Windows 10/11: Which group policies should no longer be used in patch management

Windows[German]Today another topic for administrators of Windows systems (Windows 10 and Windows 11) to which Microsoft has commented the days. It is about group policies that can be used in these clients to manage restrictions. At one point it looks like the group policies diverge between Windows 10 and Windows 11. Also, Microsoft recently explained which Group Policies should no longer be used for updates because the conditions have changed since Windows 10 version 1507.


D hese topics have been sitting on the back burner here for a few days, but I'll just dig them out. If anyone already knows all this, feel free to skip the article.

Group policies for Windows 10/11 different

As long as only Windows 10 was used in companies, it was enough to download the latest ADMX template files (templates) from Microsoft and put them in the Central Store.  After that, all the new settings could be configured in the Group Policy Editor. Microsoft made sure that the templates were also backward compatible with older Windows versions.

Now, however, Microsoft has released Windows 11 in October 2021 and writes that as long as Windows 10 is supported, new Windows 10 features may not be included in Windows 11 ADMX files and vice versa. Administrators managing mixed Windows 10 and Windows 11 clients in enterprise environments must now take this into account. 

On January 16, 2022, Helmut Wagensonner (Customer Engineer at Microsoft) raised in the Techcommunity post Windows 10 or Windows 11 GPO ADMX – Which One To Use For Your Central Store? the question of which Group Policy ADMX templates should be selected in mixed Windows 11/Windows 10 environments.  A table at the end of this article shows the differences between Win10 and Win11 templates (as of December 16, 2021). German blog reader Karl pointed out another aspect related to Windows 11 GPOs to me on Twitter:  The ADMX filtering by operating systems hardly allows any conclusions.


Group policies shouldn't be used

Then the other day I stumbled across the following tweet. Within the Techcommunity post Why you shouldn't set these 25 Windows policies Aria Carley addresses another critical aspect in using group policies.

Windows 10: Outdated Update GPOs

The group policies available for Windows Update would have changed drastically over the past few years. Notifications, the ability to control the behavior of update downloads, installs and restarts, and settings have been seriously revised in the latest Windows 10 builds compared to the old Windows 10, version 1511.

As a result, the template files (ADMX) contain group policies that no longer have any effect on devices running Windows 10, version 20H2 or later, and therefore no longer work as described. Or the policies do work, but have been superseded by updated policies.

To reduce this complexity, with Windows 11, Microsoft developers created a subfolder under "Windows Update" for Group Policies to set "Legacy Policies" (see screenshot in above tweet). While these subfolders are only available in Windows 11 ADMX templates, the same recommendations can be made for Windows 10, version 20H2 and later.

As a result, Microsoft recommends in the Techcommunity post that administrators review the Group Policy settings they are using and only use the recommended policy set. An overview of the policies can be found in the Techcommunity post Why you shouldn't set these 25 Windows policies.

Good development, or out of hand?

How do you as administrators actually see this development? I can't avoid the impression that it's all gotten more complex with the Windows-as-a-service approach, and it's all falling on administrator's feet. Something is constantly being changed, now the GPOs of Windows 10 and Windows 11 are diverging – and every month Microsoft pushes out updates that cause additional collateral damage and perhaps also affect GPOs. What's your opinion?

Cookies helps to fund this blog: Cookie settings

This entry was posted in Windows and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *