Windows 10

Deploying a Local Security Policy

INTRO

The Local Security Policy in Windows is used to set a vast array of settings within Windows. Normally in a domain environment, these features are controlled from the Domain Controller via Group Policy and the Local Security Policy is ignored.

In the ever changing world of IT and the fact that the economy is doing terrible right now, much of it due to Biden’s horrible leadership, businesses are cutting back. Some are moving away from domain servers to RMM only management or more simple domains with the use of a Synology Directory Server. So scripts will be needed to manage large numbers of endpoints.

POWERSHELL SCRIPT

PowerShell
# Check Windows version and edition
$WindowsVersion = (Get-WmiObject -Class Win32_OperatingSystem).Caption
$WindowsEdition = (Get-CimInstance -ClassName Win32_OperatingSystem).OperatingSystemSKU

# Extract package pulled down from LTShare
Expand-Archive -Path "C:\TEMP\LSPs.zip" -DestinationPath "C:\TEMP\LSPs" -Force

# Define the base file path for Local Security Policies
$PolicyPath = "C:\TEMP\LSPs"

# Check Windows version and edition and apply Local Security Policy
if ($WindowsVersion -like 'Microsoft Windows 10*') {
    switch ($WindowsEdition) {
        48 {
            # Windows 10 Pro edition
            secedit.exe /configure /db $env:windir\security\SecDbCompany.sdb /cfg "$PolicyPath\Windows10Pro.inf" /areas SECURITYPOLICY /overwrite /quiet
        }
        125 {
            # Windows 10 Enterprise edition
            secedit.exe /configure /db $env:windir\security\SecDbCompany.sdb /cfg "$PolicyPath\Windows10Enterprise.inf" /areas SECURITYPOLICY /overwrite /quiet
        }
        default {
            Write-Host "Unsupported Windows 10 edition."
        }
    }
}
elseif ($WindowsVersion -like 'Microsoft Windows 11*') {
    switch ($WindowsEdition) {
        48 {
            # Windows 11 Pro edition
            secedit.exe /configure /db $env:windir\security\SecDbCompany.sdb /cfg "$PolicyPath\Windows11Pro.inf" /areas SECURITYPOLICY /overwrite /quiet
        }
        125 {
            # Windows 11 Enterprise edition
            secedit.exe /configure /db $env:windir\security\SecDbCompany.sdb /cfg "$PolicyPath\Windows11Enterprise.inf" /areas SECURITYPOLICY /overwrite /quiet
        }
        default {
            Write-Host "Unsupported Windows 11 edition."
        }
    }
}
else {
    Write-Host "Unsupported Windows version."
}

EXPLANATION OF SCRIPT

The script above has been tested by me and working. When run on an endpoint it will check if it’s either Windows 10 or 11, and also confirm if Pro or Enterprise edition since Home does not have the Local Security Policy feature set. You will need to supply your exported policy files and paths and pull down the policies first to your endpoint. This script was created for use in ConnectWise Automate, so I had the policy files pulled down via the LTShare using the File Transfer option before the script to download my zipped package to the client.

CW AUTOMATE LTSHARE ISSUES

The LTShare for ConnectWise Automate can be problematic. If your Automate server is hosted by ConnectWise to get started you will go here:

  • Go to ConnectWise University -> Support -> Automate Resources -> My Server Dashboard -> Server Actions -> Reset WebDAV Password
    • Follow the instructions here.
      • The WebClient service in Windows must be set to automatic.

I also notice sometimes when mapping the drive it just won’t work and I have to reset the WebDAV password again to get it to map. It’s a pain point with ConnectWise but once you move your files over you don’t go in there much. Also see this for more help.

CONCLUSION

That should be it, happy automating.

/0 Comments/by
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *