@dhackney
Last active February 10, 2018 22:47
How to fix a Win10 system bricked by changing a Group Policy


Scenario:
Change a Group Policy and it bricks the system
"Restore from System Restore Point" fails or there are no recent restore points

Challenge:
There is no access to the GUI Group Policy Editor from the command prompt of a bricked system

Recovery Method:
Use command line tools to restore the group policy to its original form

Example:
This example uses the Group Policy "Virtualization Based Protection of Code Integrity". Enabling it works OK on a Dell Latitude E7440 using a Samsung 850 Pro, but bricks a Dell Latitude 7490 using a Samsung 960 Pro M.2 NVMe SSD and the Samsung NVMe driver.

The path in the Group Policy Editor to this policy is:
Group Policy Management Console -> Computer Configuration -> Administrative Templates -> System -> Device Guard -> Turn On Virtualization Based Security

Steps to fix a Win10 system bricked by enabling Group Policy "Virtualization Based Protection of Code Integrity" - registry key "HypervisorEnforcedCodeIntegrity":
*** Using a working system: ***

  1. Download the Microsoft Security Compliance Toolkit 1.0: https://www.microsoft.com/en-us/download/confirmation.aspx?id=55319

  2. Unzip the LGPO.zip file

  3. Copy the LGPO.exe utility to the root directory of a USB flash drive, e.g. D:\ or E:\

  4. Release and remove the USB flash drive

*** On the bricked system: ***

  5. Insert the USB drive

  6. Turn on the bricked system

  7. Using the "automatic recovery" menu options of the failed boot or a system recovery USB/DVD, open a Command Prompt:
    Troubleshoot -> Advanced Options -> Command Prompt

  8. Change to the root directory of the USB drive. Use cd /d so that the current drive changes as well as the directory (you may need to try several drive letters to find it, depending on your system, e.g. cd /d D:\, cd /d E:\, cd /d F:\, etc.)
    Example:
    Run the command:

    cd /d e:\

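  9. Copy the "Registry.pol" file from the bricked system to the root directory of the USB flash drive
    Copy from:
    C:\Windows\System32\GroupPolicy\Machine\Registry.pol
    to
    the root directory of the USB drive, e.g. E:\
    (The recovery environment may assign the Windows volume a letter other than C:. If the file is not found, look for the Windows directory on the other drive letters.)
    Example:
    Run the command:

    copy C:\Windows\System32\GroupPolicy\Machine\Registry.pol E:\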

  10. Exit the Command Prompt:
    Run the command:

    exit

  11. Using the menu option, select "Turn off your PC"

  12. When the system has powered off, remove the USB flash drive

*** On the working system: ***

  13. Put USB flash drive into the working system

  14. Using File Explorer, rename the Registry.pol file to: registry-policy-initial-state.pol

  15. Open a Command Prompt

  16. Change to the root directory of the USB flash drive with cd /d, e.g. cd /d D:\, cd /d E:\ or cd /d F:\

  17. Extract the Group Policies into an LGPO text file:
    Run the command:

    LGPO /parse /q /m .\registry-policy-initial-state.pol > registry-policy-initial-state-lgpo.txt

  18. On the USB flash drive, open the registry-policy-initial-state-lgpo.txt file in a text editor

  19. Using a text editor, replace the "HypervisorEnforcedCodeIntegrity" entry with the following contents:

Old text:

Computer  
SOFTWARE\Policies\Microsoft\Windows\DeviceGuard  
HypervisorEnforcedCodeIntegrity  
DWORD:1  

New text:

; disable "Virtualization Based Protection of Code Integrity"  
Computer  
SOFTWARE\Policies\Microsoft\Windows\DeviceGuard  
HypervisorEnforcedCodeIntegrity  
DWORD:0  
  
; deselect "Require UEFI Memory Attribute Table"  
Computer  
SOFTWARE\Policies\Microsoft\Windows\DeviceGuard  
HVCIMATRequired  
DWORD:0  

  20. Save the file to the root directory of the USB flash drive as:

    registry-policy-changed-state-lgpo.txt

  21. Using the Command Prompt, create a fixed policy file
    Run the command:

    LGPO.exe /r .\registry-policy-changed-state-lgpo.txt /w .\Registry.pol

  22. Release and remove the USB flash drive from the working system

*** On the bricked system: ***

  23. Put the USB flash drive into the bricked system

  24. Turn on the bricked system

  25. Using the "automatic recovery" menu options of the failed boot or a system recovery USB/DVD, open a Command Prompt:
    Troubleshoot -> Advanced Options -> Command Prompt

  26. Change to the root directory of the USB drive. Use cd /d so that the current drive changes as well as the directory (you may need to try several drive letters to find it, depending on your system, e.g. cd /d D:\, cd /d E:\, cd /d F:\, etc.)
    Example:
    Run the command:

    cd /d e:\

  27. Copy the fixed "Registry.pol" policy file to the bricked system
    Copy from:
    the root directory of the USB flash drive, e.g. D:\ or E:\
    to
    C:\Windows\System32\GroupPolicy\Machine\Registry.pol
    Example:
    Run the command:

    copy E:\Registry.pol C:\Windows\System32\GroupPolicy\Machine\Registry.pol

  28. Exit the Command Prompt:
    Run the command:

    exit

  29. Using the menu option, select "Exit and continue to Windows 10"

The system should boot normally.
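
A check for the rebuilt Registry.pol before it is copied back to the bricked system, added here as an example (it is not part of the original gist or of LGPO): it parses the PReg binary format directly and confirms that both DeviceGuard values are REG_DWORD 0. The function names and the two sample byte strings are constructed for illustration, and Python on the working system is assumed.

```python
import struct

REG_DWORD = 4  # registry value type for a 32-bit integer
KEY = r"SOFTWARE\Policies\Microsoft\Windows\DeviceGuard"

def _cstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end >= len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _skip(buf, pos, ch):
    """Consume one UTF-16LE delimiter character ('[', ';' or ']')."""
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_pol(buf):
    """Return {(key, value): (type, data)} from Registry.pol (PReg v1) bytes."""
    if buf[:4] != b"PReg" or buf[4:8] != struct.pack("<I", 1):
        raise ValueError("not a version 1 PReg file")
    pos, out = 8, {}
    while pos < len(buf):  # each entry is [key;value;type;size;data]
        key, pos = _cstr(buf, _skip(buf, pos, "["))
        value, pos = _cstr(buf, _skip(buf, pos, ";"))
        rtype = struct.unpack_from("<I", buf, _skip(buf, pos, ";"))[0]
        size = struct.unpack_from("<I", buf, _skip(buf, pos + 6, ";"))[0]
        pos = _skip(buf, pos + 12, ";")
        data = buf[pos:pos + size]
        pos = _skip(buf, pos + size, "]")  # also rejects truncated data
        out[(key.lower(), value.lower())] = (rtype, data)
    return out

def hvci_disabled(buf):
    """True only if both DeviceGuard values edited above are REG_DWORD 0."""
    pol, zero = parse_pol(buf), (REG_DWORD, struct.pack("<I", 0))
    return all(pol.get((KEY.lower(), n)) == zero
               for n in ("hypervisorenforcedcodeintegrity", "hvcimatrequired"))

def _entry(value, dword):  # constructed sample data: one REG_DWORD entry under KEY
    u = lambda s: s.encode("utf-16-le")
    return (u("[" + KEY + "\0;" + value + "\0;") + struct.pack("<I", REG_DWORD) + u(";")
            + struct.pack("<I", 4) + u(";") + struct.pack("<I", dword) + u("]"))

HEADER = b"PReg" + struct.pack("<I", 1)
SAMPLE_BEFORE = HEADER + _entry("HypervisorEnforcedCodeIntegrity", 1)
SAMPLE_AFTER = HEADER + _entry("HypervisorEnforcedCodeIntegrity", 0) + _entry("HVCIMATRequired", 0)
```

On the working system, pass the bytes of the file written by LGPO.exe /w to `hvci_disabled`, read with `open(path, "rb").read()`; a result of `False` means the edit did not take effect and the file should not be copied back.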
