Known issues managing a Windows 10 Group Policy client in Windows Server 2012 R2

Topic

New Reply

Known issues managing a Windows 10 Group Policy client in Windows Server 2012 R2

Summary

This article describes the known challenges that can occur when you manage a Windows 10 Group policy client base from a Windows 2012 R2 server. The same challenges apply to using the Advanced Group Policy Management sever (AGPM) on a Windows 2012 R2 server when you manage Windows 10 Clients.

The document is separated into sections for each subsequent upgrade as they were released. It also indicates when a change affects only a specific build of the Group Policy ADMX template files.

The following list of changes do not include the many new additional settings that are added to each template file because they do not have any effect if they are added to an existing deployment. The existing deployment does not use those settings. Therefore, it is unlikely to affect the environment.

It is also important to consider that during the GPMC startup, the console caches the ADMX files into memory. Therefore, any changes to the templates that occur while the tool is open do not appear, even after a report refresh. After the tool is shut down and then re-opened, it will get the new ADMX files from the policydefinitions folder.

More Information

Traditionally, the method of translating group policy settings into a user interface that could be easily managed was provided by ADM files. These files use their own markup language. They were locale-specific. Therefore, they were difficult to manage for multinational companies.

Microsoft Windows Vista and Windows Server 2008 introduced a new method of displaying settings within the Group Policy Management Console. Registry-based policy settings (located under the Administrative Templates category in the Group Policy Object Editor) are defined as using a standards-based, XML file format known as ADMX (more commonly known as administrative templates).

Group Policy Object Editor and Group Policy Management Console remain largely unchanged. In most situations, you do not notice the presence of ADMX files during your daily Group Policy administration tasks.

Some situations require an understanding of how ADMX files are structured and the location in which they are stored. ADMX files provide an XML-based structure for defining the display of the Administrative Template policy settings in the Group Policy tools. The Group Policy tools recognize ADMX files only if you are using a computer that is running Windows Vista or Windows Server 2008 or later versions.

Unlike ADM files, ADMX files are not stored in individual GPOs. For domain-based enterprises, administrators can create a central store location of ADMX files that is accessible by anyone who has permission to create or edit GPOs. Group Policy tools continue to recognize any custom ADM files that you have in your existing environment, but will ignore any ADM file that has been superseded by an ADMX file, such as System.adm, Inetres.adm, Conf.adm, Wmplayer.adm, and Wuau.adm. Therefore, if you have edited any of the these files to change or create policy settings, the changed or new settings are not read or displayed by the Windows Vista–based Group Policy tools.

The Group Policy Object Editor automatically reads and displays Administrative Template policy settings from ADMX files that are stored either locally or in the optional ADMX central store. The Group Policy Object Editor automatically reads and display Administrative Template policy settings from custom ADM files that are stored in the GPO. You can still add or remove custom ADM files by using the Add/Remove template menu option. All Group Policy settings that are currently in ADM files that are delivered by Windows Server 2003, Windows XP, and Windows 2000 are also available in Windows Vista and Windows Server 2008 ADMX files.

It can be challenging to upgrade the policydefinitions folder that has later revisions of the ADMX files. This is because some settings are deprecated and some are added. Typically, adding settings has a minimal effect. However, deprecating settings often causes pre-configured Group Policies to retain settings that can no longer be changed. Commonly, those types of redundant settings from the new ADMX files are listed as “Extra Registry Settings” in the settings report. These settings are still applied to production, but the administrator can no longer turn them on or off.

In order to manage this situation, an administrator could delete the Group policy, if it is no longer required. Or, they could copy the legacy ADMX template back to the PolicyDefinitions folder. This would enable the setting to be managed again, but at the cost of losing the new settings from the later revision ADMX template.

Known ADMX file content change issues in Windows 10 build 1607

…….

Properties

Article ID: 4015786 – Last Review: Mar 23, 2017 – Revision: 36

Applies to
Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials, Windows 10 Version 1607, Windows 10 Version 1511

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

Reply | Quote

Replies

How to create and manage the Central Store for Group Policy Administrative Templates in Windows
https://support.microsoft.com/en-us/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows

INTRODUCTION

This article describes how to use the new .admx and .adml files to create and administer registry-based policy settings in Windows. This article also explains how the Central Store is used to store and to replicate Windows-based policy files in a domain environment.

Links to download the Administrative Templates files based on the operating system version

Administrative Templates (.admx) for Windows 10 Version 1607 and Windows Server 2016

Administrative Templates (.admx) for Windows 10 and Windows 10 Version 1511

Administrative Templates (.admx) for Windows 8.1 Update and Windows Server 2012 R2 Update

Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2

Administrative Templates (.admx) for Windows 7 and Windows Server 2008 R2
To view ADMX spreadsheets of the new settings that are available in later operating system versions, go to the following Microsoft Download Center website:

Group Policy Settings Reference for Windows and Windows Server

More Information

Overview

Administrative Templates files are divided into .admx files and language-specific .adml files for use by Group Policy administrators. The changes that are implemented in these files let administrators configure the same set of policies by using two languages. Administrators can configure policies by using the language-specific .adml files and the language-neutral .admx files.

Administrative Templates file storage

Windows uses a Central Store to store Administrative Templates files. The ADM folder is not created in a Group Policy Object (GPO) as it is in earlier versions of Windows. Therefore, Windows domain controllers do not store or replicate redundant copies of .adm files.

Note If you use a client that is running an earlier version of Windows to change a policy that is created or administered on a Windows 8.1-based or a Windows 10-based computer, the client creates the ADM folder and replicates the files.

For more information, click the following article number to go to the article in the Microsoft Knowledge Base:
816662 Recommendations for managing Group Policy Administrative Template (.adm) files

The Central Store

To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a Windows domain controller. The Central Store is a file location that is checked by the Group Policy tools. The Group Policy tools use any .admx files that are in the Central Store. The files that are in the Central Store are later replicated to all domain controllers in the domain.

To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location (for example) on the domain controller:

\\contoso.com\SYSVOL\contoso.com\policies
Copy all files from the PolicyDefinitions folder on a source computer to the PolicyDefinitions folder on the domain controller. The source location can be either of the following:

The C:\Windows folder on a Windows 8.1-based or Windows 10-based client computer
The C:\Program Files (x86)\Microsoft Group Policy\client folder if you have downloaded any of the Administrative Templates separately
The PolicyDefinitions folder on the Windows domain controller stores all .admx files and .adml files for all languages that are enabled on the client computer.

The .adml files are stored in a language-specific folder. For example, English (United States) .adml files are stored in a folder that is named “en-US”; Korean .adml files are stored in a folder that is named “ko_KR”; and so on.

If .adml files for additional languages are required, you must copy the folder that contains the .adml files for that language to the Central Store. When you have copied all .admx and .adml files, the PolicyDefinitions folder on the domain controller should contain the .admx files and one or more folders that contain language-specific .adml files.

Note When you copy the .admx and .adml files from a Windows 8.1-based or Windows 10-based computer, verify that the most recent updates to these files are installed. Also, make sure that the most recent Administrative Templates files are replicated. This advice also applies to service packs, as applicable.

Group Policy administration

Windows 8.1 and Windows 10 do not include Administrative Templates that have an .adm extension. We recommend that you use computers that are running Windows 8.1 or later versions of Windows to perform Group Policy administration.

Updating the Administrative Templates files

In Group Policy for versions of Windows that are earlier than Windows Vista, if you change Administrative Templates policy settings on local computers, the Sysvol share on a domain controller within your domain is automatically updated to include the new .ADM files. Those changes are then replicated to all other domain controllers in the domain. This might increase the network load and storage requirements.

In Group Policy for Windows Server 2012 R2 and Windows 8.1, if you change Administrative Templates policy settings on local computers, Sysvol is not automatically updated to include the new .admx or .adml files. This change in behavior is implemented to reduce network load and disk storage requirements and to prevent conflicts between .admx and .adml files when changes are made to Administrative Templates policy settings across different locations.

To make sure that any local updates are reflected in Sysvol, you must manually copy the updated .admx or .adml files from the PolicyDefinitions file on the local computer to the Sysvol\PolicyDefinitions folder on the appropriate domain controller.

The following update enables you to configure the Local Group Policy editor to use Local .admx files instead of the Central Store:

2917033 An update is available to enable the use of Local ADMX files for Group Policy Editor

Known Issues

…..

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

Reply | Quote