Find differences between two GPO templates

If you’ve been dealing with Group Policy Objects (GPO) for any length of time you’ll know that when a new version of the ADMX templates are released there are often no release notes as to what has changed.  If you’re lucky you’ll find the occasional blog that tells you what may be some of the gotchas, but I’ve not found anything consistent.

So I set out to see if PowerShell could help me.  The problem definition was to take two Windows 10 ADMX template downloads (say 1703 and 1709) and compare them.  Of course there are loads of tools that compare XML file by file from a text perspective, but with no understanding of ADMX and not really scalable for the over 200 ADMX files that make up the Windows 10 Group Policy Template.

Of course Microsoft’s Evergreen requirement for Windows as a Service, makes the problem of keeping up with ADMX templates more urgent, and the templates are also no longer guaranteed to be backward compatible.  The most authoritative information I found was on the Microsoft Group Policy Blog however that only goes through to 1709.

I ended up using complex recursion in PowerShell to achieve the end goal, I’ve wrapped the whole lot up into a set of functions so that the following few lines of PowerShell do the trick.

$SourcePath = "C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Creators Update (1703)"
$SourceVersion = "1703" 

$TargetPath = "C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Fall Creators Update (1709)"
$TargetVersion = "1709"

$ADMXFamily = "win10"

$Differences = Compare-ADMXDirectories $SourcePath $TargetPath 
$Differences | Export-Csv -NoTypeInformation ".\admx-$($ADMXFamily)-$($SourceVersion)-$($TargetVersion).csv" -force

What this produces is a csv file that can be opened in Excel, filtered, sorted and summarised as you like!  Running this to compare Windows 10 1703 ADMX with 1709 we get:

Action Description Count
File Added A file was found in the target version but not in the source 13
File Deleted A file was found in the source version but not in the target 4
Section Added A section (or node) of XML was added to the target which wasn’t in the source) 44
Section Deleted A section (or node) of XML was removed from the target which was in the source 1
Value Changed A value in the target has been changed from what it was in the source 64

Here is the csv file that was produced for comparing Windows 10 1703 with 1709


Now the code isn’t limited to Windows 10, it can compare any two directories full of admx templates and tell you what’s different between them.

We have had some internal discussions about what to do with the PowerShell code and/or the spreadsheets.  We would like you to tell us if this would be something that would be useful to you?


Twan van Beers

Twan is a senior consultant with over 20 years of experience. He has a wide range of skills including Messaging, Active Directory, SQL, Networking and Firewalls. Twan loves to write scripts and get deep and dirty into debugging code, in order to understand and resolve the most complex of problems.

This Post Has 5 Comments

    1. Hi Ronny,

      We have chosen to wrap the script with professional services to provide support for things like Microsoft’s push for evergreen (to keep in support for Windows 10 and Office 365)

      Let us know if you’d like to discuss this further


  1. Hi,

    Have you been able to decide what you are going to do with the function so as to use this capability? For me, this would certainly speed up the decision-making process and fills the gaping gaps MS have left through the evergreen route.



  2. This is exactly the script we are looking for – everytime new templates are published we have the laborious job of comparing them, most of the time manually, to see what settings have changed and what are new. Microsoft never publish all changes, especially removed or amended settings and with so many policies in use it is vital for us to identify everything. Could you advise if there are any plans for you to make this script available?

Leave a Reply

Your email address will not be published. Required fields are marked *