Windows 10 or Windows 11 GPO ADMX - Which One To Use For Your Central Store?
Published Jan 16 2022 11:08 PM
Microsoft

 

Hi community,

 

My name is Helmut Wagensonner. I’m a Customer Engineer at Microsoft, and this blog post should help you understand which Administrative Templates (ADMX) to choose for your mixed Windows 11 / Windows 10 environment.

 

NOTE: The content of this article is only useful if you use ADMX file versions released before 21/07/23.

All the issues between the different ADMX versions mentioned in this blog have been fixed as of 21/07/23. You can now use the new Windows 11 ADMX files (download from Microsoft Download Center) to maintain Windows 11 and Windows 10 clients.

Also note that DataCollection.ADMX is a special case. See "ADMX DataCollection Policy CSP", "Changes to Windows diagnostic data collection" and the blue box below for further information.

 

NOTE: The telemetry settings (DataCollection.admx) have been changed and renamed in Windows 11. The following table shows the Windows 10 settings and their corresponding Windows 11 terms.

| Windows 10 ADMX - Allow Telemetry | Windows 11 ADMX - Allow Diagnostic Data |
| --- | --- |
| 0-Security | Diagnostic Data Off |
| 1-Required | Send required Diagnostic Data |
| 2-Enhanced | [not present] |
| 3-Optional | Send Optional Diagnostic Data |

Clients that are configured to "2-Enhanced" using the Windows 10 settings will automatically drop back to "Send required Diagnostic Data" in Windows 11.

 

First of all, let me say that both versions of the ADMX templates mentioned below can be used with Windows 10 as well as with Windows 11. They are identical except for a very few settings. This article is only about how to configure a setting that is missing from one of the templates. Once configured, your GPOs will work on both operating systems.

 

As long as we support Windows 10 it could occur that new Windows 10 features are not reflected in Windows 11 ADMX files and vice versa. The table at the end of this article shows differences between the Win10 and Win11 templates (as of Dec 16, 2021).

 

So what to do if you have a mixed environment of both client operating systems? Well, fact is that you can only copy one set of ADMX files to your Active Directory’s Central Store. Depending on what your future plans are, you should decide which templates fit best. If you plan to stay on Windows 10 for a while, you should choose the Windows 10 ADMX files. If you’re ready to upgrade to Windows 11 and this will become your dominating OS version (or it already is), you should copy the Windows 11 ADMX files to your Central Store.

 

But can you configure new Windows 10 policies if your central store contains the Windows 11 ADMX files? Well, you can! You just need to do this from a separate client. The steps below explain the approach.

 

  • Install a client with the Windows 10 21H2 (important!) operating system and join it to your domain.
  • Log on with a user that has administrative rights.
  • Right-click the Start menu and choose “Apps and Features”.
  • Choose “Optional Features”.
  • Choose “Add a Feature”.
  • Search for “RSAT: Group Policy Management Tools” and click the “Install” button.
  • After successful installation you will find a “Group Policy Management” item in the “Windows Administrative Tools” folder in your Start menu.
  • Open the Registry Editor and add the following registry value:
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy
    Value: EnableLocalStoreOverride
    Type: REG_DWORD
    Data: 1
  • Restart your computer and log on with a user account that has the right to edit domain Group Policy objects.
  • Run “Group Policy Management” from your Start menu and open the desired GPO for editing. The Administrative Templates should now be taken from the client’s local store instead of the central store.
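
The steps above in script form, for an elevated PowerShell session on the management client. This is an added example, not part of the original article; the wildcard used to find the RSAT capability and the central store path built from the computer's domain name are assumptions about a default environment.

```powershell
# Added example, not from the original article. Run elevated on the dedicated
# Windows 10 21H2 management client described in the steps above.

# 1. Install the Group Policy Management Tools (RSAT) optional feature if missing.
$rsat = Get-WindowsCapability -Online -Name 'Rsat.GroupPolicy.Management.Tools*'
if ($rsat.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $rsat.Name | Out-Null
}

# 2. Set the registry value from the article (creates the key if it does not exist).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
if (-not (Test-Path -LiteralPath $key)) {
    New-Item -Path $key -Force | Out-Null
}
New-ItemProperty -Path $key -Name 'EnableLocalStoreOverride' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Report what the editor will work with after the restart.
$domain  = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$local   = Join-Path $env:SystemRoot 'PolicyDefinitions'
# Assumption: the central store sits in the default SYSVOL location.
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

[pscustomobject]@{
    EnableLocalStoreOverride = (Get-ItemProperty -LiteralPath $key).EnableLocalStoreOverride
    LocalStore               = $local
    LocalAdmxCount           = @(Get-ChildItem -LiteralPath $local -Filter '*.admx' -File).Count
    CentralStore             = $central
    CentralStoreFound        = Test-Path -LiteralPath $central
}
```

The restart from the last steps is still required before opening Group Policy Management.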

 

The following tables illustrate the differences between the Windows 10 21H2 and Windows 11 21H2 ADMX files.

 

| ADMX name | Scope | Setting | Available only in |
| --- | --- | --- | --- |
| AppPrivacy | Computer | Let Windows apps take screenshots of various windows or displays | Windows 11 |
| AppPrivacy | Computer | Let Windows apps turn off the screenshot border | Windows 11 |
| AppxPackageManager | Computer | Archive infrequently used apps | Windows 11 |
| AppxPackageManager | Computer | Do not allow sideloaded apps to auto-update in the background | Windows 11 |
| AppxPackageManager | Computer | Do not allow sideloaded apps to auto-update in the background on a metered network | Windows 11 |
| CloudContent | Computer | Turn off cloud consumer account state content | Windows 11 |
| CloudContent | User | Turn off Spotlight collection on Desktop | Windows 11 |
| ControlPanelDisplay | Computer | Prevent lock screen background motion | Windows 11 |
| DataCollection | Computer | Limit Diagnostic Log Collection | Windows 11 |
| DataCollection | Computer | Limit Dump Collection | Windows 11 |
| DeliveryOptimization | Computer | Discovery Mode: Local Discovery | Windows 11 |
| DnsClient | Computer | Configure DNS over HTTPS (DoH) name resolution | Windows 11 |
| EAIME | User | Configure Korean IME version | Windows 11 |
| FileSys | Computer | Enable NTFS non-paged pool usage | Windows 11 |
| FileSys | Computer | NTFS parallel flush threshold | Windows 11 |
| FileSys | Computer | NTFS parallel flush worker threads | Windows 11 |
| FileSys | Computer | Configure NTFS default tier | Windows 11 |
| Globalization | Both | Restrict Language Pack and Language Feature Installation | Windows 11 |
| InetRes | Both | Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC. | Windows 11 |
| Netlogon | Computer | Use lowercase DNS host names when registering domain controller SRV records | Windows 11 |
| NewsAndInterests | Computer | Allow News and Interests | Windows 11 |
| Sam | Computer | Configuration settings for the Security Account Manager | Windows 11 |
| Sensors | Computer | Force instant Wake | Windows 11 |
| Sensors | Computer | Force instant Lock | Windows 11 |
| Sensors | Computer | Configure Lock Timeout | Windows 11 |
| StartMenu | Both | Locked Start Layout: Re-Apply Layout at every logon | Windows 11 |
| StartMenu | Both | Show or hide "Most used" list from Start menu | Windows 11 |
| TaskBar | Computer | Configure the Chat icon on the taskbar | Windows 11 |
| TenantRestrictions | Computer | Configure Cloud Policy Details | Windows 11 |
| TerminalServer | Computer | Enable auto-subscription | Windows 11 |
| TerminalServer | Computer | Do not allow location redirection | Windows 11 |
| TerminalServer | Computer | Allow UI Automation redirection | Windows 11 |
| WindowsDefender | Computer | Configure scheduled task times randomization window | Windows 11 |
| WindowsDefender | Computer | Define the directory path to copy support log files | Windows 11 |
| WindowsDefender | Computer | Configure IP Address Exclusions | Windows 11 |
| WindowsDefender | Computer | Turn on script scanning | Windows 11 |
| WindowsDefender | Computer | Allow Microsoft Defender Antivirus to update and communicate over a metered connection | Windows 11 |
| WindowsDefender | Computer | Configure Network Protection to be allowed to be configured into block or audit mode on Windows Server | Windows 11 |
| WindowsDefender | Computer | Control datagram processing for network protection | Windows 11 |
| Sandbox | Computer | Allow vGPU sharing for Windows Sandbox | Windows 11 |
| Sandbox | Computer | Allow networking in Windows Sandbox | Windows 11 |
| Sandbox | Computer | Allow audio input in Windows Sandbox | Windows 11 |
| Sandbox | Computer | Allow video input in Windows Sandbox | Windows 11 |
| Sandbox | Computer | Allow printer sharing with Windows Sandbox | Windows 11 |
| Sandbox | Computer | Allow clipboard sharing with Windows Sandbox | Windows 11 |
| WindowsUpdate | | <Changes in folder structure> | Windows 11 |

 

| ADMX name | Scope | Setting | Available only in |
| --- | --- | --- | --- |
| DataCollection | Both | Allow Telemetry: Enhanced | Windows 10 |
| DeliveryOptimization | Computer | Download Mode: Bypass | Windows 10 |
| EAIME | User | Turn on Live Sticker | Windows 10 |
| EAIME | User | Turn on lexicon update | Windows 10 |
| InetRes | Both | Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects | Windows 10 |
| InetRes | Both | Reset zoom to default for HTML dialogs in Internet Explorer mode | Windows 10 |
| MicrosoftEdge | Both | Suppress the display of Edge Deprecation Notification | Windows 10 |
| Printing | Computer | Limit print driver installation to Administrators | Windows 10 |
| TerminalServer | Computer | Set the Remote Desktop licensing mode: AAD per User | Windows 10 |
| WindowsDefender | Computer | Scan packed executables | Windows 10 |
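
Because the tables above reflect the templates as of Dec 16, 2021, the comparison can be regenerated from whichever two template sets are at hand. The following script is an added example, not part of the original article or any Microsoft tooling; it reports the internal policy names from the ADMX files (the display names shown in the tables live in the ADML files), and the demo folders and policy names at the bottom are constructed sample data.

```powershell
# Added example (not from the original article): diff two PolicyDefinitions folders.

function Get-AdmxPolicy {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($file in Get-ChildItem -LiteralPath $Path -Filter '*.admx' -File) {
        $xml = New-Object System.Xml.XmlDocument
        $xml.Load($file.FullName)   # XmlDocument honours the encoding declared in the file
        # local-name() matches <policy> elements regardless of the namespace in use
        foreach ($p in $xml.SelectNodes('//*[local-name()="policy"]')) {
            [pscustomobject]@{
                Id         = ('{0}|{1}' -f $file.BaseName, $p.GetAttribute('name')).ToLowerInvariant()
                Admx       = $file.BaseName
                Scope      = $p.GetAttribute('class')   # Machine, User or Both
                Policy     = $p.GetAttribute('name')
                Key        = $p.GetAttribute('key')
                Definition = $p.OuterXml                # includes enum items and other child elements
            }
        }
    }
}

function Compare-AdmxStore {
    param(
        [Parameter(Mandatory)][string]$ReferencePath,    # e.g. the Windows 10 templates
        [Parameter(Mandatory)][string]$DifferencePath    # e.g. the Windows 11 templates
    )
    $ref = @{}; foreach ($p in Get-AdmxPolicy -Path $ReferencePath)  { $ref[$p.Id] = $p }
    $dif = @{}; foreach ($p in Get-AdmxPolicy -Path $DifferencePath) { $dif[$p.Id] = $p }

    foreach ($id in (@($ref.Keys) + @($dif.Keys) | Sort-Object -Unique)) {
        $status = $null
        if (-not $dif.ContainsKey($id)) {
            $status = 'OnlyInReference'
        } elseif (-not $ref.ContainsKey($id)) {
            $status = 'OnlyInDifference'
        } elseif ($ref[$id].Definition -cne $dif[$id].Definition) {
            # Same policy name, different definition (for example a removed enum item)
            $status = 'DefinitionDiffers'
        }
        if ($status) {
            $p = if ($ref.ContainsKey($id)) { $ref[$id] } else { $dif[$id] }
            [pscustomobject]@{
                Status = $status; Admx = $p.Admx; Scope = $p.Scope
                Policy = $p.Policy; Key = $p.Key
            }
        }
    }
}

# --- Demo on constructed sample data (made-up policy names, not real templates) ---
$root = Join-Path ([IO.Path]::GetTempPath()) ('admx-demo-' + [guid]::NewGuid())
$w10  = (New-Item -ItemType Directory -Path (Join-Path $root 'Win10')).FullName
$w11  = (New-Item -ItemType Directory -Path (Join-Path $root 'Win11')).FullName

$doc  = '<policyDefinitions><policies>{0}</policies></policyDefinitions>'
$same = '<policy name="DemoShared" class="Machine" key="Software\Policies\Demo" valueName="A" />'
$old  = '<policy name="DemoOnly10" class="Machine" key="Software\Policies\Demo" valueName="B" />'
$new  = '<policy name="DemoOnly11" class="User" key="Software\Policies\Demo" valueName="C" />'
$item = '<item displayName="$(string.L{0})"><value><decimal value="{0}" /></value></item>'
$mode = '<policy name="DemoMode" class="Machine" key="Software\Policies\Demo">' +
        '<elements><enum id="Mode" valueName="Mode">{0}</enum></elements></policy>'
$mode10 = $mode -f (($item -f 1) + ($item -f 2))   # two options in the first set
$mode11 = $mode -f ($item -f 1)                    # one option dropped in the second set

Set-Content -LiteralPath (Join-Path $w10 'Demo.admx') -Value ($doc -f ($same + $old + $mode10))
Set-Content -LiteralPath (Join-Path $w11 'Demo.admx') -Value ($doc -f ($same + $new + $mode11))

Compare-AdmxStore -ReferencePath $w10 -DifferencePath $w11 | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

For a real comparison, point `-ReferencePath` and `-DifferencePath` at the two extracted template folders, or at the local `C:\Windows\PolicyDefinitions` folder and the central store.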

 

Further resources you might find useful:

 

GPO Settings Reference Spreadsheet for Windows 10 21H2

https://www.microsoft.com/en-us/download/details.aspx?id=103668

 

GPO Settings Reference Spreadsheet for Windows 11 21H2

https://www.microsoft.com/en-us/download/details.aspx?id=103506

 

ADMX templates for Windows 10 21H2

https://www.microsoft.com/en-us/download/details.aspx?id=103667

 

ADMX templates for Windows 11 21H2

https://www.microsoft.com/en-us/download/details.aspx?id=103507

 

Edit 03/02/22: Please note that the list of differences shown above may not be complete. This is just a guiding reference. Also, there may be updated ADMX versions, which change the number of differences between Windows 10 and Windows 11 ADMX in either way. The table above shows differences at time of writing this article.

 

Edit: 07/02/22: Re-wrote some parts of the article because it could be misunderstood.

 

Edit: 21/07/23: All differences have been compensated now. See blue box on top for more details.

68 Comments
Brass Contributor

quite bad if your company have W10 and 11 (e.g. due to transition phase)

Thanks for your article @hewagen.

 

As a Senior IT expert helping customers with the transition, which includes maintaining their GPO my main questions / concerns are:

1. Why does Microsoft maintain two ADMX policy sets in the first place? The Windows 11 ADMX should contain all settings and should be highly compatible with Windows 10 21H2 or earlier supported versions. It baffles me to be honest.

2. Why is the Windows 10 21H2 kept being updated and the other Windows 11 21H2 ADMX not being updated for a long time now, and as such missing settings?
There is nothing worse than GPP or registry hacks imho if it is avoidable.

 

3. Microsoft should understand this approach is not feasible. Even more we now have no further SAC but GAC starting with 21H2, the efforts to combine the templates should be considered. The gap, as per example below, can only get worse. 

 

EXAMPLE:
@hewagen your table is missing a difference in both settings, the setting is (still) missing in Windows 11 ADMX, due to them being pretty much outdated compared to the Windows 10 21H2 ADMX. The release of Windows 11 ADMX missed this change by 2 days a week only, which now causes unnecessary confusion.

References:
KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates (...

KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481) (microsof...

Set RestrictDriverInstallationToAdministrators using Group Policy

After installing updates released October 12, 2021 or later, you can also set RestrictDriverInstallationToAdministrators using a Group Policy, using the following instructions:

  1. Open the group policy editor tool and go to Computer Configuration > Administrative Templates > Printers. 

  2. Set the Limits print driver installation to Administrators setting to "Enabled". This will set the registry value of RestrictDriverInstallationToAdministrators to 1.


@hewagen what's also missing in the Windows 11 ADMX is the OS filtering option.

It ends with Windows 10.

 

When you open the GPMC and edit a GPO or local GP Editor you can right click on ADMX templates (in central store or local) and use a very sufficient filter, which has been maintained for decades now.



Windows 11 is the exception. There's no new OS category for this OS.

 

Can you please ask the team why we cannot filter for Windows 11 anymore if the Windows 11 ADMX introduced OS build specific settings?

 

In practice the central store is used to manage Windows Server and Windows Client OS, no matter the version, starting with XP/2003 or Vista/2008.

 

This should not be changed. The workaround in the blog is not helpful for common management scenarios.

Generally admins should not use their own devices to execute management tasks but a separate host and user dedicated to these elevated tasks.

 

Copper Contributor

What a mess. It's gonna be a pain to manage both worlds (Win10 & 11) in transition phase. 

 

Microsoft you can do better.

Copper Contributor

Also, does this only affect Win10 & Win11? Or Server 2022 and below as well?

@Pascal_Tieg depends on how you use it but by design of using Central Store for ADMX, it does affect Windows Server as well as I've outlined above.

Copper Contributor

@Karl_Wester-Ebbinghaus Yeah, that's what I figured. Just would love to have it confirmed by MS. 

Copper Contributor

What about those of us using AGPM for change control, history, auditing, and delegation?

Copper Contributor

This is terrible.  Microsoft seems to lack any understanding or empathy for organisations trying to manage their products or they wouldn't introduce this mess. Do better Microsoft.

Copper Contributor

@hewagen Any feedback on above questions?

Iron Contributor

I'd like to echo all of the feedback above. Our org will be Win10 and Win11 for quite some time (as older TPM PCs that can't in-place upgrade exit the environment as they age out (attrition.)) This will make supporting both much more difficult.

 

Is there a technical reason that Win10 and Win11 ADMX files can't be a single ADMX file like Microsoft has done for years with past OSs? Thanks

Brass Contributor

Wait "Limit print driver installation to Administrators" is only available in Windows 10? So that means Windows 11 can't apply that mitigation for PrintNightmare?!?

 

We ran a test on a domain W11 system and it could add a printer and install the driver as a regular user, thus showing that setting really is only W10. I can't find any online documentation for W11/PrintNightmare but this leads me to believe it would be vulnerable?

Steel Contributor

As time goes on and environments get more and more mixed, this will be insanely confusing and borderline untenable in large environments with many complex GPOs. We already have enough things to worry about between testing patches for Microsoft (see January updates), researching and mitigating a never-ending flood of vulnerabilities, etc.

 

What possible explanation could there be to not have one set of templates, and Win11-exclusive settings simply having a Requirement of "Windows 11". You know, exactly how Windows 10 was handled?  If there's conflicts, move older settings to a "Legacy Settings" subfolder, exactly like was done with Windows Updates' settings in recent ADMX templates.

 

This is a tone-deaf decision that I think Microsoft should reconsider.

Brass Contributor

I can't believe what I've just read...

This looks to me a further sign that Windows 11 is not a real candidate for serious Enterprise deployment yet.  Don't even get me started on the Teams shortcut debacle.

Please fix this, as in its current state it's basically broken.

@davidmbahm if you deployed all CUs per default there is not much vulnerability left.

As everything is now effective by default.

 

However you might need this GPO for certain drivers that are package but still need admin rights even with point and print etc. 

 

The Windows 11 ADMX is missing the GPO yes. It's only in the Windows 10 21H2 ADMX. For Windows 11 you need to deploy a registry GPP.

This is slower and more prone to errors.

 

 

@WindowsTeam please fix this !!!

Iron Contributor

This article seems to be completely misleading and seems incorrect from my testing?

 

The Windows 11 21H2 ADMX/ADML files linked above AND the Windows 11 ADMX/ADML files included with the Win11 Enterprise Operating System in C:\Windows\PolicyDefinitions all dated June 5th, 2021 install fine on Windows 10 1909 or newer into C:\Windows\PolicyDefinitions (you have to take ownership as an admin) and you can run gpedit.msc and clearly see the new Start Menu setting listed for Win11 only. Also all the previous Windows 7, Windows 8, Windows 10 settings are included.

If you do a side by side compare between the Windows 11 ADMX files and the Windows 10 20H2 files you can see they are identical with the exception of the very few new policies for Windows 11.

If you update all the ADMX and the ADML on the Sysvol Central store, with the new June versions, they run without errors and can be seen and applied in Group Policy Management to Windows 10 and Windows 11?

If you run mmc.exe and RSOP on Windows 11 or Windows 10 the policies apply equally to both OS.


 

Microsoft

Hi @ll,

 

thanks for your feedback. Sorry for the delayed response and for not answering the questions above. I'm not part of the Windows product group so I don't know when this issue will be addressed. Anyway, I just wanted to point out that there are differences between the two ADMX versions (at the point of writing the article) but there is an "easy" workaround to get it solved. In most cases you won't even notice them because more than 99% of the settings within the ADMX are equal.

 

But I'm with you when you say that this can cause additional "trouble" in rare cases. I ran into this issue at one of my customers as well. I will try to contact the PG to get information if this will be fixed (and when) unless it's done on purpose. I will comment here.

 

Thanks,
Helmut

Brass Contributor

Thanks for taking the time to reply @hewagen and I hope you receive some better news for us from the Product Group for in the future!

Thank you Helmut for your reply and picking up the feedback @hewagen !

Iron Contributor

@hewagen wrote:

 

  • Hi @ll,

     

    thanks for your feedback. Sorry for the delayed response and for not answering the questions above. I'm not part of the Windows product group so I don't know when this issue will be addressed. Anyway, I just wanted to point out that there are differences between the two ADMX versions (at the point of writing the article) but there is an "easy" workaround to get it solved. In most cases you won't even notice them because more than 99% of the settings within the ADMX are equal.

     

    But I'm with you when you say that this can cause additional "trouble" in rare cases. I ran into this issue at one of my customers as well. I will try to contact the PG to get information if this will be fixed (and when) unless it's done on purpose. I will comment here.

     

    Thanks,
    Helmut

 


Hi,
I think you need to re-write your article because it is being repeated across multiple news sources and the information it is providing is incorrect in as how it is being interpreted.

I just confirmed with multiple Domain Admins that the ADMX for Windows 11 21H2 are backwards compatible to even Windows 7 the way they have always been.

Reading the article again I think what you are trying to say is that Microsoft released a "new version" for Windows 10 that has settings not included in their "new version" for Windows 11 which to me is a case of when two OS developers are not talking to each other. They should merge the two and fix it for sure but as about 99.9% of those settings are probably not used, it isn't a huge big deal. You can just use a preference if you need to.

You can also mix and match the ADMX files. Microsoft keeps them separately for a reason. I am still running the ADMX/ADML from Windows 7 days for the Bitlocker Encryption settings because we still use Active Directory to store and Group Policy to set Bitlocker and the newer ADMX/ADML have had the settings removed.

The only rule is to keep the ADMX and ADML matched.

Iron Contributor

"what's also missing in the Windows 11 ADMX is the OS filtering option.

It ends with Windows 10.

When you open the GPMC and edit a GPO or local GP Editor you can right click on ADMX templates (in central store or local) and use a very sufficient filter, which has been maintained for decades now."

 

Are you running the Group Policy Management on a Windows 11 computer?  With Windows 10 you had to run it on Windows 10 to see the Windows 10 filtering. I remember because we had Windows 7 and had to spin up VM's for Win10 when it first came out in order to do the Filtering for the new OS.

I haven't checked my Win11 VM for filtering yet but I can when I am back at work.

Iron Contributor
 What about those of us using AGPM for change control, history, auditing, and delegation?
 
I use AGPM on Windows 11 and it works just fine. You still need .Net 3.5 and AGPM version 3 which is the latest but it makes no difference. I have the ADMX for 21H2 from my Win11 box up on our Central store and they work just like they did previously. We still run Enterprise Win 7 (vendors for hospitals taking too long to support Win10) and GPOs are still working for Win7 too.
 
Microsoft

@lforbes You might be right. Reading through this again it can be misunderstood. I will add another note to the beginning of the article to clarify. Thanks for your feedback.

Iron Contributor

So K_Wester-Ebbinghaus is correct.

 

Windows 11 Computer running Group Policy Management and Windows 11 is MISSING the Operating System Edition.
Note that Server 2022 is there and that was just released.
Note that this is a flaw in Windows 11 OS, not in the ADMX templates. This OS version is part of the Group Policy Management Console itself not in the ADMX.

If I logon to the Windows 11 and open my Policy and go to Targeted Pref, I get Windows 10, no Windows 11 and Server 2022 but NOT Server 2019???

 

If I open the EXACT same policy and same Preference on Windows 10, I get Windows 10, Server 2019 Family, missing Windows 11 but that is to be expected.


 

 

Copper Contributor

@lforbes So how do you control those Win10 policies that are only available in the Win10 policies, per this very post?

Brass Contributor

In our enterprise we run latest Windows 10 Enterprise and we heavily use latest GPO/ADMX. Migrating to Windows 11 is going to be very much transitional spread over a year. Based on this post, it sounds like you can either have Windows 10 or Windows 11 ADMX templates, this is madness.

 

What is someone supposed to do if they want to manage both Windows 10 and Windows 11 fleet of computers? 

 

The only option I see here is to start using Intune (MECM co-managed and specific workloads moved to Intune for W11) for all things GPOs for Windows 11, and ensure all existing on-premise GPOs are only being applied to Windows 10 computers so the two do not mix.

 

Anyone have any other solution to this mess?

Iron Contributor

Maybe this will be solved with 22H2 having everything combined into one template.

Could they be stupid enough to keep with separate incompatible templates going forward?

Copper Contributor

Is it me or is everyone else tired of having to tweak everything to get it to run after another Microsoft screw up?
What Genius thought this was a good idea? Had an issue with inetres missing a setting and hunted this mess down, well thank you MSFT for another debacle
Anyone who thinks this is OK does not live in the real world where we try to keep businesses running and secure
Since inception of the Central Store the latest ADMX files would naturally manage the previous OS
Since Windows 10 there have been numerous errors in the deployment of the latest ADMX files
Someone has to do a better job, or find someone that can, this is not that difficult

@hewagen do you have any news if the small discrepancies between the newer ADMX for Windows 10 21H2 will be matching Windows 11 21H2?

Any news from the PG? I have to disagree it's a rare condition. (unless you assume no one is either using both OS, or using Intune instead). 

 

Maybe you think it's rare, but the fact win 11 admx Urge you to implement printing nightmare via GPO GPP registry while natively included in Windows 10 is odd

We want to help customers to be consistent. 

 

@lforbes  thanks for testing, but it's the wrong area. 

 

You are looking into GPP conditions for a GPO GPP

You are right about the behaviour, because it is WMI based. 

 

I am talking about filters in GPMC ADMX, please check my detailed report and screenshot. Let me know if anything is unclear.

 

Hi @Jeremy Moskowitz as designated expert and MVP, do you have time so we could schedule a meeting with the PG to get this improved for Windows 11 22H2?

 

Microsoft

Hi all,

 

the topic found its way to the PG. They're working on it. I don't have any further details for now but there is movement.

 

Thanks!

Thank you for your quick follow up. Much appreciated Helmut, also for forwarding the feedback. 

First: I am ALWAYS available to the PG at anytime. :) PG just reach out to me as you see fit and happy to help.

 

I do agree that the MISSING Windows 11 in GPPRefs Item Level Targeting is completely bonkers. That has to be rectified. It can be worked around by WMI query, but it really should be fixed.

 

I also agree the myriad of issues is starting to pile up for regular customers and its possible a few small tweaks could re-right the ship for thousands of normal microsoft customers.

 

With that.. again; happy to help here.

Hi @hewagen how are you have you heard back from the Product Group. 

We now have a new release for Windows 10 21H2 ADMX, while Windows 11 sticks on the outdated based. Doesn't make any sense in production.

 

Win 10 from 2022

https://www.microsoft.com/en-us/download/details.aspx?id=104042

 

Win 11 from 2021

https://www.microsoft.com/en-us/download/details.aspx?id=103507

Microsoft

Unfortunately I do not have any news yet. The PG is still working on it.

Iron Contributor

Hi,

 

So this is what I did today. I downloaded the V2 of Windows 10, 21H2 and then I just added the ADMX/ADML from the Windows 11 package where the Windows 11 ones had newer settings I wanted.

I opened both in Notepad++ and did a "Compare". 

I used the grid above to identify any policies I would use like the Chat one for Taskbar and the Register DNS Securely one.

I just copied over the ones that I wanted like DNSClient.admx/adml and the Taskbar.admx/adml that had the newer settings but the older dates.

So I created a folder of the best of each and I used that on my Servers.

They worked just fine and they open fine and I can set the settings and they apply to both our Windows 10 and Windows 11 computers as well as our older Windows 7 ones (Yes we have the extended license for some Hospital Applications that are very expensive) 

@lforbes would you mind sharing this on github? so, one could download but also track the changes made?

Iron Contributor

I see that Windows 11 22H2 ADMX templates have been available for some time.

Is this issue solved with the Windows 11 22H2 templates or is the same incompatibility issue going to happen again when the Windows 10 22H2 ADMX templates are released?

Microsoft

I haven't heard anything from the PG till now. Going to wait until Win 10 22H2 RTMs, to do another comparison between the templates. 

Thanks for the follow up. From what I heard regarding the security baseline Team there will be still different ADMX for each OS in 22H2. So they will be publishing different baselines as well.

Some things mentioned before should have been improved though. (printingnightmare settings) 

Microsoft

As announced already, I'm currently preparing a comparison with the 22H2 releases. This will be a new post going online on early January.

Copper Contributor

"Apps and Features" is not present in the Start button context menu.

Brass Contributor

It seems Windows 11 GPO still misses a setting for TLS 1.3 in
Windows Components/Internet Explorer/Internet Control Panel/Advanced Page > Turn off encryption support > Secure Protocol combinations

Brass Contributor

Finally
Windows 11 GPO got a setting for TLS 1.3 in latest preview Patch March 23
https://support.microsoft.com/en-us/topic/march-28-2023-kb5023778-os-build-22621-1485-preview-d490bb...

"This update affects the Group Policy Editor. It adds Transport Layer Security (TLS) 1.3 to the list of protocols that you can set."

Iron Contributor

How would AGPM work if you have Windows 10 ADMX templates in your central store and Windows 11 ADMX templates on a workstation with the registry hack configured to bypass the central store?

I saw the earlier post that said AGPM can be installed on a Windows 11 system, but that isn’t my question.

Is there an issue with AGPM working with local stores on some systems and the central store on other systems at the same time?

Copper Contributor
thanks
Iron Contributor

Can Windows 11 ADMX templates be managed from a Windows 10 workstation or does the admin workstation running GPMC with the registry hack use local templates also need to be Windows 11?

Microsoft

You need a Win 11 workstation with GPMC (RSAT) installed. Then add the registry setting and modify your domain policy settings from that workstation.

Iron Contributor

@hewagen Will you be able to use AGPM using the local Windows 11 ADMX templates while everyone else is using the same AGPM instance with Windows 10 templates from the AD central store?

Last update: Jul 26 2023 08:36 AM