Editing the same GPO in Windows Server 2008 and Windows 7 --> confusion
- Hi,
I came over this while testing the BitLocker Recovery Password feature, but it is not a BitLocker-realted but a Group Policy-related question:
I have got a domain with Windows Server 2008 DCs only and Windows Vista and Windows 7 clients.
I created a Group Policy Object using GPMC on Windows Server 2008 and configured the setting "Control Panel Setup: Enable advanced startup options" to be enabled. The explanation to this setting states "Requirements: at least Windows Vista". This setting only workd for my Vista clients but not for the Windows 7 clients (although the policy definetely applied to the Windows 7 machines).
I installed RSAT on a Windows 7 machine and opened exactly the same GPO and it showed different configuration options (the ones which are new to Windows Server 2008 R2 and Windows 7). The "Require aditional authentication at startup" setting still exists but the explanation says: "Requirements: Windows 7 familiy". However, in Windows 7 RSAT I can see the changes made in Windows Server 2008 but to make the setting available for both Windows Vista and Windows 7 I have to open the GPO from both systems (or configure two GPOs)?
Is this behavior by design? Is it documented somewhere?
Kind regards,
Dagmar
Answers
Hi,
Based on my research, the policy name of "Control Panel Setup: Enable advanced startup options" is changed to “Require additional authentication at startup (Windows Server 2008 and Windows Vista)" in Windows 7. The policy setting can apply to Windows Vista and Windows 7.
In Windows 7, there are more settings available to configure BitLocker. Therefore, it has another policy named “Require additional authentication at startup”, which can apply to Windows 7 family only.
To avoid the display confusion, you may create a central store. In this way, the settings in Administrative Templates are loaded from central store instead of local drive.
To create a central store, please copy the PolicyDefinitions folder (C:\Windows\) to \\FQDN\SYSVOL\FQDN\policies folder. For more information, please refer to the following article:How to create a Central Store for Group Policy Administrative Templates in Window Vista
http://support.microsoft.com/kb/929841
Joson Zhou
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.- Marked As Answer byJoson ZhouMSFT, ModeratorWednesday, November 11, 2009 5:13 AM
All Replies
Hi,
Based on my research, the policy name of "Control Panel Setup: Enable advanced startup options" is changed to “Require additional authentication at startup (Windows Server 2008 and Windows Vista)" in Windows 7. The policy setting can apply to Windows Vista and Windows 7.
In Windows 7, there are more settings available to configure BitLocker. Therefore, it has another policy named “Require additional authentication at startup”, which can apply to Windows 7 family only.
To avoid the display confusion, you may create a central store. In this way, the settings in Administrative Templates are loaded from central store instead of local drive.
To create a central store, please copy the PolicyDefinitions folder (C:\Windows\) to \\FQDN\SYSVOL\FQDN\policies folder. For more information, please refer to the following article:How to create a Central Store for Group Policy Administrative Templates in Window Vista
http://support.microsoft.com/kb/929841
Joson Zhou
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.- Marked As Answer byJoson ZhouMSFT, ModeratorWednesday, November 11, 2009 5:13 AM
- Thank you for your help.
Reading the article about Central Store for GP ADMX helped me to understand the issue.
Kind regards,
Dagmar - Hi,
Glad to hear that. If you need any assistance in the further, please feel free to post in our forums.
Have a nice day.
This posting is provided "AS IS" with no warranties, and confers no rights.
