none
Updating GPO ADMX files

    Question

  • Hi,

    I'm looking to understand the principles of how ADMX files work as I've had 2 conflicting responses here.

    We have a Central Store for our ADMX files on our DC.

    When you create a Group Policy Object, does it always refer to the central store? so if I update an ADMX file, the object is updated as well?

    -or-

    when you create a Group Policy object, does it copy the ADMX files to a folder represented by the GPO's GUID and then remains until you update it / recreate it with the new version?

    I ask as we are running Windows 10 1511 but need to update our ADMX files to support 1607 as for a period of time, we'll have a mixed estate. I don't want to update the ADMX files until I'm sure of how this works as there are some differences to how Windows Update is controlled between the 1511 ADMX and the 1607 ADMX.

    Thanks.

    Neil.

    Monday, February 20, 2017 2:29 PM

All replies

  • Hi,
     
    Am 20.02.2017 um 15:29 schrieb Hannerz:
    > When you create a Group Policy Object, does it always refer to the central
    > store?
     
    if it exists: yes
     
    But you can add
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy,
    EnableLocalStoreOverride=1 to bypass central store and use local store
    again. Which is good for testing purposes and scenarios, where you do
    not want to update the store for everyone (at this time of your project)
     
    Uploading templates into the Sysvol\Guid of GPO\ADM folder was and still
    is ADM behavior.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    GET Privacy and DISABLE Telemetry on Windows 10 - gp-pack PaT
     
    Monday, February 20, 2017 3:06 PM
  • Hi,

    Thank for the answer, that was useful.

    I did a bit of research about EnableLocalStoreOverride and didn't get much in terms of how it operates. In this scenario we will have 1511 on the DC and 1607 locally on test devices.

    Am I correct in the following assumption.

    1) We enable EnableLocalStoreOverride on the 1607 machines and ensure they have the correct ADMX files  for 1607 in c:\windows\policydefinitions?

    My questions are:

    1) How do you configure those settings for 1607 that aren't in the 1511 settings? Do you apply them using the local GP editor on each box?

    2) Do the settings that are common between 1511 and 1607 still apply from the DC - but the Windows 10 box still uses the local store?

    Neil.

    Monday, February 20, 2017 4:50 PM
  • > 1) How do you configure those settings for 1607 that aren't in the 1511 settings? Do you apply them using the local GP editor on each box?
    > 2) Do the settings that are common between 1511 and 1607 still apply from the DC - but the Windows 10 box still uses the local store?
     
    Neither or both - partially at least :-)
     
    ADMX templates are used ONLY on
    a) Editing a GPO
    b) Creating a RSoP Results/Modeling report
     
    They are completely irrelevant for GPO processing.
     
    Monday, February 20, 2017 5:03 PM
  • Am 20.02.2017 um 17:50 schrieb Hannerz:
    > 1) We enable EnableLocalStoreOverride on the 1607 machines and ensure they have
    > the correct ADMX files  for 1607 in c:\windows\policydefinitions?
     
    Right. Be aware, the client can be a Server! (from 2008 up)
     
    > 1) How do you configure those settings for 1607 that aren't in the 1511
    > settings? Do you apply them using the local GP editor on each box?
     
    Use GPMC!
    or just deploy 1607 for all in central store. Why not, if Win10 is
    already present.
     
    > 2) Do the settings that are common between 1511 and 1607 still apply from the DC
    > - but the Windows 10 box still uses the local store?
     
    ADM(x) are just a mask to write values into registry.pol
    If you use the wrong ADM(x) the setting is out of reach, but still in
    registry.pol
     
    You use a frontend to write data into database. What happens to dababase
    if you change frontend? Nothing. Data still exist.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    GET Privacy and DISABLE Telemetry on Windows 10 - gp-pack PaT
     
    Monday, February 20, 2017 5:16 PM
  • Hi, 

    Thanks for the responses. Sorry for the delay.

    In answer to Mark's question:

    > "Use GPMC! or just deploy 1607 for all in central store. Why not, if Win10 is already present."

    With the 1611 templates in the central store and have them apply to all Windows 10 machines, what impact does this have on the different Windows update settings between 1511 and 1607? Although the settings have been reworded, I imagine they apply to the same registry keys. However, where changes to the deferral period have been made between updates for CBB from 8 months to 180 days, what impact does this have on 1511? (I am going to try this myself but have a long list of things to get right with our Windows 10 deployment).

    Having just written the above, I re-read your post about the settings still existing in registry.pol if the ADMX setting doesn't exist. I guess the easiest thing here is to look at the policy files and see where they write.

    Pardon my ignorance here, we are a ZENworks / Novell house and deployed GPO's differently but have finally started to migrate to AD so some things are still a little unclear.

    Neil.

    Thursday, February 23, 2017 12:42 PM
  • Hi Neil,
    >> With the 1611 templates in the central store and have them apply to all Windows 10 machines
    Central store is located in the SYSVOL folder on a Windows domain controller. The Central Store is a file location that is checked by the Group Policy tools. The Group Policy tools use any .admx files that are in the Central Store. The files that are in the Central Store are later replicated to all domain controllers in the domain so there is no what you said “apply to all Windows 10 machines”. Please refer to: https://support.microsoft.com/en-sg/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows
     And you could see more details regarding to understand about Group Policy ADMX files from:
    https://msdn.microsoft.com/en-us/library/bb530196.aspx
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, February 27, 2017 3:07 AM
    Moderator