Local Group Policy Object Utility (Windows EXE)

What

LGPO.exe is Microsoft’s Local Group Policy Object ~~Utility~~utility. It lets administrators import, export, and apply local Windows Group Policy settings from the command line. This can be useful when deploying security baselines or ~~LGPO.exe~~local ispolicy ~~a new command-line utility~~settings to ~~automate~~Windows ~~the management of local group policy. It replaces the no-longer-maintained LocalGPO tool~~devices that ~~shipped~~are ~~with~~not ~~the~~managed ~~Security~~through ~~Compliance~~Active ~~Manager~~Directory ~~(SCM),~~Group ~~and the Apply_LGPO_Delta and ImportRegPol tools.~~
Policy.

When/Why

~~Many~~LGPO.exe ~~of the features~~can help ~~import~~apply required local policy settings to ~~your~~Windows devices ~~meeting~~so ~~organization~~they ~~policies~~meet ~~for~~your organization’s security ~~compliance.~~and compliance requirements.

Features:

Import settings into local group policy from GPO backups or from individual policy component files, including Registry Policy (registry.pol), security templates, and advanced auditing CSV files.
Export local policy to a GPO backup.
Parse a Registry Policy (registry.pol)pol) file tointo readable "“LGPO ~~text"~~text.” ~~directly~~The tooutput ~~the~~can ~~console or~~be redirected to a ~~file~~file, ~~which can edited~~edited, and imported back into local policy.
Build a new Registry Policy (registry.pol) file from "LGPO text".
Enable group policy client side extensions for local policy processing.

Before you begin

Test LGPO changes on a non-production device first. Run LGPO.exe with administrator privileges. Back up the current local policy before applying new settings. Policy changes may affect security, login behavior, Windows Update behavior, browser settings, or other system behavior depending on the imported policy. Some changes may require gpupdate /force, a sign-out/sign-in, or a reboot.

Example: Deploy LGPO.exe with FileWave

Download LGPO.zip. Add the required policy files to the same Fileset, such as:

registry.pol GptTmpl.inf Audit.csv lgpo.txt Create a Windows script in the Fileset. Example appropriate LGPO command, for example:

LGPO.exe /m "%~dp0registry.pol" /v
gpupdate /force

Associate the Fileset with a test device first. After validation, deploy to the intended device group.

How

The zip file contains the LGPO installer:

~~LGPO.zip~~ LGPO.exe v3.0 - Local Group Policy Object utility

Goal Recommended Command Apply a full GPO backup LGPO.exe /g path Apply machine policy settings LGPO.exe /m path\registry.pol Apply user policy settings LGPO.exe /u path\registry.pol Apply a security template LGPO.exe /s path\GptTmpl.inf Apply advanced audit settings LGPO.exe /a path\Audit.csv Export current local policy LGPO.exe /b path [/n GPO-name] Convert Registry.pol to readable text LGPO.exe /parse /m path\registry.pol Build Registry.pol from LGPO text LGPO.exe /r path\lgpo.txt /w path\registry.pol

LGPO.exe has four modes:

Import and apply policy settings;
Export local policy to a GPO backup;
Parse a registry.pol file to "LGPO text" format;
Build a registry.pol file from "LGPO text".

To apply policy settings, use the LGPO.exe commands below, where one or more of the following (each of which can be repeated):

/g path                             import settings from one or more GPO backups under "path"
/m path\registry.pol     import settings from registry.pol into machine config
/u path\registry.pol      import settings from registry.pol into user config
/s path\GptTmpl.inf     apply security template
/a[c] path\Audit.csv     apply advanced auditing settings; /ac to clear policy first
/t path\lgpo.txt              apply registry commands from LGPO text

/e <name>|<guid>       enable GP extension for local policy processing; specify a GUID, or one of these names:
              **  "zone" for IE zone mapping extension
              **  "mitigation" for mitigation options, including font blocking
              **   "audit" for advanced audit policy configuration
              
/boot                                reboot after applying policies
/v                                       verbose output
/q                                       quiet output (no headers)

~~Some~~The ~~example~~following ~~GPO~~examples ~~policies~~show ~~are~~common ~~listed~~LGPO.exe ~~below to use.~~commands. Be sure you are updating the correct path and names for your GPOs.

To create a GPO backup from local policy:

LGPO.exe /b path [/n GPO-name]

/b path                       Create GPO backup in "path"
/n GPO-name           Optional GPO display name (use quotes if it contains spaces)

To parse a Registry.pol file to LGPO text (stdout):

LGPO.exe /parse [/q] {/m|/u} path\registry.pol

/m path\registry.pol         parse registry.pol as machine config commands
/u path\registry.pol          parse registry.pol as user config commands
/q                                           quiet output (no headers)

To build a Registry.pol file from LGPO text:

LGPO.exe /r path\lgpo.txt /w path\registry.pol [/v]

/r path\lgpo.txt              Read input from LGPO text file
/w path\registry.pol     Write new registry.pol file

Validate the policy

After deployment, you can validate the result on the Windows device using one or more of the following:

gpupdate /force
gpresult /h C:\Temp\gpresult.html

You can also review the relevant local policy settings using the Local Group Policy Editor, where applicable.

Troubleshooting

Confirm the script is running as administrator or LocalSystem. Confirm paths are correct. When deploying through FileWave, use paths relative to the script location when possible. Use /v for verbose output during testing. Check whether the policy is machine-based or user-based before choosing /m or /u. Reboot the device if the policy requires it. Test rollback or backup procedures before broad deployment.

Microsoft Download Security Compliance Toolkit and Baselines

Digging Deeper

Microsoft Security Compliance Toolkit Documentation