How to Reset Local Security Policy Settings to Default in Windows 11 & 10

Aseem Kishore
·
4 min read

Help Desk Geek is reader-supported. We may earn a commission when you buy through links on our site. Learn more.

Man typing on a laptop at a wooden desk; a sticky note reading RESET sits beside a mug, with a settings window open on screen.

Leftover Group Policy restrictions from a previous domain environment can block you from installing printers, changing passwords, or even logging in normally, and simply removing the PC from the domain doesn’t clear them. One secedit command resets every local security policy back to Windows defaults.

Before You Start: Back Up First

Resetting local security policy touches password rules, audit settings, user rights, and firewall behavior. Take a full system backup or at minimum export your current policy before running anything.

  1. Press Windows + R, type secpol.msc, and press Enter to open Local Security Policy.
  2. Click Action > Export Policy and save the .inf file somewhere safe.
Local Security Policy window (secpol.msc) open in Windows 11, with the Action menu expanded showing the Export Policy option

Fix #1: Reset Local Security Policy with secedit (Windows 11 and 10)

This single command reads Windows’ built-in default security template (defltbase.inf) and applies it to your system, overwriting any custom or domain-inherited policy settings.

  1. Click Start, type cmd, then right-click Command Prompt and select Run as administrator.
Windows 11 Start menu search showing
  1. Copy and paste the following command, then press Enter:
secedit /configure /cfg %SystemRoot%\inf\defltbase.inf /db defltbase.sdb /verbose
Administrator Command Prompt in Windows 11 with the secedit command entered and output text showing the reset process running
  1. Wait for the command to finish — it processes every security setting in the registry and takes a minute or two. You’ll see a stream of status lines as it works.
  2. Restart your PC to apply the changes.

After rebooting, open secpol.msc and verify the settings look like clean Windows defaults — no unusual password length requirements, no locked-down user rights assignments.

Fix #2: Reset Individual Policies Manually via secpol.msc

If you only need to undo a few specific settings rather than wiping everything, the Local Security Policy console lets you revert individual items without touching the rest.

  1. Press Windows + R, type secpol.msc, and press Enter.
  2. Navigate to the policy category causing the problem — for example, Account Policies > Password Policy.
  3. Double-click the specific setting you want to revert.
  4. Set it back to its documented Windows default value (Microsoft’s Security Baselines documentation lists every default), then click OK.
Local Security Policy (secpol.msc) in Windows 11 with Account Policies/> Password Policy expanded and a policy properties dialog open showing the default value

Fix #3: Enable Local Security Policy on Windows Home Edition

Windows 11 Home and Windows 10 Home don’t include Local Security Policy Manager by default — secpol.msc will throw an error if you try to open it. You can add it back using DISM.

  1. Click Start, type cmd, right-click Command Prompt, and select Run as administrator.
  2. Run this command to install the Group Policy Client Tools package:
FOR %F IN ("%SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~*.mum") DO (DISM /Online /NoRestart /Add-Package:"%F")
  1. Then run this command to install the Group Policy Client Extensions:
FOR %F IN ("%SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~*.mum") DO (DISM /Online /NoRestart /Add-Package:"%F")
  1. Restart your PC, then try opening secpol.msc again. It should load normally now.
  2. Once it’s open, run the secedit command from Fix #1 to reset all policies to default.
Administrator Command Prompt in Windows 11 Home with the DISM FOR loop command running and package installation output visible

Fix #4: Diagnose Policies That Keep Coming Back (GPO Conflicts)

If your security policies reset themselves after every reboot, a domain Group Policy Object (GPO) is overriding your local settings — the secedit reset won’t stick until you find and fix the conflict.

  1. Click Start, type cmd, right-click Command Prompt, and select Run as administrator.
  2. Run the Group Policy Results tool to see which GPOs are actively applying:
gpresult /h C:\GPReport.html
  1. Open C:\GPReport.html in your browser.
  2. Look for the Winning GPO column next to any policy that shouldn’t be applied — this identifies exactly which GPO is overriding your local settings.
  3. If the PC is still joined to a domain, contact your domain administrator to correct or remove the conflicting GPO. If it should be off the domain, remove it via Settings > System > About > Rename this PC (advanced) > Change and set it to a workgroup.
GPReport.html open in a browser showing the Applied GPOs section with the Winning GPO column highlighted for a conflicting policy entry

When None of These Work

If the secedit command errors out and DISM can’t restore the Group Policy tools, your Windows installation may have underlying corruption. Run sfc /scannow followed by DISM /Online /Cleanup-Image /RestoreHealth in an elevated Command Prompt, then try Fix #1 again. If the corruption is severe, an in-place upgrade repair install of Windows 11 is the cleanest path forward without losing your files.

Conclusion

The secedit command in Fix #1 resolves this for the vast majority of cases — it takes under two minutes and a single reboot. If policies keep reverting after that, you’re dealing with an active GPO conflict (Fix #4) rather than a stale local policy, which is a different problem entirely and worth investigating before assuming something is broken.