From 5f36f79a5d69ddfa3bd927d5fde0958a8d684781 Mon Sep 17 00:00:00 2001
From: Maxim Khitrov
Date: Thu, 16 Nov 2023 09:25:20 -0500
Subject: [PATCH] Leave GptTmpl.inf handling to LGPO

---
 .gitignore | 1 +
 PolicyRules/Win11-CleanInstall.PolicyRules | 12 ++++++++++++
 README.md | 10 +++++++++-
 savelocal.cmd | 3 +--
 savewin11.cmd | 2 +-
 5 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/.gitignore b/.gitignore
index ec016cd..a3fdf9b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 /PolicyAnalyzer*/*
 !/PolicyAnalyzer*/GPO2PolicyRules.exe
 !/PolicyAnalyzer*/*.pdf
+/PolicyRules/*-Local.PolicyRules
 /Temp/
 /*.zip
 /map.cmd
diff --git a/PolicyRules/Win11-CleanInstall.PolicyRules b/PolicyRules/Win11-CleanInstall.PolicyRules
index 0da79ab..19ad158 100644
--- a/PolicyRules/Win11-CleanInstall.PolicyRules
+++ b/PolicyRules/Win11-CleanInstall.PolicyRules
@@ -116,6 +116,18 @@ SeTimeZonePrivilege=*S-1-5-19,*S-1-5-32-544,*S-1-5-32-545C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.infWindows 11 23H2 Clean Install SeCreateSymbolicLinkPrivilege=*S-1-5-32-544C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.infWindows 11 23H2 Clean Install SeDelegateSessionUserImpersonatePrivilege=*S-1-5-32-544C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.infWindows 11 23H2 Clean Install +SeCreatePermanentPrivilege=C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.infWindows 11 23H2 Clean Install +SeCreateTokenPrivilege=C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.infWindows 11 23H2 Clean Install +SeDenyBatchLogonRight=C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.infWindows 11 23H2 Clean Install +SeDenyRemoteInteractiveLogonRight=C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.infWindows 11 23H2 Clean Install +SeDenyServiceLogonRight=C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.infWindows 11 23H2 Clean Install +SeEnableDelegationPrivilege=C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.infWindows 11 23H2 Clean Install +SeLockMemoryPrivilege=C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.infWindows 11 23H2 Clean Install +SeMachineAccountPrivilege=C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.infWindows 11 23H2 Clean Install 
+SeRelabelPrivilege=C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.infWindows 11 23H2 Clean Install +SeSyncAgentPrivilege=C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.infWindows 11 23H2 Clean Install +SeTcbPrivilege=C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.infWindows 11 23H2 Clean Install +SeTrustedCredManAccessPrivilege=C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.infWindows 11 23H2 Clean Install {0CCE9213-69AE-11D9-BED3-505054503030}IPsec Driver0C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csvWindows 11 23H2 Clean Install {0CCE9212-69AE-11D9-BED3-505054503030}System Integrity3C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csvWindows 11 23H2 Clean Install {0CCE9211-69AE-11D9-BED3-505054503030}Security System Extension0C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csvWindows 11 23H2 Clean Install diff --git a/README.md b/README.md index 10a47ce..3850d13 100644 --- a/README.md +++ b/README.md 
@@ -34,4 +34,12 @@ To extract `PolicyDefinitions` from a Windows ISO: ## Local policy -Run `.\savelocal.cmd ` as an Administrator to save the local group policy as a `PolicyRules` file. This will overwrite the contents of `C:\GPO`. +Run `.\savelocal.cmd ` or `.\savewin11.cmd` as an Administrator to save the local group policy as a `PolicyRules` file. This will overwrite the contents of `C:\GPO`. + +## Updating policy + +When `LGPO.exe` and `GPO2PolicyRules.exe` export the local policy, they include many default settings that shouldn't be overwritten when applying the resulting `PolicyRules` file. These settings were manually removed from `Win11.PolicyRules` by doing a three-way comparison between `MSFT-Win11.PolicyRules`, `Win11.PolicyRules`, and `Win11-CleanInstall.PolicyRules` with the Policy Analyzer. Because of this, any changes to the policy have to be merged in manually. To make changes: + +1. Use `gpedit.msc` to modify the local policy. +2. Run `.\savewin11.cmd` to create `Win11-Local.PolicyRules` file. +3. Copy the relevant settings to `Win11.PolicyRules`. diff --git a/savelocal.cmd b/savelocal.cmd index 96213fc..badba9d 100644 --- a/savelocal.cmd +++ b/savelocal.cmd @@ -14,9 +14,8 @@ goto :eof pushd %~dp0 rmdir /s /q C:\GPO mkdir C:\GPO -.\LGPO\LGPO.exe /b C:\GPO /n "%~2" +.\LGPO\LGPO.exe /b C:\GPO /n "%~2" /q move C:\GPO\{*} C:\GPO\{00000000-0000-0000-0000-000000000000} -secedit /export /cfg "C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf" copy /y "%SystemRoot%\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv" "C:\GPO\{00000000-0000-0000-0000-000000000000}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\" .\PolicyAnalyzer\GPO2PolicyRules.exe C:\GPO "%~1" popd diff --git a/savewin11.cmd b/savewin11.cmd index 5e488d9..16f6a0a 100644 --- a/savewin11.cmd +++ b/savewin11.cmd 
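Review bot: The savelocal.cmd hunk still runs every step unconditionally, so if `LGPO.exe /b` fails (not elevated, binary missing) the script proceeds to `move`, `copy`, and `GPO2PolicyRules.exe` and emits a PolicyRules file from whatever is left in `C:\GPO` after the `rmdir /s /q`, and the newly added `/q` — assuming it is LGPO's quiet switch — makes that failure easier to miss. I would gate the two steps the output depends on: `.\LGPO\LGPO.exe /b C:\GPO /n "%~2" /q || exit /b 1` and `move C:\GPO\{*} C:\GPO\{00000000-0000-0000-0000-000000000000} || exit /b 1`, which relies on LGPO returning a non-zero exit code on failure (not verified here). Note that `exit /b` skips the trailing `popd`, so if there is no `setlocal` above line 14 to restore the directory, jump to a label that runs `popd` before exiting instead. With `secedit /export` removed, GptTmpl.inf now comes from LGPO's backup of the local GPO rather than from the merged security database that `secedit` reads, which is what the commit title intends; a comment above the LGPO call such as `rem GptTmpl.inf is taken from LGPO's backup; do not re-add secedit /export (it pulls in effective defaults)` would keep the next maintainer from reintroducing it. The script's argument validation above line 14 is outside the hunk, so I cannot tell whether `%~1`/`%~2` are checked before the destructive `rmdir`.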
@@ -2,5 +2,5 @@ setlocal pushd %~dp0 -.\savelocal.cmd .\PolicyRules\Win11.PolicyRules "Windows 11 Secure Group Policy" +.\savelocal.cmd .\PolicyRules\Win11-Local.PolicyRules "Windows 11 Secure Group Policy" popd