The administrative templates for Windows 11 are not backward compatible; hence, Windows 10 cannot be fully managed with them. This situation is unlikely to change. In mixed environments, the question arises for admins as to which ADMX they should keep in the central store.
Windows 11 brought a whole new set of group policy settings that admins need to manage the new features of the OS.

Windows 10 21H2 also received some new options, some of which are not included in Windows 11's ADMX. If you administer Windows 10 PCs with Windows 11's ADMX, these settings will unfortunately be missing.

List of deviations

Microsoft has now published the settings that exist only for one of the two OS versions in a blog post. The overview is largely consistent with my comparison of the administrative templates, created using a PowerShell script.
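The author's own comparison script is not reproduced on the page. The following PowerShell script is an added example (not the author's code) that performs the same kind of comparison: it parses every .admx file in two folders, keys each policy on ADMX file name plus policy name, resolves the display name from the matching .adml file where one exists, and prints the settings that occur in only one set. The folder paths and the language subfolder are assumptions; the XML namespace URI is the one used by all ADMX and ADML files.

```powershell
# Added example, not the author's script. Compares two ADMX sets and reports
# policies present in only one of them. Paths are assumptions; point them at the
# extracted Windows 10 21H2 and Windows 11 templates on your workstation.
param(
    [string]$Win10Path = 'C:\ADMX\Win10-21H2',
    [string]$Win11Path = 'C:\ADMX\Win11',
    [string]$Language  = 'en-US'
)

# Namespace shared by ADMX and ADML files
$nsMap = @{ p = 'http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions' }

function Get-AdmxPolicies {
    param([string]$Path, [string]$Lang)
    $policies = @{}
    foreach ($file in Get-ChildItem -Path $Path -Filter *.admx -File) {
        [xml]$admx = Get-Content -LiteralPath $file.FullName -Raw

        # Optional ADML lookup so the report shows display names instead of string ids
        $strings = @{}
        $adml = Join-Path (Join-Path $Path $Lang) ($file.BaseName + '.adml')
        if (Test-Path -LiteralPath $adml) {
            [xml]$res = Get-Content -LiteralPath $adml -Raw
            foreach ($m in Select-Xml -Xml $res -XPath '//p:stringTable/p:string' -Namespace $nsMap) {
                $strings[$m.Node.GetAttribute('id')] = $m.Node.InnerText
            }
        }

        foreach ($m in Select-Xml -Xml $admx -XPath '//p:policies/p:policy' -Namespace $nsMap) {
            $policy = $m.Node
            $name   = $policy.GetAttribute('name')
            $class  = $policy.GetAttribute('class')   # Machine, User or Both
            # displayName looks like $(string.SomeId); strip the wrapper to get the id
            $id     = $policy.GetAttribute('displayName') -replace '^\$\(string\.(.+)\)$', '$1'
            $title  = if ($strings.ContainsKey($id)) { $strings[$id] } else { $id }
            # The same policy name can appear in different ADMX files, so the file
            # name is part of the identity
            $policies["$($file.BaseName)\$name"] = [pscustomobject]@{
                Admx    = $file.BaseName
                Scope   = $class
                Setting = $title
            }
        }
    }
    return $policies
}

function Compare-AdmxSets {
    param([hashtable]$Left, [hashtable]$Right, [string]$Label)
    # Emit every policy of $Left that has no counterpart in $Right
    $Left.Keys | Where-Object { -not $Right.ContainsKey($_) } | Sort-Object | ForEach-Object {
        $p = $Left[$_]
        [pscustomobject]@{ OnlyIn = $Label; Admx = $p.Admx; Scope = $p.Scope; Setting = $p.Setting }
    }
}

$win10 = Get-AdmxPolicies -Path $Win10Path -Lang $Language
$win11 = Get-AdmxPolicies -Path $Win11Path -Lang $Language

$report = @(Compare-AdmxSets -Left $win10 -Right $win11 -Label 'Windows 10 21H2') +
          @(Compare-AdmxSets -Left $win11 -Right $win10 -Label 'Windows 11')
$report | Format-Table -AutoSize
```

Because the comparison matches on ADMX file name plus policy name, a policy that Microsoft merely renamed or moved to another file will show up as exclusive on both sides; those rows are worth checking by hand before treating them as real deviations.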

The author of the blog post also assumes that the separate ADMX will remain in place until support for Windows 10 expires. Since many companies are gradually switching to Windows 11, they will have to deal with a mixed environment of both OS versions for a longer period of time. In this case, the question arises as to how to manage group policies.

Own admin workstation for ADMX

One option is to store the ADMX for the prevailing OS version in the central store and provide separate PCs for GPO management with the other templates. If, for example, you decide to use the ADMX from Windows 11 in the central store, then you will also have to set up an admin workstation with Windows 10 and add the following registry key there:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy]
"EnableLocalStoreOverride"=dword:00000001

This action causes the GPO editor to load the local templates.
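The following PowerShell script is an added example, not part of the article. It reports which ADMX source the GPO editor on the current workstation will use (central store in SYSVOL versus the local PolicyDefinitions folder), based on the registry value above and on whether the central store path exists, and can optionally set the override. It assumes a domain-joined host where $env:USERDNSDOMAIN holds the domain name, and it must run elevated to write to HKLM.

```powershell
# Added example (not from the article). Shows where the GPO editor will load
# ADMX from on this machine and optionally sets EnableLocalStoreOverride.
param([switch]$EnableOverride)

$gpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
$name  = 'EnableLocalStoreOverride'

function Get-AdmxStoreInfo {
    # $null when the value or the key does not exist
    $override = (Get-ItemProperty -Path $gpKey -Name $name -ErrorAction SilentlyContinue).$name

    # Central store path convention in SYSVOL; assumes a domain-joined host
    $domain  = $env:USERDNSDOMAIN
    $central = if ($domain) { "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions" }
    $centralExists = $central -and (Test-Path -LiteralPath $central)

    $local = Join-Path $env:SystemRoot 'PolicyDefinitions'

    $source = if ($override -eq 1)  { 'Local store (override set)' }
              elseif ($centralExists) { 'Central store' }
              else                    { 'Local store (no central store found)' }

    [pscustomobject]@{
        OverrideValue     = $override
        CentralStore      = $central
        CentralStoreFound = [bool]$centralExists
        LocalStore        = $local
        LocalAdmxCount    = @(Get-ChildItem -Path $local -Filter *.admx -ErrorAction SilentlyContinue).Count
        EditorWillUse     = $source
    }
}

if ($EnableOverride) {
    # Requires an elevated session; the key may not exist on a fresh machine
    if (-not (Test-Path -LiteralPath $gpKey)) { New-Item -Path $gpKey -Force | Out-Null }
    Set-ItemProperty -Path $gpKey -Name $name -Type DWord -Value 1
}

Get-AdmxStoreInfo
```

Run it without parameters to audit a workstation, or with -EnableOverride on the Windows 10 admin PC described above; the object it prints afterwards confirms that the editor will now read the local templates.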

Force loading of administrative templates from the local machine via an entry in the registry

Evaluate settings for Windows 10 21H2

An alternative would be to check the settings that exist only for Windows 10 and not for Windows 11. If you do not need them, then you can restrict yourself to the ADMX for Windows 11 in the entire environment. The following table contains the exclusive settings for Windows 10 21H2.

| ADMX Name | Scope | Setting |
|---|---|---|
| DataCollection | Both | Allow Telemetry: Enhanced |
| DeliveryOptimization | Computer | Download Mode: Bypass |
| EAIME | User | Turn on Live Sticker |
| EAIME | User | Turn on lexicon update |
| InetRes | User and Computer | Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects |
| InetRes | User and Computer | Reset zoom to default for HTML dialog boxes in Internet Explorer mode |
| MicrosoftEdge | User and Computer | Suppress the display of Edge Deprecation Notification |
| Printing | Computer | Limits print driver installation to Administrators |
| TerminalServer | Computer | Set the Remote Desktop licensing mode: AAD per User |
| WindowsDefender | Computer | Scan packed executables |

As you can see at a glance, most of these settings can easily be done without. Many organizations no longer use Internet Explorer as their default browser, and other means can be used to prevent Flash from running.

The warning about the legacy Edge is of limited use in managed environments since users cannot usually update the browser themselves anyway.

The setting for delivery optimization allows the use of the BITS protocol and is unlikely to be important in practice. The extended data collection by Microsoft should not be urgent, either.

More important is the option to restrict Point and Print driver installation to administrators in order to mitigate the vulnerabilities in the print spooler ("PrintNightmare"). However, the corresponding setting can be obtained for Windows 11 via SecGuide.admx from the Security Baseline.
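Whichever template delivers the policy, what matters on the endpoint is the resulting registry state. The following PowerShell script is an added example (not from the article or the Security Baseline) that audits the Point and Print hardening state on one or more machines. The registry key and value names are the ones Microsoft documents for the Point and Print policies; the computer names are constructed placeholders, and remote queries assume WinRM is enabled.

```powershell
# Added example (not from the article). Audits the Point and Print driver
# installation restriction that the "Limits print driver installation to
# Administrators" policy (or SecGuide.admx on Windows 11) controls.
param([string[]]$ComputerName = @('localhost'))   # constructed placeholder list

$audit = {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $restrict = $p.RestrictDriverInstallationToAdministrators

    # An absent value leaves the OS default in force (restricted on patched
    # systems); an explicit 0 is the state that re-opens driver installation
    # to non-administrators and should be flagged.
    $restrictText = if ($null -eq $restrict) { 'not set (OS default)' } else { $restrict }

    [pscustomobject]@{
        Computer                      = $env:COMPUTERNAME
        RestrictToAdmin               = $restrictText
        NoWarningNoElevationOnInstall = $p.NoWarningNoElevationOnInstall
        UpdatePromptSettings          = $p.UpdatePromptSettings
        Hardened                      = ($restrict -ne 0)
    }
}

function Get-PointAndPrintState {
    param([string]$Computer)
    # Run locally without WinRM for the local host, remotely otherwise
    if ($Computer -in @('localhost', '.', $env:COMPUTERNAME)) {
        & $audit
    } else {
        Invoke-Command -ComputerName $Computer -ScriptBlock $audit
    }
}

$ComputerName | ForEach-Object { Get-PointAndPrintState -Computer $_ } | Format-Table -AutoSize
```

A machine that reports Hardened = False has the restriction explicitly disabled and deserves a look at which GPO is writing that value; rows where NoWarningNoElevationOnInstall is 1 also weaken the protection and are worth reviewing alongside it.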

Group Policy to protect against the vulnerability in the print spooler

Finally, the settings for scanning packed executables and for RDS licensing remain. If you don't need them either, there's no reason to maintain a duplicate set of administrative templates.

Conclusion

Microsoft makes it unnecessarily difficult for admins due to the incompatible ADMX for Windows 10 and 11. There is no reason why the company could not consolidate all settings in the Windows 11 administrative templates and thus cover all older versions of the operating system.

A coexistence of the ADMX for Windows 10 and 11 cannot be avoided in mixed environments if one of the exclusive settings for Windows 10 is required. However, this should not be the case in most organizations, so they can limit themselves to the templates for Windows 11.

2 Comments

Moirae, 6 months ago:

Is it possible/okay to install only the admx/l files for the feature needed into the central store, such as Windows Update and leave the rest? Basically pick and choose as needed.. Thanks for your response.

Author's reply:

No, that's not possible. The GPO editor will only fetch ADMX from the location you have configured, i.e. the central store or PolicyDefinitions on the local machine.

© 4sysops 2006 - 2023