question

JonathanWoodward-2815 avatar image
0 Votes"
JonathanWoodward-2815 asked JonathanWoodward-2815 answered

How to update Group Policy Templates in for Local Computer?

I need some clarification about updating Group Policy Templates (.admx, .adml) on a local Windows 10 machine please. Information on the web is not very clear.

  1. Are the Administrative Templates downloaded from the MS website (for example, the 21H1 templates can be found at https://www.microsoft.com/en-us/download/details.aspx?id=103124) meant to update just a single, local computer? Or are they meant to update templates on a Central Store Server that handles multiple computers on a network? Or both?

  2. If the Administrative Templates are used to update a local computer, what the correct procedure for doing so? When the Administrative Template MSI files downloaded from MS are executed, the newest template files are copied into the Program Files directory only. Does the user have to manually copy the .admx and .adml files into the %systemroot%\PolicyDefinitions folder?

  3. It appears that each feature update also updates MOST of the Administrative Templates in the %systemroot%\PolicyDefinitions folder, but a couple are not updated, such as windowsmediadrm.admx and windowsmediaplayer.admx which involve Windows Media Player. However, the %systemroot%\PolicyDefinitions folder is protected and the older .admx, .adml files cannot be overwritten with newer files by simply copying without changing the owner from TrustedInstaller to User. Am I supposed to overwrite older templates with newer ones and is there a better way to update without changing owner?

  4. The Administrative Templates downloaded from MS also include grouppolicypreferences.admx and mmcsnapins2.admx which are not included in %systemroot%\PolicyDefinitions. What do they do are are they intended for administering other network computers and, thus, unnecessary?

  5. Are the Administrative Templates downloaded from the MS website for each feature update cumulative? Meaning, if you start with a fresh install of 21H1, you don't need to back install the previous templates (such as 20H1, 20H2, etc.) before installing the 21H1 templates? I am pretty sure each update is cumulative but I wanted to ask anyway.

  6. For installing Administrative Templates for other programs, such as Office, OneDrive, Edge....these templates are not included in a Windows installation. I assume these .admx and .adml files are just copied into the %systemroot%\PolicyDefinitions folder?

Thanks!

windows-10-generalwindows-group-policy
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DonPickard-7259 avatar image
0 Votes"
DonPickard-7259 answered JonathanWoodward-2815 commented
  1. Yes both (same files for both scenarios)

  2. Yes, manually copy into PolicyDefinitions

  3. backup existing files by MOVING them out into a backup folder, place the newer files into PolicyDefinitions

  4. GPPrefs etc are for Domain GP not relevant to LocalGP

  5. Yes cumulative

  6. Yes, manually copy into PolicyDefinitions


· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thank you DonPickard for your informative and succinct replies!

A couple of follow up questions.....

  1. On my computer, I have a User Account with Administrative Privileges. Am I able to just move out the older files from %systemroot%\PolicyDefinitionis\ folder? If not, would it be better to change the owner of the folder and all files therein from TrustedInstaller (or system, I forget) to User, move out the old files, then change the owner back to TrustedInstaller and copy the updated .admx/.adml files? Or would it be better to log into the built in Administrator account, move the old files, copy in the new files, and log back into the User account? Or does it matter?

  2. Just to confirm, BOTH grouppolicypreferences.admx and mmcsnapins2.admx are unnecesasary for Local GP?

Thanks!

0 Votes 0 ·
JonathanWoodward-2815 avatar image
0 Votes"
JonathanWoodward-2815 answered

@DonPickard-7259

Thank you DonPickard for your informative and succinct replies!

A couple of follow up questions.....

On my computer, I have a User Account with Administrative Privileges. Am I able to just move out the older files from %systemroot%\PolicyDefinitionis\ folder? If not, would it be better to change the owner of the folder and all files therein from TrustedInstaller (or system, I forget) to User, move out the old files, then change the owner back to TrustedInstaller and copy the updated .admx/.adml files? Or would it be better to log into the built in Administrator account, move the old files, copy in the new files, and log back into the User account? Or does it matter?

Just to confirm, BOTH grouppolicypreferences.admx and mmcsnapins2.admx are unnecesasary for Local GP?

Thanks!

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DonPickard-7259 avatar image
0 Votes"
DonPickard-7259 answered DonPickard-7259 published

On my computer, I have a User Account with Administrative Privileges. Am I able to just move out the older files from %systemroot%\PolicyDefinitionis\ folder? If not, would it be better to change the owner of the folder and all files therein from TrustedInstaller (or system, I forget) to User, move out the old files, then change the owner back to TrustedInstaller and copy the updated .admx/.adml files? Or would it be better to log into the built in Administrator account, move the old files, copy in the new files, and log back into the User account? Or does it matter?

The objective is to update (replace) the files of interest, the mechanism isn't so important :)
The templates are really only of value to an admin who uses the GPeditor or gpresult tools (they aren't needed for applying policy settings).
You can take ownership of all the files anyway you like, then move or delete or replace them anyway you like.
Just ensure that you always regard the .admx file and its matching .adml file (in locale subfolder) as a pair. Always add/move/delete as a pair, and ensure there is always an adml file for each admx file, to avoid errors in the GP tools.



for grouppolicypreferences.admx/adml, this template controls the grouppolicpreferences CSE's, and the GPP CSE's only operate on domain GP scenarios (unless you are using purchased 3rd party addon products like PolicyPak)


for mmcsnapins2.admx/adml this controls the MMC console itself (if you want to control what admins can do, for example). These controls-to-control-the-controls are rarely ever used in my experience, but they are technically applicable for LocalGP (very unlikely though, because they are for business scenarios where Domain GP would likely be in place)

mmcsnapins2.admx Group Policy Starter GPO Editor
mmcsnapins2.admx Group Policy Management Editor
mmcsnapins2.admx Storage Manager for SANs
mmcsnapins2.admx Storage Manager for SANS Extension
mmcsnapins2.admx Disk Management Extension
mmcsnapins2.admx Share and Storage Management
mmcsnapins2.admx Share and Storage Management Extension
mmcsnapins2.admx DFS Management
mmcsnapins2.admx DFS Management Extension
mmcsnapins2.admx File Server Resource Manager
mmcsnapins2.admx File Server Resource Manager Extension



5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JonathanWoodward-2815 avatar image
0 Votes"
JonathanWoodward-2815 answered DonPickard-7259 commented

@DonPickard-7259

Thank you. After comparing the *admx files in %systemroot%\PolicyDefinitions with those 21H1 templates available from Microsoft, I found that %systemroot%\PolicyDefinitions has the most current template files, making updating unnecessary EXCEPT for

searchocr.admx (03/19/2019)
windowsmediadrm.admx (03/19/2019)
windowsmediaplayer.admx (03/19/2019)

with the date modified stamp listed in parenthesis to the right. In this case, the downloaded templates have newer date modified stamps,
searchocr.admx (05/04/2021)
windowsmediadrm.admx (05/04/2021)
windowsmediaplayer.admx (05/04/2021)

I am assuming that the newer timestamp are newer versions and should replace the older versions, correct?

One more question...changing the owner of %systemroot%\PolicyDefinitions from TrustedInstaller to User and granting the User write/modify permissions seems to be the easiest way to go. Once I am done backing up the old .admx/.adml files, should I change the Owner back to TrustedInstaller or leave as User?

Thanks!

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

am assuming that the newer timestamp are newer versions and should replace the older versions, correct?

Yes, correct :)


Once I am done backing up the old .admx/.adml files, should I change the Owner back to TrustedInstaller or leave as User?

I've never had the need to change ownership back.
the Windows templates are these days serviced in each monthly CU for Windows10 anyway, so the local copy is as current as your Windows version is :)






0 Votes 0 ·
JonathanWoodward-2815 avatar image
0 Votes"
JonathanWoodward-2815 answered

@DonPickard-7259

That's what I needed to know. Thank you very much for your help!

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.