How to update Group Policy Templates in for Local Computer?

Jonathan Woodward 26 Reputation points
2021-08-07T15:15:37.14+00:00

I need some clarification about updating Group Policy Templates (*.admx, *.adml) on a local Windows 10 machine please. Information on the web is not very clear.

  1. Are the Administrative Templates downloaded from the MS website (for example, the 21H1 templates can be found at https://www.microsoft.com/en-us/download/details.aspx?id=103124) meant to update just a single, local computer? Or are they meant to update templates on a Central Store Server that handles multiple computers on a network? Or both?
  2. If the Administrative Templates are used to update a local computer, what the correct procedure for doing so? When the Administrative Template MSI files downloaded from MS are executed, the newest template files are copied into the Program Files directory only. Does the user have to manually copy the *.admx and *.adml files into the %systemroot%\PolicyDefinitions folder?
  3. It appears that each feature update also updates MOST of the Administrative Templates in the %systemroot%\PolicyDefinitions folder, but a couple are not updated, such as windowsmediadrm.admx and windowsmediaplayer.admx which involve Windows Media Player. However, the %systemroot%\PolicyDefinitions folder is protected and the older *.admx, *.adml files cannot be overwritten with newer files by simply copying without changing the owner from TrustedInstaller to User. Am I supposed to overwrite older templates with newer ones and is there a better way to update without changing owner?
  4. The Administrative Templates downloaded from MS also include grouppolicypreferences.admx and mmcsnapins2.admx which are not included in %systemroot%\PolicyDefinitions. What do they do are are they intended for administering other network computers and, thus, unnecessary?
  5. Are the Administrative Templates downloaded from the MS website for each feature update cumulative? Meaning, if you start with a fresh install of 21H1, you don't need to back install the previous templates (such as 20H1, 20H2, etc.) before installing the 21H1 templates? I am pretty sure each update is cumulative but I wanted to ask anyway.
  6. For installing Administrative Templates for other programs, such as Office, OneDrive, Edge....these templates are not included in a Windows installation. I assume these *.admx and *.adml files are just copied into the %systemroot%\PolicyDefinitions folder?

Thanks!

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
10,678 questions
Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,778 questions
0 comments
Accepted answer
  1. DonPick 1,256 Reputation points
    2021-08-09T10:40:11.007+00:00
    1. Yes both (same files for both scenarios)
    2. Yes, manually copy into PolicyDefinitions
    3. backup existing files by MOVING them out into a backup folder, place the newer files into PolicyDefinitions
    4. GPPrefs etc are for Domain GP not relevant to LocalGP
    5. Yes cumulative
    6. Yes, manually copy into PolicyDefinitions

4 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Jonathan Woodward 26 Reputation points
    2021-08-11T11:51:45.07+00:00

    @DonPick

    Thank you DonPickard for your informative and succinct replies!

    A couple of follow up questions.....

    On my computer, I have a User Account with Administrative Privileges. Am I able to just move out the older files from %systemroot%\PolicyDefinitionis\ folder? If not, would it be better to change the owner of the folder and all files therein from TrustedInstaller (or system, I forget) to User, move out the old files, then change the owner back to TrustedInstaller and copy the updated .admx/.adml files? Or would it be better to log into the built in Administrator account, move the old files, copy in the new files, and log back into the User account? Or does it matter?

    Just to confirm, BOTH grouppolicypreferences.admx and mmcsnapins2.admx are unnecesasary for Local GP?

    Thanks!

    0 comments
  2. DonPick 1,256 Reputation points
    2021-08-12T09:49:14.357+00:00

    On my computer, I have a User Account with Administrative Privileges. Am I able to just move out the older files from %systemroot%\PolicyDefinitionis\ folder? If not, would it be better to change the owner of the folder and all files therein from TrustedInstaller (or system, I forget) to User, move out the old files, then change the owner back to TrustedInstaller and copy the updated .admx/.adml files? Or would it be better to log into the built in Administrator account, move the old files, copy in the new files, and log back into the User account? Or does it matter?

    The objective is to update (replace) the files of interest, the mechanism isn't so important :)
    The templates are really only of value to an admin who uses the GPeditor or gpresult tools (they aren't needed for applying policy settings).
    You can take ownership of all the files anyway you like, then move or delete or replace them anyway you like.
    Just ensure that you always regard the .admx file and its matching .adml file (in locale subfolder) as a pair. Always add/move/delete as a pair, and ensure there is always an adml file for each admx file, to avoid errors in the GP tools.

    for grouppolicypreferences.admx/adml, this template controls the grouppolicpreferences CSE's, and the GPP CSE's only operate on domain GP scenarios (unless you are using purchased 3rd party addon products like PolicyPak)

    for mmcsnapins2.admx/adml this controls the MMC console itself (if you want to control what admins can do, for example). These controls-to-control-the-controls are rarely ever used in my experience, but they are technically applicable for LocalGP (very unlikely though, because they are for business scenarios where Domain GP would likely be in place)

    mmcsnapins2.admx Group Policy Starter GPO Editor
    mmcsnapins2.admx Group Policy Management Editor
    mmcsnapins2.admx Storage Manager for SANs
    mmcsnapins2.admx Storage Manager for SANS Extension
    mmcsnapins2.admx Disk Management Extension
    mmcsnapins2.admx Share and Storage Management
    mmcsnapins2.admx Share and Storage Management Extension
    mmcsnapins2.admx DFS Management
    mmcsnapins2.admx DFS Management Extension
    mmcsnapins2.admx File Server Resource Manager
    mmcsnapins2.admx File Server Resource Manager Extension

    0 comments
  3. Jonathan Woodward 26 Reputation points
    2021-08-12T17:24:23.88+00:00

    @DonPick

    Thank you. After comparing the *admx files in %systemroot%\PolicyDefinitions with those 21H1 templates available from Microsoft, I found that %systemroot%\PolicyDefinitions has the most current template files, making updating unnecessary EXCEPT for

    searchocr.admx (03/19/2019)
    windowsmediadrm.admx (03/19/2019)
    windowsmediaplayer.admx (03/19/2019)

    with the date modified stamp listed in parenthesis to the right. In this case, the downloaded templates have newer date modified stamps,
    searchocr.admx (05/04/2021)
    windowsmediadrm.admx (05/04/2021)
    windowsmediaplayer.admx (05/04/2021)

    I am assuming that the newer timestamp are newer versions and should replace the older versions, correct?

    One more question...changing the owner of %systemroot%\PolicyDefinitions from TrustedInstaller to User and granting the User write/modify permissions seems to be the easiest way to go. Once I am done backing up the old .admx/.adml files, should I change the Owner back to TrustedInstaller or leave as User?

    Thanks!

  4. Jonathan Woodward 26 Reputation points
    2021-08-14T17:42:09.11+00:00

    @DonPick

    That's what I needed to know. Thank you very much for your help!

    0 comments