Gpedit.msc silent value change

[Czennen]

Hi there, I wanna make an automation tool that changes the values in gpedit.msc.

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > App Package Deployment

and enable the following:

-Allow all trusted apps to install

-Allows development of Windows Store applications and installing them directly from an IDE

 

As much as possible we were adviced to use minimal UI.

I'm pretty new to gpedit.msc so any help would be really appreciated, thank you

[orbs]

the simplest way would be to create a settings file with your required settings (that is an .ini file, actually) and import it using the secedit.exe utility.

this, of course, requires administrative rights in effect. i did this once, give me a minute to locate that script...

 

EDIT: i was managing the "Security Settings" policy, which makes import/export quite easy. however i do not see the template you refer to on my machine, which may imply a slightly different approach. is it a custom template? what OS are you on?

Edited August 4, 2015 by orbs

[Czennen]

I'm using windows 10 XD may I see the script you used for the security settings so I can get the gist of it? and an example of what the content of the ini file looks like? ><

[orbs]

ok, here's how it goes: security policy is stored and worked differently then all other policies. for non-security policies, the brute solution is to copy the policy (.pol files) from a machine already configured, to a new machine, and then wait, reboot or "gpupdate /force".

.pol files are stored in system32\grouppolicy\machine and system32\grouppolicy\user folders.

of course, that brute solution may not work. Microsoft has some notorious ways to obfuscate some of it's settings, when they don't want to encourage usage. the Microsoft way would be, of course, "join your machines to a domain". which is a reasonable answer, if you are Microsoft; assuming you are not, start with that brute solution, see how it works.

the solution for the security policy is not applicable for your issue.

[Czennen]

I'm trying for the brute solution, but for some the files doesn't copy >< can you check if there's an error in this code?

 

#RequireAdmin

FileCopy("comment.cmtx","C:\Windows\System32\GroupPolicy\Machine",1)
FileCopy("Registry.pol","C:\Windows\System32\GroupPolicy\Machine",1)
MsgBox(0,"Alert","GPEDIT Fix Done")

 

[orbs]

... for some the files doesn't copy ...

am i to assume that for some, the files DO copy? if so, have you applied the copied policy? if so, does it work?

make sure you have sufficient permissions. #RequireAdmin is not sufficient when it comes to copy over network - and sometimes, not even for local operations.

use full paths for FileCopy(). you never know how some systems are configured.

use trailing backslash for the destination folder in FileCopy().

and most important: check the result of FileCopy() - the return value and the @error status. what do they say? according to that, you should condition the final MsgBox().

[Jon]

Better off using this official tool that lets you use the normal domain GPO editors to create and then converts it into a proper local policy that you can apply. No hacking around required.  

https://gallery.technet.microsoft.com/LocalGPOmsi-Excellent-MS-2593b2eb 

Edited August 4, 2015 by Jon

[orbs]

ok, i saw this maybe an hour ago, figured, "hey, cool! i'll have it installed and running, then i'll test the OP request".

got the latest version (3.0.60) of "Microsoft Security Compliance Manager", which includes LocalGPO.msi, straight from the horse's mouth:

https://www.microsoft.com/en-us/download/details.aspx?id=16776

just - finally - finished installing the bloody thing. on a quite clean Windows 10, it wanted .NET, then it wanted SQL Express, fine. go get it. then i had to install the LocalGPO.msi, which was only extracted by the SCM setup.

now, i'm ok with all that Microsoft scratch-left-ear-with-right-hand-over-the-head thing, as long as it finally works. unfortunately...

 

so, is 3.0.60 the latest version? or has SCM been replaced by some other product for Windows 10? what's going on? google can not suggest any answers, or i'm a bit rusty at the knuckles...

 

 

[jguinch]

If I'm not mistaken, each Administrative Templates entry correspond to a registry value.

Since it's a computer policy, you can write it in the HKLM\Software hive. (to find the registry entries for your need, look at RegShot utility - for example (it's a great tool for comparing 2 registry/files shots).

But if you really want to modify the local policies, Jon's way seems to be the only one...

[Jon]

Ah, I found a post saying the tool has a script that needs to be modified to get it to work on win 10.

There is an updated localgpo.wsf script here: http://blogs.technet.com/b/secguide/archive/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final.aspx

Then it looks like you have to make it think win 10 is OK in the script by modifying the LocalGPO.wsf and GPOPack.wsf scripts as said here: https://social.technet.microsoft.com/Forums/en-US/e98d8ac5-b091-4209-bc0d-02ba020666e0/localgpo-tool-for-windows-81?forum=compliancemanagement 

Hopefully they'll release a fixed version soon.

[Jon]

If I'm not mistaken, each Administrative Templates entry correspond to a registry value.

Yeah pretty much. For setting HLKM polices I would just find out the corresponding HKLM/Software/Policies key and set that directly. It's the user policies that are an issue. The nice thing about the LocalGPO tool is that you can apply user polices down to the group level. If user then apply, if admin then don't, etc.

Looking at the OP's settings, I'd be fairly certain they are HKLM settings that could be done with a reg key. Let me check.

Edited August 4, 2015 by Jon

[Jon]

Here you go:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx]
"AllowAllTrustedApps"=dword:00000001
"AllowDevelopmentWithoutDevLicense"=dword:00000001

 

[ViciousXUSMC]

Thanks jguinch for mention of RegShot

I have been doing this a hardware way for a long time. 

Question: With a change like say Disable Shutdown, is there a way to force refresh of the environment so it takes effect immediately without reboot/logoff?

I tried EnvUpdate() and a close/open of Explorer.exe  But I think there have been other "forced" update methods that may work for my change.

http://www.pctools.com/guides/registry/detail/146/

 

[jguinch]

I don't know if it's possible, but if it's the case, I would like to know how...