How to make the Ultimate ADMX Central Store

Oct 31, 2013

Guest post from Chris Jaramillo (a GPanswers.com regular friend!) with a little help from Jeremy Moskowitz, Group Policy MVP.

Well, another OS release from Microsoft, and you “workin’ it” Group Policy Admins know what that means: Time to update the central store with the latest definitions.

GPO Definitions: Latest and Greatest

GPO definitions start out life on each operating system type. The newest (as of this writing) are 2012 R2 and Windows 8.1.

You would EXPECT them to ship with the same Group Policy definitions, right?

Think again.

Well, I (Chris) did a quick WinDiff of the PolicyDefinitions folders on fresh 2012R2 and Win8.1 builds:

Default on a clean install of both Windows 8.1 and 2012R2 systems:

  • 167 common ADMX files (and their corresponding ADML)

ADMX files which are only on a clean install of 8.1:

  • deviceredirection
  • enhancedstorage (Available on 2012R2 via a Feature)
  • sdiagschd
  • search (Available on 2012R2 via a Feature)
  • shapecollector (Available on 2012R2 via a Feature)
  • winstoreui (Available on 2012R2 via a Feature)

ADMX files which are only on a clean install of 2012 R2:

  • grouppolicy-server
  • grouppolicypreferences
  • mmcsnapins2
  • napxpqec
  • pswdsync
  • servermanager (Available on Win8.1 via RSAT)
  • snis
  • terminalserver-server
  • windowsserver

ADMX files which you can get only on 2012 R2, when you install a Role:

  • fileservervssagent

ADMX files which you can get on either 2012 R2 or Win 8.1, when you install a Feature:

  • searchocr

So in short, you get the same issue as last time. That is, you have to grab some of them from the workstation OS and others from the Server OS. And/or you need to turn on specific Features or Roles to get these ADMX files to actually appear at all!

If you had to manually do this, this would make Central Store management almost unbearable.

It would require installing all Roles/Features on each of Vista, Windows 7, Windows 8, Windows 8.1, 2008R1, 2008R2, 2012R1, and 2012R2 nodes, each with the latest Service Pack.

Then starting with Vista, copy the PolicyDefinitions folder, overwriting with 2008R1, then Windows 7, 2008R2, Windows 8, 2012R1, Windows 8.1, and finally 2012R2. Even then, I have seen instances where MS has removed certain older policy settings from certain newer versions of the same ADMX!

Jeremy’s 2¢

So, here’s my (Jeremy’s) 2¢: Chris is right, but there’s some good news. You DON’T have to go through ALL those gyrations to get the “latest pack” of ADMX files.

Traditionally, Microsoft makes available a download of all the latest ADMX files all in one shot.

The basic rule of thumb would be to simply always just overwrite what’s already in the Central Store *WITH* what Microsoft provides.

So if you had any “extras”... that’s cool, they just stay there and you can use them. But you’re always overwriting the old ADMX files with the LATEST ADMX files.

As of this MOMENT, Microsoft doesn’t yet have the “latest” ADMX files from Win 8.1 and 2012R2 available. I’m pretty sure they’re coming soon. When they do, I’ll post about it.

If it were me, I’d just limp along a little while longer until MS produces them as a full download.

So, that’s the story: Stand by for when it drops from MS.

Chris’s Final 2¢

Special notes: In the 2008R2 version of AppCompat.ADMX, “Prevent access to 16-bit applications” was a user AND computer option. In the 2012R2 version of the same ADMX, the user option is gone. (I’m pretty sure I’ve seen IE settings disappear in a newer ADMX as well.) Add on the fact that certain applications (such as IE) have their ADMX/ADML files updated when the application is released (sometimes out of band from the OS release), or that certain hotfixes (such as the 2012R1 WSUS patch that I forwarded you a week or two ago) will update ADMX/ADML files, and it’s enough to make your head spin.

So, even with populating the latest versions of all of the possible ADMX files, that may not populate the admin templates with all available settings for all client/server/apps (which was kind of the point of a Central Store). However, doing so is probably the closest thing to an all-encompassing Central Store that is possible.

Chris extra notes: My recommendation is to keep a copy of the PolicyDefinitions folder from each OS version (including Service Packs) handy, just in case you temporarily need a previous version of the ADMX.
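
The oldest-to-newest layering described earlier (Vista first, 2012R2 last), together with the recommendation to keep a PolicyDefinitions copy per OS version, can be scripted. The following PowerShell is an added example, not code from Chris or Jeremy: it merges the saved copies into a staging folder and reports every file that a newer OS replaced with different content, so dropped settings can be reviewed before anything goes into the Central Store. The snapshot and staging paths and the per-OS folder names are hypothetical, and Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example: layer per-OS PolicyDefinitions snapshots into one staging folder.
# Paths and folder names are hypothetical; each subfolder of $SnapshotRoot is a
# saved copy of one OS's %SystemRoot%\PolicyDefinitions folder.
$SnapshotRoot = 'C:\ADMX-Snapshots'
$Staging      = 'C:\ADMX-Staging\PolicyDefinitions'

# Oldest first, newest last, so the newest copy of each file wins.
$Order = 'Vista','2008R1','Win7','2008R2','Win8','2012R1','Win8.1','2012R2'

function Merge-PolicyDefinitions {
    param([string]$Root, [string[]]$Layers, [string]$Destination)

    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $report = @()
    foreach ($layer in $Layers) {
        $src = Join-Path $Root $layer
        if (-not (Test-Path $src)) { Write-Warning "Missing snapshot: $src"; continue }
        $src = (Resolve-Path $src).Path

        # ADMX files in the folder root plus ADML files in language subfolders.
        $files = Get-ChildItem -Path $src -Recurse -File |
                 Where-Object { $_.Extension -in '.admx', '.adml' }
        foreach ($file in $files) {
            $relative = $file.FullName.Substring($src.Length).TrimStart('\')
            $target   = Join-Path $Destination $relative
            $action   = 'Added'
            if (Test-Path $target) {
                $same = (Get-FileHash $file.FullName).Hash -eq (Get-FileHash $target).Hash
                if ($same) { continue }      # identical content, nothing to do
                $action = 'Replaced'         # newer OS ships a different version
            }
            New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
            Copy-Item -Path $file.FullName -Destination $target -Force
            $report += [pscustomobject]@{ Layer = $layer; File = $relative; Action = $action }
        }
    }
    $report
}

# @() keeps the result an array even when no file was copied.
$result = @(Merge-PolicyDefinitions -Root $SnapshotRoot -Layers $Order -Destination $Staging)
$result | Where-Object Action -eq 'Replaced' | Format-Table -AutoSize
$result | Export-Csv -Path (Join-Path (Split-Path $Staging -Parent) 'merge-report.csv') -NoTypeInformation
```

Each "Replaced" row names the OS layer that overwrote an older file; those are the ADMX files to compare against the saved snapshot for removed settings such as the AppCompat.ADMX case above.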