Blog Post

Windows IT Pro Blog
11 MIN READ

Why you shouldn’t set these 25 Windows policies

AriaUpdated's avatar
AriaUpdated
Icon for Microsoft rankMicrosoft
Jan 19, 2022
The Windows update experience, as well as the policies that control it, have changed dramatically over the last few years. Notifications, the ability to dictate the behavior of update downloads, inst...
Updated Jul 14, 2022
Version 4.0
servicing and updates
windows 10
windows 11
Karl-WE's avatar
Karl-WE
MVP
Jan 26, 2022

Hi AriaUpdated thanks for taking time to answer so many questions. 👍🏻

 

To the filtering:

If you right click on Administrative Templates node in GPMC or GP there a search and filtering that's really helpful. 

 

Having it in the description would help a lot. Adding a new OS category would be perfect. Might have more dependencies though. The filtering can also specificially filter for strings in the description only. 

 

Reading the helpful feedback from others I would like to reinstate a former idea. 

 

I could not do it myself but maybe either a community project from MVPs like Jeremy Moskowitz,, SusanBradleyGeek and othersi n cooperation with Microsoft or a native solution from Microsoft supported by feedback from the community

 

Many still have to deal with GPO and want to modernize their policies. But that's not the only target. Would also work with CSP.

 

There is the valid question how to setup modern policies for Windows Server 2019 and later.

 

Idea:

Create a webpage (comparable to config. Office.com) that's able to do the following:

 

1. A) Import gpresult.html and parse for Windows Update, Defender and Telemetry Settings > showing the effective results per Windows /Windows Server OS and SKU for all supported and ESU Versions.

 

B) Alternative method: read settings via registry from hklm / hcu policies hives and direct settings. 

 

Usecase: see how modern policies would work as result on all OSes. 

 

2. The webpage has a wizard that assist to select OS and SKU and the outcome based on requirements. Step by step especially restart and enforcement policies. 

They differ most depending OS. 

 

3. Export the settings as GPO or PowerShell which can be then imported in GPMC or CSP

 

What do you think about this? 

 

It sounds like some work to do, but honestly it would be the easiest approach for patchmanagement people.

 

As you mentioned to write more blogs about other aspects I welcome this, but would also be a good base for this idea. 

 

We would not only get reliable settings for all OS per version but also have an easy deployment and pretty easy troubleshooting. 

 

How do you feel about this idea? Is it something you would consider to invest ressources?