GPO central store, Windows 10 or Windows 11 ADMX ?

Normally the best practice is to download the latest version of your Policy Definitions and copy all the .admx files, plus the .adml files for every enabled language, to the PolicyDefinitions folder in the central store on the Windows domain controller.

If you are not familiar with the central store concept, check this out:

https://docs.microsoft.com/en-us/troubleshoot/windows-client/group-policy/create-and-manage-central-store

The current ADMX templates can be downloaded here:

ADMX Templates for Windows 10 November 2021 Update [21H2]: https://www.microsoft.com/en-us/download/details.aspx?id=103667
ADMX Templates for Windows 11 October 2021 Update [21H2]: https://www.microsoft.com/en-us/download/details.aspx?id=103507

TIP: A nice help page about GPO: https://admx.help

Before Windows 11, you were done after this copy and were able to configure all the new (and older) settings in the Group Policy editor because of the backward compatibility.

This is no longer the case with Windows 11! I know, this is pretty bad.

From now on it’s possible that new Windows 10 features are not available in Windows 11 ADMX files and that features of Windows 11 are not available in Windows 10 policies.

What to do in a mixed Windows 10 and Windows 11 environment ?

As you may be aware, it's only possible to copy one set of ADMX files to your domain central store, so we have to choose between the Windows 10 and the Windows 11 .admx files.

Depending on your install base, you should decide which templates fit best in your environment and place them in the central store.

If most of your clients are Windows 10, I would advise choosing the Windows 10 .admx files for your central store.

If you are in a migration phase from Windows 10 to Windows 11, it's a more difficult choice.

I recommend going for the Windows 11 ADMX files; in case there is a Windows 10 setting that is not manageable via the W11 GPO, you could use a registry key (via extensions).

What about GPO management in a mixed environment ?

When the Central store contains Windows 11 ADMX files it’s still possible to configure Windows 10 policy settings. You just need a separate management workstation with the latest Windows 10 version.

  • Deploy a domain-joined Windows 10 client.
  • Install the RSAT Group Policy Management Tools.
  • Enable Local Store Override.
    Your Group Policy editing tools will then use the ADMX/ADML files found under c:\windows\policydefinitions instead of the Central Store.

    To achieve this, add the following registry value by hand in Registry Editor:

    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy
    Value: EnableLocalStoreOverride
    Type: REG_DWORD
    Data: 1

    Or use PowerShell to set it:

    New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy" -Name EnableLocalStoreOverride -PropertyType DWord -Value 1 | Out-Null
  • After installation restart the PC.
  • Log in with sufficient rights and start Group Policy Management.

Create or edit a GPO. It should open using the local store; check for the text “…. retrieved from local computer”.
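To see which settings the management workstation's local store offers that the Central Store does not (and the other way round), the two ADMX sets can be compared policy by policy. The script below is an added example, not code from the original post; the default Central Store path built from `$env:USERDNSDOMAIN`, the parameter names and the function names `Get-AdmxPolicy` and `Compare-AdmxStore` are assumptions made for illustration.

```powershell
# Added example (not from the original post): report policies that exist in only
# one of two ADMX sets. Default paths are assumptions; adjust them to your domain.
param(
    [string]$CentralStore = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions",
    [string]$LocalStore   = "$env:SystemRoot\PolicyDefinitions"
)

function Get-AdmxPolicy {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "ADMX folder not found: $Path" }
    foreach ($file in Get-ChildItem -LiteralPath $Path -Filter *.admx -File) {
        try {
            [xml]$admx = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop
        } catch {
            Write-Warning "Skipping unreadable ADMX file: $($file.FullName)"
            continue
        }
        # local-name() keeps the query independent of the ADMX schema namespace.
        $nodes = $admx.SelectNodes("/*/*[local-name()='policies']/*[local-name()='policy']")
        foreach ($policy in $nodes) {
            [pscustomobject]@{
                Id        = "$($file.BaseName)::$($policy.GetAttribute('name'))"
                Admx      = $file.BaseName
                Scope     = $policy.GetAttribute('class')      # Machine, User or Both
                Policy    = $policy.GetAttribute('name')
                Key       = $policy.GetAttribute('key')        # registry key the policy writes
                ValueName = $policy.GetAttribute('valueName')  # empty when set via elements
            }
        }
    }
}

function Compare-AdmxStore {
    param([string]$Central, [string]$Local)
    # Index both sets by "<admx file>::<policy name>" and emit the non-overlap.
    $c = @{}; Get-AdmxPolicy -Path $Central | ForEach-Object { $c[$_.Id] = $_ }
    $l = @{}; Get-AdmxPolicy -Path $Local   | ForEach-Object { $l[$_.Id] = $_ }
    foreach ($id in $l.Keys) {
        if (-not $c.ContainsKey($id)) { $l[$id] | Add-Member -NotePropertyName OnlyIn -NotePropertyValue 'LocalStore' -PassThru }
    }
    foreach ($id in $c.Keys) {
        if (-not $l.ContainsKey($id)) { $c[$id] | Add-Member -NotePropertyName OnlyIn -NotePropertyValue 'CentralStore' -PassThru }
    }
}

Compare-AdmxStore -Central $CentralStore -Local $LocalStore |
    Sort-Object OnlyIn, Admx, Policy |
    Format-Table OnlyIn, Admx, Scope, Policy, Key, ValueName -AutoSize
```

The `Key` and `ValueName` columns show the registry location behind each policy, which is what you need when a setting missing from the Central Store has to be deployed as a registry key instead.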

This blog post gives a good comparison between Group Policies for Windows 11 and 10 21H2: https://4sysops.com/archives/group-policies-for-windows-11-and-10-21h2-compared/

More information can be found here :

Group Policy Settings Reference Spreadsheet for Windows 10 November 2021 Update [21H2]
https://www.microsoft.com/en-us/download/details.aspx?id=103668

Group Policy Settings Reference Spreadsheet for Windows 11 October 2021 Update (21H2)
https://www.microsoft.com/en-us/download/details.aspx?id=103506

What’s new in Windows client deployment
https://docs.microsoft.com/en-us/windows/deployment/deploy-whats-new

Understanding ADMX policies
https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies

What's new in GPO
What’s New Group Policy Settings Available In Different Versions Of Windows 10 – HTMD Blog #2 (howtomanagedevices.com)

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj899813(v=ws.11)

Group Policy Settings Reference Spreadsheet for Windows 10 May 2021 Update (21H1)
Download Group Policy Settings Reference Spreadsheet for Windows 10 May 2021 Update (21H1) from Official Microsoft Download Center

Windows 10 21H2 and Windows 11 21H2 ADMX files differences.

| ADMX name | Scope | Setting | Available only in |
|---|---|---|---|
| AppPrivacy | Computer | Let Windows apps take screenshots of various windows or displays | Windows 11 |
| AppPrivacy | Computer | Let Windows apps turn off the screenshot border | Windows 11 |
| AppxPackageManager | Computer | Archive infrequently used apps | Windows 11 |
| AppxPackageManager | Computer | Do not allow sideloaded apps to auto-update in the background | Windows 11 |
| AppxPackageManager | Computer | Do not allow sideloaded apps to auto-update in the background on a metered network | Windows 11 |
| CloudContent | Computer | Turn off cloud consumer account state content | Windows 11 |
| CloudContent | User | Turn off Spotlight collection on Desktop | Windows 11 |
| ControlPanelDisplay | Computer | Prevent lock screen background motion | Windows 11 |
| DataCollection | Computer | Limit Diagnostic Log Collection | Windows 11 |
| DataCollection | Computer | Limit Dump Collection | Windows 11 |
| DeliveryOptimization | Computer | Discovery Mode: Local Discovery | Windows 11 |
| DnsClient | Computer | Configure DNS over HTTPS (DoH) name resolution | Windows 11 |
| EAIME | User | Configure Korean IME version | Windows 11 |
| FileSys | Computer | Enable NTFS non-paged pool usage | Windows 11 |
| FileSys | Computer | NTFS parallel flush threshold | Windows 11 |
| FileSys | Computer | NTFS parallel flush worker threads | Windows 11 |
| FileSys | Computer | Configure NTFS default tier | Windows 11 |
| Globalization | Both | Restrict Language Pack and Language Feature Installation | Windows 11 |
| InetRes | Both | Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC. | Windows 11 |
| Netlogon | Computer | Use lowercase DNS host names when registering domain controller SRV records | Windows 11 |
| NewsAndInterests | Computer | Allow News and Interests | Windows 11 |
| Sam | Computer | Configuration settings for the Security Account Manager | Windows 11 |
| Sensors | Computer | Force instant Wake | Windows 11 |
| Sensors | Computer | Force instant Lock | Windows 11 |
| Sensors | Computer | Configure Lock Timeout | Windows 11 |
| StartMenu | Both | Locked Start Layout: Re-Apply Layout at every logon | Windows 11 |
| StartMenu | Both | Show or hide “Most used” list from Start menu | Windows 11 |
| TaskBar | Computer | Configure the Chat icon on the taskbar | Windows 11 |
| TenantRestrictions | Computer | Configure Cloud Policy Details | Windows 11 |
| TerminalServer | Computer | Enable auto-subscription | Windows 11 |
| TerminalServer | Computer | Do not allow location redirection | Windows 11 |
| TerminalServer | Computer | Allow UI Automation redirection | Windows 11 |
| WindowsDefender | Computer | Configure scheduled task times randomization window | Windows 11 |
| WindowsDefender | Computer | Define the directory path to copy support log files | Windows 11 |
| WindowsDefender | Computer | Configure IP Address Exclusions | Windows 11 |
| WindowsDefender | Computer | Turn on script scanning | Windows 11 |
| WindowsDefender | Computer | Allow Microsoft Defender Antivirus to update and communicate over a metered connection | Windows 11 |
| WindowsDefender | Computer | Configure Network Protection to be allowed to be configured into block or audit mode on Windows Server | Windows 11 |
| WindowsDefender | Computer | Control datagram processing for network protection | Windows 11 |
| Sandbox | Computer | Allow vGPU sharing for Windows Sandbox | Windows 11 |
| Sandbox | Computer | Allow networking in Windows Sandbox | Windows 11 |
| Sandbox | Computer | Allow audio input in Windows Sandbox | Windows 11 |
| Sandbox | Computer | Allow video input in Windows Sandbox | Windows 11 |
| Sandbox | Computer | Allow printer sharing with Windows Sandbox | Windows 11 |
| Sandbox | Computer | Allow clipboard sharing with Windows Sandbox | Windows 11 |
| WindowsUpdate | | <Changes in folder structure> | Windows 11 |

| ADMX name | Scope | Setting | Available only in |
|---|---|---|---|
| DataCollection | Both | Allow Telemetry: Enhanced | Windows 10 |
| DeliveryOptimization | Computer | Download Mode: Bypass | Windows 10 |
| EAIME | User | Turn on Live Sticker | Windows 10 |
| EAIME | User | Turn on lexicon update | Windows 10 |
| InetRes | Both | Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects | Windows 10 |
| InetRes | Both | Reset zoom to default for HTML dialogs in Internet Explorer mode | Windows 10 |
| MicrosoftEdge | Both | Suppress the display of Edge Deprecation Notification | Windows 10 |
| Printing | Computer | Limit print driver installation to Administrators | Windows 10 |
| TerminalServer | Computer | Set the Remote Desktop licensing mode: AAD per User | Windows 10 |
| WindowsDefender | Computer | Scan packed executables | Windows 10 |
