Windows 11 has introduced a number of new group policies. After the recent release of Windows 10 21H2, it appears that it has inherited some of these settings. However, the group policies for Windows 11 are not backwards compatible, which makes managing mixed environments more difficult.

When Windows 11 was launched at the beginning of October, Microsoft documented the new group policy settings in its familiar reference spreadsheet. This showed that Microsoft added around 60 settings to the new OS.

At that point, Windows 10 21H2 was still in preview, so it wasn't clear which of the new options would be included in this OS. The guessing is over now that the related ADMX templates and the group policy settings reference are available.

Ideally, Microsoft would have simply adopted some of the new settings from Windows 11 in 10 21H2 so that both versions could be managed with a single set of ADMX templates. But unfortunately, Microsoft doesn't want to make life that easy for admins.

In fact, a closer look reveals that Windows 10 21H2 includes some new settings that are not included in Windows 11. The reverse is true, anyway, because the newer OS offers additional features that group policies have to match.

Settings for Windows 10 21H2 that are missing in 11

Using a PowerShell script to find the differences between the administrative templates for Windows 11 and 10 21H2, I discovered that the following settings are not included in Windows 11:

  1. Path: \de-de\InetRes.adml
    Value: Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash
  2. Path: \de-de\EAIME.adml
    Value: Turn on lexicon update
  3. Path: \en-US\InetRes.adml
    Value: Reset zoom to default for HTML dialogs in Internet Explorer mode
  4. Path: \en-US\Printing.adml
    Value: Limits print driver installation to administrators
  5. Path: \en-US\WindowsDefender.adml
    Value: Scan packed executables
  6. Path: \en-US\MicrosoftEdge.adml
    Value: Suppress the display of Edge deprecation notification

The absence of #1 can be explained by the fact that IE is no longer on board as a standalone application in Windows 11. However, if you want to manage a mixed environment with the latest ADMX via a central store, then this setting can no longer be edited if it has been activated in existing GPOs.

Setting #3 refers to the IE mode in Edge ("Zoom for HTML dialog boxes"), which is also supported in Windows 11. Why it can no longer be configured there via GPO is unclear.

The warning about an outdated Edge with #6 has also been dropped. It is no longer needed in Windows 11, as the Chromium version of the browser has been on board from the very beginning. However, this would also be desirable in mixed environments.

The setting under #4 was introduced by Microsoft to mitigate the PrintNightmare vulnerabilities in the Windows spooler. It disables Point and Print for standard users. This option is included in the Windows 10 21H2 templates, but not in Windows 11. There, it can only be obtained via SecGuide.admx from the Security Baseline.

The settings for Windows Defender Antivirus are inconsistent, too. Windows 11 includes several new settings for this security component, for example, for the exclusion of certain IP addresses or the scanning of scripts. The latter was included in the baseline as best practice.

The setting for scanning packed program files is missing in Windows 11

The setting for scanning packed program files is missing in Windows 11

These are missing in Windows 10 21H2, but this OS gets the option to scan packed executables. Again, this option is not present in Windows 11—even though it only requires Windows 8 or Server 2012 according to the "Supported on" field in the GPO editor.

Missing settings in Windows 10 21H2

The list of group policies reserved for Windows 11 is much longer. These include all options in the following templates, which were not shipped with Windows 10 21H2:

  • NewsAndInterests.admx
  • sam.admx
  • TenantRestrictions.admx
  • WindowsSandbox.admx

Contrary to expectations, support for DNS over HTTPS (DoH) isn't included either.

A system wide configuration of DoH via GPO is not provided in Windows 10 21H2

A system wide configuration of DoH via GPO is not provided in Windows 10 21H2

However, some interesting innovations have made it into the latest iteration of Windows 10. These include, above all, the possibility of whitelisting devices that users are allowed to install as well as the configuration of different sources for updates depending on the type ("Specify source service for specific classes of Windows updates").

Windows 10 now also allows different sources to be specified depending on the type of update

Windows 10 now also allows different sources to be specified depending on the type of update

Since there are now many outdated settings for Windows Update, Microsoft has cleaned up the options for this feature in Windows 11 by means of a new folder structure. Unfortunately, Microsoft missed the opportunity to adopt this for Windows 10 21H2 as well. Instead, you still get a long, flat list with numerous irrelevant entries.

In Windows 10 Microsoft has not adopted the new structure for Windows Update settings

In Windows 10 Microsoft has not adopted the new structure for Windows Update settings

Conclusion

Windows 10 21H2 contains not only a subset of the group policies from Windows 11, but also those that do not exist in the new OS. This makes it difficult to manage mixed environments.

If you don't need the few exclusive settings of Windows 10 21H2, you can switch to the ADMX of Windows 11 right away. Otherwise, you have to manage one of the two operating systems via a specially configured workstation. There, you can prevent the templates from being loaded from the Central Store by setting the registry key EnableLocalStoreOverride.

Appendix

The following list contains settings from Windows 11 that are not included in 10 21H2. The list is the result of comparing the ADMX templates, which are common to both systems. Thus, they do not take into account the four templates mentioned above that are missing in Windows 10.

Path: \en-us\AppxPackageManager.adml
Value: Archive infrequently used apps

Path: \en-us\WindowsDefender.adml
Value: This setting controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server.

Path: \en-us\NewsAndInterests.adml
Value: Allow widgets

Path: \en-us\Taskbar.adml
Value: Configures the Chat icon on the taskbar

Path: \en-us\ControlPanelDisplay.adml
Value: Prevent lock screen background motion

Path: \en-us\AppxPackageManager.adml
Value: Do not allow sideloaded apps to auto-update in the background

Path: \en-us\CloudContent.adml
Value: Turn off cloud consumer account state content

Path: \en-us\WindowsDefender.adml
Value: This setting controls datagram processing for network protection

Path: \en-us\AppxPackageManager.adml
Value: Do not allow sideloaded apps to auto-update in the background on a metered network

Path: \en-us\CloudContent.adml
Value: Turn off Spotlight collection on Desktop

Path: \en-us\DnsClient.adml
Value: Configure DNS over HTTPS (DoH) name resolution

Path: \en-us\WindowsDefender.adml
Value: IP address exclusions

Path: \en-us\InetRes.adml
Value: Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC

Path: \en-us\EAIME.adml
Value: Configure Korean IME version

Path: \en-us\DataCollection.adml
Value: Limit diagnostic log collection

Path: \en-us\DataCollection.adml
Value: Limit dump collection

Path: \en-us\WindowsDefender.adml
Value: Allows Microsoft Defender Antivirus to update and communicate over a metered connection

Path: \en-us\Netlogon.adml
Value: Use lowercase DNS host names when registering domain controller SRV records

Path: \en-us\FileSys.adml
Value: NTFS default tier

Path: \en-us\FileSys.adml
Value: Enable NTFS non-paged pool usage

Path: \en-us\FileSys.adml
Value: NTFS parallel flush threshold

Path: \en-us\FileSys.adml
Value: NTFS parallel flush worker threads

Path: \en-us\WindowsDefender.adml
Value: Turn on script scanning

Path: \en-us\sam.adml
Value: Configure validation of ROCA-vulnerable WHfB keys during authentication

Path: \en-us\WindowsDefender.adml
Value: Configure scheduled task times randomization window

Path: \en-us\StartMenu.adml
Value: Show or hide "Most used" list from Start menu

Path: \en-us\WindowsDefender.adml
Value: Define the directory path to copy support log files

Path: \en-us\TenantRestrictions.adml
Value: Cloud policy details

Path: \en-us\TerminalServer.adml
Value: Do not allow location redirection

Subscribe to 4sysops newsletter!

Path: \en-us\TerminalServer.adml
Value: Allow UI automation redirection

avatar
3 Comments
  1. Ryan 2 years ago

    Windows 11 ADMX templates also drop the DownloadMode = 100 (Bypass) value from Delivery Optimization. This means Delivery Optimization cannot be disabled in favor of BITS.

  2. Rex Keene 1 year ago

    Is it possible, or even advisable to clean up in the admx files?

    Like most environments, our domain has been upgraded over time, starting at win2012 DC’s with Win 7 clients.

    Now we’re on 2019 DC’s (soon to be upgraded) with win 10 client´s (the first few Win11 clients are popping up too).
    This all makes GPO management a bit of a hit & miss affair.

    Would a clean up be a good idea?

  3. Brendan W (Rank 2) 1 year ago

    Hi Wolfgang,

    Thanks for your detailed analysis. You certainly benefit many admins out there and save us much work!

    You dutifully post direct links to the group policy settings reference spreadsheets, which is much appreciated, but I can’t seem to find the singular Microsoft page that actually lists the links to these spreadsheets. As consistent as you are, I’m sure you’d agree that it would be prudent for admins to be able to find these documents without your assistance.

    Thanks again for all the great work.

    avatar

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account