Group Policy – Use a Custom Security Template in a Group Policy to Globally Manage the LxssManager Service

This article explains how to create a custom security template from a workstation machine and then import that template into a group policy object to globally manage the LxssManager service for multiple workstations. In my environment, the option to manage this service via GPO was not natively available. It’s possible that ADMX templates are available for this, but I just manually created a template from my workstation in order to get the policy up and running quickly.

Note: these steps can be followed to create all kinds of security templates and group policies, and are not restricted to just system services.

Dependencies

Before following the steps below, I installed the WSL feature on my workstation by completing the following steps:

  1. Open Applications and Features (appwiz.cpl)
  2. Click ‘Turn Windows Features on or off’
  3. Scroll down in the list and check the box for ‘Windows Subsystem for Linux’
  4. Click Ok
  5. Reboot the workstation when prompted

This installs WSL (and more specifically the LxssManager service, which is necessary in order to complete the steps below).

Creating the Security Template

On the machine that is running WSL:

  1. Open mmc.exe
  2. Add the Security Templates snap-in
  3. Expand the Security Templates object and right-click the path to your current user’s security templates directory. Click New Template…
  4. Provide a name and description for the security template
  5. The new security template will appear under your current user’s security templates directory. Expand the object and navigate to ‘System Services’.
  6. In the list, find the service you want to configure (in my case, LxssManager). Right-click the service and click Properties
  7. Check the ‘Define this policy setting in the template’ check box.
  8. Select the appropriate service startup mode and assign Security permissions as necessary
  9. Click Apply/Ok to close out of the Properties window.
  10. Right-click the security template object in the navigation tree and click Save. Alternatively, you can just close the MMC.exe window, and Windows will prompt you to save your edited security template.
  11. If necessary, move this file to a location accessible by a machine that has the Remote Server Administration Tools installed.

Importing the Security Template into a Group Policy Object

On a machine that has RSAT installed, open the Group Policy Management Console (gpmc.msc) as a Domain Administrator.

  1. Create a new Group Policy Object and name it, or open (edit) an existing policy that you want to use.
  2. Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings.
  3. Right-click on Security Settings and click Import Policy…
  4. Find the security template file that you created in the section above, select it and click Open.
  5. Open ‘System Services’ and verify that you see the ‘LxssManager’ service.
  6. If necessary, make any additional edits to the service’s properties.
  7. Close the GPO editor and if not done already, apply the GPO to the appropriate Organizational Unit (OU).

Testing the GPO

Group Policies update on domain machines every 90-120 minutes. To speed up the process, run the following command on a machine that resides under the targeted OU to update its group policies immediately:

gpupdate /force

You can also view which policies are currently applied to the machine using the following command. To view Computer policies, the shell must be opened as a local administrator user.

gpresult /r

If all worked as expected, the LxssManager service should have received the settings specified in the group policy (verify in services.msc). If you are unable to view the LxssManager service, you may need to open services.msc as a local administrator user or modify the Security settings for the LxssManager service in the group policy object you created.
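
To confirm the result from the command line instead of services.msc, the following added example (not part of the original article) reads the service entry from a saved security template and compares it with the live service on the workstation. The embedded template text and its SDDL string are constructed sample data, and the entry layout (name, startup code, SDDL) is assumed to match what the Security Templates snap-in saves.

```powershell
# Added example, not from the original article.
# Constructed sample template; in practice use: Get-Content <path to your saved .inf>
$sampleTemplate = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"LxssManager",4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
'@ -split "`r?`n"

function Get-TemplateServiceSetting {
    param([string[]] $TemplateLines, [string] $ServiceName)
    $inSection = $false
    foreach ($raw in $TemplateLines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = $Matches[1] -eq 'Service General Setting'
            continue
        }
        if (-not $inSection) { continue }
        # Entry layout: name, startup code (2=Automatic, 3=Manual, 4=Disabled), "SDDL"
        if ($line -match '^"?([^",]+)"?\s*,\s*([234])\s*,\s*"([^"]*)"$' -and $Matches[1] -eq $ServiceName) {
            return [pscustomobject]@{ Startup = [int]$Matches[2]; Sddl = $Matches[3] }
        }
    }
}

function Compare-ServiceToTemplate {
    param([string[]] $TemplateLines, [string] $ServiceName = 'LxssManager')
    $want = Get-TemplateServiceSetting -TemplateLines $TemplateLines -ServiceName $ServiceName
    if (-not $want) { throw "Template has no System Services entry for $ServiceName" }
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service $ServiceName not found or not visible to this user" }
    $modes = @{ 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }   # Win32_Service.StartMode names
    [pscustomobject]@{
        Service         = $ServiceName
        ExpectedStartup = $modes[$want.Startup]
        ActualStartup   = $svc.StartMode
        StartupMatches  = $modes[$want.Startup] -eq $svc.StartMode
        TemplateSddl    = $want.Sddl
        # Live security descriptor as reported by the Service Control Manager
        LiveSddl        = (& sc.exe sdshow $ServiceName | Where-Object { $_.Trim() }) -join ''
    }
}

Compare-ServiceToTemplate -TemplateLines $sampleTemplate | Format-List
```

The two SDDL strings are listed side by side for manual review rather than compared as text, because the Service Control Manager can report the descriptor in a different textual form than the template stores it.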