This step-by-step tutorial demonstrates how to completely reset all Local Security Policy settings back to their defaults in Windows 11 and Windows 10. Instructions are provided for using the Local Security Policy console, as well as restoring security policy defaults using PowerShell.
The purpose and impacts of Local Security Policy in Windows and its use cases are also explained to assist with troubleshooting and to help you better understand the changes you are making to your Windows PC.
Understanding Windows Local Security Policies
Windows Local Security Policy is the configuration set that defines how the Windows operating system’s security features behave. It covers areas such as authentication, user permissions, auditing, boot security, firewall and network security, as well as many other security settings. Local Security Policy functionality is only available in Pro and Enterprise versions of Windows 11 and Windows 10, and is not available on Home versions of these operating systems.
Local security policies apply only to the individual PC that they are configured on. Security policies can be configured for multiple machines if they are joined to a Windows Active Directory Domain.
Common security-related tasks that can be performed using Local Security Policy include:
- Setting password complexity requirements (like requiring a minimum length and the use of numbers, letters, and special characters).
- Enabling auditing to monitor the actions of users and processes.
- Managing access to resources or functionality, for example, restricting who can shut down the system.
- Managing firewall settings, including allowing certain apps and ports.
While the Windows Settings app and Control Panel offer some access to this functionality, defining Local Security Policies allows you fine-grained control over the security settings of your Windows PC.
Reasons for resetting Local Security Policies in Windows 11 and Windows 10
Generally, you will reset local security policies to their defaults to troubleshoot system issues or revert a change you’ve made yourself. You may also need to revert changes made by third-party software.
Reverting Windows security policies to their defaults will also ensure that any unauthorized modifications to your security configuration are removed. This provides a baseline for security settings that you can then further enhance by re-introducing the security policies you want to retain.
Prerequisites and considerations
To modify or reset Local Security Policy to its defaults, you’ll need to be logged in as an Administrator.
You should also make sure you take a complete backup of your Windows PC, including your operating system and all data, so that you can restore it in case a mistake is made or an error occurs. It is also worth noting that if your PC is part of a Windows Domain, any security policies defined at the domain level will still apply.
How to reset Local Security Policy to default
There are several methods you can employ to restore default security policy settings in Windows 11 and Windows 10:
Using Command Prompt and PowerShell to reset all local security policies to their defaults
Follow these steps to restore Local Security Policy to its default state using the Command Prompt:
- Open the Windows Command Prompt or PowerShell as an Administrator
- Enter the following command:
secedit /configure /cfg %SystemRoot%\inf\defltbase.inf /db defltbase.sdb /verbose
If you run this from PowerShell rather than Command Prompt, replace %SystemRoot% with $env:SystemRoot, because PowerShell does not expand %...% environment variable references.
- Reboot your device to apply the changes and fully restore the default security settings
The secedit command reads the default security policy settings from defltbase.inf and applies them. This covers every setting defined in the template, including those relating to passwords, firewall settings, auditing, and user permissions.
Using the Local Security Policy console to revert individual changes
The Security Policy Console does not provide a way to reset all settings at once. However, the below step-by-step instructions show you how to reset individual security policies using the Local Security Policy console:
- Right-click on the Start button and click Run
- Type secpol.msc into the Run dialog and press OK to open the Security Policy console
- In the left navigation pane, navigate through the Account Policies and Local Policies and revert any settings that you have modified
- You will need to consult the documentation for each setting to find out what the default value was, so that you can return it to that value.
If you are attempting to return to a ‘clean slate’, it is recommended to use the Command Line or PowerShell methods detailed above to completely reset all settings, in case you miss something or don’t know what the default value should be.
Using Group Policy Editor to reset individual local security policies
As with the Local Security Policy console, the Local Group Policy Editor can be used to reset individual Local Security Policy settings:
- Open the Local Group Policy Editor
- Navigate to the security policies located at Computer Configuration/Administrative Templates/All Settings and User Configuration/Administrative Templates/All Settings
- Restore each setting to its default based on its documentation
- Reboot your PC
Again, this method is not advisable if you wish to reliably restore your security settings to their default state.
How to verify that Local Security Policy was reset
To confirm the settings have been reset successfully, you can open the template file that contains the default security settings, located at %SystemRoot%\inf\defltbase.inf, and compare them with the settings shown in the Security Policy console.
You can also export the current security policies to a text file in the current directory for easier comparison:
secedit /export /cfg ./current_security_policy.inf /quiet
Note that you must be running PowerShell as an administrator for this command to function correctly.
Once you have your current Local Security Policy settings and the defaults stored as .inf files, you can sort the lines in the file by name and then compare the two files to see what differs. Programming tools like Visual Studio Code make building automated PowerShell workflows like this much easier.
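The comparison described above, as an added PowerShell example that is not part of the original article: it exports the current policy, parses both .inf files into section/key/value entries, and lists every setting that differs from defltbase.inf. It assumes the export file name used above (current_security_policy.inf) and an elevated session.

```powershell
# Added example, not part of the original article: export the current Local
# Security Policy, parse it and defltbase.inf, and list every setting that differs.
# Assumes the export file name used in this article (current_security_policy.inf)
# and an elevated PowerShell session (secedit /export fails otherwise).
$defaultInf = Join-Path $env:SystemRoot 'inf\defltbase.inf'
$currentInf = Join-Path (Get-Location) 'current_security_policy.inf'

secedit /export /cfg $currentInf /quiet | Out-Null
if (-not (Test-Path $currentInf)) { throw "secedit /export did not write $currentInf (run as Administrator?)" }

function ConvertFrom-SecurityTemplate {
    param([Parameter(Mandatory)][string]$Path)
    # Returns a hashtable keyed "Section\Key" so entries are compared by name,
    # not by the order they appear in the file. Both files carry a Unicode BOM,
    # which Get-Content detects automatically.
    $settings = @{}
    $section = ''
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }       # blank or comment line
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        $name, $value = $line -split '=', 2
        if ($null -eq $value) { continue }
        $value = $value.Trim()
        # Privilege Rights values are SID lists; sort them so ordering alone is not reported as drift.
        if ($section -eq 'Privilege Rights') {
            $value = (($value -split ',') | ForEach-Object { $_.Trim() } | Sort-Object) -join ','
        }
        $settings["$section\$($name.Trim())"] = $value
    }
    return $settings
}

$defaults = ConvertFrom-SecurityTemplate -Path $defaultInf
$current  = ConvertFrom-SecurityTemplate -Path $currentInf

# Skip template metadata sections, which are expected to differ between the two files.
$skip = @('Unicode', 'Version', 'Profile Description')
$keys = @($defaults.Keys) + @($current.Keys) | Sort-Object -Unique |
    Where-Object { $skip -notcontains ($_ -split '\\')[0] }

# A setting present in only one file shows up with an empty Default or Current column.
$drift = foreach ($k in $keys) {
    if ($defaults[$k] -ne $current[$k]) {
        [pscustomobject]@{ Setting = $k; Default = $defaults[$k]; Current = $current[$k] }
    }
}
if ($drift) { $drift | Format-Table -Wrap -AutoSize } else { 'No differences from defltbase.inf' }
```

Run it immediately after the reset and reboot; anything still listed is a setting that secedit did not return to the template value, or one that a domain policy re-applied.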
Best practices for managing Local Security Policies
There are a few best practices you can follow when managing Local Security Policies in Windows 11 and Windows 10, to reduce the chance of making a mistake and make sure that your system has a strong security configuration:
- Read the documentation for each setting so that you understand what it does and the implications of changing it from its default state
- Back up before you make changes to make it easy to roll back (especially if you lock yourself out of something)
- If you share your PC with others, enforce strong password policies to make sure that other users are using strong passwords so that your system is harder to compromise
- Enable auditing features to alert you of failed login attempts and configuration changes
- Restrict the privileges of user accounts for inexperienced users
You can also leverage policy templates to copy security policies between computers by exporting the current configuration. To do this, run the secedit /export command shown above, and then restore that file on another system using secedit /configure, and supply the exported file rather than the Windows default defltbase.inf file. Note that you should only import/export from the same version of Windows.
How to manage Windows security policies for multiple devices
Manually exporting and importing Local Security Policy configuration files between Windows devices is an inefficient and error-prone process that will eventually lead to inconsistent and insecure configurations.
NinjaOne provides a complete endpoint management platform for Windows, MacOS, Android, iOS, and Linux devices, providing full oversight of all of your infrastructure, including configuration for Windows 11 and Windows 10 PCs. NinjaOne also alerts you to potential cybersecurity concerns as they happen, allowing you to respond quickly and close off attack vectors by updating your security policies.