Czennen

Gpedit.msc silent value change

14 posts in this topic

Hi there, I wanna make an automation tool that changes the values in gpedit.msc.

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > App Package Deployment

and enable the following:

-Allow all trusted apps to install

-Allows development of Windows Store applications and installing them directly from an IDE

 

As much as possible we were advised to use minimal UI.

I'm pretty new to gpedit.msc so any help would be really appreciated, thank you :)




#2 ·  Posted (edited)

the simplest way would be to create a settings file with your required settings (that is an .ini file, actually) and import it using the secedit.exe utility.

this, of course, requires administrative rights in effect. i did this once, give me a minute to locate that script...

 

EDIT: i was managing the "Security Settings" policy, which makes import/export quite easy. however i do not see the template you refer to on my machine, which may imply a slightly different approach. is it a custom template? what OS are you on?

Edited by orbs


I'm using windows 10 XD may I see the script you used for the security settings so I can get the gist of it? and an example of what the content of the ini file looks like? ><


ok, here's how it goes: security policy is stored and worked differently than all other policies. for non-security policies, the brute solution is to copy the policy (.pol files) from a machine already configured, to a new machine, and then wait, reboot or "gpupdate /force".

.pol files are stored in system32\grouppolicy\machine and system32\grouppolicy\user folders.

of course, that brute solution may not work. Microsoft has some notorious ways to obfuscate some of its settings, when they don't want to encourage usage. the Microsoft way would be, of course, "join your machines to a domain". which is a reasonable answer, if you are Microsoft; assuming you are not, start with that brute solution, see how it works.

the solution for the security policy is not applicable for your issue.


I'm trying for the brute solution, but for some the files doesn't copy >< can you check if there's an error in this code?

 

#RequireAdmin

FileCopy("comment.cmtx","C:\Windows\System32\GroupPolicy\Machine",1)
FileCopy("Registry.pol","C:\Windows\System32\GroupPolicy\Machine",1)
MsgBox(0,"Alert","GPEDIT Fix Done")

 


... for some the files doesn't copy ...

am i to assume that for some, the files DO copy? if so, have you applied the copied policy? if so, does it work?

make sure you have sufficient permissions. #RequireAdmin is not sufficient when it comes to copy over network - and sometimes, not even for local operations.

use full paths for FileCopy(). you never know how some systems are configured.

use trailing backslash for the destination folder in FileCopy().

and most important: check the result of FileCopy() - the return value and the @error status. what do they say? according to that, you should condition the final MsgBox().
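
The checks suggested in this reply, written out as an added AutoIt example (not code from any participant in the thread). It assumes the two policy files sit in the script's own folder; the Sysnative handling for a 32-bit script on 64-bit Windows is an addition beyond what the reply lists.

```autoit
#RequireAdmin
; Added example: copy exported local policy files with every step checked.
; Assumption: comment.cmtx and Registry.pol are in the script's folder.
Local $sSourceDir = @ScriptDir & "\"

; A 32-bit script on 64-bit Windows has System32 redirected to SysWOW64;
; the Sysnative alias reaches the real System32 from a 32-bit process.
Local $sSystemDir = @SystemDir
If @OSArch <> "X86" And Not @AutoItX64 Then $sSystemDir = @WindowsDir & "\Sysnative"

; Full path with a trailing backslash, so the destination is read as a folder.
Local $sDestDir = $sSystemDir & "\GroupPolicy\Machine\"

Local $aFiles[2] = ["comment.cmtx", "Registry.pol"]
Local $sFailed = ""

If Not IsAdmin() Then
    MsgBox(16, "Alert", "Not running elevated; nothing was copied.")
    Exit 1
EndIf

For $i = 0 To UBound($aFiles) - 1
    Local $sSrc = $sSourceDir & $aFiles[$i]
    If Not FileExists($sSrc) Then
        $sFailed &= $aFiles[$i] & " (source missing)" & @CRLF
        ContinueLoop
    EndIf
    ; Flag 1 = overwrite, 8 = create destination folder structure (1 + 8 = 9).
    ; FileCopy returns 1 on success and 0 on failure.
    If FileCopy($sSrc, $sDestDir, 9) = 0 Then
        $sFailed &= $aFiles[$i] & " (copy failed)" & @CRLF
    EndIf
Next

; Report success only when every file was actually copied.
If $sFailed = "" Then
    MsgBox(64, "Alert", "Policy files copied to " & $sDestDir)
Else
    MsgBox(16, "Alert", "Not copied:" & @CRLF & $sFailed)
    Exit 1
EndIf
```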


ok, i saw this maybe an hour ago, figured, "hey, cool! i'll have it installed and running, then i'll test the OP request".

got the latest version (3.0.60) of "Microsoft Security Compliance Manager", which includes LocalGPO.msi, straight from the horse's mouth:

https://www.microsoft.com/en-us/download/details.aspx?id=16776

just - finally - finished installing the bloody thing. on a quite clean Windows 10, it wanted .NET, then it wanted SQL Express, fine. go get it. then i had to install the LocalGPO.msi, which was only extracted by the SCM setup.

now, i'm ok with all that Microsoft scratch-left-ear-with-right-hand-over-the-head thing, as long as it finally works. unfortunately...

[Screenshot: LocalGPO_on_Win10]

so, is 3.0.60 the latest version? or has SCM been replaced by some other product for Windows 10? what's going on? google can not suggest any answers, or i'm a bit rusty at the knuckles...

 

 


If I'm not mistaken, each Administrative Templates entry corresponds to a registry value.

Since it's a computer policy, you can write it in the HKLM\Software hive. (To find the registry entries for your need, look at the RegShot utility, for example; it's a great tool for comparing 2 registry/files shots.)

But if you really want to modify the local policies, Jon's way seems to be the only one...


Ah, I found a post saying the tool has a script that needs to be modified to get it to work on win 10.

There is an updated localgpo.wsf script here: http://blogs.technet.com/b/secguide/archive/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final.aspx

Then it looks like you have to make it think win 10 is OK in the script by modifying the LocalGPO.wsf and GPOPack.wsf scripts as said here: https://social.technet.microsoft.com/Forums/en-US/e98d8ac5-b091-4209-bc0d-02ba020666e0/localgpo-tool-for-windows-81?forum=compliancemanagement 

Hopefully they'll release a fixed version soon.


#11 ·  Posted (edited)

If I'm not mistaken, each Administrative Templates entry corresponds to a registry value.

Yeah pretty much. For setting HKLM policies I would just find out the corresponding HKLM/Software/Policies key and set that directly. It's the user policies that are an issue. The nice thing about the LocalGPO tool is that you can apply user policies down to the group level. If user then apply, if admin then don't, etc.

Looking at the OP's settings, I'd be fairly certain they are HKLM settings that could be done with a reg key. Let me check.

Edited by Jon


Here you go:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx]
"AllowAllTrustedApps"=dword:00000001
"AllowDevelopmentWithoutDevLicense"=dword:00000001
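
An added AutoIt example (not part of the original post) that writes the same two values with RegWrite, checks each call, and reads the result back, recording the previous state so the change can be audited or reverted. The key and value names are the ones in the .reg file above; everything else is illustrative.

```autoit
#RequireAdmin
; Added example: apply the two Appx policy values from the .reg file above
; and verify them. Key and value names are taken from the post.
Local Const $sKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx"
Local $aValues[2] = ["AllowAllTrustedApps", "AllowDevelopmentWithoutDevLicense"]
Local $sReport = "", $bAllOk = True

For $i = 0 To UBound($aValues) - 1
    ; Record the previous state for the audit trail or a later rollback.
    Local $vBefore = RegRead($sKey, $aValues[$i])
    If @error Then $vBefore = "(not set)"

    ; RegWrite returns 0 and sets @error when the write fails.
    If RegWrite($sKey, $aValues[$i], "REG_DWORD", 1) = 0 Then
        $sReport &= $aValues[$i] & ": write failed, @error=" & @error & @CRLF
        $bAllOk = False
        ContinueLoop
    EndIf

    ; Read the value back instead of trusting the write.
    Local $vAfter = RegRead($sKey, $aValues[$i])
    If @error Or $vAfter <> 1 Then
        $sReport &= $aValues[$i] & ": verification failed" & @CRLF
        $bAllOk = False
    Else
        $sReport &= $aValues[$i] & ": " & $vBefore & " -> " & $vAfter & @CRLF
    EndIf
Next

If $bAllOk Then
    MsgBox(64, "Appx policy", $sReport)
Else
    MsgBox(16, "Appx policy", $sReport)
    Exit 1
EndIf
```

Values written directly to the registry are not shown in gpedit.msc, which reads the local policy from Registry.pol.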

 


Thanks jguinch for mention of RegShot :)

I have been doing this a hardware way for a long time. 

Question: With a change like say Disable Shutdown, is there a way to force refresh of the environment so it takes effect immediately without reboot/logoff?

I tried EnvUpdate() and a close/open of Explorer.exe. But I think there have been other "forced" update methods that may work for my change.

http://www.pctools.com/guides/registry/detail/146/

 
