The administrative templates for Windows 11 are not backward compatible; hence, Windows 10 cannot be fully managed with them. This situation is unlikely to change. In mixed environments, the question arises for admins as to which ADMX they should keep in the central store.

Windows 11 brought a whole new set of group policy settings that admins need to manage the new features of the OS.

Windows 10 21H2 also received some new options, some of which are not included in Windows 11's ADMX. If you administer Windows 10 PCs with Windows 11's ADMX, these settings will unfortunately be missing.

List of deviations

Microsoft has now published the settings that exist only for one of the two OS versions in a blog post. The overview is largely consistent with my comparison of the administrative templates, created using a PowerShell script.
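The following PowerShell script is an added example of such a comparison; it is not the article's own script. It reads two folders of extracted ADMX files (the folder paths and the en-US ADML subfolder are assumptions), resolves the display names via the ADML string tables, and lists the policies that exist in only one of the two sets.

```powershell
# Added example (not the article's script): diff two ADMX sets, e.g. Windows 10 21H2 vs Windows 11.
# The folder paths and the language subfolder are assumptions; adjust them to your environment.
param(
    [string]$OldAdmx = 'C:\ADMX\Win10-21H2',   # assumed: extracted Windows 10 templates
    [string]$NewAdmx = 'C:\ADMX\Win11',        # assumed: extracted Windows 11 templates
    [string]$Lang    = 'en-US'                 # ADML subfolder used to resolve display names
)

function Get-AdmxPolicies {
    param([string]$Folder, [string]$Lang)
    $result = @{}
    foreach ($admx in Get-ChildItem -Path $Folder -Filter *.admx -File) {
        [xml]$xml = Get-Content -LiteralPath $admx.FullName -Raw
        # displayName attributes are "$(string.ID)" references into the matching ADML string table
        $strings = @{}
        $adml = Join-Path (Join-Path $Folder $Lang) ($admx.BaseName + '.adml')
        if (Test-Path -LiteralPath $adml) {
            [xml]$res = Get-Content -LiteralPath $adml -Raw
            foreach ($s in $res.policyDefinitionResources.resources.stringTable.string) {
                $strings[$s.id] = $s.'#text'
            }
        }
        foreach ($p in $xml.policyDefinitions.policies.policy) {
            if (-not $p.name) { continue }   # skip files that only define categories
            $id = if ($p.displayName -match '^\$\(string\.(.+)\)$') { $Matches[1] } else { $null }
            # Key on file, policy name and class so identical names in different files stay distinct
            $result["$($admx.BaseName)|$($p.name)|$($p.class)"] = [pscustomobject]@{
                Admx    = $admx.BaseName
                Scope   = $p.class          # Machine, User or Both
                Setting = if ($id -and $strings[$id]) { $strings[$id] } else { $p.name }
            }
        }
    }
    return $result
}

$old = Get-AdmxPolicies -Folder $OldAdmx -Lang $Lang
$new = Get-AdmxPolicies -Folder $NewAdmx -Lang $Lang

# Settings present only in the old (Windows 10) templates: these are the ones that disappear
# when Windows 10 is managed with the Windows 11 ADMX in the central store
"== Only in $OldAdmx =="
$old.Keys | Where-Object { -not $new.ContainsKey($_) } |
    ForEach-Object { $old[$_] } | Sort-Object Admx, Setting |
    Format-Table Admx, Scope, Setting -AutoSize

# Settings that exist only in the new (Windows 11) templates
"== Only in $NewAdmx =="
$new.Keys | Where-Object { -not $old.ContainsKey($_) } |
    ForEach-Object { $new[$_] } | Sort-Object Admx, Setting |
    Format-Table Admx, Scope, Setting -AutoSize
```

Point the two paths at the PolicyDefinitions folders of a Windows 10 and a Windows 11 machine (or at the extracted template downloads) to reproduce the deviation list for your own language.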

The author of the blog post also assumes that the separate ADMX will remain in place until support for Windows 10 expires. Since many companies are gradually switching to Windows 11, they will have to deal with a mixed environment of both OS versions for a longer period of time. In this case, the question arises as to how to manage group policies.

Own admin workstation for ADMX

One option is to store the ADMX for the prevailing OS version in the central store and provide separate PCs for GPO management with the other templates. If, for example, you decide to use the ADMX from Windows 11 in the central store, then you will also have to set up an admin workstation with Windows 10 and add the following registry key there:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy]
"EnableLocalStoreOverride"=dword:00000001

This entry causes the GPO editor on that workstation to load the templates from the machine's local PolicyDefinitions folder instead of from the central store.

Force loading of administrative templates from the local machine via an entry in the registry


Evaluate settings for Windows 10 21H2

An alternative would be to check the settings that exist only for Windows 10 and not for Windows 11. If you do not need them, then you can restrict yourself to the ADMX for Windows 11 in the entire environment. The following table contains the exclusive settings for Windows 10 21H2.

ADMX                  Scope              Setting
--------------------  -----------------  -------------------------------------------------------------
DataCollection        Both               Allow Telemetry: Enhanced
DeliveryOptimization  Computer           Download Mode: Bypass
EAIME                 User               Turn on Live Sticker
EAIME                 User               Turn on lexicon Update
InetRes               User and Computer  Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects
InetRes               User and Computer  Reset zoom to default for HTML dialog boxes in Internet Explorer mode
MicrosoftEdge         User and Computer  Suppress the display of Edge Deprecation Notification
Printing              Computer           Limits print driver installation to Administrators
TerminalServer        Computer           Set the Remote Desktop licensing mode: AAD per User
WindowsDefender       Computer           Scan packed executables

As is quickly apparent, most of these settings can easily be done without. Many organizations no longer use Internet Explorer as their default browser, and other means are available to prevent Flash from running.

The warning about the legacy Edge is of limited use in managed environments since users cannot usually update the browser themselves anyway.

The delivery optimization setting allows the use of the BITS protocol and is unlikely to matter in practice. The enhanced level of data collection by Microsoft is unlikely to be an urgent requirement, either.

More important is the option to restrict Point and Print to administrators in order to mitigate the vulnerabilities in the print spooler ("PrintNightmare"). However, the corresponding setting is available for Windows 11 via SecGuide.admx from the Security Baseline.

Group Policy to protect against the vulnerability in the print spooler


That leaves the settings for scanning packed executables and for RDS licensing. If you do not need these either, there is no reason to maintain a duplicate set of administrative templates.

Conclusion

Microsoft makes life unnecessarily difficult for admins with the incompatible ADMX for Windows 10 and 11. There is no reason why the company could not consolidate all settings in the Windows 11 administrative templates and thus cover all older versions of the operating system as well.

A coexistence of the ADMX for Windows 10 and 11 cannot be avoided in mixed environments if one of the exclusive Windows 10 settings is required. However, this should not be the case in most organizations, so they can limit themselves to the templates for Windows 11.

2 Comments
  1. Moirae 4 days ago

    Is it possible/okay to install only the admx/l files for the feature needed into the central store, such as Windows Update, and leave the rest? Basically pick and choose as needed. Thanks for your response.

    • Author

      No, that’s not possible. The GPO editor will only fetch ADMX from the location you have configured, i.e. the central store or PolicyDefinitions on the local machine.

© 4sysops 2006 - 2023
