- LAPS in Windows 11: Password encryption and DSRM account management - Wed, Jun 29 2022
- Install subsystem for Linux 2 (WSL2) on Windows Server - Wed, Jun 22 2022
- Next version of Exchange to arrive in 2025; meanwhile, new features for Exchange 2019 - Fri, Jun 10 2022
The regularly updated Excel spreadsheets were the official documentation for the GPO settings for Windows and Internet Explorer. Among other things, they showed where an option could be found in the GPO editor, from which version of the operating system it was available, and what purpose it served.
However, the quality of the document left much to be desired, and Microsoft apparently wanted to avoid the effort of creating the documentation from scratch. Currently, the Security Baseline also contains a list with all the settings for the group policies, but this list is even more confusing than the usual Excel sheet.
ADMX data quality ^
The root of the problem is the administrative templates, which have grown over the years and now comprise over 4,000 settings (if you count the entries for both computers and users separately). Over time, inconsistencies and errors have crept in that need to be corrected.
The data quality of the ADMX and ADML files not only affects tools for the automatic documentation, but also the GPO editor. The GPO editor obtains all the information from these XML files in order to build the navigation tree for the settings or to display the explanation for each setting.
Accordingly, it cannot provide any information about the supported operating system, if, for example, the storagesense.admx introduced with Windows 10 1903 contains invalid references to the language files.
If the ADMX files declare the new settings for Windows 10 1909 as compatible with Server 2016 and Windows 10 1903, the editor will, of course, pass this wrong information to the user ("garbage in, garbage out").
The security settings, which can be found in the GPO editor under the Windows settings, are not defined in the administrative templates. As nothing has changed there in recent versions of Windows 10, I have taken this list from Microsoft's Excel spreadsheet for the sake of completeness.
A fundamental advantage of separating the structure (ADMX) from the human-readable parts (ADML), e.g., explanations, is that the same tool can be used to generate the documentation for several languages.
Unfortunately, Microsoft has so far ignored this option and only provided an English spreadsheet. My Excel document contains worksheets for seven languages.
In general, Excel is probably not the best tool for documenting GPO settings, mainly because the large amount of data affects its performance (at least when editing). But you can remove unwanted languages to trim the document. Reading the relatively long help text is easier if you double-click the corresponding cell.
Due to the large number of settings, I have only checked them randomly and have not found any major anomalies. Your feedback on any incorrect data is therefore welcome.
Subscribe to 4sysops newsletter!
The Excel spreadsheet with all GPO settings up to Windows 10 1909 can be downloaded here.