
OS Deployment – Windows 10 and OUs, Policies and LAPS

So, you are about to deploy Windows 10 in your organization. That sounds like a great plan. Before you start, I do have some recommendations when it comes to joining the computers to your domain.

Create a separate OU for your Windows 10 computers

Yes, I strongly recommend that you do this. When working with customers I see a lot of “We have 850 GPO settings that we used for XP, should we apply the same for Windows 10?” and the answer is of course NO!!!! Instead, you create a new OU and start over; this is your chance to clean up that mess. For most customers it turns out that you need just a small number of settings for Windows 10 computers, since most are already correct. Also, you might use ConfigMgr and be starting to use the policies in there instead, or be shifting to MDM. Just have a blank and blocked OU for your Windows 10 computers until you have figured out exactly what you need to have. After that, you might want to move the computers back, use a WMI filter or rearrange your OU structure.

A separate OU has been created for Windows computers.
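
A "blank and blocked" OU can be created and then checked from PowerShell. The following is an added example, not the author's script: the domain `network.local` comes from later in this post, while the OU name `Windows 10 Computers` is a hypothetical choice. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed.

```powershell
# Added example (not from the original post).
Import-Module ActiveDirectory, GroupPolicy

$Domain = 'DC=network,DC=local'      # domain used in this post
$OuName = 'Windows 10 Computers'     # hypothetical OU name
$OuDn   = "OU=$OuName,$Domain"

# Create the OU directly under the domain root if it does not exist yet.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
                -SearchBase $Domain -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $OuName -Path $Domain `
        -ProtectedFromAccidentalDeletion $true
}

# Block inheritance so the legacy GPOs linked higher up stop applying here.
Set-GPInheritance -Target $OuDn -IsBlocked Yes | Out-Null

# Report what still reaches the OU. A link marked Enforced ignores the
# block, so anything listed here is still applied to the new computers.
$som = Get-GPInheritance -Target $OuDn
"Inheritance blocked: $($som.GpoInheritanceBlocked)"
$som.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Enabled, Target |
    Format-Table -AutoSize
```

An empty table means the OU really is blank; any row with `Enforced` set to `True` is a GPO that the block does not stop.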

What policies should you have?

This is a discussion I have with every customer, and over time I have learned to explain this. I usually divide all settings into four different categories, and the simple rule is that if you can’t tag your policy with any of these four categories, don’t use it!

Group Policy Settings Reference for Windows 10: http://www.microsoft.com/en-us/download/details.aspx?id=25250

Download Settings Ref.

Settings that will help the user to do the correct action

This could be to save documents in the correct place, to configure the antivirus program to perform correctly, and so on.

Settings that brand the computer correctly

Branding is important from many aspects. One is that the user often sees a non-branded device as their “own”, while a branded computer belongs to the company, and this also reflects the way people treat the device.

Settings that prevent the user from shooting themselves in the foot

These are not security settings; this is more of the “Would you like to open Word documents using Notepad instead of Word” kind, and that will prevent the user from working, kind of…

Real Security settings

As a first step, you need to have some kind of strategy around security; there is not really any value in locking down a computer to insanity while the user is a local admin anyway. Start with Security Compliance Manager 3.0 plus the draft for Windows 10 Security Settings (and the final version when that arrives) to determine a baseline.

Windows 10 Security Compliance Manager Baselines: http://blogs.technet.com/b/secguide/archive/2015/10/08/security-baseline-for-windows-10-draft.aspx

Security Compliance Manager: http://www.microsoft.com/en-us/download/details.aspx?id=16776

The new template files for SCM and Windows 10 (draft).

Implement Local Administrator Password Solution (LAPS)

With LAPS you have a solution that will, on a regular basis, change the password of the local admin account and store it in Active Directory. This is one of those “Just install it, don’t ask” solutions.

LAPS: https://www.microsoft.com/en-us/download/details.aspx?id=46899

Download LAPS.

Update your ADMX and ADML files for Windows 10

OK, so the basics are done. Now you need to download the new ADMX and ADML files and store them in a Central Store.

Download the ADMX and ADML files

That is done here: http://www.microsoft.com/en-US/download/details.aspx?id=48257

After the download, run the installer to unzip the files. Open the folder and remove all language folders you don’t need. I usually only keep en-US. The only reason to have other languages is that you have administrators who don’t understand English. This has nothing to do with end users; they will hopefully never, ever create or modify GPOs.

Download the ADMX and ADML files for Windows 10.

Update your Central Store

This is very much recommended, but it will work if you use a local store as well. The reason to have a central store is that all policies modified or created will use the same base; otherwise there is a huge risk that a policy is created on one machine with different languages and different versions, and that could lead to all kinds of disaster. (In this case the server is named SRVDC01 and the domain name is network.local.)

So, the easy way is to rename the folder called \\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions to \\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions.old

And copy the new policydefinitions from your unzipped folder to \\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions like this:

The PolicyDefinitions folder in the correct location.

If you had any custom policy files, copy them from PolicyDefinitions.old to PolicyDefinitions to get them back. The reason I do this is that some policies have been changed, and instead of picking them out it is easier to just rename the old folder and upload a new folder with the correct policies. Note: this does not change ANY existing policies at all. When you create a new policy, the Policy Editor will start using the new templates, that’s all.
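
The rename, copy and restore steps above can be scripted. This is an added example, not the author's own script: the SYSVOL path is the one used in this post, while `$Source` (where you unzipped the download) and the `$Keep` language list are assumptions to adjust.

```powershell
# Added example (not from the original post). Needs write access to SYSVOL.
$Store  = '\\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions'
$Old    = "$Store.old"
$Source = 'C:\Temp\Win10-ADMX\PolicyDefinitions'  # assumption: unzipped folder
$Keep   = @('en-US')                              # language folders to publish

# The .old folder is the only rollback copy, so never overwrite one.
if (Test-Path $Old) { throw "$Old already exists; archive it first." }
if (-not (Test-Path $Source)) { throw "Source folder $Source not found." }

# 1. Rename the current store to PolicyDefinitions.old.
if (Test-Path $Store) {
    Rename-Item -Path $Store -NewName 'PolicyDefinitions.old'
}

# 2. Publish the new templates: root *.admx plus the chosen languages only.
New-Item -ItemType Directory -Path $Store | Out-Null
Copy-Item -Path (Join-Path $Source '*.admx') -Destination $Store
foreach ($lang in $Keep) {
    Copy-Item -Path (Join-Path $Source $lang) -Destination $Store -Recurse
}

# 3. Restore templates that exist only in the old store, with their ADML.
if (Test-Path $Old) {
    $new = (Get-ChildItem $Store -Filter *.admx).Name
    Get-ChildItem $Old -Filter *.admx |
        Where-Object { $_.Name -notin $new } |
        ForEach-Object {
            Copy-Item $_.FullName -Destination $Store
            foreach ($lang in $Keep) {
                $adml = Join-Path (Join-Path $Old $lang) ($_.BaseName + '.adml')
                if (Test-Path $adml) {
                    Copy-Item $adml -Destination (Join-Path $Store $lang)
                }
            }
            Write-Output "Restored from old store: $($_.Name)"
        }
}
```

Review the "Restored" list afterwards: it contains every template missing from the new set, which includes your custom files but also any Microsoft templates that were dropped or renamed in the Windows 10 package.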

To verify that you have the correct policies in place, just open GPEdit, create a new policy and browse to a new setting you didn’t have before.

Here you can see that the template is fetched from the Central Store and that I can configure Device Guard, which is a feature of Windows 10.

/mike
