Windows 11 GPO lockup

[Johncoool]

So while migrating from an old device running Win 10 home to a new device running Win 11 pro, I faced a strange issue. I am mentioning the version of windows because pro is the one that can be controlled by enterprise.

They are not the same device, so the installation is fresh and all was good on Lenovo V15 a business laptop running Win 11 pro.

I lost access to several parts of the O/S and are now being controlled by an organization. It is controlling what can be added to start up items and unable to edit the power and battery setting in regards to the energy feature. It is greyed out and say that it is managed by an organization.

This is a personal device and has no accounts other than a local account, It is not connected to a school or work accounts.

This issue seems like it started after adding the same account that was being used in Windows 7 or 10 home on Chrome. The chrome account is being used only in the Chrome browser and it is a custom domain corporate account.

But Chrome has no control over the GPO and there are no other accounts.

The account was removed and this did not help. Also reset Chrome to default and that did not help and also removed Chrome and nothing changed.

Also tried many tips from the web to get control back on the O/S.

Before I resort to resetting windows, I need to know the cause. I need to know what is causing this lockup so that it does not happen again. I did not have System restore enabled to double check this.

I tried to use tips from other AI but they did not help at all.

 

[ChatGPT]

Hi Johncoool,
I agree with your instinct: Chrome itself should not be able to apply Windows GPO/MDM policy. A corporate Google/Chrome account can manage Chrome browser policies, but if Windows Settings says “managed by your organization”, that usually comes from one of these:

1. Windows was accidentally registered/enrolled with a work/school tenant.
2. A local policy or registry policy was set by a tweak tool, debloat script, privacy tool, Lenovo/OEM utility, or copied configuration.
3. A provisioning package / Autopilot / MDM remnant exists on the new device.
4. Less likely: the device was previously business-managed before sale or imaging.

The goal is to identify which one before resetting.

1. Check if Windows is Azure/MDM/workplace joined​

Open Command Prompt as your normal user, not elevated first, and run:
dsregcmd /status > "%USERPROFILE%\Desktop\dsregcmd-status.txt"
Then open dsregcmd-status.txt and look for these lines:

AzureAdJoined
EnterpriseJoined
DomainJoined
WorkplaceJoined
TenantName
MdmUrl
MdmTouUrl
MdmComplianceUrl
WamDefaultAuthority

Expected for a personal local-account PC:

AzureAdJoined : NO
EnterpriseJoined : NO
DomainJoined : NO
WorkplaceJoined : NO
MdmUrl :

If WorkplaceJoined = YES, AzureAdJoined = YES, or there is an MdmUrl, then Windows was connected to an organization at some point.

2. Check Access work or school again​

1. Open Settings.
2. Go to Accounts.
3. Open Access work or school.
4. If anything appears there, select it.
5. Choose Disconnect.
6. Reboot.

Also check:

1. Go to Settings > Accounts > Email & accounts.
2. Remove any account listed under Accounts used by other apps that belongs to the corporate/custom domain.
3. Reboot.

Important: When adding a work account to Windows, Microsoft sign-in screens sometimes include a checkbox like “Allow my organization to manage this device”. If that was ever accepted, Windows can enroll in management even if you mostly use a local account.

3. Check actual Group Policy results​

Run this from an elevated Command Prompt:
gpresult /h "%USERPROFILE%\Desktop\gpresult.html"
Open the generated gpresult.html.
Look for:

Applied Group Policy Objects
Local Group Policy
MDM Policy
Power Management
Start Menu and Taskbar
Logon

If it only shows Local Group Policy, then the issue is probably local policy/registry, not a real company managing the PC.

4. Check the Energy Saver policy specifically​

The Windows 11 energy setting you mentioned can be controlled by policy.
Run:
reg query "HKLM\SOFTWARE\Policies\Microsoft\Power\EnergySaver" /s
If you see this value:
EnableEnergySaver
That explains the greyed-out energy feature. The Group Policy location is:
Computer Configuration > Administrative Templates > System > Power Management > Energy Saver Settings
If using gpedit.msc:

1. Press Win + R.
2. Run:

gpedit.msc

1. Go to:

Computer Configuration > Administrative Templates > System > Power Management > Energy Saver Settings

1. Set any configured Energy Saver policies to Not Configured.
2. Run:

gpupdate /force

1. Reboot.

5. Check common policy registry locations​

Do not delete these blindly. First export them.
Run these commands:

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows" /s > "%USERPROFILE%\Desktop\HKLM-Windows-Policies.txt"
reg query "HKCU\SOFTWARE\Policies\Microsoft\Windows" /s > "%USERPROFILE%\Desktop\HKCU-Windows-Policies.txt"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" /s > "%USERPROFILE%\Desktop\HKLM-CurrentVersion-Policies.txt"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" /s > "%USERPROFILE%\Desktop\HKCU-CurrentVersion-Policies.txt"

Then search those text files for:

Explorer
System
Power
EnergySaver
Run
Startup
Disable
No
Hide
Policy

These locations are where many “managed by organization” messages come from.

6. Check for MDM enrollment remnants​

Run:
reg query "HKLM\SOFTWARE\Microsoft\Enrollments" /s > "%USERPROFILE%\Desktop\Enrollments.txt"
Open Enrollments.txt and look for:

UPN
TenantID
DiscoveryServiceFullURL
EnrollmentType
ProviderID

If you see the corporate domain or an MDM URL, that is a strong sign that the device enrolled or partially enrolled.

7. Create an MDM diagnostic report​

Run this from an elevated Command Prompt:
mdmdiagnosticstool.exe -area "DeviceEnrollment;DeviceProvisioning;Autopilot" -zip "C:\Users\Public\Documents\MDMDiagReport.zip"
Then check:
C:\Users\Public\Documents\
If the report shows MDM server details, tenant IDs, or policies, then the cause is not Chrome directly; it is Windows device management/enrollment.

8. Undo path if local policy is the cause​

Before changing policy/registry:

1. Create a restore point.
2. Press Win + R.
3. Run:

SystemPropertiesProtection.exe

1. Enable protection for C: if needed.
2. Click Create.

If you identify local policy as the cause, use gpedit.msc first rather than registry deletion.
After setting policies to Not Configured, run:
gpupdate /force
Then reboot.

My best guess​

Based on your description, the most likely causes are:

1. A work/custom-domain account was added to Windows at some point, not just Chrome, and Windows performed Workplace Join or MDM enrollment.
2. A local policy/registry value was set, possibly by a privacy/tweak script, Lenovo business configuration utility, or one of the “tips from the web.”
3. The Lenovo business laptop has an OEM/business provisioning setting, less common but possible.

The Chrome account alone should not grey out Windows power/startup settings. If Chrome caused anything, it would usually say Chrome is managed by your organization inside Chrome, not in Windows Settings.
If you post the redacted output for only these lines, I can tell you which branch you are on:

AzureAdJoined
EnterpriseJoined
DomainJoined
WorkplaceJoined
TenantName
MdmUrl
MdmTouUrl
MdmComplianceUrl
WamDefaultAuthority

 

[Johncoool]

None of those showed any information that show any reason for the issue. This is a new device and fresh install and there has never been any connection to work or school account at all.

How to find out who is the device registered to? since it was setup by the shop owner.

The issue only showed up after the Chrome connection.

 

[ChatGPT]

Hi Johncoool,
If dsregcmd, MDM diagnostics, and Access Work/School show nothing, then the PC is probably not actively registered to an organization. In that case, the “managed by your organization” message is most likely caused by local policy registry entries, not a live GPO/MDM connection.
But since the shop owner did the setup, there are a few things you can check.

1. Check the Windows “registered owner”​

This only shows the local Windows registration info. It does not prove Microsoft account ownership, but it may show what name/organization was entered during setup.

1. Open Command Prompt as Administrator.
2. Run:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v RegisteredOwner
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v RegisteredOrganization

You can also check:
winver
If the shop owner entered their name or company, it may appear there.
To change it:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v RegisteredOwner /t REG_SZ /d "Johncoool" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v RegisteredOrganization /t REG_SZ /d "" /f

2. Check whether the shop used a Microsoft account​

1. Go to Settings > Accounts > Your info.
2. Confirm whether it says Local account or a Microsoft account email.
3. Go to Settings > Accounts > Email & accounts.
4. Check Accounts used by other apps.
5. Remove anything you do not recognize.

If it is a local account and nothing is listed there, then the device is likely not tied to the shop owner’s Microsoft account anymore.

3. Check if the device is in Windows Autopilot / provisioning​

This is important on business laptops. A Lenovo V15 sold as a business device could theoretically have been registered in Autopilot by a previous owner or reseller.
Run these commands as Administrator:

reg query "HKLM\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot" /s
reg query "HKLM\SOFTWARE\Microsoft\Provisioning\AutopilotSettings" /s
reg query "HKLM\SOFTWARE\Microsoft\Enrollments" /s

Look for values such as:

CloudAssignedTenantId
CloudAssignedTenantDomain
CloudAssignedOobeConfig
TenantId
UPN
EnrollmentType
DiscoveryServiceFullURL

If all of those are empty or missing, Autopilot/MDM is probably not the cause.

4. Generate a full local policy report​

Even if the device is not domain joined, local policies can still exist.
Run:

gpresult /scope computer /h "%USERPROFILE%\Desktop\computer-policy.html"
gpresult /scope user /h "%USERPROFILE%\Desktop\user-policy.html"

Open both files and check whether anything is listed under:

Administrative Templates
Power Management
Start Menu and Taskbar
System
Logon

If the only source is Local Group Policy, then the issue is on the machine itself.

5. Check the exact registry policy causing the lockout​

For your power/energy issue, check:

reg query "HKLM\SOFTWARE\Policies\Microsoft\Power" /s
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /s
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows" /s
reg query "HKCU\SOFTWARE\Policies\Microsoft\Windows" /s

For startup-app restrictions, also check:

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" /s
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /s
reg query "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /s
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /s
reg query "HKCU\SOFTWARE\Policies\Microsoft\Windows\System" /s

If you want easier review, export them to text files:

reg query "HKLM\SOFTWARE\Policies" /s > "%USERPROFILE%\Desktop\HKLM-Policies.txt"
reg query "HKCU\SOFTWARE\Policies" /s > "%USERPROFILE%\Desktop\HKCU-Policies.txt"

Then search the files for:

Power
EnergySaver
Explorer
Startup
Run
Disable
NoControlPanel
NoAddFromStartMenu
NoChanging
Hide

6. Check Chrome policy separately​

Because the timing points to Chrome, check whether the corporate Google account pushed Chrome browser policies.
In Chrome, open:
chrome://policy
Click Reload policies.
If policies appear there, they are Chrome policies. They can affect Chrome, extensions, browser startup, password manager, etc. They should not normally control Windows 11 Power/Battery settings.
Also check the registry:

reg query "HKLM\SOFTWARE\Policies\Google" /s
reg query "HKCU\SOFTWARE\Policies\Google" /s

If those exist, Chrome is managed. But again, that should not grey out Windows Energy Saver or Windows startup-app settings.

7. Check Lenovo utilities​

Since this is a Lenovo business laptop, also check Lenovo Vantage / Commercial Vantage settings.

1. Open Installed apps.
2. Look for:

Lenovo Vantage
Lenovo Commercial Vantage
Lenovo System Interface Foundation
Lenovo Hotkeys
Lenovo Device Intelligence

1. Open Lenovo Vantage/Commercial Vantage.
2. Check power, battery conservation, energy, and enterprise/device-management options.
3. Temporarily uninstall Lenovo Commercial Vantage if present.
4. Reboot and check the Windows settings again.

Lenovo Commercial Vantage is more likely than normal Chrome to apply business-style power policies.

8. Reset local Group Policy only​

If you are sure the PC is not domain/MDM joined, you can reset local policy.
Warning: This removes local Group Policy settings. Create a restore point first.

1. Open Command Prompt as Administrator.
2. Run:

mkdir "%USERPROFILE%\Desktop\PolicyBackup"
xcopy "%SystemRoot%\System32\GroupPolicy" "%USERPROFILE%\Desktop\PolicyBackup\GroupPolicy" /E /H /C /I
xcopy "%SystemRoot%\System32\GroupPolicyUsers" "%USERPROFILE%\Desktop\PolicyBackup\GroupPolicyUsers" /E /H /C /I

1. Then reset local policy:

rd /s /q "%SystemRoot%\System32\GroupPolicy"
rd /s /q "%SystemRoot%\System32\GroupPolicyUsers"
gpupdate /force

1. Reboot.

To undo, copy the backed-up folders back from:
%USERPROFILE%\Desktop\PolicyBackup

My view on the Chrome timing​

The Chrome connection may be a trigger/correlation, but I still doubt Chrome directly changed Windows GPO. More likely one of these happened:

1. The corporate Google account made Chrome show as managed, and Windows already had local policies from setup.
2. The shop/OEM setup included Lenovo/business policy defaults.
3. A web “fix” or tweak changed registry policies after the issue appeared.
4. A hidden provisioning/Autopilot remnant exists, though your earlier checks make this less likely.

The fastest next step is to post the output of these, with any email/domain/TenantId redacted:

reg query "HKLM\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot" /s
reg query "HKLM\SOFTWARE\Policies\Microsoft\Power" /s
reg query "HKLM\SOFTWARE\Policies\Google" /s
reg query "HKCU\SOFTWARE\Policies\Google" /s

Those should tell us whether this is Autopilot/provisioning, Windows local policy, Chrome policy, or Lenovo/OEM behavior.

 

[Johncoool]

Nothing unusual showed up. the only thing the shop owner did is that he activated office. but he does not have GPO.

Vantage was uninstalled. We need to see if there is an energy app that is controlling the settings.

 

[ChatGPT]

Hi Johncoool,
Yes — that is the right direction. If no domain, MDM, Autopilot, or obvious policy source appears, then look for a local power/energy utility, service, driver, scheduled task, or Lenovo leftover.
One important point: a normal app usually cannot grey out Windows Settings unless it writes policy keys, installs a service/driver, or uses an OEM power-management component.

1. Check for remaining Lenovo/power services​

Open PowerShell as Administrator and run:

Get-Service | Where-Object {
    $_.Name -match "lenovo|vantage|power|energy|battery|thermal|imcontroller|utility" -or
    $_.DisplayName -match "lenovo|vantage|power|energy|battery|thermal|imcontroller|utility"
} | Sort-Object DisplayName | Format-Table Name, DisplayName, Status, StartType -Auto

Look especially for:

Lenovo Vantage Service
Lenovo System Interface Foundation
LenovoVantageService
ImControllerService
Lenovo Intelligent Thermal Solution
Power Management
Battery Gauge
Energy Management

If something suspicious appears, do not delete it yet. First set it to manual/disabled for testing.
Example:

Stop-Service "ServiceNameHere" -Force
Set-Service "ServiceNameHere" -StartupType Disabled

Undo:

Set-Service "ServiceNameHere" -StartupType Automatic
Start-Service "ServiceNameHere"

2. Check installed desktop programs​

Run:

Get-ItemProperty `
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", `
"HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", `
"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" `
-ErrorAction SilentlyContinue |
Where-Object {
    $_.DisplayName -match "lenovo|vantage|power|energy|battery|thermal|office|optimizer|tune|manager"
} |
Select-Object DisplayName, Publisher, InstallDate, DisplayVersion |
Sort-Object DisplayName

Post any results that mention power, energy, thermal, battery, optimizer, or Lenovo.

3. Check Microsoft Store/OEM apps​

Run:

Get-AppxPackage |
Where-Object {
    $_.Name -match "lenovo|vantage|power|energy|battery|thermal"
} |
Select-Object Name, Publisher, PackageFullName

Also check provisioned apps:

Get-AppxProvisionedPackage -Online |
Where-Object {
    $_.DisplayName -match "lenovo|vantage|power|energy|battery|thermal"
} |
Select-Object DisplayName, PackageName

4. Check scheduled tasks​

OEM tools often use scheduled tasks even after the main app is removed.
Run:

Get-ScheduledTask |
Where-Object {
    $_.TaskName -match "lenovo|vantage|power|energy|battery|thermal|imcontroller" -or
    $_.TaskPath -match "lenovo|vantage|power|energy|battery|thermal|imcontroller"
} |
Select-Object TaskName, TaskPath, State

If suspicious tasks appear, disable one at a time:
Disable-ScheduledTask -TaskName "TaskNameHere" -TaskPath "\TaskPathHere\"
Undo:
Enable-ScheduledTask -TaskName "TaskNameHere" -TaskPath "\TaskPathHere\"

5. Check startup entries​

Run:

Get-CimInstance Win32_StartupCommand |
Where-Object {
    $_.Name -match "lenovo|vantage|power|energy|battery|thermal|imcontroller" -or
    $_.Command -match "lenovo|vantage|power|energy|battery|thermal|imcontroller"
} |
Select-Object Name, Command, Location, User

Also check in Task Manager:

1. Press Ctrl + Shift + Esc.
2. Open Startup apps.
3. Disable anything related to Lenovo, Power, Energy, Battery, Thermal, or Optimizer.
4. Reboot.

6. Check power configuration report​

This may show what is changing power behavior.
Run:

powercfg /getactivescheme
powercfg /list
powercfg /qh > "%USERPROFILE%\Desktop\powercfg-full.txt"
powercfg /requests

Then run the energy report:
powercfg /energy /duration 60 /output "%USERPROFILE%\Desktop\energy-report.html"
Open:
Desktop\energy-report.html
This will not always identify the exact app, but it can show drivers/services affecting power management.

7. Do a clean boot test​

This is the fastest way to prove whether a third-party service is doing it.

1. Press Win + R.
2. Run:

msconfig

1. Go to Services.
2. Check Hide all Microsoft services.
3. Click Disable all.
4. Open Task Manager > Startup apps.
5. Disable all non-Microsoft startup apps.
6. Reboot.
7. Check whether the greyed-out Energy/Startup settings return.

If the settings unlock after clean boot, then a third-party service/app is responsible.
To undo:

1. Run msconfig.
2. Select Normal startup.
3. Re-enable startup apps.
4. Reboot.

8. Check if Office activation added a work account​

Since the shop owner activated Office, check this carefully.

1. Open any Office app.
2. Go to File > Account.
3. Look under User Information and Connected Services.
4. Remove any account that is not yours.
5. In Windows, go to Settings > Accounts > Email & accounts.
6. Remove any shop/company/work account under Accounts used by other apps.

Office itself should not set Windows power policy, but a business Office/Microsoft 365 sign-in can sometimes add a work account if someone allowed device management.

9. My recommended next test​

Do these in this order:
Get-Service | Where-Object {$_.DisplayName -match "lenovo|vantage|power|energy|battery|thermal|imcontroller"} | Format-Table Name,DisplayName,Status,StartType -Auto
Then:
Get-ScheduledTask | Where-Object {$_.TaskName -match "lenovo|vantage|power|energy|battery|thermal|imcontroller" -or $_.TaskPath -match "lenovo|vantage|power|energy|battery|thermal|imcontroller"} | Select TaskName,TaskPath,State
Then try a clean boot.
If clean boot fixes it, we can narrow it down by re-enabling services in batches. If clean boot does not fix it, the lockout is almost certainly from a registry policy, local GPO, or Windows/Office account registration, not a running energy app.

 

[Johncoool]

I dont want to do a clean boot. sometimes those lock up the system.

Any new user added is locked as soon as connected.

Office is not showing account details but it does give message that it is controlled by org admin and dont have full access to all features.

however, it has been installed since the 1st day and did not see any issues until lately... and it is now installed with same activation on win 11 home and no issues.

I told you that vantage and its services have been removed...

 

[ChatGPT]

Hi Johncoool,
Understood — skip the clean boot. If every new Windows user becomes locked too, that points away from a per-user profile problem and toward a machine-wide policy, usually under HKLM, PolicyManager, or Office/Click-to-Run policy storage.
Also, if Office says “controlled by org admin”, I would stop treating Chrome or Vantage as the main suspect. That usually means Office itself is installed/activated as a business/enterprise-managed Office build or has Office policy keys applied. It may not affect Windows power directly, but it tells us there is an organization policy source somewhere on the machine.

First clarification​

When you say:

“Any new user added is locked as soon as connected”

Do you mean connected to:

Internet?
Chrome account?
Microsoft account?
Office activation?
Wi-Fi?

That detail matters.

1. Check Office activation type​

Open Command Prompt as Administrator and run these one at a time:

cd /d "%ProgramFiles%\Microsoft Office\Office16"
cscript ospp.vbs /dstatus

If that path fails, try:

cd /d "%ProgramFiles(x86)%\Microsoft Office\Office16"
cscript ospp.vbs /dstatus

Look for these lines:

LICENSE NAME
LICENSE DESCRIPTION
KMS
MAK
RETAIL
O365
GRACE

If you see KMS, MAK, Volume, or a company name, the shop likely activated Office using a business/volume method. That would explain the Office “org admin” message.

2. Check Office policy keys​

Run:

reg query "HKLM\SOFTWARE\Policies\Microsoft\Office" /s
reg query "HKCU\SOFTWARE\Policies\Microsoft\Office" /s
reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun" /s

If the first two return many settings, Office is being policy-controlled locally.
To export for review:

reg export "HKLM\SOFTWARE\Policies\Microsoft\Office" "%USERPROFILE%\Desktop\Office-HKLM-Policies.reg"
reg export "HKCU\SOFTWARE\Policies\Microsoft\Office" "%USERPROFILE%\Desktop\Office-HKCU-Policies.reg"

Do not post product keys or account IDs if they appear.

3. Check Windows PolicyManager, not only Group Policy​

Windows 11 often stores MDM/CSP-style policies here even when normal GPO tools show little.
Run these:

reg query "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device" /s > "%USERPROFILE%\Desktop\PolicyManager-Device.txt"
reg query "HKLM\SOFTWARE\Microsoft\PolicyManager\current\user" /s > "%USERPROFILE%\Desktop\PolicyManager-User.txt"

Then search both text files for:

Power
Energy
EnergySaver
Start
Startup
Explorer
Office
Cloud
Policy

Also run this direct check:

reg query "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Power" /s
reg query "HKLM\SOFTWARE\Microsoft\PolicyManager\current\user\Power" /s

If you see EnableEnergySaver or similar values there, that is likely the Windows power lock.

4. Search the full registry for the energy lock​

This is more targeted than guessing apps.
Run from PowerShell as Administrator:

reg query HKLM /f EnergySaver /s > "$env:USERPROFILE\Desktop\Search-HKLM-EnergySaver.txt"
reg query HKCU /f EnergySaver /s > "$env:USERPROFILE\Desktop\Search-HKCU-EnergySaver.txt"
reg query HKLM /f EnableEnergySaver /s > "$env:USERPROFILE\Desktop\Search-HKLM-EnableEnergySaver.txt"
reg query HKCU /f EnableEnergySaver /s > "$env:USERPROFILE\Desktop\Search-HKCU-EnableEnergySaver.txt"

If Windows says the setting is managed, there is usually a value somewhere like:

EnableEnergySaver
EnergySaverBatteryThresholdOnBattery
EnergySaverBatteryThresholdPluggedIn

5. Check the exact policy source with Event Viewer​

This avoids clean boot.

1. Press Win + R.
2. Run:

eventvwr.msc

1. Go to:

Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin

1. Look for recent events around the time the lock started.
2. Also check:

Applications and Services Logs > Microsoft > Windows > GroupPolicy > Operational
Look for messages about policy application, registry policy, or CSP policy.

6. Check if Office installed machine-wide policy templates/settings​

Run:
reg query "HKLM\SOFTWARE\Policies\Microsoft" /s | findstr /i "office power energy startup explorer"
Also:
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy" /s
If this finds Office and Windows policy values together, the shop’s setup may have applied a local policy package.

7. If Office is the only thing showing “org admin”​

If Office shows controlled by org admin but Windows has no MDM/GPO evidence, then Office may simply be activated with a managed license.
In that case, I would remove Office completely and reinstall clean using your own Microsoft account/license.
Procedure:

1. Download Microsoft’s Office uninstall tool from Microsoft Support.
2. Remove all Office installations.
3. Reboot.
4. Check this folder and remove leftovers if present:

C:\Program Files\Microsoft Office
C:\Program Files (x86)\Microsoft Office

1. Reinstall Office using your own Microsoft account or your own product key.
2. Reboot.
3. Check whether the Windows lock messages remain.

Important: If the Windows lock remains after Office is removed, Office was not the cause. If Office “org admin” disappears but Windows remains locked, then both were separate policy issues.

8. I would not focus on Vantage anymore​

Since you removed Vantage and services, and because new users are affected, this is probably not a normal Lenovo app problem.
The most likely causes now are:

1. Office was activated with a business/volume/admin-controlled license.
2. A local machine policy exists under HKLM or PolicyManager.
3. A shop setup script/provisioning package applied policy.
4. Windows has machine-wide CSP policy remnants even though normal account checks look clean.

Best next output to post​

Please post the results of these only, with any license/account/company info redacted:

cscript ospp.vbs /dstatus
reg query "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Power" /s
reg query "HKLM\SOFTWARE\Policies\Microsoft\Power" /s
reg query "HKLM\SOFTWARE\Policies\Microsoft\Office" /s

That should tell us whether the lock is coming from Office licensing/policy, Windows CSP PolicyManager, or a normal local registry policy.

 

[Johncoool]

i meant, when a new local account is added it has the exact same right away.

Take a look online and see if anyone faced these issues with Chrome before.

 

[ChatGPT]

Hi Johncoool,
I checked online specifically for Chrome causing Windows 11 itself to show Power/Battery/Startup settings managed by organization. I found many cases of Chrome browser saying “Managed by your organization”, but I did not find credible evidence that simply signing into Chrome with a managed Google account applies Windows OS GPO or locks Windows Power/Battery settings.
What Google documents is this:

• A managed Google/Workspace account can apply Chrome user policies when that account signs into Chrome. Those policies follow the Chrome profile/account, not the whole Windows OS.
• Chrome browser can also be managed on Windows through Chrome registry policy keys, mainly under Software\Policies\Google\Chrome.
• Google’s own help says Chrome management controls Chrome features, extensions, monitoring, and browser behavior. It does not describe controlling Windows power settings.
• Online user reports are mostly about Chrome/Edge browser management messages, often caused by registry policies, extensions, security tools, or unwanted software.

So based on your latest detail:

“when a new local account is added it has the exact same right away”

That strongly suggests a machine-wide Windows policy, not a Chrome profile policy.

What the Chrome timing likely means​

The Chrome sign-in may have been the event where you first noticed it, but if a brand-new local Windows account is affected immediately, then the setting is probably under:

HKLM
Local Group Policy
PolicyManager
Provisioning
Security baseline
Office/device policy remnants

Not under the Chrome user profile.

Check Chrome policy source anyway​

In Chrome, open:
chrome://policy
Look at the Source column.
Common meanings:

Platform = Windows registry/local policy
Cloud = Google Admin/Chrome cloud policy
Cloud User = policy from the signed-in Google Workspace account

If the policies are Cloud User, they came from the corporate Google account and should only control Chrome.
If the policies are Platform, Windows registry keys are controlling Chrome.
Also open:
chrome://management
If it says the browser is managed, that confirms Chrome policy exists. It still does not prove Windows OS policy came from Chrome.

Remove Chrome policies for testing only​

This will not reset Windows power policy, but it will prove whether Chrome policy is separate.
Create a restore point first.

1. Open Command Prompt as Administrator.
2. Export the Chrome policy keys:

reg export "HKLM\SOFTWARE\Policies\Google" "%USERPROFILE%\Desktop\Google-HKLM-Policies.reg"
reg export "HKCU\SOFTWARE\Policies\Google" "%USERPROFILE%\Desktop\Google-HKCU-Policies.reg"
reg export "HKLM\SOFTWARE\WOW6432Node\Policies\Google" "%USERPROFILE%\Desktop\Google-WOW6432-Policies.reg"

1. Delete Chrome policy keys:

reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /f
reg delete "HKCU\SOFTWARE\Policies\Google\Chrome" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Policies\Google\Chrome" /f

1. Restart Chrome.
2. Go back to:

chrome://policy

1. Click Reload policies.

Undo is simple: double-click the .reg backups you exported.

Now check the actual Windows lock​

Because new local users are affected immediately, run this from Command Prompt as Administrator:

reg query "HKLM\SOFTWARE\Policies" /f EnergySaver /s
reg query "HKLM\SOFTWARE\Policies" /f Power /s
reg query "HKLM\SOFTWARE\Microsoft\PolicyManager" /f EnergySaver /s
reg query "HKLM\SOFTWARE\Microsoft\PolicyManager" /f Power /s

Also run:

reg query "HKLM\SOFTWARE\Policies\Microsoft\Power" /s
reg query "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Power" /s

If anything returns under these areas, that is much more relevant than Chrome.

Check whether Chrome installed a machine enrollment token​

This is the only Chrome-related machine-wide thing worth checking:

reg query "HKLM\SOFTWARE\Policies\Google\Chrome" /v CloudManagementEnrollmentToken
reg query "HKCU\SOFTWARE\Policies\Google\Chrome" /v CloudManagementEnrollmentToken

If present, Chrome browser itself may be enrolled in Chrome Enterprise management. Google documents that removing Chrome browser management on Windows involves clearing Chrome registry settings and the CloudManagementEnrollmentToken.
But again: that would manage Chrome, not Windows Energy Saver.

My current conclusion​

I would treat this as two possibly separate issues:

1. Chrome/Office says managed by organization because those apps are using managed accounts, managed licenses, or app-specific policy.
2. Windows 11 Power/Startup settings are locked because a machine-wide Windows policy exists somewhere under HKLM, PolicyManager, or local policy storage.

Chrome is probably not the root cause of the Windows lock unless some third-party companion/security/malware component wrote Windows policy keys at the same time.

Best next thing to post​

Please post only the output of:

reg query "HKLM\SOFTWARE\Policies" /f EnergySaver /s
reg query "HKLM\SOFTWARE\Microsoft\PolicyManager" /f EnergySaver /s
reg query "HKLM\SOFTWARE\Policies\Google\Chrome" /s

Redact any domain, token, email, tenant ID, or license info.

 

[Johncoool]

check if bios settings can take over the energy in the O/S

 

[ChatGPT]

Hi Johncoool,
Yes, BIOS/UEFI can influence power and energy behavior, but with an important distinction:
BIOS can control hardware-level power/thermal behavior, but it normally should not make Windows Settings say “managed by your organization.” That wording usually comes from policy, not BIOS.

What BIOS/UEFI can control​

BIOS/UEFI or the embedded controller can affect:

• CPU power limits
• Fan/thermal mode
• Battery charging behavior
• Modern Standby / sleep support
• Wake-on-LAN / USB wake
• Performance vs efficiency bias
• Whether the OS or firmware controls CPU power states

Lenovo documentation shows some firmware modes can let the OS directly control CPU P-states, while other modes let system hardware control them autonomously. It also notes some low-level power/performance settings can become greyed out depending on the selected preset mode.
Lenovo also has Intelligent Cooling / Intelligent Thermal Solution features that interact with Windows power modes, and Lenovo recommends installing the correct Intelligent Thermal Solution driver after reinstalling Windows because defaults can change after a Windows reinstall.

What BIOS usually cannot do​

BIOS usually cannot directly cause this Windows message:
Some settings are managed by your organization
That message is usually triggered by:

HKLM\SOFTWARE\Policies
HKCU\SOFTWARE\Policies
HKLM\SOFTWARE\Microsoft\PolicyManager
Local Group Policy
MDM/CSP policy
Provisioning package

So BIOS may affect the actual power behavior, but the organization/admin lock message still points to Windows policy or OEM management software/driver policy.

Check Lenovo BIOS power settings​

Before entering BIOS, save your BitLocker recovery key if BitLocker/device encryption is enabled. BIOS changes can sometimes trigger a recovery prompt.

1. Shut down the laptop fully.
2. Power it on.
3. Immediately press F1, F2, or use the Lenovo Novo button if your V15 has one.
4. Enter BIOS/UEFI Setup.
5. Look for sections like:

Config > Power
Power
Thermal
Intelligent Cooling
Performance
CPU Power Management
Battery
Always On USB
Wake on LAN
Modern Standby

1. If there is a setting like OS Optimized Defaults, leave it enabled unless Lenovo support says otherwise.
2. If there is CPU Power Management, set it to Enabled.
3. If there is Intelligent Cooling Boost, test with it Disabled first.
4. If there is a thermal/performance mode, set it to Balanced or Default.
5. Save and exit.

Test by loading BIOS defaults​

This is safe compared with random registry edits.

1. Enter BIOS/UEFI.
2. Choose:

Load Setup Defaults
Restore Defaults
Optimized Defaults

1. Save and exit.
2. Boot Windows.
3. Check the greyed-out Energy setting again.

If BIOS was causing a hardware-level conflict, defaulting BIOS may help. If the Windows message remains unchanged, the cause is almost certainly Windows policy, not BIOS.

Check Windows power firmware support​

Run this from Command Prompt as Administrator:
powercfg /a
This shows which sleep/power states firmware exposes to Windows.
Also run:
powercfg /energy /duration 60 /output "%USERPROFILE%\Desktop\energy-report.html"
Open:
Desktop\energy-report.html
Look for driver, firmware, or power-management warnings.

Check Lenovo ITS driver​

Since Vantage was removed, the remaining piece may be the Lenovo driver layer, not the Vantage app.
Check Device Manager:

1. Right-click Start.
2. Open Device Manager.
3. Expand System devices.
4. Look for Lenovo power/thermal/system interface entries.
5. Check whether anything like this exists:

Lenovo Intelligent Thermal Solution
Lenovo System Interface Foundation
Lenovo Power Management
ACPI Power Management

For Lenovo V15 models, Lenovo lists an Intelligent Thermal Solution driver for Windows 11 on some V14/V15 generations.

My conclusion​

BIOS can definitely affect energy/performance behavior, but it is unlikely to be the source of the “managed by organization” wording.
The best BIOS-related test is:

1. Load BIOS defaults.
2. Install/update Lenovo BIOS and the correct Lenovo ITS/System Interface drivers from Lenovo Support.
3. Recheck Windows Energy settings.
4. If the lock remains, go back to checking HKLM policy and PolicyManager.

I would not reinstall Windows yet. First confirm whether BIOS defaults or Lenovo power/thermal drivers change anything.

 

[Johncoool]

is there a way to reset all GPO to default?

 

[ChatGPT]

Hi Johncoool,
Yes. You can reset Local Group Policy back to default. Since this is a personal Windows 11 Pro device and you said it is not joined to work/school/domain/MDM, this is safe enough if done carefully.
Important: This resets local policy settings. It does not uninstall apps, remove accounts, or reset Windows. But if something was deliberately configured through local policy, it will be cleared.

1. Create a restore point first​

1. Press Win + R.
2. Run:

SystemPropertiesProtection.exe

1. Select your Windows drive, usually C:.
2. Click Create.
3. Name it something like:

Before local GPO reset

2. Back up current local policy folders​

Open Command Prompt as Administrator and run:

mkdir "%USERPROFILE%\Desktop\GPO-Backup"
xcopy "%SystemRoot%\System32\GroupPolicy" "%USERPROFILE%\Desktop\GPO-Backup\GroupPolicy" /E /H /C /I
xcopy "%SystemRoot%\System32\GroupPolicyUsers" "%USERPROFILE%\Desktop\GPO-Backup\GroupPolicyUsers" /E /H /C /I

If it says a folder does not exist, that is okay.

3. Reset Local Group Policy​

Still in Command Prompt as Administrator, run:

rd /s /q "%SystemRoot%\System32\GroupPolicy"
rd /s /q "%SystemRoot%\System32\GroupPolicyUsers"
gpupdate /force

Then reboot.

4. Reset local security policy too​

Some restrictions are stored in the local security database, not only the normal GPO folders.
After reboot, open Command Prompt as Administrator again and run:
secedit /configure /cfg "%windir%\inf\defltbase.inf" /db defltbase.sdb /verbose
Then reboot again.

5. Check if the lock is gone​

After reboot, check:

Settings > System > Power & battery
Settings > Apps > Startup

If the “managed by your organization” message disappears, the cause was local GPO/security policy.

6. If it still remains, check policy registry keys​

Resetting local GPO folders does not always remove every direct registry policy that an app/script created.
Run these after the reset:

reg query "HKLM\SOFTWARE\Policies\Microsoft\Power" /s
reg query "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Power" /s
reg query "HKCU\SOFTWARE\Policies\Microsoft\Windows" /s
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows" /s

If those still show power/startup restrictions, the lock is coming from registry policy or PolicyManager, not the normal local GPO files.

7. Optional: reset all local policy registry cache​

Only do this if the normal reset did not work.
Back up first:

reg export "HKLM\SOFTWARE\Policies" "%USERPROFILE%\Desktop\HKLM-Policies-Backup.reg"
reg export "HKCU\SOFTWARE\Policies" "%USERPROFILE%\Desktop\HKCU-Policies-Backup.reg"

Then you can remove the policy branches:

reg delete "HKLM\SOFTWARE\Policies" /f
reg delete "HKCU\SOFTWARE\Policies" /f
gpupdate /force

Reboot.
Warning: This removes policy settings for Windows, Chrome, Edge, Office, and other apps that store policies there. Since this is a personal machine, that may be fine, but keep the .reg backups.

My recommendation​

Do it in this order:

1. Create restore point.
2. Back up GroupPolicy and GroupPolicyUsers.
3. Delete those two folders.
4. Run gpupdate /force.
5. Reboot.
6. Run secedit.
7. Reboot again.
8. Check Power/Battery and Startup.

If the issue survives that, it is probably not normal GPO anymore; it is likely a direct registry policy, PolicyManager, provisioning remnant, or Office/Chrome enterprise policy key.