txt /w path\registry.pol [/v] /r path\lgpo.txt Read input from LGPO text file /w path\registry.pol Write new registry.pol file ``` ## Validate the policy After deployment, you can validate the result on the Windows device using one or more of the following: ``` gpupdate /force gpresult /h C:\Temp\gpresult.html /f ```

You can also review the relevant local policy settings using the Local Group Policy Editor, where applicable. ## Troubleshooting - Confirm the script is running as administrator or LocalSystem. - Confirm paths are correct. When deploying through FileWave, use paths relative to the script location when possible. - Use `/v` for verbose output during testing. - Check whether the policy is machine-based or user-based before choosing `/m` or `/u`. - Reboot the device if the policy requires it. - Test rollback or backup procedures before broad deployment. ## Related Content - [Microsoft Download Security Compliance Toolkit and Baselines](https://www.microsoft.com/en-us/download/details.aspx?id=55319) ## Digging Deeper - [Microsoft Security Compliance Toolkit Documentation](https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10)