- Activate BitLocker with manage-bde, PowerShell, or WMI - Wed, Sep 20 2023
- Join Azure Active Directory with Windows 11 - Tue, Sep 12 2023
- Manage enhanced security mode in Microsoft Edge using Group Policy - Fri, Sep 8 2023
The regularly updated Excel spreadsheets were the official documentation for the GPO settings for Windows and Internet Explorer. Among other things, they showed where an option could be found in the GPO editor, from which version of the operating system it was available, and what purpose it served.
However, the quality of the document left much to be desired, and Microsoft apparently wanted to avoid the effort of creating the documentation from scratch. Currently, the Security Baseline also contains a list with all the settings for the group policies, but this list is even more confusing than the usual Excel sheet.
ADMX data quality
The root of the problem is the administrative templates, which have grown over the years and now comprise over 4,000 settings (if you count the entries for both computers and users separately). Over time, inconsistencies and errors have crept in that need to be corrected.
The data quality of the ADMX and ADML files not only affects tools for the automatic documentation, but also the GPO editor. The GPO editor obtains all the information from these XML files in order to build the navigation tree for the settings or to display the explanation for each setting.
Accordingly, it cannot provide any information about the supported operating system, if, for example, the storagesense.admx introduced with Windows 10 1903 contains invalid references to the language files.
The storagesense.admx file contains invalid references to the ADML file; hence, the GPO editor cannot display the OS version
If the ADMX files declare the new settings for Windows 10 1909 as compatible with Server 2016 and Windows 10 1903, the editor will, of course, pass this wrong information to the user ("garbage in, garbage out").
The new settings for Windows 10 1909 are declared for the previous version
The security settings, which can be found in the GPO editor under the Windows settings, are not defined in the administrative templates. As nothing has changed there in recent versions of Windows 10, I have taken this list from Microsoft's Excel spreadsheet for the sake of completeness.
Multilingualism
A fundamental advantage of separating the structure (ADMX) from the human-readable parts (ADML), e.g., explanations, is that the same tool can be used to generate the documentation for several languages.
Microsoft has translated the descriptions of the GPO settings into several languages
Unfortunately, Microsoft has so far ignored this option and only provided an English spreadsheet. My Excel document contains worksheets for seven languages.
In general, Excel is probably not the best tool for documenting GPO settings, mainly because the large amount of data affects its performance (at least when editing). But you can remove unwanted languages to trim the document. Reading the relatively long help text is easier if you double-click the corresponding cell.
Availability
Due to the large number of settings, I have only checked them randomly and have not found any major anomalies. Your feedback on any incorrect data is therefore welcome.
Subscribe to 4sysops newsletter!
The Excel spreadsheet with all GPO settings up to Windows 10 1909 can be downloaded here.
Thanks for your work. It's definitely gonna make my work easy.
A burst of brilliance in a see of darkness. Very nice.
I thought that I had seen an article on this in which you had included the code to extract the information from the ADMX files. But I can't seem to find it on 4sysops now. I have some custom ADMX files that I would like to add to my documentation.
Can you provide the process you used for creating your 1909 spreadsheets?
Thanks for filling in the gaps of information we can't find elsewhere.