How to use LGPO tool (Windows Server 2016 - 2022) (Microsoft Security Compliance Toolkit)

Hello internet, in this guide I am going to show you how to use the LGPO.exe tool from the Microsoft Security Compliance Toolkit.

admin

1/12/2024

The first step of this tutorial is to download the LGPO.exe tool itself. You can download it by navigating to the Microsoft website or by using the following link: https://www.microsoft.com/en-us/download/details.aspx?id=55319. Remember, you cannot use group policy if you are on any Windows Home edition. From here, select the blue "Download" button and it will bring up the following menu:

Tick LGPO.zip and click the blue "Download" button. I have also ticked the Windows 11 Baseline Security zip, as I will be using it as an example for the rest of the tutorial. If you wish to use any Windows Security baseline, make sure you tick that as well. After your files have downloaded, extract both of them:

Make sure you have extracted the LGPO zip file, as well as the security baseline zip, if you downloaded one. The extracted folders should contain the following (Also, ignore the fact that I am on Windows 11 for a Windows 2016 - 2022 server tutorial, the instructions are the same and I am using my host machine):

The next step is to open an Administrative Command Prompt. To do this, right-click the Windows logo in the bottom left-hand side of your screen and select "PowerShell (Administrator)", or search for it in the Windows search bar:

Once you have opened your PowerShell terminal, you will need to change to the directory of the LGPO.exe tool (this will be in the extracted LGPO folder, with the default folder name being LGPO_30):

Once you are in the working directory of LGPO, we will make a backup of your existing group policy settings. This is so that we can fall back on it in the event of unwanted changes. To do this, enter the following command:

The command above will make a backup of your current group policy configuration in the root of the C: drive. The next command will put the group policy settings into place. You will need to locate the folder that holds the GUID. If you are using a Microsoft security baseline, it will be in the extracted folder. It's important to put quotation marks around the file location as well:

In this tutorial, the folder is called "{7AFCEE57-FD46-4225-94E7-A80DD57D1A31}" and it contains the security baseline for users. After running the command, you should see the following:

The final step of the tutorial is to run a command that will force the group policy settings to update. To do this, run the following command:

The result of this command should be the following:

The group policy settings are now in place. If you wish to reverse the changes that the group policy object put in place, run the /g command again, but with the GUID and file location of the backup object, and then run "gpupdate /force". This will change the group policy settings back to the ones you had before. If you would like a hand or think I got something wrong, let me know below.
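The whole procedure above (backup, import, refresh, rollback) as one PowerShell script. This is an added example, not the author's original commands: the `C:\Tools\...` paths and the helper names `Invoke-Lgpo` and `Get-GpoBackupFolder` are assumptions, `/b` (backup) and `/g` (import) are LGPO.exe's own switches, and the GUID is the one used in this tutorial.

```powershell
#Requires -RunAsAdministrator
# Added example, not the author's commands. All paths are assumptions; adjust them.
$ErrorActionPreference = 'Stop'

$LgpoDir    = 'C:\Tools\LGPO_30'   # assumed: where LGPO.zip was extracted
$BackupRoot = 'C:\'                # the tutorial backs up to the root of C:
# assumed location of the baseline GPO folder; the GUID is the one from the tutorial
$BaselineGpo = 'C:\Tools\Baseline\GPOs\{7AFCEE57-FD46-4225-94E7-A80DD57D1A31}'

function Invoke-Lgpo {
    param([Parameter(Mandatory)][string[]]$Arguments)
    & (Join-Path $LgpoDir 'LGPO.exe') @Arguments
    # assumption: LGPO.exe reports failure through a nonzero exit code
    if ($LASTEXITCODE -ne 0) { throw "LGPO.exe $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

function Get-GpoBackupFolder {
    # GPO backups are written as {GUID}-named folders
    Get-ChildItem -LiteralPath $BackupRoot -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }
}

# Refuse to start if the baseline folder is missing, so a typo cannot cause a partial run.
if (-not (Test-Path -LiteralPath $BaselineGpo -PathType Container)) {
    throw "Baseline GPO folder not found: $BaselineGpo"
}

# 1. Back up the current local policy; /b writes a new {GUID} folder under $BackupRoot.
$before = @(Get-GpoBackupFolder | ForEach-Object FullName)
Invoke-Lgpo -Arguments '/b', $BackupRoot
$backup = Get-GpoBackupFolder | Where-Object { $_.FullName -notin $before } | Select-Object -First 1
if (-not $backup) { throw 'Backup folder was not created; not applying the baseline.' }
"Backup written to $($backup.FullName)"

# 2. Import the baseline GPO. Passing the path as one argument keeps the braces intact.
Invoke-Lgpo -Arguments '/g', $BaselineGpo

# 3. Refresh policy so the imported settings take effect.
gpupdate /force

# Rollback: import the backup taken in step 1, then refresh again.
# Invoke-Lgpo -Arguments '/g', $backup.FullName
# gpupdate /force
```

Record the backup path the script prints; it is the folder you pass to `/g` when rolling back.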
