Need to change local group policy editor

Hi All,

Is there any command to change/disable one value in local group policy?
I am installing Known Issue Rollback apps for one patch issue, then I need to disable the Known Issue Rollback setting. pls help if anyone know how to do it through command.

Location - local group policy editor/ Administrative templates/ KB5040431 240724_18051 Known Issue Rollback/ Windows 11 (original release) /
Then open, KB5040431 240724_18051 Known Issue Rollback then need to change the setting Not configured to Disabled.

You can use the following procedure for your local secpol changes: wherever that key exists, first try to identify it in the registry, which should be within “HKLM\Software\Policies\Microsoft\Windows\System”; then update the relevant logic and test.

//Relevance
exists value "EnableFontProviders" of keys "HKLM\Software\Policies\Microsoft\Windows\System" of native registry

//Actionscript
waithidden reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableFontProviders" /t REG_DWORD /d 0 /f

Hi @vk.khurava I have checked the mentioned location but there is no registry entry in that location. additionally, I have got location for the entry but there is no changes when I have changed it to disabled manually.

Registry loc entry - HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall{0723EF2D-428D-4BC7-AC63-08A9FFEB02DA}
Application Link - https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdownload.microsoft.com%2Fdownload%2F62f671cf-3404-4bd1-884a-b4476ff0bd00%2FWindows%252011%2520(original%2520release)%2520KB5040431%2520240724_18051%2520Known%2520Issue%2520Rollback.msi&data=05|02|chandri.udamala%40hcltech.com|c8850d6b99ff418b77ae08dcb3ac2471|189de737c93a4f5a8b686f4ca9941912|0|0|638582799576476243|Unknown|TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D|0|||&sdata=BPymqb%2BVbffamY4iPP9sIAmnFHjOxCvUTj%2F6iqn%2FtBY%3D&reserved=0

This is not a location for policies; it is intended for program uninstall stings that are installed in Windows.

policy setting is likely stored in the following registry hive:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows

I’m puzzled here; I’ve never encountered such rollback policies, but if they exist, they should be in that position; otherwise, try an extended search.

Hi @vk.khurava I did not find any entries (for KIR) in the given location. also, I am trying to find the registry entries for KIR.
That MSI file given by MS team to fixed something and suggested the below steps for fixed that.

  1. Install KIR MSI package
  2. Set the GP KIR policy to Disabled

Okay, maybe that package is building that policy path; once it is available, it may be allowed to disabled.

If it is still not visible, I suggest contacting the MS Team and asking for a method to modify the setting, which could then be integrated into BigFix.

I have never heard of this type of policy before… but…
I would imagine it would be possible to use the LGPO.exe to backup the setting on the source computer then create a Fixlet that would would deploy the setting using LGPO.exe (or secedit.exe has some overlap and maybe could do it to).

Hi @vk.khurava, MS Team denied they don’t have any command or any ref for registry entries. it may be possible to change through AD.

Hi @DerrickD, actually that policy will come after the KIR (KB5040431 240724_18051 Known Issue Rollback) installation and this is the rollback plan, shared by the MS team.

Even if its from AD, you should be able to see & change it or develop any deployment script to do it that still require reg path or steps to process.

If MS Team is giving some policy change, they should be able to also guide with the process to automate it, I hope they are not thinking you will be doing it manually on each device :slight_smile:

100% agreed on this.

If MS doesn’t provide deployment details, I am pretty sure LGPO.exe should be able to export that one setting. Or you could export the whole Local Security Policy and I imagine it’s in there, just select that part out of the INF. Then apply to a target device and see if it applies. I imagine it should work.

LGPO.exe is included in the Microsoft Security Compliance Toolkit.