This module sets Advanced Security Policy settings on Windows.




4,664 latest version

5.0 quality score

Version information

  • 2.1.1 (latest)
released Apr 5th 2018
This version is compatible with:
  • Puppet Enterprise 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.7.0 < 6.0.0
  • windows

Start using this module


kpn/advanced_security_policy — version 2.1.1 Apr 5th 2018


Table of Contents

  1. Module Description
  2. Setup - The basics of getting started with advanced_security
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module


This module sets and enforces the advanced security policies for windows. We used Paul Cannons Local Security Policy as a 'blueprint' to read the policies from a template.

Module Description

This module uses LGPO.exe (v2.2) to configure the advanced security policies on Windows. LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. It can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted “LGPO text” files.


Setup Requirements

This module requires:

  • ADMX and ADML files with the policy settings to be set (in C:\Windows\PolicyDefinitions)
  • LGPO.exe needs to be installed in C:\Windows\System32 (Add the following code)
      include advanced_security_policy

What advanced_security_policy affects

  • Advanced security policies.
  • C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Beginning with advanced_security_policy

To start using advanced_security_policy, simply include the module and add the defined type statements in your profile. Then configure the policies you want to set. (for example in hiera)



policy(resource) name (required)

Type: 'String'
Default: '$title'
Values: Any valid advanced security subcategory
Description: The policy name matches the name in the policy editor


Type: 'String'
Default: 'present'
Values: 'present' or 'absent'
Description: When a policy is set, ensure will be 'present'. If a policy is to be set as 'not configured' then ensure must be set to 'absent'.


Type: 'String'
Values: 'enabled', 'disabled' or a value Description: This is the value to be set for the policy. This can be 'enabled', 'disabled' or a value to be set.


Example: Setting multiple security policies

  advanced_security_policy {'Turn off Autoplay':
    policy_value => '255',

  advanced_security_policy {Configuration of wireless settings using Windows Connect Now':
    policy_value => 'disabled'

  advanced_security_policy {'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)':
    policy_value => 'enabled',

  advanced_security_policy {'Security: Specify the maximum log file size (KB)':
    ensure         => 'absent',


Defined Types

  • advanced_security_policy


  • securitypolicy


This is where you list OS compatibility, version compatibility, etc.

This module works on:

  • Windows 2008 R2
  • Windows 2012 R2
  • Windows 2016


You can contribute by submitting issues, providing feedback and joining the discussions.

Go to:

If you want to fix bugs, add new features etc:

  • Fork it
  • Create a feature branch ( git checkout -b my-new-feature )
  • Apply your changes and update rspec tests
  • Run rspec tests ( bundle exec rake spec )
  • Commit your changes ( git commit -am 'Added some feature' )
  • Push to the branch ( git push origin my-new-feature )
  • Create new Pull Request