How to use LGPO.exe to modify lgpo settings (with lgpo examples)

Updated: Jun 2021
– Easier method to deploy with /t
– Added example to set lgpo to “Not Configured”

Have a need to update just a few local GPO settings on your client machines? Maybe you've deployed a full CIS Baseline and just need to tweak one or two things. Or maybe SCCM isn't properly reverting WSUS settings when software updates are disabled. If so, making a few updates with LGPO.exe is simple. Here is how you can change a handful of local GPO settings on your client machines without having to re-deploy an entire LGPO baseline. I've included several LGPO examples as well.

The Process

1. Download LGPO from the Microsoft Security Compliance Toolkit 1.0 here
2. Extract the zip and copy LGPO.exe to a folder. I'll use C:\Temp
3. Open cmd as administrator and change directory to c:\Temp
4. Make any changes to local group policy via gpedit.msc
5. Take a backup by running this command:
lgpo.exe /b C:\Temp /n "Backup"


6. This exports the local GPO into a folder named with a GUID. I recommend renaming it to something easier, for example "LGPO_Backup".
7. Now you are going to want to parse this backup into a text file. Run this command:
LGPO.exe /parse /m C:\Temp\LGPO_Backup\DomainSysvol\GPO\Machine\registry.pol > C:\Temp\lgpo.txt

(Use > rather than >> so that running the command a second time overwrites the file instead of appending a duplicate set of entries.)


Note: You can do the same for user settings by parsing DomainSysvol\GPO\User\registry.pol with /parse /u instead of /m; the resulting entries are tagged User instead of Computer.

This text file will contain every setting configured. Delete the entries you don't want to change, find the ones you do, and edit those. In my example I want to allow locally defined firewall rules to merge into the "Public" profile, which the baseline currently blocks. (Caveat: CIS baselines deliberately set these Public-profile values to 0 so that a local administrator, or malware running as one, cannot open holes in the firewall with netsh; only relax them for a documented reason.) I edited my text file to look like this:

; ----------------------------------------------------------------------
; PARSING Computer POLICY
; Source file:  C:\Temp\LGPO_Backup\DomainSysvol\GPO\Machine\registry.pol

Computer
Software\Policies\Microsoft\WindowsFirewall\PublicProfile
AllowLocalIPSecPolicyMerge
DWORD:1

Computer
Software\Policies\Microsoft\WindowsFirewall\PublicProfile
AllowLocalPolicyMerge
DWORD:1

; PARSING COMPLETED.
; ----------------------------------------------------------------------

8. Once you have made your changes, apply the .txt file with the /t switch (available in LGPO 2.2 and later):
LGPO.exe /t C:\Temp\lgpo.txt

Note that the /t switch applies whatever scope each entry declares: entries tagged Computer go into the machine configuration and entries tagged User into the user configuration. The /u switch is the user-side counterpart of /m, used when you parse or import a user registry.pol directly rather than an LGPO text file.

LGPO Example for setting “Not Configured”

If you want to revert some settings to "Not Configured", replace the data line of each setting you want removed with DELETE. In the following LGPO example, I want to revert the WSUS settings so that Windows Update can be managed by Windows Update for Business.

; ----------------------------------------------------------------------
; PARSING Computer POLICY
; Source file:  C:\Temp\LGPO_Backup\DomainSysvol\GPO\Machine\registry.pol

Computer
Software\Policies\Microsoft\Windows\WindowsUpdate
WUServer
DELETE

Computer
Software\Policies\Microsoft\Windows\WindowsUpdate
WUStatusServer
DELETE

Computer
Software\Policies\Microsoft\Windows\WindowsUpdate
UpdateServiceUrlAlternate
DELETE

Computer
Software\Policies\Microsoft\Windows\WindowsUpdate\AU
UseWUServer
DELETE

; PARSING COMPLETED.
; ----------------------------------------------------------------------

Save the file and apply it with the /t switch exactly as in step 8.

Launch gpedit.msc and you will see that the WSUS setting is now correctly shown as "Not Configured".

I also verified that the corresponding values under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate were removed.

Don't forget that all of these commands are documented in the LGPO.pdf that ships with the download. You can also use the CLEAR or DELETEALLVALUES actions for slightly different behaviour.
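The following PowerShell script is an added example and not code from the original article. It automates both procedures above in one pass: setting values (the firewall AllowLocalPolicyMerge example) and reverting values to "Not Configured" (the WSUS DELETE example), with a backup taken first and the live registry checked afterwards. It assumes LGPO.exe and the working folder live under C:\Temp, that the LGPO.exe you deploy carries a valid Microsoft Authenticode signature, and that LGPO.pdf's SZ: type tag is the right one for string values; adjust the paths and the $Settings table to your own needs and run it from an elevated PowerShell session.

```powershell
# Added example (not from the original article): build an LGPO text file from a
# table of settings, back up the local GPO, apply the file with /t and verify.
# Assumed paths; change them to match your environment.
$LgpoExe = 'C:\Temp\LGPO.exe'
$Work    = 'C:\Temp'
$LgpoTxt = Join-Path $Work 'lgpo.txt'

# 0. Do not hand SYSTEM-level policy changes to a binary you have not verified.
#    Assumption: the copy you deploy is validly signed by Microsoft; if this
#    check fails, re-download the Security Compliance Toolkit instead of running it.
$sig = Get-AuthenticodeSignature -FilePath $LgpoExe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "LGPO.exe signature check failed ($($sig.Status)); refusing to run $LgpoExe"
}

# 1. Describe the changes as data. Each entry becomes one four-line LGPO text
#    block: scope, registry key, value name, then data or an action.
#    Data = $null means "remove the value" (LGPO action DELETE), which gpedit
#    then shows as "Not Configured".
$Settings = @(
    # Article example: let local rules merge into the Public firewall profile.
    # CIS sets these to 0 on purpose; only relax them with a recorded reason.
    @{ Scope = 'Computer'; Key = 'Software\Policies\Microsoft\WindowsFirewall\PublicProfile'; Name = 'AllowLocalPolicyMerge';      Data = 1 }
    @{ Scope = 'Computer'; Key = 'Software\Policies\Microsoft\WindowsFirewall\PublicProfile'; Name = 'AllowLocalIPSecPolicyMerge'; Data = 1 }
    # "Not Configured" example: drop the WSUS pointers so Windows Update for Business takes over.
    @{ Scope = 'Computer'; Key = 'Software\Policies\Microsoft\Windows\WindowsUpdate';    Name = 'WUServer';                  Data = $null }
    @{ Scope = 'Computer'; Key = 'Software\Policies\Microsoft\Windows\WindowsUpdate';    Name = 'WUStatusServer';            Data = $null }
    @{ Scope = 'Computer'; Key = 'Software\Policies\Microsoft\Windows\WindowsUpdate';    Name = 'UpdateServiceUrlAlternate'; Data = $null }
    @{ Scope = 'Computer'; Key = 'Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'UseWUServer';               Data = $null }
)

function ConvertTo-LgpoText {
    # Emits the lines of an LGPO text file for the given entries.
    param([Parameter(Mandatory)][hashtable[]]$Entries)
    $lines = @('; LGPO text generated by ConvertTo-LgpoText (added example)')
    foreach ($e in $Entries) {
        if ($null -eq $e.Data)     { $data = 'DELETE' }                # revert to Not Configured
        elseif ($e.Data -is [int]) { $data = "DWORD:$($e.Data)" }      # 32-bit number, as in the article
        else                       { $data = "SZ:$($e.Data)" }         # string; type tag per LGPO.pdf (assumption)
        $lines += ''                                                   # blank line between entries
        $lines += $e.Scope, $e.Key, $e.Name, $data
    }
    $lines
}

# 2. Back up the current local GPO first so it can be re-imported with /g if needed.
& $LgpoExe /b $Work /n 'Before-tweak' | Out-Null
$backup = Get-ChildItem -Path $Work -Directory |
    Where-Object Name -Match '^\{?[0-9A-Fa-f-]{36}\}?$' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $backup) { throw 'LGPO /b did not create a GUID-named backup folder; aborting.' }
Write-Host "Backup written to $($backup.FullName)"

# 3. Write the text file (ASCII, like the cmd redirection in the article) and apply it.
ConvertTo-LgpoText -Entries $Settings | Set-Content -Path $LgpoTxt -Encoding Ascii
& $LgpoExe /t $LgpoTxt
if ($LASTEXITCODE -ne 0) { throw "LGPO.exe /t returned exit code $LASTEXITCODE" }
gpupdate.exe /target:computer /force | Out-Null

# 4. Verify against the live registry, not only gpedit: a set value must be
#    present with the right data, a DELETEd value must be gone.
foreach ($e in $Settings | Where-Object Scope -EQ 'Computer') {
    $regKey = "HKLM:\$($e.Key)"
    $actual = (Get-ItemProperty -Path $regKey -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    $ok     = if ($null -eq $e.Data) { $null -eq $actual } else { $actual -eq $e.Data }
    $state  = if ($ok) { 'OK  ' } else { 'FAIL' }
    $shown  = if ($null -eq $actual) { '<absent>' } else { $actual }
    "$state $regKey\$($e.Name) = $shown"
}
```

The registry check at the end is the part worth keeping even if you drop the rest: gpedit only shows what the local registry.pol says, whereas the Policies keys under HKLM show what the client actually enforces, which is what you need to see when a DELETE appears to have had no effect.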

Conclusion

Now you know how to tweak local group policy using LGPO.exe. The examples provided should give you a baseline for how to use this in your organization. The last thing remaining is to deploy the package with a management tool such as SCCM or Workspace ONE.

32 thoughts on “How to use LGPO.exe to modify lgpo settings (with lgpo examples)”

  1. Many thanks for this article, you are a life saver! Our proxy settings were being deleted for some reason, despite having set registry settings or specifying manual settings. Using this web page as a guide I was able to parse the pol file and discovered this little nasty command:
    "Software\Policies\Microsoft\Internet Explorer\Control Panel **del.Proxy REG_SZ"

    I am not sure how it got there, but as soon as i deleted it all our proxy setting problems were resolved. You’re a legend!
  2. Dear Team,
    Currently I am using LGPO tool for Group Policy Backup and Restore.
    I need help on Registry Settings Backup Parameters list.
    I need a complete list of Registry Settings and Group Policy settings which are getting backed up during Group Policy Backup through the LGPO tool. I am creating a Registry Dictionary which contains each Registry Key and its description. I want this list for the same. I have already collected the registry list from the Registry.pol file, but apart from the Machine and User Registry.pol files, I need details of which Registry Settings I should consider while creating the Registry Dictionary.

    May I request you to please do the needful.
    Awaiting your valuable response.
    Thank you in Advance.
    • Looking at the lgpo.txt file should give you all of the registry paths that are getting set as part of lgpo. Is that what you are asking?
  3. I got this error while importing backup config to another machine:
    D:\>LGPO /m D:\Windows10v1.6.0\lgpo-user-l1.pol
    LGPO.exe v2.2 – Local Group Policy Object utility

    Import Machine settings from registry.pol: D:\Windows10v1.6.0\lgpo-user-l1.pol
    Unable to initialize Local GPO processing:

    No such interface supported

    (Error # 2147500034 = 0x80004002)
    • Paste screenshot? Possible issue is that you are trying to import “user” settings but using the “/m” switch, which is for machine. Make sure you use the correct switch depending on what settings you are wanting to apply.
  4. I am migrating from SCCM to Workspace ONE and would like to know if this key (HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU) is needed at all or how to configure it. SCCM sets a local policy with the WSUS server settings. I would like to know what the configuration of this key should be for WS1.
    • So if you use Workspace ONE and windows updates, you’ll be transitioning to Windows Update for Business which pulls everything from MS’s cloud and therefore this key will interfere with that. Normally if you exclude collections from Software Updates this key gets automatically removed. If you set it with GPO or LGPO then you’ll need to update those accordingly to not include that key. Keep in mind there is a way to use WS1 and WSUS together (in a way). MDM sets the key to use WSUS instead of Microsoft Update. In that case, this registry key will still be used.
  5. Hi, thanks for the very useful article. About the group policy of a user: could I back up a specified non-administrator user and restore it to another computer?
  6. Brooks – I’ve downloaded the LGPO file, however my custom GPO is failing with the following:

    C:\ProgramData\Airwatch\LGPO\LGPO.exe is not signed by Microsoft and Could be security risk. Please validate the executable is authentic and provide one that is signed for use.
  7. GREAT GREAT GREAT ! You saved my life…. The only post which REALLY explains how to use LGPO.

    And now I have a question :
    How, in the templgpo.txt, do I reset a value to its default/not configured instead of applying a value?

    Thank you.
    • Thank you! You should be able to go into gpedit.msc and flip the value back to not-configured and then re-export. You can also reset ALL lgpo following this article: https://www.tenforums.com/tutorials/68549-reset-local-group-policy-editor-settings-default-windows-10-a.html.
      I added a new section at the bottom on how to revert settings to “Not Configured”. You simply have to add a CLEAR command under each value and then apply the txt file with the /t switch.
    • To set a GPO setting to "not configured", you just delete that entry from the parsed text file. For example, you remove the section below from the exported text file, then you build a new registry.pol file as per the article.

      Computer
      Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
      NoAutorun
      DWORD:1
      • I added a new section at the bottom on how to revert settings to “Not Configured”. You simply have to add a CLEAR command under each value and then apply the txt file with the /t switch.
  8. Thank you so much Brooks!! I have been referring back to this page every time I need to make adjustments to the local GPO. Your instructions are so easy to follow. I was only able to set states back to “not configured” following your advice to delete the files out of C:\Windows\System32\GroupPolicy. Someone in the replies suggested setting them to delete in the parsed text and then converting to pol, but that has never worked for me. It’s almost like it skips over applying them (no effect).
  9. Hi, I have a quick question. I am in the process of building 600 workstations and each one will need GPOs created for the admin and user accounts via the MMC snap-in tool. I notice that LGPO is only used for local group policies. Can I use LGPO to export group policy users and import this onto the 600 workstations, as this will save me so much time? I have searched high and low all over the Internet and have hit a brick wall with this.

    Many thanks 🙂
    • So you certainly can do this, yes, but you'll need a management platform of some type to deploy the LGPO pack. Workspace ONE can certainly do this, along with MEM, BigFix, or any other PC management tool. But, since you have to deploy this to 600 workstations, why not just put all this in GPO, as that is what GPO is designed to do (distribute policy to many devices)? This is assuming they are domain joined though.
  10. Thanks for the response. I work for the MOD, so one thing we can't do is create a domain, due to the nature of where these clients will be deployed. I will look into this Workspace ONE though, thank you.