Deploying Local Security Policies at Scale Using RMM Tools

🛡️ Understanding Local Security Policy in Modern IT Environments
The Local Security Policy in Windows provides administrators with the ability to configure a wide range of security-related settings on individual machines. In traditional domain environments, these settings are typically managed centrally through Group Policy on a Domain Controller, rendering the local policy less relevant.
However, in today’s rapidly evolving IT landscape—and amid economic challenges—many organizations are reducing costs and moving away from traditional domain-based infrastructures. As a result, businesses are adopting alternatives such as RMM (Remote Monitoring and Management) tools or lightweight domain solutions like Synology Directory Server. In these scenarios, scripting becomes essential for efficiently managing and securing large numbers of endpoints.
💻 PS Script for Local Security Policy Management
# Read the Windows caption and edition SKU with a single CIM query
$OS = Get-CimInstance -ClassName Win32_OperatingSystem
$WindowsVersion = $OS.Caption
$WindowsEdition = $OS.OperatingSystemSKU
# Extract package pulled down from LTShare
Expand-Archive -Path "C:\TEMP\LSPs.zip" -DestinationPath "C:\TEMP\LSPs" -Force
# Define the base file path for Local Security Policies
$PolicyPath = "C:\TEMP\LSPs"
# Security database that secedit builds from the template
$PolicyDb = "$env:windir\security\SecDbCompany.sdb"
# Check Windows version and edition and apply Local Security Policy
if ($WindowsVersion -like 'Microsoft Windows 10*') {
    switch ($WindowsEdition) {
        48 {
            # Windows 10 Pro edition
            secedit.exe /configure /db $PolicyDb /cfg "$PolicyPath\Windows10Pro.inf" /areas SECURITYPOLICY /overwrite /quiet
        }
        { $_ -in 4, 125 } {
            # Windows 10 Enterprise edition (SKU 4) and Enterprise LTSC (SKU 125)
            secedit.exe /configure /db $PolicyDb /cfg "$PolicyPath\Windows10Enterprise.inf" /areas SECURITYPOLICY /overwrite /quiet
        }
        default {
            Write-Host "Unsupported Windows 10 edition."
        }
    }
}
elseif ($WindowsVersion -like 'Microsoft Windows 11*') {
    switch ($WindowsEdition) {
        48 {
            # Windows 11 Pro edition
            secedit.exe /configure /db $PolicyDb /cfg "$PolicyPath\Windows11Pro.inf" /areas SECURITYPOLICY /overwrite /quiet
        }
        { $_ -in 4, 125 } {
            # Windows 11 Enterprise edition (SKU 4) and Enterprise LTSC (SKU 125)
            secedit.exe /configure /db $PolicyDb /cfg "$PolicyPath\Windows11Enterprise.inf" /areas SECURITYPOLICY /overwrite /quiet
        }
        default {
            Write-Host "Unsupported Windows 11 edition."
        }
    }
}
else {
    Write-Host "Unsupported Windows version."
}
🧠 Script Explanation
The PowerShell script above has been tested and is fully functional. When executed on an endpoint, it checks whether the operating system is Windows 10 or 11 and verifies that it’s either the Pro or Enterprise edition—since Home editions do not support Local Security Policy features.
Before running the script, make sure to supply the necessary exported policy files and their paths. You’ll need to download the policy files to the endpoint first.
This script was originally developed for use with ConnectWise Automate. I utilized the LTShare file transfer option to send a zipped package containing the policy files to the client machine prior to running the script.
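Because the package reaches the endpoint through a file share and `secedit` runs with `/quiet`, it helps to confirm that the archive is the one you built and that the settings actually landed. The following is an added example, not part of the original script: `$ExpectedHash` is a placeholder you must fill in, and the backup path, the `lsp-after.inf` file name and the `Get-SystemAccess` helper are assumptions made for illustration.

```powershell
# Added example: integrity check, pre-change export and post-apply verification.
# $ExpectedHash is a placeholder; record the real SHA-256 when you build LSPs.zip.
$ZipPath      = 'C:\TEMP\LSPs.zip'
$PolicyPath   = 'C:\TEMP\LSPs'
$Template     = Join-Path $PolicyPath 'Windows11Pro.inf'   # pick per edition, as in the script above
$ExpectedHash = '<SHA256-OF-LSPs.zip>'
$Db           = Join-Path $env:windir 'security\SecDbCompany.sdb'
$Backup       = Join-Path $env:windir ("security\lsp-backup-{0:yyyyMMdd-HHmmss}.inf" -f (Get-Date))

# 1. Refuse to apply a package that is not the one you built.
$actual = (Get-FileHash -Path $ZipPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedHash) { throw "LSPs.zip hash mismatch: $actual" }
Expand-Archive -Path $ZipPath -DestinationPath $PolicyPath -Force

# 2. Export the current settings so the previous values are on record.
secedit.exe /export /cfg $Backup /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "Backup export failed (exit code $LASTEXITCODE)" }

# 3. Apply the template; with /quiet nothing is printed, so check the exit code.
secedit.exe /configure /db $Db /cfg $Template /areas SECURITYPOLICY /overwrite /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed (exit code $LASTEXITCODE)" }

# Hypothetical helper: read "Name = Value" pairs from the [System Access] section.
function Get-SystemAccess([string]$Path) {
    $settings = @{}; $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*([^=;]+?)\s*=\s*(.*?)\s*$') { $settings[$Matches[1]] = $Matches[2] }
    }
    $settings
}

# 4. Export again and compare what the machine reports with what the template asked for.
$After = Join-Path $env:TEMP 'lsp-after.inf'
secedit.exe /export /cfg $After /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "Verification export failed (exit code $LASTEXITCODE)" }
$want = Get-SystemAccess $Template
$have = Get-SystemAccess $After
$drift = foreach ($name in $want.Keys) {
    if ($have[$name] -ne $want[$name]) {
        [pscustomobject]@{ Setting = $name; Expected = $want[$name]; Actual = $have[$name] }
    }
}
if ($drift) { $drift | Format-Table -AutoSize | Out-Host; exit 1 }
Write-Output "Policy applied and verified: $($want.Count) System Access settings match."
```

The non-zero exit on drift lets the RMM job report the endpoint as failed instead of silently succeeding.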
⚠️ ConnectWise Automate LTShare Tips & Issues
The LTShare feature in ConnectWise Automate can be unreliable at times. If your Automate server is hosted by ConnectWise, follow these steps to get started:
- Go to ConnectWise University → Support → Automate Resources
- Navigate to My Server Dashboard → Server Actions → Reset WebDAV Password
- Follow the on-screen instructions
💡 Important Notes:
- For further assistance, consult official ConnectWise documentation or community forums.
- The WebClient service in Windows must be set to Automatic.
- Occasionally, the mapped drive may fail to connect until you reset the WebDAV password again—a known pain point with ConnectWise.
- Once your files are transferred, you’ll rarely need to revisit this setup.
✅ Conclusion
That’s all there is to it—happy scripting and automating! 🚀
With the right setup, managing Local Security Policies across multiple endpoints becomes much easier and more scalable.
🌿 Final Thoughts
As IT environments continue to evolve and budgets tighten, leveraging tools like PowerShell and platforms such as ConnectWise Automate becomes essential for efficient endpoint management. While there may be some setup hurdles—especially with file transfers and LTShare—once configured, these scripts can save significant time and ensure consistent policy enforcement across your network. Stay adaptable, script smart, and keep your systems secure.

My name is Dex, author at WinReflection.