- Change Windows network profiles between public and private - Wed, May 24 2023
- How to map a network drive with PowerShell - Wed, May 17 2023
- Troubleshooting no network or internet in VMware Workstation - Thu, May 4 2023
Windows 11 brought a whole new set of group policy settings that admins need to manage the new features of the OS.
Windows 10 21H2 also received some new options, some of which are not included in Windows 11's ADMX. If you administer Windows 10 PCs with Windows 11's ADMX, these settings will unfortunately be missing.
List of deviations
Microsoft has now published the settings that exist only for one of the two OS versions in a blog post. The overview is largely consistent with my comparison of the administrative templates, created using a PowerShell script.
The author of the blog post also assumes that the separate ADMX will remain in place until support for Windows 10 expires. Since many companies are gradually switching to Windows 11, they will have to deal with a mixed environment of both OS versions for a longer period of time. In this case, the question arises as to how to manage group policies.
Own admin workstation for ADMX
One option is to store the ADMX for the prevailing OS version in the central store and provide separate PCs for GPO management with the other templates. If, for example, you decide to use the ADMX from Windows 11 in the central store, then you will also have to set up an admin workstation with Windows 10 and add the following registry key there:
Windows Registry Editor Version 5.00
This action causes the GPO editor to load the local templates.
Evaluate settings for Windows 10 21H2
An alternative would be to check the settings that exist only for Windows 10 and not for Windows 11. If you do not need them, then you can restrict yourself to the ADMX for Windows 11 in the entire environment. The following table contains the exclusive settings for Windows 10 21H2.
|DataCollection||Both||Allow Telemetry: Enhanced|
|DeliveryOptimization||Computer||Download Mode: Bypass|
|EAIME||User||Turn on Live Sticker|
|EAIME||User||Turn on lexicon Update|
|InetRes||User and Computer||Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects|
|InetRes||User and Computer||Reset zoom to default for HTML dialog boxes in Internet Explorer mode|
|MicrosoftEdge||User and Computer||Suppress the display of Edge Deprecation Notification|
|Printing||Computer||Limits print driver installation to Administrators|
|TerminalServer||Computer||Set the Remote Desktop licensing mode: AAD per User|
|WindowsDefender||Computer||Scan packed executables|
As you can quickly recognize, you can easily do without most of the settings. Many organizations no longer use Internet Explorer as their default browser, and other means can be used to prevent Flash from running.
The warning about the legacy Edge is of limited use in managed environments since users cannot usually update the browser themselves anyway.
The setting for delivery optimization allows the use of the BITS protocol and is unlikely to be important in practice. The extended data collection by Microsoft should not be urgent, either.
More important is the option to restrict Point and Print to administrators in order to secure the vulnerabilities in the print spooler ("PrintNightmare"). However, the corresponding setting can be obtained for Windows 11 via SecGuide.admx from the Security Baseline.
Finally, the settings for scanning zipped program files and RDS licensing remain. If you don't need them either, there's no reason to use a duplicate set of administrative templates.
Microsoft makes it unnecessarily difficult for admins due to the incompatible ADMX for Windows 10 and 11. There is no reason why the company could not consolidate all settings in the Windows 11 administrative templates and thus cover all older versions of the operating system.
A coexistence of the ADMX for Windows 10 and 11 cannot be avoided in mixed environments if one of the exclusive settings for Windows 10 is required. However, this should not be the case in most organizations so that you can limit yourself to the templates for Windows 11 there.
Want to write for 4sysops? We are looking for new authors.
Is it possible/okay to install only the admx/l files for the feature needed into the central store, such as Windows Update and leave the rest? Basically pick and choose as needed.. Thanks for your response.
No, that’s not possible. The GPO editor will only fetch ADMX from the location you have configured, i.e. the central store or PolicyDefinitions on the local machine.