# Administrative template

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/administrative-template

## Quick definition

Administrative templates are files that contain policy settings for Windows and some applications, which administrators can enable, disable, or configure using Group Policy. These templates control registry-based settings, such as security options, desktop appearance, and software restrictions, without needing to directly edit the registry. They are commonly used in enterprise environments to manage thousands of computers from a central location.

## Simple meaning

Think of an administrative template as a pre-filled checklist that a school principal gives to all teachers. The checklist tells each teacher exactly what is allowed in their classrooms: the type of chairs, the color of the whiteboard, which software can be installed, and even what students can see on their screens. Without the checklist, teachers would have to decide everything themselves, leading to chaos and inconsistency. In the IT world, an administrative template works the same way. It is a file (usually with a .admx or .adml extension) that contains a list of settings for Windows or a program like Microsoft Edge. When an IT administrator applies this template through Group Policy, every computer in the company automatically follows those settings. For example, the template might force all computers to show a specific wallpaper, block users from changing network settings, or disable the Command Prompt. The template does not actually run any code or perform actions itself; it simply defines the rules. Windows then reads these rules and changes corresponding registry keys under the hood. This approach is powerful because it ensures consistency, saves time, and reduces the risk of security breaches caused by users misconfiguring their systems. Unless you are an IT professional, you rarely see these templates, but they silently govern many of the restrictions you might encounter on a work computer.

## Technical definition

Administrative templates are XML-based policy definition files used in Microsoft Windows Group Policy. They consist of two file types: .admx files (language-neutral policy definitions) and .adml files (language-specific display strings). These templates define registry-based policy settings that correspond to keys under the HKEY_LOCAL_MACHINE (machine policies) and HKEY_CURRENT_USER (user policies) registry hives. When an administrator modifies a policy setting in the Group Policy Management Console, the change is written to the Local Group Policy Object (LGPO) on a domain controller or local machine. The client-side extension (CSE) for Group Policy, specifically the Administrative Templates extension (gptext.dll), reads these policy files during Group Policy processing, which occurs at computer startup, user logon, and periodically in the background (typically every 90 minutes with a random offset of 0-30 minutes). The extension applies the configured settings by writing appropriate values to the corresponding registry keys. 

 Administrative templates are stored in the following locations: for local policy, they reside in %SystemRoot%\PolicyDefinitions (for .admx files) and %SystemRoot%\PolicyDefinitions\en-US (for .adml files). In a domain environment, they are stored in the Sysvol share under the Group Policy Template folder (\\<domain>\Sysvol\<domain>\Policies\PolicyDefinitions). Windows ships with a set of built-in administrative templates covering a wide range of settings, including Windows components (e.g., Windows Defender, BitLocker, Remote Desktop), Control Panel restrictions, network settings, and Start Menu and Taskbar behaviors. Third-party applications, such as Google Chrome and Microsoft Office, provide their own .admx files that can be added to the central store to extend Group Policy management. 

 The policy settings themselves are defined using a hierarchical structure of categories and subcategories in the .admx file. Each setting is defined by a policy element that includes a registry key path, value name, value type (REG_DWORD, REG_SZ, etc.), and supported operating system versions. Administrators can enable, disable, or leave a policy as Not Configured. When a policy is enabled, the configured value is written to the registry. When disabled, a corresponding disabled value (often 0) is written. When Not Configured, the existing registry value remains unchanged. This mechanism allows centralized control over potentially thousands of settings without manual registry edits, scripting, or local configuration. Understanding administrative templates is essential for the MD-102 exam, which covers Windows client deployment, configuration, and management using modern management tools like Microsoft Intune as well as traditional Group Policy.

## Real-life example

Imagine you are the manager of a chain of coffee shops with twenty locations. Each shop has its own espresso machine, cash register, and menu board. Without any rules, each shop manager decides independently: one shop sets the prices lower, another lets employees play their own music, and a third decides to only serve decaf after noon. Customers become confused and frustrated because the experience varies from store to store. To fix this, you create a master handbook that every shop must follow. The handbook specifies exactly which coffee blends to offer, the pricing for each drink, the allowed music volume, and the cash register settings. You mail one copy of this handbook to every shop, and each manager must apply the rules exactly as written. In the IT world, that handbook is an administrative template. The handbook itself does not enforce the rules; it is just a document. But the shop managers (like the Windows Group Policy client) read the handbook and make the changes to their stores (the computers). If the handbook says 'No iced lattes after 6 PM,' the manager sets the machine to stop making iced lattes at that time. If the handbook says 'All receipts must show the store number,' the manager configures the cash register accordingly. Similarly, when an administrative template sets a policy like 'Disable Bluetooth,' Windows reads that instruction and modifies the registry setting to turn off Bluetooth functionality. The template does not require anyone to visit each computer individually; it is simply applied automatically through the network. You can even update the handbook later (by distributing a new administrative template) and every shop will eventually follow the new rules. This analogy helps explain how a simple document, when paired with an enforcement system, can bring order to many separate devices.

## Why it matters

Administrative templates matter because they are the backbone of configuration management in Windows environments. In any organization with more than a handful of computers, manually configuring each machine is not only inefficient but also prone to errors. Security policies, user interface restrictions, and application behavior must be consistent to meet compliance requirements and reduce support costs. Administrative templates provide a scalable, centralized method to enforce these settings across the entire network. For example, if your company needs to ensure that all devices have Windows Defender enabled and that users cannot disable it, you can simply enable that policy in the administrative template and it applies to everyone. 

 From a security perspective, administrative templates allow IT professionals to lock down endpoints effectively. They can prevent users from accessing Control Panel items, restrict installation of unauthorized software, enforce BitLocker encryption settings, and block remote access. Without these enforced policies, users might disable critical security features, inadvertently expose data, or install malware. The templates also reduce the help desk burden: instead of having to fix each misconfiguration manually, an administrator can correct it once via Group Policy and push the fix to all affected devices. 

 In day-to-day IT operations, administrative templates are used to deploy standard desktop environments, configure privacy settings, manage browser policies, and control updates. For instance, the 'Microsoft Edge' administrative template allows you to set a default homepage, block incognito mode, and enforce strict security policies across the organization. This level of control is especially important in regulated industries like healthcare, finance, and government, where auditing and compliance are mandatory. Understanding how to create, import, and apply administrative templates is therefore a fundamental skill for any Windows administrator, and it is directly tested in exams like MD-102.

## Why it matters in exams

In the MD-102 exam (Microsoft Endpoint Administrator), administrative templates are a core topic under the objective 'Manage Windows clients using Group Policy.' The exam expects you to understand the difference between .admx and .adml files, know where they are stored, and how to add third-party templates to the central store. You will also need to explain how Group Policy processes administrative templates and how to troubleshoot settings that are not applying correctly. 

 Typical questions might ask: 'You need to deploy a custom administrative template to all domain-joined Windows 10 devices. What should you do?' The correct answer usually involves copying the .admx file to the PolicyDefinitions folder in the Sysvol share. Another question might present a scenario where a policy from an administrative template is not applying, and you need to identify the issue, such as incorrect permissions on the Sysvol folder, missing .adml language files, or the policy being set to Not Configured. 

 The exam also covers the integration of administrative templates with Microsoft Intune, as modern endpoint management increasingly relies on cloud-based policies. You may be asked how to use settings catalog (the modern equivalent of administrative templates in Intune) to configure policies for hybrid or Azure AD-joined devices. This means you need to know both the classic Group Policy approach and the newer Intune method. 

the MD-102 exam tests your knowledge of administrative template settings for Windows security, such as 'User Account Control: Run all administrators in Admin Approval Mode' or 'Network access: Do not allow anonymous enumeration of SAM accounts.' These security policies are defined in administrative templates and are commonly included in exam case studies. Understanding the registry path that each policy modifies helps you troubleshoot when a policy is not taking effect. 

 Finally, the exam may ask you to identify which administrative template is appropriate for a given configuration task. For example, if you need to disable the Camera app for all users, you would look under 'Computer Configuration > Administrative Templates > Windows Components > Camera.' Knowing the hierarchy and location of common policy settings saves valuable time during the exam.

## How it appears in exam questions

In MD-102, questions about administrative templates usually fall into three categories: scenario-based, configuration, and troubleshooting. 

 Scenario-based questions often describe a company with multiple client computers that need specific settings. For example: 'Contoso has 500 Windows 10 devices. The security team requires that the Windows Defender Firewall is always enabled and that users cannot disable it. Which administrative template setting should you configure?' The answer would be 'Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall > Standard Profile > Windows Defender Firewall: Protect all network connections.' These questions test your knowledge of where specific settings reside within the administrative template hierarchy. 

 Configuration questions ask about the process of deploying or managing administrative templates. For instance: 'You need to add a custom administrative template for a line-of-business application. Which action should you perform?' The answer involves copying the .admx file to the central store location on the domain controller. Another common configuration question: 'You want to ensure that only users in a specific security group receive a particular policy setting. What should you do?' The answer: Use security filtering in Group Policy Management. These questions evaluate your practical ability to work with Group Policy objects. 

 Troubleshooting questions present a scenario where a policy is not applying. For example: 'A new administrative template was imported, but the policy settings are not visible in the Group Policy editor on a Windows 10 machine. The .admx file is present in the PolicyDefinitions folder. What is the most likely cause?' The answer could be that the corresponding .adml file is missing, or the file is in the wrong language folder (e.g., en-US). Another troubleshooting question might involve slow logon times due to a large number of administrative templates; the solution might be to optimize the Group Policy processing order or remove unused policy definitions. 

 You may also encounter questions that combine administrative templates with modern management. For instance: 'You are migrating from on-premises group policy to Intune. How do you apply similar settings to cloud-managed devices?' The answer would involve using the settings catalog in Intune, which is inspired by the structure of administrative templates. These questions test your ability to bridge traditional and modern endpoint management concepts.

## Example scenario

You are the IT administrator for a small law firm called Baker & Associates. The firm has 40 Windows 10 computers, all connected to a local domain. The partner has noticed that some employees have been changing their desktop backgrounds to personal photos, and one even installed a screensaver that displayed inappropriate content. The partner wants to enforce a standard corporate desktop appearance across all computers. 

 Instead of going to each desk and changing settings manually, you decide to use Group Policy with an administrative template. You open the Group Policy Management Console on the domain controller and create a new Group Policy Object named 'Corporate Desktop Standard.' You edit this GPO and navigate to User Configuration > Administrative Templates > Desktop > Desktop. You find the policy 'Desktop Wallpaper' and enable it, entering the file path to a company logo image stored on a network share. You also enable 'Screen Saver' and set it to a blank screen saver with a 5-minute timeout. You find the policy 'Prevent changing wallpaper' under User Configuration > Administrative Templates > Control Panel > Personalization and enable it. 

 After linking this GPO to the organizational unit that contains all user accounts, you force a Group Policy update on a test computer by running gpupdate /force. On that computer, the desktop instantly changes to the company logo, the screensaver activates after 5 minutes, and the option to change the wallpaper is grayed out in Settings. You confirm that the policy is working correctly, then wait for the next automatic refresh cycle to apply the change to all other computers. The partner is satisfied, and you have successfully used an administrative template to enforce a standardized desktop environment across the entire firm.

## Common mistakes

- **Mistake:** Thinking that administrative templates are executable files or scripts that run on the client.
  - Why it is wrong: Administrative templates are not executable; they are purely definition files (.admx/.adml) that describe policy settings. They do not perform any action themselves. The actual application of settings is done by the Group Policy client-side extension on the Windows machine.
  - Fix: Remember that administrative templates are like a recipe book. The recipe book (template) tells you what to do, but you still need the chef (Group Policy engine) to cook the meal (apply the settings).
- **Mistake:** Assuming that all policy settings from an administrative template apply immediately after importing the .admx file.
  - Why it is wrong: Importing an .admx file only makes the policy definitions visible in the Group Policy editor. The actual policy settings are not applied until an administrator configures them in a GPO and the GPO is linked to an organizational unit that contains the target computers or users. Even then, the settings take effect only after Group Policy is refreshed on the client.
  - Fix: Always configure the desired policy settings in a GPO, link the GPO to the correct OU, and then run gpupdate /force on the client to apply the changes immediately. Do not assume that just having the template file is enough.
- **Mistake:** Placing .admx files in the wrong directory, causing the settings not to appear in the Group Policy editor.
  - Why it is wrong: For domain-based Group Policy, .admx files must be stored in the PolicyDefinitions folder within the Sysvol share (\\<domain>\Sysvol\<domain>\Policies\PolicyDefinitions). If you place them in the local %SystemRoot%\PolicyDefinitions folder on a domain controller, they will not be replicated to other domain controllers or be available to all administrators. For local policy, the file must be in %SystemRoot%\PolicyDefinitions.
  - Fix: Always use the central store for domain environments. Create the PolicyDefinitions folder in Sysvol if it does not exist, and copy the .admx and .adml files into the appropriate language subfolders.
- **Mistake:** Confusing 'Not Configured' with 'Disabled' when setting a policy.
  - Why it is wrong: 'Not Configured' means the Group Policy engine does not touch the registry setting; whatever value is currently present (including the default) remains. 'Disabled' explicitly writes a value that disables the feature or removes the policy. For example, if you want to enforce that a setting stays disabled, you should set the policy to 'Disabled', not 'Not Configured'.
  - Fix: Always choose 'Enabled' or 'Disabled' explicitly when you want to enforce a setting. Use 'Not Configured' only when you do not care about the setting or when you want to allow a higher-priority GPO to control it.
- **Mistake:** Ignoring language-specific .adml files, which causes the Group Policy editor to show missing or garbled text.
  - Why it is wrong: The .adml files contain the display strings (titles, descriptions, etc.) for the policy settings. If the .adml file is missing, the Group Policy editor cannot display the policy names and descriptions correctly, leading to blank entries or errors. This is a common issue when third-party templates are deployed without the accompanying .adml file.
  - Fix: Always deploy both the .admx and the corresponding .adml file for the languages you support. Place the .adml file in a folder named with the language code (e.g., en-US for English United States).

## Exam trap

{"trap":"The exam presents a scenario where a security group has been granted 'Read' and 'Apply Group Policy' permissions on the GPO, but the policy is still not applying to users in that group.","why_learners_choose_it":"Learners often think that security filtering alone ensures policy application. They forget that Group Policy inheritance and loopback processing can override or block the policy. They also overlook the fact that the 'Apply Group Policy' permission must be explicitly allowed for the user or group, and that the group membership must be evaluated at the time of policy processing.","how_to_avoid_it":"Always check additional factors: ensure the GPO is linked to the correct OU containing the user or computer objects. Verify that no higher-priority GPO has conflicting settings that are set to 'Enforced.' Confirm that the group membership is correct and that the user has logged off and on again to refresh the security token. Use the Resultant Set of Policy (RSOP) tool to see which GPOs are applying and in what order. Also, remember that computer policy applies at startup and user policy applies at logon; if the policy is applied to a computer, it does not affect users unless it is loopback processing."}

## Commonly confused with

- **Administrative template vs Group Policy Preferences:** Group Policy Preferences are different from Administrative Templates because they allow granular configuration of registry settings, drive mappings, printers, and scheduled tasks, and they do not enforce settings; users can change them unless the preference item is configured to apply once and not reapply. Administrative Templates, by contrast, enforce registry-based settings and can reapply every refresh cycle. Preferences are not as secure for enforcing strict policies. (Example: If you want to set a default printer for users but allow them to change it later, use a Group Policy Preference. If you want to force a specific printer and prevent users from changing it, use an Administrative Template policy (if available).)
- **Administrative template vs Security Templates:** Security Templates (.inf files) define security configuration settings for Windows, such as password policies, user rights, and audit policies. They are imported into a GPO via the Security Settings extension, while Administrative Templates control registry-based policies for a wider range of settings, including desktop configuration and software restrictions. Security Templates are applied as part of the Security Configuration Manager, not through the Administrative Templates node. (Example: To enforce a password length requirement, use a Security Template. To disable the 'Run' command on the Start menu, use an Administrative Template.)
- **Administrative template vs Settings Catalog in Intune:** The Settings Catalog in Microsoft Intune is a modern, cloud-based alternative to Administrative Templates. It provides a searchable list of settings that can be configured on devices enrolled in Intune. While Administrative Templates are used in on-premises Group Policy, the Settings Catalog serves the same purpose for cloud-managed devices. However, the Settings Catalog uses a different schema and is not a direct replacement for .admx files. (Example: To configure BitLocker settings for on-premises domain-joined devices, you use an Administrative Template in Group Policy. For devices managed by Intune, you use the Settings Catalog to configure the same BitLocker policies.)

## Step-by-step breakdown

1. **1. Identify the required policy setting** — Determine which registry-based setting you need to control, such as disabling the camera or enforcing a specific wallpaper. Refer to Microsoft documentation or browse the built-in administrative templates to find the exact policy path.
2. **2. Obtain or create the administrative template** — If the setting is built into Windows, the template is already included. For third-party applications, download the official .admx and .adml files. Ensure you have both files and that the language version matches your environment.
3. **3. Deploy the template to the central store (if needed)** — For domain environments, place the .admx file in the central store at \\<domain>\Sysvol\<domain>\Policies\PolicyDefinitions. Create the appropriate language subfolder (e.g., en-US) and place the .adml files there. This makes the settings available to all administrators editing GPOs.
4. **4. Create or edit a Group Policy Object (GPO)** — Open the Group Policy Management Console, right-click 'Group Policy Objects' in your domain, and create a new GPO or edit an existing one. Navigate to the appropriate node (Computer or User Configuration) and expand Administrative Templates.
5. **5. Configure the policy setting** — Find the specific policy you want to enforce, double-click it, and select 'Enabled' or 'Disabled.' Enter any required parameters (like a file path or a time value). Click OK to save. Do not leave it as 'Not Configured' if you want enforcement.
6. **6. Link the GPO to the target organizational unit** — In the Group Policy Management Console, right-click the OU containing the computers or users that should receive the policy. Select 'Link an existing GPO' and choose the GPO you configured. You can also set enforcement or filtering as needed.
7. **7. Test and verify policy application** — On a test client, run gpupdate /force to force a Group Policy refresh. Check the Resultant Set of Policy (rsop.msc) to confirm the policy is applied. For registry-based settings, you can also verify directly in Regedit under the appropriate hive.

## Practical mini-lesson

Administrative templates are a foundational tool for any Windows system administrator. In practice, you will frequently need to configure policies for security, compliance, and user experience. The built-in administrative templates in Windows cover thousands of settings, but you may also need to incorporate templates from Microsoft Office, Google Chrome, or custom line-of-business applications. 

 When working with third-party templates, always ensure you have the correct version of the .admx file that matches the application version. For example, the Microsoft 365 Apps for enterprise administrative template is updated regularly; using an outdated template may result in missing or incorrect settings. Download these files from the official Microsoft Download Center or the application vendor's website. 

 One common challenge is managing templates across multiple domain controllers. If you place an .admx file in the central store on one domain controller, it must replicate to all domain controllers via Active Directory replication. This can take time depending on your replication schedule. To avoid issues, copy the files during off-peak hours and verify replication with tools like repadmin. 

 Another practical aspect is the use of security filtering to limit which users or computers receive a policy. Filtering is done by granting 'Apply Group Policy' and 'Read' permissions to specific security groups in the GPO's delegation tab. However, remember that WMI filters can also be used to target devices based on operating system version, memory, or other criteria. For example, you can apply a policy only to Windows 10 devices with at least 8 GB of RAM. 

 From a troubleshooting perspective, the most common issues include: policies not appearing in the editor because .adml files are missing, policies not applying because the GPO is not linked or is blocked by inheritance, and policies applying to the wrong users because security filtering is misconfigured. Use the Group Policy Modeling Wizard in the Group Policy Management Console to simulate policy application before deploying. The gpresult command-line tool (gpresult /r for summary, gpresult /h for HTML report) is invaluable for diagnosing what policies are actually applied on a client. 

 Finally, be aware of the transition to modern management. Microsoft is gradually moving away from traditional Group Policy and toward Intune and cloud-based management. However, administrative templates are still relevant because Intune's settings catalog mirrors many of the same policies. In hybrid environments, you can use both: on-premises Group Policy for domain-joined devices and Intune policies for Internet-connected or mobile devices. The MD-102 exam covers both approaches, so understanding administrative templates thoroughly gives you a solid foundation for both traditional and modern endpoint administration.

## Memory tip

Think: 'ADMX files Are eXactly what my Group Policy needs; ADML files Add Language.'

## FAQ

**Do I need to restart the computer after applying an administrative template policy?**

Most policy settings applied via administrative templates take effect after a Group Policy refresh (gpupdate /force) without requiring a reboot. However, some computer-specific policies (like those affecting startup or drivers) may require a restart. User policies generally apply immediately after the next logon.

**Can I use administrative templates on Windows 11 Home edition?**

No, administrative templates require the Group Policy Editor (gpedit.msc), which is not available on Windows Home editions. Group Policy is only supported on Windows Pro, Enterprise, and Education editions.

**How do I remove a policy that I set using an administrative template?**

To remove a policy, change the policy setting in the GPO to 'Not Configured' and run gpupdate on the clients. However, the registry value that was set by the policy may remain. To remove it completely, you may need to configure a complementary policy that resets the registry value or manually delete the corresponding registry key.

**What is the difference between .admx and .adml files?**

.admx files are language-neutral XML files that define the policy settings, including registry paths, value types, and supported versions.adml files are language-specific files that contain the display strings (names, descriptions) for the policies. Both are needed for the Group Policy editor to work correctly.

**Can I create my own custom administrative template?**

Yes, you can create custom .admx files using tools like the Microsoft Management Console (MMC) or by manually writing the XML. However, this is complex and typically done only by software vendors. Most IT administrators use pre-built templates from Microsoft or third-party software.

**Why can't I see my policy in the Group Policy editor after importing the .admx file?**

This usually happens if the .adml file is missing or in the wrong language folder. Also ensure the .admx file is in the correct PolicyDefinitions folder (central store for domain, local folder for standalone). Verify the file is not corrupted and is compatible with the Windows version.

## Summary

Administrative templates are a cornerstone of Windows Group Policy, providing a structured way to define and enforce registry-based settings across an organization. They are not executables or scripts but definition files that describe what settings are available and what registry keys they affect. When combined with Group Policy Objects, they allow administrators to centrally manage security, desktop appearance, application behavior, and user restrictions without touching each device individually. 

 For IT professionals aiming for the MD-102 certification, mastering administrative templates is essential. The exam tests your ability to locate the correct policy setting, deploy third-party templates, troubleshoot non-applying policies, and understand the transition to modern management tools like Intune. Mistakes such as confusing 'Not Configured' with 'Disabled', placing .admx files in the wrong location, or forgetting to include .adml files are common pitfalls that can cost exam points. 

 In real-world practice, administrative templates save time, reduce support costs, and enhance security by enforcing consistent configurations. As organizations move toward cloud-based endpoint management, the principles learned from administrative templates transfer directly to the Settings Catalog in Intune. Whether you are managing on-premises or hybrid environments, understanding administrative templates gives you the control and confidence to manage hundreds or thousands of Windows clients effectively. Remember that the key to success is not just knowing the template exists but understanding how to apply it correctly, verify its application, and troubleshoot when things go wrong.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/administrative-template
