Each Windows PC contains its own set of administrative templates for group policies. However, they can be better managed in a central location. This is all the more true when ADMX files are added for several applications. Updating templates in the Group Policy Central Store can be tricky, though.

If you edit a GPO in the group policy editor, it retrieves the available settings from the ADMX files that ship with Windows under %SystemRoot%\PolicyDefinitions.

Cumbersome local administration ^

If you use several workstations with different versions of Windows to manage group policies, then you will either have different templates everywhere, or you will have to update them to the same version on all PCs.

In addition, ADMX templates are needed not only for the management of Windows, but also for Office, Microsoft Edge, Chrome, and other third-party applications. These are each subject to their own update cycles and must also be updated regularly on each PC.

Setting up a Central Store ^

To avoid this effort and to achieve the same release status for the templates on all admin PCs, Microsoft allows you to set up a Central Store on a domain controller. You don't have to configure the GPO editor for this repository, as it always searches for the ADMX files automatically in the Central Store first.

This is located under:

\\<FQDN of your domain>\SYSVOL\<FQDN of your domain>\Policies\PolicyDefinitions\

Hence, for example:

\\4sysops.local\SYSVOL\4sysops.local\Policies\PolicyDefinitions

You have to create the PolicyDefinitions directory first and then copy the ADMX files there.

Path to the Central Store for the administrative templates

Path to the Central Store for the administrative templates

In addition, you need to save the language files (*.adml), which contain the localized settings and descriptions, to the respective subdirectories, such as en-US or de-DE. The GPO editor then automatically loads the ADML that matches the admin PC's display language.

A current Windows client can serve as the source for the templates; alternatively, Microsoft provides the ADMX as a separate download. This contains not only all templates, but also the ADML files of all supported languages.

However, it is not advisable to copy language files that are not required into the Central Store because they are then replicated to all domain controllers.

It is absolutely recommended to install the ADML files for en-US, even if only a localized Windows in another language is used. This is because English language files are always used as a fallback if the ADML files for the current display language of Windows are not available.

In this example the Italian GPO editor loads the English templates because the Italian versions do not exist in the store.

In this example the Italian GPO editor loads the English templates because the Italian versions do not exist in the store.

Updating templates ^

Since Microsoft releases a new version of the ADMX files with each release of Windows, you have to update the Central Store regularly. However, you cannot simply delete all the templates and import the new ones if you have also placed ADMX files there for other applications. Otherwise, you would have to restore them afterwards.

Templates for different applications in the Central Store

Templates for different applications in the Central Store

In addition, Microsoft does not always replace all the templates. Sometimes file names are changed, and the Office templates were included with the ADMX download until Windows 10 1903, but they haven't been included since then. The date of the ADMX is no longer a suitable filter for deletion; it is only changed for the modified templates.

One possibility would be to keep all templates that are not intended for Windows in a separate folder. You could then restore them from there after cleaning up the Central Store.

Alternatively, you could unzip the ADMX download, go to the destination directory, and use this PowerShell command to delete all files in the store that also exist in the download:

Get-ChildItem \*.admx |
foreach {del -Recurse ("\\\\FQDN\\SYSVOL\\FQDN\\Policies\\PolicyDefinitions\\" + $\_.basename + ".adm?")}
Delete files in the Central Store if they are included in the ADMX download

Delete files in the Central Store if they are included in the ADMX download

As a precaution, you should first start the del command with the WhatIf switch to see which files are affected. After deleting, you should be able to see with the naked eye whether there are old Windows templates still left in the store.

Bypass Central Store ^

The ADMX update may remove certain settings from the templates. So, you might not be able to edit settings that are used in existing GPOs. In this case, you would want the editor to load the previous templates.

Since several ADMX versions cannot be kept side by side in the Central Store, you may load the local templates of a workstation instead. To force the GPO editor to fetch the settings from the local PC and not from the Central Store, you have to add a registry key named Group Policy under:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows

Subscribe to 4sysops newsletter!

There, you create a value of the type REG_DWORD, call it EnableLocalStore-Override, and assign it a value of 1.

+4
avatar
2 Comments
  1. Simon 2 months ago

    Hi,

    is there any special reason why I should delete the ADMX files first which I want to update? Why can't I just overwrite the files?

    Thanks in advance,

    Regards,

    Simon

    0

    • Author

      Sometimes Microsoft will change filenames, so old ADMX versions might remain in your central store if you just overwrite the existing templates.

      0

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account