Windows 10 Local Group Policy Deployment from GPO Backup

Just wanted to share a small script I’ve developed for deployment of GPO to Windows endpoint Local Group Policy - https://github.com/MoBlue/hardening.
This may assist with security baseline deployment to standalone Windows endpoints, bypassing the necessity for a domain. You can create any GPO you want in AD/SCM, back it up and use the script for deployment.

The script uses Microsoft LGPO to import GPO backup folder to Local Group Policy.

On the way, it copies ADMX/ADML templates to C:\WINDOWS\policyDefinitions.

To use with ITSM, after following the prerequisites (see README), just copy the deploy.py content to a new procedure, edit it with the relevant settings and run.
I tested it running as the system user, so I’m not sure how it would behave with a logged-in user (it should fail in theory).

Hope you find it helpful, let me know if you think of any improvements (except in the TO DO list).
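As an added example (not the script from the linked repository), a Python outline of the same procedure: copy the ADMX/ADML templates into PolicyDefinitions, then hand the backup folder to LGPO.exe /g. The LGPO path, templates folder and backup folder are assumptions, and the command is passed as an argument list so a space in the root path needs no quoting.

```python
"""Import a GPO backup into Local Group Policy with Microsoft LGPO.exe.

Added example, not the deploy.py from the linked repository. Assumes a
templates folder laid out like PolicyDefinitions (*.admx files plus a
language subfolder such as en-US holding *.adml); all paths are assumed.
"""
import pathlib
import shutil
import subprocess

POLICY_DEFINITIONS = pathlib.Path(r"C:\Windows\PolicyDefinitions")


def find_backups(backup_root):
    """LGPO /g imports every GPO backup found under a path; each backup is a
    folder holding a backup.xml (matched case-insensitively)."""
    return sorted(p.parent for p in pathlib.Path(backup_root).rglob("*")
                  if p.is_file() and p.name.lower() == "backup.xml")


def copy_templates(src, dest=POLICY_DEFINITIONS):
    """Copy *.admx into PolicyDefinitions and *.adml into the matching
    language subfolder. Returns the number of files copied."""
    src, dest = pathlib.Path(src), pathlib.Path(dest)
    copied = 0
    for path in src.rglob("*"):
        if path.suffix.lower() not in (".admx", ".adml"):
            continue
        target = dest / path.relative_to(src)  # keeps en-US\ for .adml
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        copied += 1
    return copied


def build_lgpo_command(lgpo_exe, backup_root):
    """Argument list for subprocess (no shell), so a space in the root path
    needs no manual quoting."""
    return [str(lgpo_exe), "/v", "/g", str(backup_root)]


def deploy(lgpo_exe, backup_root, templates, dest=POLICY_DEFINITIONS):
    """Copy templates, then import. LGPO's output is captured and returned so
    an execution log that shows only blank lines still yields the real error."""
    if not find_backups(backup_root):
        raise FileNotFoundError(f"no backup.xml found under {backup_root}")
    copy_templates(templates, dest)
    result = subprocess.run(build_lgpo_command(lgpo_exe, backup_root),
                            capture_output=True, text=True)
    return result.returncode, result.stdout, result.stderr
```

Call `deploy(r"C:\Tools\LGPO.exe", r"C:\GPO Backups", r"C:\Tools\templates")` from the procedure and write the returned stdout/stderr to a log file, since that is what the ITSM execution log would otherwise swallow.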

Thank you very much @grsee for sharing your own Local Group Policy deployment method to the whole C1 community!

Hello @grsee

The script you displayed works like a charm! No improvements needed, since you have attained the vital part and made note of the to-do tasks. We are glad to hear that you have tested your script on our C1 platform. Hope you know “GPO is not applied when users of that group are logged on”; our portal follows the same mechanism. As you tested as the System user it will satisfy your needs, but as a logged-in user it surely will not experience the changes. You can reach us anytime for any modification and find our heap of scripts here:

https://scripts.comodo.com/

Anyway, good job.

Thank you.

Hello @grsee

Firstly I’d like to thank you for creating and sharing your script, it is exactly what I was looking for. Unfortunately I have been unable to execute it successfully and the Execution Log just shows blank lines where I would expect errors to be printed. My assumption is that a permission issue is preventing files from being copied into the Windows folders and is also preventing lgpo.exe from doing its thing, even though I am using the “System user”. Any input would be greatly appreciated. Thank you!

Edit: I just noticed that there is a space in my rootpath whereas there isn’t any in yours, could that be throwing a wrench in it?

Loving this, and will be looking at this more deeply as it is something that has been needed for a long time.
Would be nicer if this was a proper feature inside Endpoint Manager and you could configure the policies via the website etc.