- Activate BitLocker with manage-bde, PowerShell, or WMI - Wed, Sep 20 2023
- Join Azure Active Directory with Windows 11 - Tue, Sep 12 2023
- Manage enhanced security mode in Microsoft Edge using Group Policy - Fri, Sep 8 2023
When Windows 11 was launched at the beginning of October, Microsoft documented the new group policy settings in its familiar reference spreadsheet. This showed that Microsoft added around 60 settings to the new OS.
At that point, Windows 10 21H2 was still in preview, so it wasn't clear which of the new options would be included in this OS. The guessing is over now that the related ADMX templates and the group policy settings reference are available.
Ideally, Microsoft would have simply adopted some of the new settings from Windows 11 in 10 21H2 so that both versions could be managed with a single set of ADMX templates. But unfortunately, Microsoft doesn't want to make life that easy for admins.
In fact, a closer look reveals that Windows 10 21H2 includes some new settings that are not included in Windows 11. The reverse is true, anyway, because the newer OS offers additional features that group policies have to match.
Settings for Windows 10 21H2 that are missing in 11
Using a PowerShell script to find the differences between the administrative templates for Windows 11 and 10 21H2, I discovered that the following settings are not included in Windows 11:
- Path: \de-de\InetRes.adml
Value: Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash - Path: \de-de\EAIME.adml
Value: Turn on lexicon update - Path: \en-US\InetRes.adml
Value: Reset zoom to default for HTML dialogs in Internet Explorer mode - Path: \en-US\Printing.adml
Value: Limits print driver installation to administrators - Path: \en-US\WindowsDefender.adml
Value: Scan packed executables - Path: \en-US\MicrosoftEdge.adml
Value: Suppress the display of Edge deprecation notification
The absence of #1 can be explained by the fact that IE is no longer on board as a standalone application in Windows 11. However, if you want to manage a mixed environment with the latest ADMX via a central store, then this setting can no longer be edited if it has been activated in existing GPOs.
Setting #3 refers to the IE mode in Edge ("Zoom for HTML dialog boxes"), which is also supported in Windows 11. Why it can no longer be configured there via GPO is unclear.
The warning about an outdated Edge with #6 has also been dropped. It is no longer needed in Windows 11, as the Chromium version of the browser has been on board from the very beginning. However, this would also be desirable in mixed environments.
The setting under #4 was introduced by Microsoft to mitigate the PrintNightmare vulnerabilities in the Windows spooler. It disables Point and Print for standard users. This option is included in the Windows 10 21H2 templates, but not in Windows 11. There, it can only be obtained via SecGuide.admx from the Security Baseline.
The settings for Windows Defender Antivirus are inconsistent, too. Windows 11 includes several new settings for this security component, for example, for the exclusion of certain IP addresses or the scanning of scripts. The latter was included in the baseline as best practice.
The setting for scanning packed program files is missing in Windows 11
These are missing in Windows 10 21H2, but this OS gets the option to scan packed executables. Again, this option is not present in Windows 11—even though it only requires Windows 8 or Server 2012 according to the "Supported on" field in the GPO editor.
Missing settings in Windows 10 21H2
The list of group policies reserved for Windows 11 is much longer. These include all options in the following templates, which were not shipped with Windows 10 21H2:
- NewsAndInterests.admx
- sam.admx
- TenantRestrictions.admx
- WindowsSandbox.admx
Contrary to expectations, support for DNS over HTTPS (DoH) isn't included either.
A system wide configuration of DoH via GPO is not provided in Windows 10 21H2
However, some interesting innovations have made it into the latest iteration of Windows 10. These include, above all, the possibility of whitelisting devices that users are allowed to install as well as the configuration of different sources for updates depending on the type ("Specify source service for specific classes of Windows updates").
Windows 10 now also allows different sources to be specified depending on the type of update
Since there are now many outdated settings for Windows Update, Microsoft has cleaned up the options for this feature in Windows 11 by means of a new folder structure. Unfortunately, Microsoft missed the opportunity to adopt this for Windows 10 21H2 as well. Instead, you still get a long, flat list with numerous irrelevant entries.
In Windows 10 Microsoft has not adopted the new structure for Windows Update settings
Conclusion
Windows 10 21H2 contains not only a subset of the group policies from Windows 11, but also those that do not exist in the new OS. This makes it difficult to manage mixed environments.
If you don't need the few exclusive settings of Windows 10 21H2, you can switch to the ADMX of Windows 11 right away. Otherwise, you have to manage one of the two operating systems via a specially configured workstation. There, you can prevent the templates from being loaded from the Central Store by setting the registry key EnableLocalStoreOverride.
Appendix
The following list contains settings from Windows 11 that are not included in 10 21H2. The list is the result of comparing the ADMX templates, which are common to both systems. Thus, they do not take into account the four templates mentioned above that are missing in Windows 10.
Path: \en-us\AppxPackageManager.adml
Value: Archive infrequently used apps
Path: \en-us\WindowsDefender.adml
Value: This setting controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server.
Path: \en-us\NewsAndInterests.adml
Value: Allow widgets
Path: \en-us\Taskbar.adml
Value: Configures the Chat icon on the taskbar
Path: \en-us\ControlPanelDisplay.adml
Value: Prevent lock screen background motion
Path: \en-us\AppxPackageManager.adml
Value: Do not allow sideloaded apps to auto-update in the background
Path: \en-us\CloudContent.adml
Value: Turn off cloud consumer account state content
Path: \en-us\WindowsDefender.adml
Value: This setting controls datagram processing for network protection
Path: \en-us\AppxPackageManager.adml
Value: Do not allow sideloaded apps to auto-update in the background on a metered network
Path: \en-us\CloudContent.adml
Value: Turn off Spotlight collection on Desktop
Path: \en-us\DnsClient.adml
Value: Configure DNS over HTTPS (DoH) name resolution
Path: \en-us\WindowsDefender.adml
Value: IP address exclusions
Path: \en-us\InetRes.adml
Value: Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC
Path: \en-us\EAIME.adml
Value: Configure Korean IME version
Path: \en-us\DataCollection.adml
Value: Limit diagnostic log collection
Path: \en-us\DataCollection.adml
Value: Limit dump collection
Path: \en-us\WindowsDefender.adml
Value: Allows Microsoft Defender Antivirus to update and communicate over a metered connection
Path: \en-us\Netlogon.adml
Value: Use lowercase DNS host names when registering domain controller SRV records
Path: \en-us\FileSys.adml
Value: NTFS default tier
Path: \en-us\FileSys.adml
Value: Enable NTFS non-paged pool usage
Path: \en-us\FileSys.adml
Value: NTFS parallel flush threshold
Path: \en-us\FileSys.adml
Value: NTFS parallel flush worker threads
Path: \en-us\WindowsDefender.adml
Value: Turn on script scanning
Path: \en-us\sam.adml
Value: Configure validation of ROCA-vulnerable WHfB keys during authentication
Path: \en-us\WindowsDefender.adml
Value: Configure scheduled task times randomization window
Path: \en-us\StartMenu.adml
Value: Show or hide "Most used" list from Start menu
Path: \en-us\WindowsDefender.adml
Value: Define the directory path to copy support log files
Path: \en-us\TenantRestrictions.adml
Value: Cloud policy details
Path: \en-us\TerminalServer.adml
Value: Do not allow location redirection
Subscribe to 4sysops newsletter!
Path: \en-us\TerminalServer.adml
Value: Allow UI automation redirection
Windows 11 ADMX templates also drop the DownloadMode = 100 (Bypass) value from Delivery Optimization. This means Delivery Optimization cannot be disabled in favor of BITS.
Is it possible, or even advisable to clean up in the admx files?
Like most environments, our domain has been upgraded over time, starting at win2012 DC’s with Win 7 clients.
Now we’re on 2019 DC’s (soon to be upgraded) with win 10 client´s (the first few Win11 clients are popping up too).
This all makes GPO management a bit of a hit & miss affair.
Would a clean up be a good idea?
Hi Wolfgang,
Thanks for your detailed analysis. You certainly benefit many admins out there and save us much work!
You dutifully post direct links to the group policy settings reference spreadsheets, which is much appreciated, but I can’t seem to find the singular Microsoft page that actually lists the links to these spreadsheets. As consistent as you are, I’m sure you’d agree that it would be prudent for admins to be able to find these documents without your assistance.
Thanks again for all the great work.