How Netwrix PolicyPak Enables Flexibility of Different Group Policy Stores for Windows 10 and Windows 11

Its that time again to upgrade your Windows desktops to the newest OS version. Fortunately, the transition from Windows 10 to Windows 11 is a lot easier than prior upgrades. Still, it isn’t going to happen all at once. Early adaptive users and those with designated roles will be upgraded first with others following suit over time. This presents a challenge for Group Policy Administrators that must then deploy policies for both Windows 10 and Windows 11 simultaneously.

The Policy Definitions Folder

Let’s do a quick refresher for those unfamiliar with administrative template files. Every Windows machine has a local Policy Definitions folder within its Windows directory that hosts the ADMX files and language specific ADML files (inside country code folders). You can see that folder on your desktop with the country codes and ADMX files, right now at c:\windows\PolicyDefinitions.

Group Policy uses these Administrative Template files to create registry-based policy settings. Group Policy best practice suggests that your ADMX and ADML files be stored in a central repository called the Central Store, which is located within the SYSVOL folder of any domain controller.

If you want some videos, here are my recommendations by videos I created myself and have been used by thousands of admins over many years:

After the Central Store is created, the Group Policy Management Console simply “always looks” toward the Central Store by default for policy definitions. Because the files are replicated to all domain controllers in the domain, Group Policy Management Console can obtain the latest files regardless of which DC it happens to connect to.

The Central Store stores the administrative template files for all the operating systems and applications you want to manage. There are two ways to get these files into the central store:

  • You can download them from Microsoft or applicable vendor
  • You can copy them from the local Policy Definitions folder of selected machines and paste them into the Central Store.

It’s important to keep the Central Store up to date to ensure that the latest Group Policy settings are available for your managed operating systems.

Possible ADMX Conflicts

Managing a mixed environment of Windows 11 and Windows 10 can create potential problems for Group Policy.  Below is a screenshot showing the local Policy Definitions folder of a domain joined Windows 11 machine on the left, and the Policy Definitions folder located on the domain’s central store on the right. The template files that currently reside in the SYSVOL folder are for Windows 10.

To manage the settings for new Windows versions you would need to update the Central Store.

But wait: you now have a huge problem !

  • If you move / overwrite the items from Windows 11 into your Central Store, you’re potentially reducing your ability to manage Windows 10 machines.
  • If you keep the Windows 10 items in your Central Store, and DON’T move/ overwrite items from Windows 11, you reduce your ability to manage Windows 11.

Think about it: after all, there is a reason why Microsoft publishes separate ADMX template files for each operating system. Obviously, there are new features and settings that strictly pertain to Windows 11 and vice versa. Overwriting your existing template files with those of Windows 11 can cause conflicts for your GPOs that target Windows 10. The obvious answer to this conundrum would be to have separate store locations for each ADMX grouping.  Unfortunately, that isn’t supported by any GUI within Group Policy since it always goes to the Central Store.

There are, however, two solutions.

Solution 1: PolicyPak Admin Templates Manager Enables you to use Two Separate ADMX Stores

PolicyPak Admin Template Manager allows you easy settings management of the Administrative Templates feature of Group Policy.  It provides multiple advantages over standard Group Policy such as the ability to consolidate GPOs plus deploy
any Microsoft or 3rd party admin template policies via MDM enrolled machines (domain joined or not!)

It also does something else unique.  PolicyPak leverages the same ADMX settings that Group Policy does, except it lets
you utilize separate store locations: The Central Store or a Local Store or both.

In this example we are creating separate GPOs for both Windows 10 and Windows 11.  Because PolicyPak editors are built inside the Group Policy Management Editor, admins are already familiar with its policy creation process.  In the example below we are creating a desktop policy for Windows 10 users using a Windows 11 management machine.

Like Group Policy, PolicyPak Admin Templates Manager will go to your Central Store to retrieve the ADMX files. Notice in the screenshot below that Administrative Template settings for Windows, Microsoft Office and Google are all available as all these ADMX files reside in the Central Store.

After selecting and enabling your desired policies you would save them as you would normally. Next we create a entry for a policy setting for Windows 11.  This time in the Location Filter you want to choose the Local ADMX files that reside on the Windows 11 management machine.

For more detail, watch this video demonstration showing how you can deliver Group Policy Admin Template settings to non-domain joined machines and deliver a single policy to multiple officers or customers

Solution 2: Microsoft Enables you to use Two Separate Stores (sort of)

When you use Microsoft Admin Templates, your Windows 10 or 11 machine can be told to forcefully use the local store. On some machines this requires a hotfix and a Registry settings. The details on using only the local store are here.

Note, however, that every time you wish to use the local store, and then NOT use the local store, you will need local admin rights to disable the registry entry, which is kind of a real pain. Then you need to restart the Group Policy Management Console for it to take effect. Only then will you be able to flip again to using (or not using) the Central Store.

Solution 3: PolicyPak Cloud has both Windows 10 and Windows 11 Policy Settings always available

Don’t want a Central Store or anything to do with DCs? No problem. With PolicyPak Cloud all your Microsoft settings, like Windows 10 and Windows 11 ADMX, plus any 3rd party
ADMX settings you need are always available right inside PolicyPak Cloud like what’s seen here.
So if you want to make policy settings for Windows 10 and also Windows 11 at the same time, it literally couldn’t be easier. Just point and click and find (or search for) the policy setting you want.


Managing a mixed environment of Windows 10 and Windows 11 doesn’t have to be complex. Using PolicyPak Admin Templates manager has this in mind. PolicyPak gives you super admin powers to ensure that policies don’t conflict one another. Its just one of the many ways that Netwrix PolicyPak simplifies desktop management for the “anywhere” workforce.

Jeremy Moskowitz

Founder & CTO, Microsoft MVP in Group Policy, Enterprise Mobility, and MDM

Jeremy Moskowitz founded PolicyPak Software after working with hundreds of customers with the same problem they couldn’t manage their applications, browsers and operating systems using the technology they already utilized.

Ready to Get Started? Register for Our Demo.

Our PolicyPak Demos explain everything you need to know to get started with the software. Once you've attended the demo, you'll be provided a download link and license key to start a free trial.