A local group policy intended for standalone Windows 11 devices. It aims to improve privacy, security, and performance, in that order.
All settings are maintained in a single PolicyRules
file that is applied with LGPO. Security features that send data to Microsoft, such as SmartScreen, are disabled, deviating from Microsoft's Security Baseline. Some settings are only effective on the Enterprise edition.
The target Feature Update version is Windows 11 23H2. This prevents automatic updates to the next release before the policy is updated with new settings.
Run install.cmd
as an Administrator and restart the computer.
Run savelocal.cmd <out-file> <policy-name>
or savewin11.cmd
(creates Win11-Local.PolicyRules
) as an Administrator to save the local group policy as a PolicyRules
file.
Warning: This will overwrite the contents of C:\GPO
.
Download and use the Policy Analyzer to compare PolicyRules
files. Make sure you configure it to use the repository's PolicyDefinitions
directory rather than C:\Windows\PolicyDefinitions
.
When LGPO.exe
and GPO2PolicyRules.exe
export the local policy, they include many default settings that shouldn't be overwritten when applying the resulting PolicyRules
file. There is also a bug in handling (Default)
registry values. These are annoyances that prevent a clean install/save roundtrip and add noise when comparing against Microsoft's Security Baseline. Default settings were manually removed from Win11.PolicyRules
by doing a three-way comparison between it, MSFT-Win11.PolicyRules
, and Win11-CleanInstall.PolicyRules
. To avoid reverting these edits, any updates to the policy must be merged in manually:
- Use
gpedit.msc
to modify the local policy. - Run
savewin11.cmd
to createWin11-Local.PolicyRules
file (not version-controlled). - Diff and copy the relevant settings to
Win11.PolicyRules
.
To update the policy for a new Windows feature release:
- Download and install the new ISO in a Hyper-V VM.
- Configure VM enhanced session settings to redirect the host drive that contains this repository.
- Run
cmd.exe
as an Administrator in the VM. - Map host drive for easier access:
net use Z: \\tsclient\<drive>\<path-to-repo>
- Update and copy over the templates as described in the next section. Update this file with new version information.
- Save an updated
Win11-CleanInstall.PolicyRules
file. - Install the current policy and restart.
- Follow the steps above to update the policy, comparing it against the new security baselines.
Templates contained in the PolicyDefinitions
directory:
- Windows 11 Enterprise 23H2 ISO (22621.2428)
- Windows 11 v23H2 Security Baseline
- Windows Restricted Traffic Limited Functionality Baseline - Windows 11 23H2
- Microsoft Edge (119.0.2151.72)
- Mozilla Firefox (5.4)
Before editing the policy with gpedit.msc
, copy the templates to C:\Windows\PolicyDefinitions
. Overwriting existing files is not recommended because it requires ownership changes, which makes SFC unhappy, which may break Windows Update. In general, it's better to start with a VM running a matching version of Windows. For each new release, the PolicyDefinitions
directory should be rebuilt from scratch by copying the templates over in the listed order to ensure removal of outdated templates.
To extract PolicyDefinitions
from a Windows ISO:
- Mount the ISO file.
- Open
sources\install.wim
with 7-Zip. - Check
[1].xml
for the appropriate image index and build version. - Extract
\<N>\Windows\PolicyDefinitions
.
- Local Administrator is disabled and renamed to LocalAdmin. The password must be set before it can be enabled or you'll get error 7016 in
gpresult /h
report along with "Security has requested to process its policy settings again" message. - Microsoft Account sign-in is disabled. Do not disable "Microsoft Account Sign-in Assistant" service (aka "wlidsvc") as suggested by the Restricted Traffic Baseline. Doing so results in error 0x80070426 when running Windows Update.
- Disabling active Network Connectivity Status Indicator (NCSI) tests breaks Windows Update (0x800704cf), DISM (0x800f0906 or 0x800f081f), and probably other things. Passive-only configuration doesn't fix this, so it's best to leave both passive and active tests enabled. Windows Update error only happens once if Windows was installed without any network connectivity. After a single successful update, disabling NCSI doesn't seem to cause further problems, but DISM will still run into errors. Guess how many days it took to figure this out.
- "Turn off all Windows spotlight features" policy must be applied within 15 minutes after Windows is installed (was true for Windows 10, no longer the case for Windows 11?).
The following registry entries do not have an associated template and are treated as preference-type settings that are not removed automatically when no longer applied by the policy:
DisableWpad=1
andAutoDetect=0
disable automatic proxy detection (WPAD). Do not disable "WinHTTP Web Proxy Auto-Discovery Service" (aka "WinHttpAutoProxySvc") - doing so will break things.HKCU\Software\Classes\CLSID\{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}\InprocServer32
key restores classic File Explorer context menus.HideFileExt=0
shows all file extensions in File Explorer.ShowSyncProviderNotifications=0
disables sync provider notifications, which are used to show Microsoft ads in File Explorer.ScoobeSystemSettingEnabled=0
disables "Let's finish setting up your device" notification (Settings > System > Notifications > Additional settings > Suggest ways to get the most out of Windows and finish setting up this device).