How to determine true Enabled/Disabled state of local policies (as shown in gpedit.msc)

Omer Yanay 0 Reputation points
2025-06-15T09:35:33.7166667+00:00

Hello,

I’m working on a local (non-domain) Windows 10-IOT machine and trying to programmatically determine whether specific local group policies are actually enabled or disabled — exactly as they appear in gpedit.msc.

I’ve tried reading the corresponding registry values under HKLM\SOFTWARE\Policies or HKCU\SOFTWARE\Policies, but many policies are misleading due to inverted logic. For example, a policy named "DisableX" may have a value of 0, which in practice means it's not disabled — i.e., the feature is active — even though the policy name is negative. This makes it extremely difficult to reliably infer the true policy state.

I also tried using the gpresult command, but it always returns “State: Enabled” for all policies, even when the group policy editor (gpedit.msc) clearly shows a policy as disabled. It only changes the value field, not the state.

What I’m trying to achieve is:

  • A reliable way to get the actual Enabled/Disabled state of each policy, as shown in gpedit.msc
  • Ideally, the same interpretation logic used by the PolicyAnalyzer tool (from the Security Compliance Toolkit), which correctly displays policy state as Enabled/Disabled in its UI and CSV export.

My goal is to do this entirely through code or scripts — no UI interaction.

Thank you very much,

Omer Yanay

Windows for business | Windows Server | Directory services | Deploy group policy objects
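
An added example, not part of the original question and not the logic of any Microsoft tool: one way to handle the inverted-logic problem described above is to compare each registry value with the `enabledValue`/`disabledValue` pair declared in the policy's ADMX definition. The ADMX fragment (trimmed to the attributes used), the Contoso key, the policy names and the registry values are constructed, and `Get-AdmxDecimal` and `Get-PolicyState` are hypothetical helper names.

```powershell
# Constructed ADMX fragment (Contoso names are illustrative, not real policies).
# DisableX and AllowY use opposite polarity for the DWORD they write.
[xml]$admx = @'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="DisableX" class="Machine" key="SOFTWARE\Policies\Contoso\Demo" valueName="DisableX">
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
    <policy name="AllowY" class="Machine" key="SOFTWARE\Policies\Contoso\Demo" valueName="BlockY">
      <enabledValue><decimal value="0" /></enabledValue>
      <disabledValue><decimal value="1" /></disabledValue>
    </policy>
    <policy name="AllowZ" class="Machine" key="SOFTWARE\Policies\Contoso\Demo" valueName="AllowZ">
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

# Constructed stand-in for values read from HKLM (key\valueName -> DWORD).
$registry = @{
    'SOFTWARE\Policies\Contoso\Demo\DisableX' = 0
    'SOFTWARE\Policies\Contoso\Demo\BlockY'   = 0
}

# Hypothetical helper: decimal declared under <enabledValue>/<disabledValue>, or $null.
function Get-AdmxDecimal($Policy, $ChildName) {
    $node = $Policy[$ChildName]
    if ($null -eq $node -or $null -eq $node['decimal']) { return $null }
    return [int64]$node['decimal'].GetAttribute('value')
}

# Hypothetical helper: map the raw value to the state the ADMX definition assigns it.
function Get-PolicyState($Policy, $Values) {
    $path = '{0}\{1}' -f $Policy.GetAttribute('key'), $Policy.GetAttribute('valueName')
    if (-not $Values.ContainsKey($path)) { return 'Not Configured' }
    $raw = [int64]$Values[$path]
    if ($raw -eq (Get-AdmxDecimal $Policy 'enabledValue'))  { return 'Enabled' }
    if ($raw -eq (Get-AdmxDecimal $Policy 'disabledValue')) { return 'Disabled' }
    return "Unrecognized value $raw"
}

foreach ($p in $admx.policyDefinitions.policies.policy) {
    [pscustomobject]@{ Policy = $p.GetAttribute('name'); State = (Get-PolicyState $p $registry) }
}
```

On a real machine the definitions are the `*.admx` files under `%SystemRoot%\PolicyDefinitions`. A policy whose `disabledValue` is `<delete />` leaves no value behind, so the registry alone cannot separate its Disabled state from Not Configured.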

1 answer

  1. Domic Vo 90 Reputation points Independent Advisor
    2025-08-08T11:15:49.5366667+00:00

    Dear Omer Yanay,

    Thank you for reaching out. I understand you're seeing the message:

    "Account has been locked. Contact your support person to unlock it, then try again."

    This typically occurs when Microsoft detects unusual activity or multiple failed login attempts. Since you're using a personal Microsoft account and don’t have access to an IT support team, here are steps you can follow to unlock your account:

    1. Go to the Microsoft Account Recovery Page:

       https://account.live.com/password/reset

    2. Choose “I think someone else is using my Microsoft account” and follow the prompts to verify your identity.
    3. If you're unable to reset your password or unlock the account through that page, please visit:

       https://support.microsoft.com/account-recovery

    4. You may be asked to provide:

       - The email address associated with your account

       - A backup email or phone number (if previously set up)

       - Any recent activity or details to confirm ownership

    If you continue to experience issues, you can also contact Microsoft Support directly:

    https://support.microsoft.com/contactus

    Please let me know once you've tried these steps or if you need further assistance.

    Best regards, 

    Domic Vo
