My name is Kai Ohnesorge and I am working with Microsoft in a position as Premier Field Engineer (PFE) based in Germany. In my job I am confronted with a large amount of GPO topics, one being changes in ADMX templates over the various versions of Windows. From time to time, we as PFEs are asked for changes in ADMX templates between different versions of Windows operating systems, but so far the only sources of information were the “Group Policy Settings Reference for Windows and Windows Server” spreadsheets. These contain all Group Policy settings available in the corresponding version of the Windows operating systems, but unfortunately there has never been a comprehensive documentation of all changes. A spreadsheet containing all changes in ADMX files shipped with Windows Vista up to Windows 10 Anniversary update (not containing Windows Server 2016 yet) can now be downloaded here. Later on in this article you will find a description of the spreadsheet, but first let me explain why this information might be of importance to you.
Originally, my answer regarding changes to ADMX files always was “ADMX files shipped with newer versions of Windows contain additional settings, but no settings are removed or basic changes are made”. Today, I know this is not the entire truth. In 2012 my good friend Mark Empson, PFE based in the UK, discovered that ADMX files are not always growing between OS versions, but many stay the same size – some of them are actually shrinking! During further investigation he identified settings that were indeed removed from newer versions of ADMX files, which means if a Central Store has been configured for the ADMX and ADML files in a domain, affected settings might not be manageable after updating the files in the central store to the newest version. So if a domain is configured with a Central Store, containing the ADMX templates delivered with Windows Server 2008 R2, a Group Policy might contain the following settings:
After updating the ADMX files to the versions delivered with Windows Server 2012 R2, the same GPO might be displayed as:
As a result, all of these settings are not manageable anymore and cannot be changed or removed within the Group Policy Management Console (GPMC). The same situation will occure when a GPO, that was originally created with Windows Server 2008 R2, is edited with a GPMC installed on Windows Server 2012 R2 while using the local ADMX files.
To bypass this situation, several workarounds are available after identifying if your environment is affected at all. The amount of Policy settings that have been removed is curently around 40 over all versions of Windows, including settings added to Operating systems via patches, but not available in the RTM version of the next release. For example the setting “Do not reinitialize a pre-existing roamed user profile when it is loaded on a machine for the first time” has been added to Windows Server 2012 and Windows Server 2012 R2 via an update (yes, updates do change ADMX files!), so it has been available in the latest version of Windows Server 2012 ADMX files, but not in the RTM version of Windows Server 2012 R2.
So if your environment is affected, here are two possible workarounds (not in a particular order):
- Identify all related settings and remove them from the Group Policy before updating the Central Store, if currently configured
- Create a management system (server or client) per version of the Windows Operating system present in your environment and configure the Group Policy objects for a specific version of Windows from the corresponding management system. If a Central Store is configured in the environment, configure the GPMC on these management systems to bypass the central store as described in this article:
An update is available to enable the use of Local ADMX files for Group Policy Editor
Furthermore, for a few Policy settings essential information in the ADMX files, such as the key value or the enabled / disabled values have changed. One example is the Group Policy setting “Turn off Fair Share CPU Scheduling “. Prior to Windows 8 / Windows Server 2012, the key values were:
<decimal value=”1″ />
<decimal value=”0″ />
Starting with the ADMX files shipped with Windows 8 / Windows Server 2012, the key values are:
<decimal value=”0″ />
<decimal value=”1″ />
It is important to mention that this does not affect GPOs present in your environment before updating the ADMX files, but it might affect your clients when editing the GPOs after the update. If any affected Policy settings are configured in your environment, additional testing should be planned before changing the GPOs or applying them to newer versions of Windows.
The comparison file contains a number of spreadsheets:
- Annotations: General comments about the document
- ADMXOSAvailability This spreadsheet displays all ADMX files and their availability in different versions of Windows
- ADMXChangesFull All changes in ADMX files, starting Windows Vista up to Windows 10 Build 1607 Patch state August 2016
- admx_IE11 All changes that occurred in the Internet Explorer 11 ADMX file
- Removed_Items A list of all ADMX files and Policy settings removed between Windows Vista up to Windows 10 Build 1607 Patch state August 2016
- New_Items A list of all ADMX files and Policy settings added between Windows Vista up to Windows 10 Build 1607 Patch state August 2016
- Changed_Items Changes made to Policy settings between Windows Vista up to Windows 10 Build 1607 Patch state August 2016. Important changes, as Registry Key value changes, are marked red.
The file can be downloaded directly from the following location:
Kai Ohnesorge, Microsoft Identity PFE