none
Extra Registry Settings in GPO

    Question

  • Hi,

    We are using Windows Server 2012 R2 Domain Controllers. We have a GPO which was created long back ago by some one in the organization. I would like to modify some the settings of this GPO. In GPMC some settings it showing as "Extra Registry Settings". I need to modify some of the settings in the "Extra Registry Settings" but I am not able to find them in the Group Policy Object Editor. Please suggest how to resolve this
    example

    Software\Policies\Microsoft\FVE\ActiveDirectoryBackup 0 
    Software\Policies\Microsoft\FVE\EncryptionMethod 4 
    Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\AllowHardwareCompatibilityChecking 1 
    Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\AllowUserExemption 0 

    i want to create new GPO by changing the values for testing. but not able to find this, 

    Thanks in Advance

    Aamir


    NA

    Friday, May 27, 2016 3:44 PM

Answers

  • Hello

    So to change the existing settings we have add this bitlocker ADMX/L file to the current sysvol and change it.

    Am i correct?

    Aamir


    NA

    Yes, to be able to resolve the 'Extra Registry settings' symptom, and also to be able to edit the related settings, you need the ADMX/ADML template files accessible to your GPMC/GPME.

    To do this, confirm if you are, or are not, using a Central Store for this domain. (open GPMC->GPME and refer to below pictures)

    If not using CS, place the ADMX/ADML files at c:\windows\policydefinitions\ on the machine where you are running GPMC/GPME.
    If you are using CS, place the ADMX/ADML files in your CS (on SYSVOL).


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, May 31, 2016 9:18 PM
  • I am checking in Domain controller, so we are using Central Store.

    however i am again consfused that, if the extra registry setting is already available in DC, so the ADMX/l template should be here, but its not available in CS.

    So from where this extra registryi setting has been pushed.

    When you open any GPO via GPMC/GPME, even if doing that on a DC, that does not confirm that CS is in use.
    You must check the "source" of templates, as per the pictures I posted, and examine the tooltip as shown. That is the correct way to confirm if local or central store is being used.

    Either way, the resolution for your issue, is to copy the relevant ADMX/ADML into the relevant \policydefinitions\ folder.

    Then, close GPMC/GPME, then reopen GPMC/GPME. That will cause GPMC/GPME to re-enumerate and parse the ADMX/ADML and render the RSoP display correctly.

    If a GPO contains registry settings, and those registry settings are not 'matched' to a setting definition within an ADMX/ADML, RSoP will be unable to display correctly and so 'extra registry settings' display will result.

    Once a registry setting has been authored into a GPO, that setting will always remain stored in that GPO regardless of matching ADMX/ADML. So, at some point in time, somebody has had those ADMX/ADML files loaded into their GPMC/GPME, and has enabled/configured those settings. For you to be able to modify/configure those particular settings, you must perform the same action (load the ADMX/ADML files into your GPMC/GPME).

    The ADMX/ADML files, are templates, i.e. they are used when creating/modifying a GPO but they are not required for the settings within a GPO to be applied to targeted users/computers. ADMX/ADML templates are only used when GPMC/GPME or RSoP is executed - the templates are not used by the CSE DLLs for applying/processing the settings during GP processing (startup/logon/refresh/etc)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Wednesday, June 01, 2016 9:06 PM
  • 

    I just checked and can confirm you that it is retrieved from Central store but when i goto my sysvol location

    D:\SYSVOL\sysvol\abc.constoso.net\Policies\PolicyDefinitions, not able to find any admx template relate to bitlocker or MBAM. I can see is 

    Chrome.admx

    excel.admx

    inetres.adm/admx

    lync15.admx

    outlk15.admx

    office15.admx

    and similarly with adml file folder as well.

    So I need to download the admx file from  https://www.microsoft.com/en-us/download/details.aspx?id=41183 and paste it sysvol location and then create new GPO adding this template. Correct?

    Yes.

    Also note that when a CS is created, the proper procedure is to copy a full set of ADMX/ADML from c:\windows\policydefinitions\ --> the CS

    This would correctly populate all the default Windows templates into the CS.
    Your example shows that you have some Office2013 templates in your CS, this is fine.
    Your example also shows that you have non-Microsoft templates (Chrome), this is fine.

    The MDOP/MBAM templates do not ship by default with Windows, this is why you must download the MDOP/MBAM templates as per the link and place the desired templates into your CS.

    This will resolve your Extra Registry Settings issue :)

    Note that the MDOP/MBAM download also includes several other templates (eg UE-V etc) which you *can*, but do not *need* to place in your CS.
    There is no harm done if you place the UE-V templates into CS, even if you are not using UE-V in your environment.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, June 02, 2016 8:59 PM
  • example, showing multiple GP Admin Templates for multiple products, within the MDOP templates download (once extracted)

    choose the desired product/version templates, and place those into your CS


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, June 02, 2016 9:06 PM
  • Hello Don,

    i have one more doubt here, now we some setting in our GPMC which comes unde extra registry setting. I understand it is bcoz the template is missing.

    Now for example i copy admx and adml from MBAM 2.5 template and paste in the sysvol of DC.

    will it impact the currect setting which is reflecting extra registry setting?

    Aamir


    NA


    adding/removing/changing Admin Template files, does not change any GPO/settings at all.
    The templates are not 'connected' in any way to the GPOs - it is only the viewing/editing tools that reference the templates, the actual GPOs don't reference the templates at all.

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by Masthanomatic Friday, June 10, 2016 12:01 PM
    Thursday, June 09, 2016 9:03 PM

All replies

  • If it shows up at Extra Registry Settings it means that the client that you are using to view/edit the GPO (or the central store if you are using the Policy Definitions folder in SYSVOL) does not have the ADMx files to map the settings in the GUI.

    You can download the MDOP one there: https://www.microsoft.com/en-us/download/details.aspx?id=41183


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, May 27, 2016 4:00 PM
  • thanks for the quick reply

    I am not using any client to view this setting. I have directly logged into DC and open the GPO editor.

    Do you still suggest the same.

    Aamir


    NA

    Friday, May 27, 2016 4:07 PM
  • Yes. Recommendation is to use the central policy store. Do download the ADMx/l files and put them our your policy store in SYSVOL.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, May 27, 2016 4:17 PM
  • Hello Pierre,

    we have already added those setting in our GPMC, so those template should already be there? correct

    but i am not able to find it

    Thanks


    NA

    Friday, May 27, 2016 9:30 PM
  • we have already added those setting in our GPMC, so those template should already be there? correct

    but i am not able to find it

    check your \PolicyDefinitions\ folder (either on DC or in Central Store, depending upon your scenario)...

    Do the necessary ADMX and ADML files exist in your \PolicyDefinitions\ folder?

    The settings of your interest, are related to MDOP/MBAM and are not included in default Windows templates, you must download and store the ADMX & ADML files. Probably, somebody previously in your environment had done this task, but may have performed this task locally on a particular server or workstation where GPMC/GPME was used for that task.
    This task (place ADMX+ADML files into \PolicyDefinitions\, when performed from any server or workstation, allows that server/workstation to 'extend' GPMC/GPME on that server/workstation, this allows GPOs to be created which deploy those 'new' settings, but, if other servers/workstations do not have those necessary ADMX+ADML files, the 'Extra Registry Settings' symptom will result.
    This is exactly why a Central Store make sense, because when a CS is implemented, all member servers/workstations where GPMC/GPME is used, will refer to the CS to obtain the ADMX+ADML files.
    Note that GP 'clients', when performing RSoP/GPResult, will *not* refer to the CS. The CS is only referenced by GPMC/GPME.

    The files of interest (example from my en-US scenario):

    \PolicyDefinitions\BitLockerManagement.admx
    \PolicyDefinitions\BitLockerUserManagement.admx
    \PolicyDefinitions\en-US\BitLockerManagement.adml
    \PolicyDefinitions\en-US\BitLockerUserManagement.adml

    EDIT: you can easily find which template contains a particular setting/regkey, by using GPSearch:
    http://gpsearch.azurewebsites.net/#2549


    Don [doesn't work for MSFT, and they're probably glad about that ;]



    • Edited by DonPick Sunday, May 29, 2016 3:18 AM
    Sunday, May 29, 2016 3:10 AM
  • Hi Aamir,
    Extra registry settings indicate that settings were configured in the GPO using a template that is not available to the tool you are using. When the templates are available, the registry settings are organized in sections based on the information in the template. 
    In this case, as Pierre suggested , using a central store for group policy templates will reduce the chance of this happening.
    There is a solution which was offered by Xn in the following thread, you could take a look and have a try:
    >Downloaded the latest .adm of Office 2010.
    > Extracted the file to the FQDN\SYSVOL\FQDN\Policies\PolicyDefinition\Office2010 (created on the spot)
    > Edited the GPO, expanded the "Policies"
    > Right Click on Admin Templates and choose "Add/Remove Templates" Click "Add"
    > Navigate to the Office2010\ADM folder
    > Highlight all .adm files available and click "Open"
    > Accept all and close
    Why does Extra Registry Settings not appear when i edit a policy
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/1e6033b5-d31c-43a7-bfda-46395e538139/why-does-extra-registry-settings-not-appear-when-i-edit-a-policy?forum=winserverGP
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 30, 2016 7:05 AM
    Moderator
  • Hi Aamir,
    Extra registry settings indicate that settings were configured in the GPO using a template that is not available to the tool you are using. When the templates are available, the registry settings are organized in sections based on the information in the template. 
    In this case, as Pierre suggested , using a central store for group policy templates will reduce the chance of this happening.
    There is a solution which was offered by Xn in the following thread, you could take a look and have a try:
    >Downloaded the latest .adm of Office 2010.
    > Extracted the file to the FQDN\SYSVOL\FQDN\Policies\PolicyDefinition\Office2010 (created on the spot)
    > Edited the GPO, expanded the "Policies"
    > Right Click on Admin Templates and choose "Add/Remove Templates" Click "Add"
    > Navigate to the Office2010\ADM folder
    > Highlight all .adm files available and click "Open"
    > Accept all and close
    Why does Extra Registry Settings not appear when i edit a policy
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/1e6033b5-d31c-43a7-bfda-46395e538139/why-does-extra-registry-settings-not-appear-when-i-edit-a-policy?forum=winserverGP
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    .ADM files, and the "Add/Remove Templates" method,  are unnecessary for the reported scenario, and, are not-applicable for a Central Store scenario...

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Monday, May 30, 2016 8:23 AM
  • > Software\Policies\Microsoft\FVE\ActiveDirectoryBackup 0
     
    FVE = Full Volume Encryption (aka BitLocker).
     
    Either create a central store and add all ADMX/ADML files from a server
    AND from a client. Or edit the GPO on a client which has the bitlocker
    ADMX/ADML files present.
     
    Monday, May 30, 2016 10:05 AM
  • Hello

    So to change the existing settings we have add this bitlocker ADMX/L file to the current sysvol and change it.

    Am i correct?

    Aamir


    NA

    Tuesday, May 31, 2016 2:51 PM
  • Hello

    So to change the existing settings we have add this bitlocker ADMX/L file to the current sysvol and change it.

    Am i correct?

    Aamir


    NA

    Tuesday, May 31, 2016 2:53 PM
  • Hello

    So to change the existing settings we have add this bitlocker ADMX/L file to the current sysvol and change it.

    Am i correct?

    Aamir


    NA

    Yes, to be able to resolve the 'Extra Registry settings' symptom, and also to be able to edit the related settings, you need the ADMX/ADML template files accessible to your GPMC/GPME.

    To do this, confirm if you are, or are not, using a Central Store for this domain. (open GPMC->GPME and refer to below pictures)

    If not using CS, place the ADMX/ADML files at c:\windows\policydefinitions\ on the machine where you are running GPMC/GPME.
    If you are using CS, place the ADMX/ADML files in your CS (on SYSVOL).


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, May 31, 2016 9:18 PM
  • Hello Don,

    Thanks for the explaination

    I am checking in Domain controller, so we are using Central Store.

    however i am again consfused that, if the extra registry setting is already available in DC, so the ADMX/l template should be here, but its not available in CS.

    So from where this extra registryi setting has been pushed.

    Aamir


    NA

    Wednesday, June 01, 2016 3:36 PM
  • I am checking in Domain controller, so we are using Central Store.

    however i am again consfused that, if the extra registry setting is already available in DC, so the ADMX/l template should be here, but its not available in CS.

    So from where this extra registryi setting has been pushed.

    When you open any GPO via GPMC/GPME, even if doing that on a DC, that does not confirm that CS is in use.
    You must check the "source" of templates, as per the pictures I posted, and examine the tooltip as shown. That is the correct way to confirm if local or central store is being used.

    Either way, the resolution for your issue, is to copy the relevant ADMX/ADML into the relevant \policydefinitions\ folder.

    Then, close GPMC/GPME, then reopen GPMC/GPME. That will cause GPMC/GPME to re-enumerate and parse the ADMX/ADML and render the RSoP display correctly.

    If a GPO contains registry settings, and those registry settings are not 'matched' to a setting definition within an ADMX/ADML, RSoP will be unable to display correctly and so 'extra registry settings' display will result.

    Once a registry setting has been authored into a GPO, that setting will always remain stored in that GPO regardless of matching ADMX/ADML. So, at some point in time, somebody has had those ADMX/ADML files loaded into their GPMC/GPME, and has enabled/configured those settings. For you to be able to modify/configure those particular settings, you must perform the same action (load the ADMX/ADML files into your GPMC/GPME).

    The ADMX/ADML files, are templates, i.e. they are used when creating/modifying a GPO but they are not required for the settings within a GPO to be applied to targeted users/computers. ADMX/ADML templates are only used when GPMC/GPME or RSoP is executed - the templates are not used by the CSE DLLs for applying/processing the settings during GP processing (startup/logon/refresh/etc)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Wednesday, June 01, 2016 9:06 PM
  • 

    thanks Don,

    I just checked and can confirm you that it is retrieved from Central store but when i goto my sysvol location

    D:\SYSVOL\sysvol\abc.constoso.net\Policies\PolicyDefinitions, not able to find any admx template relate to bitlocker or MBAM. I can see is 

    Chrome.admx

    excel.admx

    inetres.adm/admx

    lync15.admx

    outlk15.admx

    office15.admx

    and similarly with adml file folder as well.

    So I need to download the admx file from  https://www.microsoft.com/en-us/download/details.aspx?id=41183 and paste it sysvol location and then create new GPO adding this template. Correct?

    Thanks in advance

    Aamir


    NA

    Thursday, June 02, 2016 10:58 AM
  • 

    I just checked and can confirm you that it is retrieved from Central store but when i goto my sysvol location

    D:\SYSVOL\sysvol\abc.constoso.net\Policies\PolicyDefinitions, not able to find any admx template relate to bitlocker or MBAM. I can see is 

    Chrome.admx

    excel.admx

    inetres.adm/admx

    lync15.admx

    outlk15.admx

    office15.admx

    and similarly with adml file folder as well.

    So I need to download the admx file from  https://www.microsoft.com/en-us/download/details.aspx?id=41183 and paste it sysvol location and then create new GPO adding this template. Correct?

    Yes.

    Also note that when a CS is created, the proper procedure is to copy a full set of ADMX/ADML from c:\windows\policydefinitions\ --> the CS

    This would correctly populate all the default Windows templates into the CS.
    Your example shows that you have some Office2013 templates in your CS, this is fine.
    Your example also shows that you have non-Microsoft templates (Chrome), this is fine.

    The MDOP/MBAM templates do not ship by default with Windows, this is why you must download the MDOP/MBAM templates as per the link and place the desired templates into your CS.

    This will resolve your Extra Registry Settings issue :)

    Note that the MDOP/MBAM download also includes several other templates (eg UE-V etc) which you *can*, but do not *need* to place in your CS.
    There is no harm done if you place the UE-V templates into CS, even if you are not using UE-V in your environment.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, June 02, 2016 8:59 PM
  • example, showing multiple GP Admin Templates for multiple products, within the MDOP templates download (once extracted)

    choose the desired product/version templates, and place those into your CS


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, June 02, 2016 9:06 PM
  • thanks Don,

    I will test this and marked this as answer

    Thanks again for your help on time

    Regard

    Aamir


    NA

    Friday, June 03, 2016 10:31 AM
  • Hello Don,

    i have one more doubt here, now we some setting in our GPMC which comes unde extra registry setting. I understand it is bcoz the template is missing.

    Now for example i copy admx and adml from MBAM 2.5 template and paste in the sysvol of DC.

    will it impact the currect setting which is reflecting extra registry setting?

    Aamir


    NA

    Thursday, June 09, 2016 5:25 PM
  • Hello Don,

    i have one more doubt here, now we some setting in our GPMC which comes unde extra registry setting. I understand it is bcoz the template is missing.

    Now for example i copy admx and adml from MBAM 2.5 template and paste in the sysvol of DC.

    will it impact the currect setting which is reflecting extra registry setting?

    Aamir


    NA


    adding/removing/changing Admin Template files, does not change any GPO/settings at all.
    The templates are not 'connected' in any way to the GPOs - it is only the viewing/editing tools that reference the templates, the actual GPOs don't reference the templates at all.

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by Masthanomatic Friday, June 10, 2016 12:01 PM
    Thursday, June 09, 2016 9:03 PM