Find differences between two GPO templates
If you’ve been dealing with Group Policy Objects (GPO) for any length of time you’ll know that when a new version of the ADMX templates are released there are often no release notes as to what has changed. If you’re lucky you’ll find the occasional blog that tells you what may be some of the gotchas, but I’ve not found anything consistent.
So I set out to see if PowerShell could help me. The problem definition was to take two Windows 10 ADMX template downloads (say 1703 and 1709) and compare them. Of course there are loads of tools that compare XML file by file from a text perspective, but with no understanding of ADMX and not really scalable for the over 200 ADMX files that make up the Windows 10 Group Policy Template.
Of course Microsoft’s Evergreen requirement for Windows as a Service, makes the problem of keeping up with ADMX templates more urgent, and the templates are also no longer guaranteed to be backward compatible. The most authoritative information I found was on the Microsoft Group Policy Blog however that only goes through to 1709.
I ended up using complex recursion in PowerShell to achieve the end goal, I’ve wrapped the whole lot up into a set of functions so that the following few lines of PowerShell do the trick.
$SourcePath = "C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Creators Update (1703)" $SourceVersion = "1703" $TargetPath = "C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Fall Creators Update (1709)" $TargetVersion = "1709" $ADMXFamily = "win10" $Differences = Compare-ADMXDirectories $SourcePath $TargetPath $Differences | Export-Csv -NoTypeInformation ".\admx-$($ADMXFamily)-$($SourceVersion)-$($TargetVersion).csv" -force
What this produces is a csv file that can be opened in Excel, filtered, sorted and summarised as you like! Running this to compare Windows 10 1703 ADMX with 1709 we get:
|File Added||A file was found in the target version but not in the source||13|
|File Deleted||A file was found in the source version but not in the target||4|
|Section Added||A section (or node) of XML was added to the target which wasn’t in the source)||44|
|Section Deleted||A section (or node) of XML was removed from the target which was in the source||1|
|Value Changed||A value in the target has been changed from what it was in the source||64|
Here is the csv file that was produced for comparing Windows 10 1703 with 1709
Now the code isn’t limited to Windows 10, it can compare any two directories full of admx templates and tell you what’s different between them.
We have had some internal discussions about what to do with the PowerShell code and/or the spreadsheets. We would like you to tell us if this would be something that would be useful to you?