Unfortunately, there is no built-in way to have Microsoft Windows or an Active Directory Domain Controller check for the latest available ADMX templates as part of Group Policy. Instead, administrators have relied on periodically checking for updated ADMX packages.
With scripting tools like PowerShell, administrators can automate these manual update processes and keep the environment up to date. The EvergreenAdmx.ps1 script is a great way to do this.
What is EvergreenAdmx?
EvergreenAdmx allows admins to schedule the download of the latest ADMX files available for specific operating systems. It performs two functions:
- It checks for new versions of ADMX templates and, if found, downloads and processes the latest version.
- It copies the new ADMX template files to the Active Directory Central Store or another folder you choose. By copying the files to the proper Central Store Policy Definitions folder, all the domain controllers get the most recent template versions.
You can find the official link to the GitHub page here.
It keeps ADMX template files updated for Adobe Acrobat and Reader, FSLogix, Google Chrome, Microsoft Edge (Chromium), Microsoft Office, Microsoft OneDrive, and Windows 10/11, among others.
Installing EvergreenAdmx
While you can manually download the script to a folder and execute it from there, the easiest way to install EvergreenAdmx is from the PowerShell Gallery:
Install-Script -Name EvergreenAdmx
You must accept the prompts to add the script path to your PATH environment variable and to install from the untrusted repository.
Now you can run the EvergreenAdmx.ps1 script by typing evergreenadmx.
With the parameter Include, you can specify all products you want to process during the EvergreenAdmx check.
Valid entries are:
- Custom Policy Store
- Windows 10
- Microsoft Edge
- Microsoft OneDrive
- Microsoft Office
- FSLogix
- Adobe AcrobatReader DC
- BIS-F
- Citrix Workspace App
- Google Chrome
- Microsoft Desktop Optimization Pack
- Mozilla Firefox
- Zoom Desktop Client
If you don't use the Include parameter while running the script, it will download only the Windows 11 22H2, Microsoft Office, Microsoft OneDrive, and Microsoft Edge templates to the default c:\Program Files\WindowsPowerShell\Scripts\downloads location.
Scheduling the download of ADMX templates
The main use case of EvergreenAdmx is scheduling it to pull down the latest ADMX templates automatically and have these copied to the Central Store of your PolicyDefinitions folder in Active Directory.
You can easily create a scheduled task to run the Evergreen one-liner below:
EvergreenAdmx.ps1 -Windows11Version "22H2" -PolicyStore "C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions"
The EvergreenAdmx GitHub page provides an XML file that you can import to create a scheduled task in your environment.
The configured task will check for new ADMX templates and update the Central Store Policy Definitions daily with the newest ADMX templates.
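Because the scheduled task writes directly into the Central Store on a domain controller, a more cautious arrangement is to back up the store, let EvergreenAdmx write to a staging folder, and promote the files only after comparing the two. The wrapper below is an added example, not part of EvergreenAdmx or the original article; the staging and backup paths and the function name Get-TemplateList are assumptions, and it uses only the -Windows11Version and -PolicyStore parameters shown above.

```powershell
# Added example: back up, stage, compare, then promote ADMX/ADML files.
$ErrorActionPreference = 'Stop'
$CentralStore = 'C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions'  # path used in the article
$Staging      = 'C:\AdmxStaging\PolicyDefinitions'                     # assumed staging folder
$BackupDir    = 'C:\AdmxBackup'                                        # assumed backup folder

# Hypothetical helper: relative paths of every template under a root,
# lower-cased so the live and staged stores can be compared.
function Get-TemplateList {
    param([Parameter(Mandatory)][string]$Root)
    $full = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -Path $full -Recurse -File |
        Where-Object { $_.Extension -in '.admx', '.adml' } |
        ForEach-Object { $_.FullName.Substring($full.Length + 1).ToLowerInvariant() }
}

# 1. Timestamped backup of the live Central Store before anything changes.
New-Item -ItemType Directory -Path $BackupDir, $Staging -Force | Out-Null
$zip = Join-Path $BackupDir ("PolicyDefinitions-{0:yyyyMMdd-HHmmss}.zip" -f (Get-Date))
Compress-Archive -Path (Join-Path $CentralStore '*') -DestinationPath $zip

# 2. Let EvergreenAdmx write to the staging folder instead of SYSVOL.
& EvergreenAdmx.ps1 -Windows11Version '22H2' -PolicyStore $Staging

# 3. Compare: stop if nothing usable was produced, and report every
#    template that exists in the live store but not in this run's output.
$live   = @(Get-TemplateList -Root $CentralStore)
$staged = @(Get-TemplateList -Root $Staging)
if (-not ($staged -like '*.admx')) {
    throw "No .admx files in $Staging; Central Store left untouched."
}
$missing = @($live | Where-Object { $_ -notin $staged })
if ($missing.Count) {
    Write-Warning "$($missing.Count) live template(s) not produced by this run; they keep their current version:"
    $missing | ForEach-Object { Write-Warning "  $_" }
}

# 4. Promote additively: no /MIR or /PURGE, so nothing is deleted from the live store.
robocopy $Staging $CentralStore *.admx *.adml /E /R:2 /W:5 /NP | Out-Null
if ($LASTEXITCODE -ge 8) {
    throw "robocopy failed with exit code $LASTEXITCODE; backup is at $zip."
}
```

Point the scheduled task at a wrapper like this rather than at the one-liner, and keep the backups until the new templates have been checked in the Group Policy editor.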
Wrapping up
Evergreen environments on-premises require automated processes to ensure you have the most recent versions of applications, files, and configurations. Keeping your Active Directory Group Policy ADMX templates updated using manual processes is labor-intensive and can lead to issues with old versions of policy templates.
The EvergreenAdmx script is a great way to continually update your ADMX templates with the latest versions from Microsoft and third-party vendors.
Salvation, I thought, very nice utility to have for a busy admin….. First off let me warn everyone, and you should be doing this on a lab environment before going live with it, modus operandi. My lab servers = Win 2019 1809. My initial test on a DC, I followed the example given in this article, other than I ran it from PowerShell ISE before creating a scheduled task. The script completely cleared all existing ADMX and ADML files out of the central store. Expected (glad I backed it up) maybe, however the unexpected was that it only installed a bunch of 2016 Office Suite templates, that was it, none of the other ADMX files came back. I did get the MSI popup warning that you can read about at the end of the GitHub page for this script. Now the real work begins, thoroughly vetting this PowerShell script.
Brandon, you should cover the MSI issue. Unfortunately it is at the bottom of the GitHub page in the notes section with hardly a mention and it should be thoroughly explained.