There is no group policy on (untouched) iso. Everything is "not configured" by default. And changes you make to registry doesn't affect Group Policy. You have to choices: -either script: you run an install or post-install script with lgpo commands Basically you save policy settings as a text (that you can even edit in between) then re-create .pol from text and import to new system. For gpolicy security settings it's the same process, but with .cfg file (as well editable) and different commands (secedit). -you mount your Windows iso, open WIM image with 7zip and integrate your .pol files there (that you copy from an "online" system already set). I haven't tried with group policy security settings but might work the same way... Paths: C:\Windows\System32\GroupPolicy (.pol) C:\Windows\security (.sdb) ps lgpo commands are quite straightforward (I use the same link you posted) if you need more LGPO/secedit/GroupPolicy examples, you can find in my Optimization script. I struggled a bit with secedit so hope someone can find some use in it...
I've tried this, and that doesn't seem to have worked: Code: # Prereq Find-Module -Name 'PolicyFileEditor' | Install-Module -Force $TemplateDir = "$PSScriptRoot\PolicyDefinitions" $PolicyDir = "$PSScriptRoot" $WorkDir = New-Item -Path 'C:\Offline' -ItemType Directory -Force $MountDir = New-Item -Path "$WorkDir\Mount" -ItemType Directory -Force $InstallWIM = Get-Item $WorkDir\install.wim Mount-WindowsImage -Path $MountDir -ImagePath $InstallWIM -Index 1 Copy-Item -Path "$TemplateDir\*" -Destination "$MountDir\Windows\PolicyDefinitions" -Recurse 'User', 'Machine' | ForEach-Object { $GPOArgs = @{ Path = "$MountDir\Windows\System32\GroupPolicy\$_\Registry.pol" } $XMLArgs = @{ Path = "$PolicyDir\$_\Registry.xml" } Import-Clixml @XMLArgs | Set-PolicyFileEntry @GPOArgs } I made sure before unmounting, committing and copying the image back to the installation media that both custom templates (in my case for Edge) and modified .pol files were copied successfully, but, after installing the resultant image, none of the group policies were set. It was just a default Windows install.