# Windows 11 secure group policy for standalone devices

A local group policy intended for standalone Windows 11 devices. It aims to improve privacy, security, and performance, in that order. All settings are maintained in a single `PolicyRules` file that is applied with LGPO. Security features that send data to Microsoft, such as SmartScreen, are disabled, deviating from Microsoft's Security Baseline. Some settings are only effective on the Enterprise edition.

The target Feature Update version is Windows 11 23H2. This prevents automatic updates to the next release before the policy is updated with new settings.
Run `install.cmd` as an Administrator and restart the computer.

Run `savelocal.cmd <out-file> <policy-name>` or `savewin11.cmd` (creates `Win11-Local.PolicyRules`) as an Administrator to save the local group policy as a `PolicyRules` file.

Warning: This will overwrite the contents of `C:\GPO`.

Download and use the Policy Analyzer to compare `PolicyRules` files. Make sure you configure it to use the repository's `PolicyDefinitions` directory rather than `C:\Windows\PolicyDefinitions`.
When `LGPO.exe` and `GPO2PolicyRules.exe` export the local policy, they include many default settings that shouldn't be overwritten when applying the resulting `PolicyRules` file. There is also a bug in handling `(Default)` registry values. These are annoyances that prevent a clean install/save roundtrip and add noise when comparing against Microsoft's Security Baseline. Default settings were manually removed from `Win11.PolicyRules` by doing a three-way comparison between it, `MSFT-Win11.PolicyRules`, and `Win11-CleanInstall.PolicyRules`. To avoid reverting these edits, any updates to the policy must be merged in manually:

1. Use `gpedit.msc` to modify the local policy.
2. Run `savewin11.cmd` to create the `Win11-Local.PolicyRules` file (not version-controlled).
3. Merge the changes into `Win11.PolicyRules`.

To update the policy for a new Windows feature release:

1. Run `cmd.exe` as an Administrator in the VM.
2. Run `net use Z: \\tsclient\<drive>\<path-to-repo>` to map the repository into the VM.
3. Save the local policy of the clean install as the `Win11-CleanInstall.PolicyRules` file.

Templates contained in the `PolicyDefinitions` directory:
Before editing the policy with `gpedit.msc`, copy the templates to `C:\Windows\PolicyDefinitions`. Overwriting existing files is not recommended because it requires ownership changes, which makes SFC unhappy, which may break Windows Update. In general, it's better to start with a VM running a matching version of Windows. For each new release, the `PolicyDefinitions` directory should be rebuilt from scratch by copying the templates over in the listed order to ensure removal of outdated templates.
To extract `PolicyDefinitions` from a Windows ISO:

1. Open `sources\install.wim` with 7-Zip.
2. Check `[1].xml` for the appropriate image index and build version.
3. Copy `\<N>\Windows\PolicyDefinitions`.

`gpresult /h` report along with "Security has requested to process its policy settings again" message.

The following registry entries do not have an associated template and are treated as preference-type settings that are not removed automatically when no longer applied by the policy:
- `DisableWpad=1` and `AutoDetect=0` disable automatic proxy detection (WPAD). Do not disable "WinHTTP Web Proxy Auto-Discovery Service" (aka "WinHttpAutoProxySvc") - doing so will break things.
- `HKCU\Software\Classes\CLSID\{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}\InprocServer32` key restores classic File Explorer context menus.
- `HideFileExt=0` shows all file extensions in File Explorer.
- `ShowSyncProviderNotifications=0` disables sync provider notifications, which are used to show Microsoft ads in File Explorer.
- `ScoobeSystemSettingEnabled=0` disables "Let's finish setting up your device" notification (Settings > System > Notifications > Additional settings > Suggest ways to get the most out of Windows and finish setting up this device).
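Because these preference-type values persist after the policy stops applying them, it is worth auditing them separately. The following PowerShell script is an added example and not part of this repository; the registry key paths it uses are my assumptions, since the list above only names the values, so confirm them against `Win11.PolicyRules` before relying on it.

```powershell
#Requires -Version 5.1
# Added audit script (not part of this repository). It reports whether the
# preference-type values listed above still hold the values the policy intends,
# since Windows will not clean them up when the policy stops applying them.
# The registry paths below are my assumptions: the README only names the
# values, so confirm each path against Win11.PolicyRules before relying on it.

$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Name = 'DisableWpad'; Value = 1 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'AutoDetect'; Value = 0 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt'; Value = 0 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSyncProviderNotifications'; Value = 0 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement'; Name = 'ScoobeSystemSettingEnabled'; Value = 0 }
)

function Test-PreferenceValue {
    param([hashtable]$Entry)
    # Get-ItemProperty yields $null for a missing value or key; both count as MISSING.
    $actual = (Get-ItemProperty -Path $Entry.Path -Name $Entry.Name -ErrorAction SilentlyContinue).($Entry.Name)
    $state = if ($null -eq $actual) { 'MISSING' } elseif ($actual -eq $Entry.Value) { 'OK' } else { 'DRIFT' }
    [pscustomobject]@{ Name = $Entry.Name; Expected = $Entry.Value; Actual = $actual; State = $state }
}

$results = @($expected | ForEach-Object { Test-PreferenceValue -Entry $_ })

# The classic context menu setting is a key rather than a value, so only its presence is checked.
$clsidKey = 'HKCU:\Software\Classes\CLSID\{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}\InprocServer32'
$present = Test-Path -LiteralPath $clsidKey
$results += [pscustomobject]@{ Name = 'ClassicContextMenu'; Expected = 'key present'
                               Actual = $(if ($present) { 'key present' } else { 'absent' })
                               State  = $(if ($present) { 'OK' } else { 'MISSING' }) }

# WPAD must be turned off through the values above, never by disabling the service itself.
$svc = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
$svcOk = $svc -and $svc.StartType -ne 'Disabled'
$results += [pscustomobject]@{ Name = 'WinHttpAutoProxySvc'; Expected = 'not Disabled'
                               Actual = $(if ($svc) { $svc.StartType.ToString() } else { 'service not found' })
                               State  = $(if ($svcOk) { 'OK' } else { 'DRIFT' }) }

$results | Format-Table -AutoSize
# Non-zero exit code so the script can be run from a scheduled task and flag drift.
if ($results.State -contains 'DRIFT' -or $results.State -contains 'MISSING') { exit 1 }
```

Run it in the user's own session, since the HKCU entries are per-user and would otherwise be read from the wrong hive.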