How to individually modify and deploy local GPO settings (LGPO)

If you use lgpo.exe to deploy a local group policy “pack” to your client machines, you’ve definitely run into the need to make changes later. You can certainly makes changes to your reference machine, take a new backup, and re-deploy the whole thing to your client machines but that means you are re-deploying every setting you have configured. This makes it a little more impactful to the client due to the number of changes you are re-configuring as well as the fact that older versions of Windows 10 are not compatible with lgpo backups made on newer versions. Here is a way to simply change one or two changes to your client machines without having to re-deploy the entire LGPO pack.

The Process

1. Ensure you have downloaded lgpo.exe from MS’s website here
2. Copy to a folder. I’ll use C:Temp
3. Open cmd prompt as administrator and change directory to c:Temp
4 Make any changes to local group policy via gpedit.msc
5. Take a backup by running this command:
lgpo.exe /b C:\Temp /n “Backup”


6. This exports the LGPO into a folder with a GUID. I would recommend re-naming to something easier. Example, “LGPO_Backup”
7. Now you are going to want to parse this backup into a text file.
LGPO.exe /parse /m C:\Temp\LGPO_Backup\DomainSysvol\GPO\Machine\registry.pol >> C:\Templgpo.txt


Note: You can also do this for “user” settings as well by loading the registry.pol in DomainSysvol\GPO\User\registry.pol. This text file will contain every setting configured. Delete the ones you don’t want and then find the ones you do want and edit those. In my example I want to allow users to add applications to the “public” firewall profile as its currently being blocked. I edited by text file to look like this:

9. Once you have made your changes, you will need to build a new registry.pol file that you can use to import. Run this command:
LGPO.exe /r C:\Temp\lgpo.txt /w C:\Temp\registry_new.pol

10. Next, import the settings to ensure the changes have taken effect (flip back the settings in gpedit.msc, run import, and then close/reopen gpedit.msc)
LGPO.exe /m C:\Temp\registry_new.pol

Note that if you are apply user level settings, you will need to use the /u switch.

This Post Has 27 Comments

  1. Ryan

    Pictures are not showing up on the site. We are looking to do the same thing from Workspace One.

    1. Brooks Peppin

      Thank you! I just recently migrated platforms and not all the images came over properly. Updating it soon…

  2. Bobby


    I think the links to the pictures are broken on this page.

    1. Brooks Peppin

      Thank you! I just recently migrated platforms and not all the images came over properly. Updating it soon…

  3. Jeremy

    Note: user policy operations require a /u instead of a /m

    1. Brooks Peppin

      Ah yes thanks for pointing this out. Article is updated.

  4. Mike W

    Many thanks for this article, you are a life saver! Our proxy settings were being deleted for some reason, despite having set registry settings or specifying manual settings, using this web page as a guide i was able to parse the pol file and discovered this little nasty command:
    “Software\Policies\Microsoft\Internet Explorer\Control Panel **del.Proxy REG_SZ”

    I am not sure how it got there, but as soon as i deleted it all our proxy setting problems were resolved. You’re a legend!

    1. Brooks Peppin

      Great! Glad to hear it has been helpful for you.


    Dear Team,
    Currently I am using LGPO tool for Group Policy Backup and Restore.
    I need help on Registry Settings Backup Parameters list.
    I need a complete list of Registry Settings and Group Policy settings which are getting Backed up during Group Policy Backup through LGPO tool. I am creating Registry Dictionary which contains Registry Key and it’s description. I want this list for the same. I have already collected registry list from Registry.pol file but apart from this Machine and User Registry.pol file, I need details of Registry Settings which shall I consider while creating Registry Dictionary.

    May I request you to please do the needful.
    Awaiting for your valuable response.
    Thank you in Advance.

    1. Brooks Peppin

      Looking at the lgpo.txt file should give you all of the registry paths that are getting set as part of lgpo. Is that what you are asking?

  6. bob

    when i parse i do not see windows settings or admin templates. I am running lgpo as administrator …

    1. Brooks Peppin

      Not quite sure what you are asking here. What are you seeing? Is the file empty?

  7. Phu Ha

    I got this error while importing backup config to another machine:
    D:\>LGPO /m D:\Windows10v1.6.0\lgpo-user-l1.pol
    LGPO.exe v2.2 – Local Group Policy Object utility

    Import Machine settings from registry.pol: D:\Windows10v1.6.0\lgpo-user-l1.pol
    Unable to initialize Local GPO processing:

    No such interface supported

    (Error # 2147500034 = 0x80004002)

    1. Brooks Peppin

      Paste screenshot? Possible issue is that you are trying to import “user” settings but using the “/m” switch, which is for machine. Make sure you use the correct switch depending on what settings you are wanting to apply.

  8. ADUSer

    Great article from bookspeppin.Using command prompt changing group policy is a good thing.Thanks for Sharing this article

  9. Rob S

    Brooks! Thank you!

    Wonderful post. It is a lifesaver!

  10. Homer

    I am migrating from SCCM to Workspace ONE and would like to know if this key (HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU) is needed at all or how to configure. SCCM sets a local policy with the WSUS server settings. I would lie to know what the configuration of this key should be for WS1.

    1. Brooks Peppin

      So if you use Workspace ONE and windows updates, you’ll be transitioning to Windows Update for Business which pulls everything from MS’s cloud and therefore this key will interfere with that. Normally if you exclude collections from Software Updates this key gets automatically removed. If you set it with GPO or LGPO then you’ll need to update those accordingly to not include that key. Keep in mind there is a way to use WS1 and WSUS together (in a way). MDM sets the key to use WSUS instead of Microsoft Update. In that case, this registry key will still be used.

  11. Alex

    Hi, thanks to the very userful article. About the group policy of user, could I backup a specified non-administrator user and restore to other computer?

    1. Brooks Peppin

      I would think you can. Did you try it?

  12. paul baranouski

    Brooks – I’ve downloaded the LGPO file, however my custom GPO is failing with the following:

    C:\ProgramData\Airwatch\LGPO\LGPO.exe is not signed by Microsoft and Could be security risk. Please validate the executable is authentic and provide one that is signed for use.

    1. Brooks Peppin

      Hmm. Where is this error showing? In UEM console or on the client?

  13. Fred

    GREAT GREAT GREAT ! You saved my life…. The only post which REALLY explainS how to use LGPO.

    And now I have a question :
    How in the templgpo.txt reset a value to its default/not configured, instead of applying a value ?

    Thank you.

    1. Andrei

      To set a gpo setting to “not configured”, you just delete that entry from parsed text file, for example you remove the below section from the exported text file, then you build a new registry.pol file as per article


  14. Peggy

    Thank you so much Brooks!! I have been referring back to this page every time I need to make adjustments to the local GPO. Your instructions are so easy to follow. I was only able to set states back to “not configured” following your advice to delete the files out of C:\Windows\System32\GroupPolicy. Someone in the replies suggested setting them to delete in the parsed text and then converting to pol, but that has never worked for me. It’s almost like it skips over applying them (no effect).

    1. Brooks Peppin

      Glad it’s helpful!

Leave a Reply