Leave GptTmpl.inf handling to LGPO

.gitignore

@@ -1,6 +1,7 @@
 /PolicyAnalyzer*/*
 !/PolicyAnalyzer*/GPO2PolicyRules.exe
 !/PolicyAnalyzer*/*.pdf
+/PolicyRules/*-Local.PolicyRules
 /Temp/
 /*.zip
 /map.cmd

PolicyRules/Win11-CleanInstall.PolicyRules

@@ -116,6 +116,18 @@
 <SecurityTemplate Section="Privilege Rights"><LineItem>SeTimeZonePrivilege=*S-1-5-19,*S-1-5-32-544,*S-1-5-32-545</LineItem><SourceFile>C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf</SourceFile><PolicyName>Windows 11 23H2 Clean Install</PolicyName></SecurityTemplate>
 <SecurityTemplate Section="Privilege Rights"><LineItem>SeCreateSymbolicLinkPrivilege=*S-1-5-32-544</LineItem><SourceFile>C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf</SourceFile><PolicyName>Windows 11 23H2 Clean Install</PolicyName></SecurityTemplate>
 <SecurityTemplate Section="Privilege Rights"><LineItem>SeDelegateSessionUserImpersonatePrivilege=*S-1-5-32-544</LineItem><SourceFile>C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf</SourceFile><PolicyName>Windows 11 23H2 Clean Install</PolicyName></SecurityTemplate>
+<SecurityTemplate Section="Privilege Rights"><LineItem>SeCreatePermanentPrivilege=</LineItem><SourceFile>C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf</SourceFile><PolicyName>Windows 11 23H2 Clean Install</PolicyName></SecurityTemplate>
+<SecurityTemplate Section="Privilege Rights"><LineItem>SeCreateTokenPrivilege=</LineItem><SourceFile>C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf</SourceFile><PolicyName>Windows 11 23H2 Clean Install</PolicyName></SecurityTemplate>
+<SecurityTemplate Section="Privilege Rights"><LineItem>SeDenyBatchLogonRight=</LineItem><SourceFile>C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf</SourceFile><PolicyName>Windows 11 23H2 Clean Install</PolicyName></SecurityTemplate>
+<SecurityTemplate Section="Privilege Rights"><LineItem>SeDenyRemoteInteractiveLogonRight=</LineItem><SourceFile>C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf</SourceFile><PolicyName>Windows 11 23H2 Clean Install</PolicyName></SecurityTemplate>
+<SecurityTemplate Section="Privilege Rights"><LineItem>SeDenyServiceLogonRight=</LineItem><SourceFile>C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf</SourceFile><PolicyName>Windows 11 23H2 Clean Install</PolicyName></SecurityTemplate>
+<SecurityTemplate Section="Privilege Rights"><LineItem>SeEnableDelegationPrivilege=</LineItem><SourceFile>C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf</SourceFile><PolicyName>Windows 11 23H2 Clean Install</PolicyName></SecurityTemplate>
+<SecurityTemplate Section="Privilege Rights"><LineItem>SeLockMemoryPrivilege=</LineItem><SourceFile>C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf</SourceFile><PolicyName>Windows 11 23H2 Clean Install</PolicyName></SecurityTemplate>
+<SecurityTemplate Section="Privilege Rights"><LineItem>SeMachineAccountPrivilege=</LineItem><SourceFile>C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf</SourceFile><PolicyName>Windows 11 23H2 Clean Install</PolicyName></SecurityTemplate>
+<SecurityTemplate Section="Privilege Rights"><LineItem>SeRelabelPrivilege=</LineItem><SourceFile>C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf</SourceFile><PolicyName>Windows 11 23H2 Clean Install</PolicyName></SecurityTemplate>
+<SecurityTemplate Section="Privilege Rights"><LineItem>SeSyncAgentPrivilege=</LineItem><SourceFile>C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf</SourceFile><PolicyName>Windows 11 23H2 Clean Install</PolicyName></SecurityTemplate>
+<SecurityTemplate Section="Privilege Rights"><LineItem>SeTcbPrivilege=</LineItem><SourceFile>C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf</SourceFile><PolicyName>Windows 11 23H2 Clean Install</PolicyName></SecurityTemplate>
+<SecurityTemplate Section="Privilege Rights"><LineItem>SeTrustedCredManAccessPrivilege=</LineItem><SourceFile>C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf</SourceFile><PolicyName>Windows 11 23H2 Clean Install</PolicyName></SecurityTemplate>
 <AuditSubcategory><GUID>{0CCE9213-69AE-11D9-BED3-505054503030}</GUID><Name>IPsec Driver</Name><Setting>0</Setting><SourceFile>C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv</SourceFile><PolicyName>Windows 11 23H2 Clean Install</PolicyName></AuditSubcategory>
 <AuditSubcategory><GUID>{0CCE9212-69AE-11D9-BED3-505054503030}</GUID><Name>System Integrity</Name><Setting>3</Setting><SourceFile>C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv</SourceFile><PolicyName>Windows 11 23H2 Clean Install</PolicyName></AuditSubcategory>
 <AuditSubcategory><GUID>{0CCE9211-69AE-11D9-BED3-505054503030}</GUID><Name>Security System Extension</Name><Setting>0</Setting><SourceFile>C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv</SourceFile><PolicyName>Windows 11 23H2 Clean Install</PolicyName></AuditSubcategory>

README.md

@@ -34,4 +34,12 @@ To extract `PolicyDefinitions` from a Windows ISO:
 
 ## Local policy
 
-Run `.\savelocal.cmd <out-file> <policy-name>` as an Administrator to save the local group policy as a `PolicyRules` file. This will overwrite the contents of `C:\GPO`.
+Run `.\savelocal.cmd <out-file> <policy-name>` or `.\savewin11.cmd` as an Administrator to save the local group policy as a `PolicyRules` file. This will overwrite the contents of `C:\GPO`.
+
+## Updating policy
+
+When `LGPO.exe` and `GPO2PolicyRules.exe` export the local policy, they include many default settings that shouldn't be overwritten when applying the resulting `PolicyRules` file. These settings were manually removed from `Win11.PolicyRules` by doing a three-way comparison between `MSFT-Win11.PolicyRules`, `Win11.PolicyRules`, and `Win11-CleanInstall.PolicyRules` with the Policy Analyzer. Because of this, any changes to the policy have to be merged in manually. To make changes:
+
+1. Use `gpedit.msc` to modify the local policy.
+2. Run `.\savewin11.cmd` to create `Win11-Local.PolicyRules` file.
+3. Copy the relevant settings to `Win11.PolicyRules`.

savelocal.cmd

@@ -14,9 +14,8 @@ goto :eof
 pushd %~dp0
 rmdir /s /q C:\GPO
 mkdir C:\GPO
-.\LGPO\LGPO.exe /b C:\GPO /n "%~2"
+.\LGPO\LGPO.exe /b C:\GPO /n "%~2" /q
 move C:\GPO\{*} C:\GPO\{00000000-0000-0000-0000-000000000000}
-secedit /export /cfg "C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf"
 copy /y "%SystemRoot%\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv" "C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\"
 .\PolicyAnalyzer\GPO2PolicyRules.exe C:\GPO "%~1"
 popd

savewin11.cmd

@@ -2,5 +2,5 @@
 setlocal
 
 pushd %~dp0
-.\savelocal.cmd .\PolicyRules\Win11.PolicyRules "Windows 11 Secure Group Policy"
+.\savelocal.cmd .\PolicyRules\Win11-Local.PolicyRules "Windows 11 Secure Group Policy"
 popd