Windows 8.1 - Security policies not applying

Hi All,
I'm having a bit of an issue with group policy settings not applying on Windows 8.1. Most of the policies are applying as they should but for some
reason certain security settings (Password policy, Account lockout policy, Interactive logon message etc.) are not.
I can see from GPResult that the policy is not filtered out and can confirm that some of the settings from the policy are getting applied!
FYI: The DC is WS2003 and we have not imported the Windows 8.1 ADMX templates... Could that be causing the issue?
Any help you guys might be able offer would be greatly appreciated!

As I know, Security policy like Password policy, Account lockout policy, Interactive logon message should work even the DC is Win Server 2003.
I suggest you check whether these policy are overridden by other GPOs due to the the GPO Priority, you can find detailed information in this link
Group Policy processing and precedence
http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx
Yolanda Zhu
TechNet Community Support

Similar Messages

  • ZCM 11 Group Policies not applying to satellite servers

    Hi there
    We are running 2 Windows 2012 Primary Servers and a SQL 2012 Database server at our main site, all remote sites have SLES11 SP2/OES11 SP1 as satellite servers. We upgraded all servers last weekend to 11.3.1 and now have an issue with Group Policies applying to the satellites. The satellites are all set up the same with Authentication, Collection, Content and Imaging roles.
    Since we upgraded Group Policies are (99% of the time) not applying on satellite sites. I have tried manually replicating content (I assume policies will come from content replication?) to the satellites - I've done this with a zac cdp replicate and zac cvc and everything seems to replicate over however I tried highlighting a satellite server and clicking on Action, Specify Content - select the Policy that is not applying and move it into the selected Content to update column and when I click finish I get the error "The Wizard cannot continue for the following reason(s): Unable to complete your request for the following reason: Error updating content"
    On a managed device at the satellite site if you look at the properties of the Zenworks agent and click on Policies it has applied 4 device assigned policies successfully - Remote Management, Power Management, Application Launcher Config and Application Control Policy, also has successfully applied 3 out of the 4 User Assigned Policies - Mandatory Profile, Dynamic Local User, Application Control - but not the Windows Group Policy.
    Our PCs are on Windows 8.1 and all policies were applying fine before the weekend upgrade......
    Has anyone else had any experience of Group Policies not applying that could point me where to look? I have logged an SR with Novell through our reseller but as yet I am getting no response back at all, not even asking me for more information.
    Many thanks
    Sharon

    Sounds like you have a content replication issue more than a GPO issue.
    Especially if the GPO works for locations that point to the Primaries
    for Content.
    Do you have throttling configured anywhere in any fashion?
    You may need to increase the Replication Timeout to make sure content is
    getting over to the Sats. Often increasing from 60 to 240 helps, but
    watch out for throttling preventing content replication.
    It is possible things are backing up.
    On 7/31/2014 8:26 AM, shazzypoos wrote:
    >
    > I should add that when you looked at the "Click for Details" to the
    > right of the Effective "Failed" status the message is "Policy
    > Enforcement Failed : The action (0) threw an exception. Message (1).
    > Exception (2) (grouppolicy, "None of the source locations could be
    > found"
    >
    > Hmmmm! Currently in closest server rules there is only the server for
    > the site it's on set - we do not want it to come back to the Primary for
    > policies. As I say, this was working before the weekend upgrade. Thanks!
    >
    >
    Craig Wilson - MCNE, MCSE, CCNA
    Novell Technical Support Engineer
    Novell does not officially monitor these forums.
    Suggestions/Opinions/Statements made by me are solely my own.
    These thoughts may not be shared by either Novell or any rational human.

  • Help! Computer List policies not applying to computers

    The computers are bound with LDAP to the xserve, in the computers list and have been restarted multiple times what can I do to make the policies apply?
    Thanks

    After many hours of tinkering I have finally found what was wrong.
    This is how to resolve this issue.
    Problem:
    Computer polices not applying although in computers list,after deleting MCX settings and LDAP plugin settings on the local machine.
    Cause of problem.
    Workgroup manager fails to remove certain records or up date them as things are changed.
    Solution
    Open work group manager and remove computers that are having these difficulties from the computers lists.
    Now open preferences in work group manager. Select the box showing 'show all records' tab and inspector.
    You should see in the left hand side a new tab appear next to groups users and computers list.
    Select the accounts at the top and then click on the 'inspector tab'. This should now show a small drop down menu with several items in it.
    Select computers, and delete the unnecessary or incorrect records for computers.
    After this re add the computers to the computers list and your done.
    If the preferences still didn't apply its now machine based and you should delete the MCX preferences on the machine and flush the MCX cache.

  • Windows 7 internet security will not allow the installation of Flash Player 17 Update

    Windows 7 internet security will not allow the installation of the Flash Player 17 update.  I have tried the direct install using the IE_AX update without success.

    Hi,
    Thanks for the screenshot.  It's very helpful. Essentially, this is an issue with the internet security settings on your machine (Internet Explorer > Internet Options > Security), and not a Flash Player issue.  I Googled "internet security settings prevented one or more files from opening' and it returned numerous hits.  I'm posting a few for you, however, I'm not endorsing any of them.  I recommend you search your self and select one you feel comfortable with.
    https://support.microsoft.com/en-us/kb/2588679
    https://social.technet.microsoft.com/Forums/windows/en-US/6bd973a1-38b5-4ad2-bcf5-e90be18c c64b/your-internet-security-settings-prevented-one-or-more-files-from-being-opened?forum=w 7itproinstall
    How to fix: These files can’t be opened. Your Internet security settings prevented one or more files from being opened. …
    and there are many more.
    Maria

  • Group policies not applied after upgrading to Windows 10

    After signing in on my T430 the group policies delivered by the AD-server are not applied. In particular the network drives don't get mapped (there are some other policies as well, but that's the bigggest problem). When i wait for some minutes in order to force a group policies update, the network drives are slowly getting mapped. The network connection works after signing in and the connection to the server is stable. I set up a clean Windows 10 installation on my T430 (instead of before just upgrading from Windows 8.1) and without installing any third party programs oder drivers and I experience exactly the same problem. On 6 other desktop-computers Windows 10 works fine, just our 2 upgraded Lenovos don't apply the group policies after signing in. I restored my Windows 8.1 image and now it works fine again, the group policies are applied after signing in. Has anyone else experienced this problem yet and found a solution for this?

    I have contacted Lenovo via phone support. They told me Windows 10 isn't tested yet, they have not made any experiences so far and in order to that officially don't support Windows 10. Drivers may work, may not work. Contrary to this list - https://support.lenovo.com/us/en/documents/ht103535 We don't use any wmi filters. But what troubles me ist that at the first login of a user all group policies are applied, including mapped network drives. So everything is fine. But all further logins make it not work. I have contacted Microsoft at well, they tell me to contact Lenovo. Lenovo on the other hand tells me to contact Microsoft...

  • Group policies not applying

    Hello,
    I have just installed Windows 10 on my laptop as a try out, and I LOVE it!!
    Just, I have joined my laptop to a domain... and unfortunately the group policies are not applying!
    I get error messages like this in the application event logs:
    The user '...' preference item in the '...' Group Policy Object did not apply because it failed with error code '0x800704f1 The system cannot contact a domain controller to service the authentication request. Please try again later.' This error was suppressed.
    Does anyone have an idea?
    Thanks!

    Hi GeoffreyBeulque,
    Can you give us  the ipconfig /all information about your network?
    In your error information, your client cannot contact the Domain Controller, you need check your network settings to make sure the connection is OK.
    Alex Zhao
    TechNet Community Support

  • 11.2.3 security policy not applying

    This was in another post felt it need its on post and subject.
    11.2.3 has help, but now on device that have 11.2.3 the security policy is
    not applying. I have 4 device I'm testing on one was a clean instill of
    11.2.3 the other 3 were upgraded, out of all 4 only one the security policy
    is applying right. Where would the security policy be store when it is
    applied to a device. Is their a better way to apply security policy.
    I found that the gpttmpl.inf file is not being copy to the
    [C:\Windows\System32\GroupPolicy\Machine\Microsoft\ Windows NT\SecEdit]
    folder and did confirm that it is in the zcm meachine cache folder
    [C:\Program Files
    (x86)\Novell\ZENworks\bin\handlers\CacheFiles\Work stationCache\GroupPolicy\M
    achine\Microsoft\Windows NT\SecEdit]. I manual copy it to the SecEdit
    folder
    logged off back on and then did get the Security Options Settings set
    properly.
    So why is it not copying it over, the Registry.pol file is and all other
    group policy are working (so far). And on the one computer that Security
    Options is working right on and running 11.2.3 the gpttmpl.inf is not in
    the
    [C:\Windows\System32\GroupPolicy\Machine\Microsoft\ Windows NT\SecEdit]
    folder ether and I have checked computers that are still on 11.2.0 and the
    Security Settings are applied but the gpttmpl.inf file in not in the
    [C:\Windows\System32\GroupPolicy\Machine\Microsoft\ Windows NT\SecEdit]. Is
    ZEN suppose to copy gpttmpl.inf to the system32 group policy folder and if
    so can this be fix? I really need Security Settings to apply.
    Hope this makes sense.
    And I have this problem on both 32 & 64 bit windows 7
    I don't know if this affects Windows XP because I don't have any Security
    Settings for XP set.
    Thanks
    Scott

    Well I found this in the ZCM troubleshooting guide with the help of google
    [When more than one Windows Group policy is applied to a device, the
    security settings of the last applied policy are effective on the device.].
    I have all ways had device first user last sense 10.3.3 - 11.2.0 and the
    security policy did apply, at lease with WIN7. So on my test machines I
    change it to user fist device last and now the security policy now works
    with 11.2.3, but I still have to have a bundle to run gpupdate /force at
    user login. If I done have the bundle to run the device group policy does
    not apply sometime, I don't mine to have the bundle to run just why with
    win7 is does not apply with out it and XP does with out it.
    Also why does it not copy the gpttmpl.inf to
    [C:\Windows\System32\GroupPolicy\Machine\Microsoft\ Windows NT\SecEdit]
    directory?
    >>> On Friday, March 15, 2013 at 12:34 PM, in message
    <[email protected]>, Scott Malugin<[email protected]> wrote:
    > This was in another post felt it need its on post and subject.
    >
    >
    > 11.2.3 has help, but now on device that have 11.2.3 the security policy
    > is
    > not applying. I have 4 device I'm testing on one was a clean instill of
    > 11.2.3 the other 3 were upgraded, out of all 4 only one the security
    > policy
    > is applying right. Where would the security policy be store when it is
    > applied to a device. Is their a better way to apply security policy.
    >
    >
    > I found that the gpttmpl.inf file is not being copy to the
    > [C:\Windows\System32\GroupPolicy\Machine\Microsoft\ Windows NT\SecEdit]
    > folder and did confirm that it is in the zcm meachine cache folder
    > [C:\Program Files
    > (x86)\Novell\ZENworks\bin\handlers\CacheFiles\Work stationCache\GroupPoli
    > cy\M
    >
    > achine\Microsoft\Windows NT\SecEdit]. I manual copy it to the SecEdit
    > folder
    > logged off back on and then did get the Security Options Settings set
    > properly.
    >
    > So why is it not copying it over, the Registry.pol file is and all other
    > group policy are working (so far). And on the one computer that Security
    > Options is working right on and running 11.2.3 the gpttmpl.inf is not in
    > the
    > [C:\Windows\System32\GroupPolicy\Machine\Microsoft\ Windows NT\SecEdit]
    > folder ether and I have checked computers that are still on 11.2.0 and
    > the
    > Security Settings are applied but the gpttmpl.inf file in not in the
    > [C:\Windows\System32\GroupPolicy\Machine\Microsoft\ Windows NT\SecEdit].
    > Is
    > ZEN suppose to copy gpttmpl.inf to the system32 group policy folder and
    > if
    > so can this be fix? I really need Security Settings to apply.
    >
    > Hope this makes sense.
    >
    > And I have this problem on both 32 & 64 bit windows 7
    > I don't know if this affects Windows XP because I don't have any
    > Security
    > Settings for XP set.
    >
    >
    > Thanks
    > Scott

  • W7 Group Policies not applying

    We are planning on deploying Windows 7 Pro in our offices this coming year and I have been in the process of building my Windows 7 group policies from scratch by using the XP policies as a template. I have 3 policies that I create the standard lockdown, administrative mode, and IT. As I'm building the policies and the have the Group Policy editor open, whatever changes that I make do apply on my local machine, but after I save and upload the policies and apply them to machines the policy status in the Zen Notify Icon says that they have applied, but in function no policies have applied. I'm getting ready to start adding my Allow These Executables list but don't want to waste the time if the desktop look and feel and general access features aren't being applied correctly to the machines. Is there anything that I can check to see why this isn't working correctly?

    I am making the policies from scratch on a Win7 Pro machine. When I use the GP Editor from ZCM to create and reopen the policies all of my policy details are applying correctly to my local machine which I am working on the policy with. When I apply them to Win7 systems the policy status under the ZCM desktop icon shows that they were applied successfully, but when trying do do anything prohibited by policy or checking the gpedit.msc everything says Not Configured. This is only happening to "Windows Group Policy" objects, DLU and Remote Control are working correctly.

  • Work Folders client setup errors: No prompt for AD credentials & Lockscreen policies not applied.

    Hi everyone.
    I've recently set up a test environment for Work Folders (Server 2012 R2). I'm only testing inside my network so no internet access is required. I have encountered two issues:
    When setting up a domain-joined client using a GPO everything works fine, except for the lockscreen/password policy settings. If I enable this on the fileserver the sync fails claiming that the PC
    doesn't comply with my organization's security policies. This is very weird since Work Folders is responsible for configuring these policies.
    There's no Apply GPO option available in the Control Panel item.
    When setting up a non-domain-joined client for Work Folders I'm not prompted for AD credentials. The setup fails with the error:
    You 're not set up on the server. However, if I open the workfolders URL in Internet Explorer I do
    get prompted for my AD credentials.
    Here's some details about the environment:
    Server 2012 R2 DC. No other GPO's than the work folder GPO.
    DNS alias called workfolders.<domain>.local configured.
    Fileserver set up with self-signed certificate (SSC) bound to default website. The certificate is either manually installed on the clients or distributed via the GPO. The certificate is made with server name workfolders.<domain>.local.
    Work Folder GPO on client OU:
    - Certificate distribution of SSC
    - Loopback Policy enabled
    - Work Folders enabled with Force automatic setup
    Both servers and clients are VMs. Non-domain-joined client logged in as local administrator.
    Has anyone else encountered these issues? Can anyone shed some light on how to resolve this?
    Thanks in advance!
    MicaH

    Roberto, I don't have a W3SVC1 folder containing log files, so no dice. I did find out through event logs that the account that's used to authenticate is the fileservers' local administrator account! Then I remembered that my local Administrator
    accounts' password on my client is the same as on the fileserver (it's a test environment). So I changed the clients local admin password and it finally worked!
    I still have issues with the Device Policies, though. Any thought on that subject?
    Edit: The issue with the device policies is caused by my testuser not being a local admin on the client. I had adjusted my powerplan settings so I could keep my RDP session to the client open and without admin rights the work folders policies cannot be applied.
    Does anyone know how to set these policies using GPO?

  • Custom SCEP Policies not applied

    Hi All,
    I've got 3 test systems with SCEP installed.  They all receive definitions just fine.  Unfortunately they are not receiving the custom antimalware policies i've created.  I found this blog that tells me a command i can run against the registry
    to see what policies are applied:
    reg query HKLM\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy /f 2 /d
    http://www.niallbrady.com/2013/02/17/how-can-i-determine-what-antimalware-policy-is-applied-to-my-scep-2012-sp1-client/
    and it returns the following:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy
        All Windows SCEP Clients Policy (Scan Schedule)    REG_DWORD    0x2
        All Windows SCEP Clients Policy (Threat Default Action)    REG_DWORD    0x2
        Windows Server Scanning Exclusions (Excluded)    REG_DWORD    0x2
        Default Client Antimalware Policy (Excluded)    REG_DWORD    0x2
        All Windows SCEP Clients Policy (Realtime Config)    REG_DWORD    0x2
        All Windows SCEP Clients Policy (Advance Setting)    REG_DWORD    0x2
        All Windows SCEP Clients Policy (Spynet)    REG_DWORD    0x2
        All Windows SCEP Clients Policy (Signature Update)    REG_DWORD    0x2
        All Windows SCEP Clients Policy (Scan)    REG_DWORD    0x2
    End of search: 9 match(es) found.
    The way I read that means that the "All Windows SCEP Clients Policy" settings are all applied.  The "Windows Server Exclusions" policy is excluded for some reason. 
    My custom policies set scan times different than the default and i have some exclusions.  When I launch the SCEP client on the local computer, i don't see the set scan times, just the default scan times.  I also don't see the exclusions. 
    I see in that req query command that the Exclusions are (Excluded), but the scan schedule should apply. The priorities on the applied AMP (antimalware policies) are:
    Default Client AntimMalware Policy  10000
    All Windows SCEP Clients Policy  21
    Windows Server Scanning Exclusions  5
    These policies are applied to appropriate collections.  When I click on the system in question in the console and look at the antimalware policies, it lists those three. 
    I cannot for the life of me get these policies to apply even though they have what i think are the right priorities.  The way i understand it, the policies stack for most of the settings.  So the default settings get set by the default policy. 
    Then the "All Windows SCEP Policy" settings would override or merge with any settings in the default policy.  Then the "Windows Server Scanning Exclusions" policy would override or merge with any of the previous two policies. 
    Am I misinterpreting things here?

    Hi,
    I don't know if you managed to resolve this. But I had similar issues and after some detective work this was being caused by Group policy preventing the processing of local group policies. Specifically, the offending setting and explanation is listed below:
    Setting Path:
    Computer Configuration/Administrative Templates/System/Group Policy
    Setting: Turn off Local Group Policy objects processing: Enabled
    Explanation
    This policy setting prevents Local Group Policy objects (Local GPOs) from being applied.
    By default, the policy settings in Local GPOs are applied before any domain-based GPO policy settings. These policy settings can apply to both users and the local computer. You can disable the processing and application of all Local GPOs to ensure that only
    domain-based GPOs are applied.
    If you enable this policy setting, the system will not process and apply any Local GPOs.
    If you disable or do not configure this policy setting, Local GPOs will continue to be applied.
    Note: For computers joined to a domain, it is strongly recommended that you only configure this policy setting in domain-based GPOs. This setting will be ignored on computers that are joined to a workgroup.
    Make sure the setting is either set to disable or not configured.
    The image below shows a RSoP on a computer where policies are applying successfully. As you can see, antimalware settings are being applied as local group policy settings

  • Web-app scoped security policies not working in WL 8

    Hi,
    I can't get web-app scoped security policies working in WL 8.1
    I have a simple web application. It defines a role(ROLE) and security
    constraint (on *.jsp).
    If I examine the web app in the administration console, I see that it
    has created a role (scoped to /*) called "ROLE" just as you would
    expect. It has also created a scoped policy (to *.jsp) with constraints
    that the user be in the role ROLE. This is as expected, and it works.
    However, if I proceed to create my own scoped policy (on *.html) with
    constraints (on ALL methods) that the user be in role ROLE, then I get
    no security at all. ie. I can go to server:port/foo.html and it will
    work - it is not secured.
    Any ideas?
    On a completely unrelated issue, when I deploy an EAR (exploded) with a
    WAR (exploded) and using the admin console expand the application
    correpsonding to th EAR, right click on the WAR node, and try and define
    a scoped role, then I get an error "There are no appropriate RoleEditor
    providers configured". This sounds like a bug. Trying to define a
    scoped policy works as expected.
    TIA,
    Jon

    I can't get web-app scoped security policies working in WL 8.1Well, I can answer this one myself.
    WebLogic 8 has a new optimisation (this wasn't present in 7 AFAIK),
    available on the Security / Realm / myreal / General tab, which
    determines whether or not weblogic considers authorisation of resources
    protected by descriptors or not. (ie. it can force only
    descriptor-protected authorisation, ignoring admin console policies).
    It defaults to ignoring admin console policies, hence my problem.
    Jon

  • Windows 2008 R2 group policy not applied to windows 8 Workstations, but applied to XP and Win 7

    I have a Windows 2008 R2 Domain Controllers and have a Policy to put a specify wallpaper, eventuality i have to change the Wallpaper, this setting applied sucesfully in Windows xp and Windows 7 workstations, but not applied in Windows 8 workstations even
    if i run gpupdate /forcé,
    Best Regards,
    Thank you

    Hi,
    Thanks for posting in the forum.
    Before going further, would you please let me know how did you configure the Group Policy setting to deploy the wallpaper? Have you configured some settings to limit the scope the GPO applying?
    If all Windows 8 machines failed to receive the GPO settings? In order to narrow down the cause of the issue, I suggest we could try to collect the following information for troubleshooting.
    GPMC.log
    ==================
    a. On domain controller, click Start ->Run, type GPMC.MSC, it will load the GPMC console.
    b. Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select the proper
    user in the wizard)
    c. Right click 
    the resulting group policy result and click the "Save Report…" => save report to save the report to a HTML file.
    Once we get the report, please check if the settings have been applied to the target correctly.
    In addition, would you please let me know whether you have imported the latest Windows 8 Administrative Templates to the Windows Server 2008 DC? If not, please try to download and import it.
    Then try to configure the wallpaper GPO settings again to see if it could help.
    For details, please refer to the following articles.
    Administrative Templates (.admx) for Windows 8 and Windows Server 2012
    http://www.microsoft.com/en-us/download/details.aspx?id=36991
    Set Desktop Background via Group Policy in Windows 7, Windows 8 in a Server 2008 or Server 2012 Domain
    http://dizzyit.com/2013/04/14/set-desktop-background-group-policy-windows-7-windows-8-server-2008-server-2012-domain/
    Hope this helps.
    Best Regards,
    Andy Qi
    TechNet Subscriber Support
    If you are
    TechNet Subscription user and have any feedback on our support quality, please send your feedback
    here.
    Andy Qi
    TechNet Community Support

  • User policies not applied hence dlu not working

    We have 6 pc's that for some reason don't get user policies. Here's the
    line from zmd-message.log of the workstation agent:
    [1296] [ZenworksWindowsService] [56] [] [PolicyManager] []
    [ApplyPolicies: Either user session is null or Device-only mode is
    enabled or Zen logon module is not present; not applying user policies.]
    The zone is 10.3.3, we use a user source connected to edir and the user
    is getting user policies on other computers. What's this Device-only mode?
    regards,
    Limor

    Found the problem. Our people disabled Zenworks User Authentication in
    the registry.
    On 13/09/2011 09:13, Limor wrote:
    > We have 6 pc's that for some reason don't get user policies. Here's the
    > line from zmd-message.log of the workstation agent:
    > [1296] [ZenworksWindowsService] [56] [] [PolicyManager] []
    > [ApplyPolicies: Either user session is null or Device-only mode is
    > enabled or Zen logon module is not present; not applying user policies.]
    >
    > The zone is 10.3.3, we use a user source connected to edir and the user
    > is getting user policies on other computers. What's this Device-only mode?
    >
    > regards,
    > Limor

  • Email Address Policies not applying

    Hi,
    Before installing Exchange 2010 in our domain, we accidentally deleted few users, and restored back again. However, after installing Exchange, we can see that EAP are not applying to these users, but works fine for other users. Is there any tweak we can
    apply to make EAP apply (ADSIEDIT, or other tool)?
    Thank you for any help
    alfa21

    Hi,
    Is the e-mail address policy your default
    e-mail address policy or a new policy you created before?
    If the e-mail address policy is a new created policy, we can use the
    Update-EmailAddressPolicy cmdlet to apply an e-mail address policy to all recipients:
    Update-EmailAddressPolicy -Identity EMAIL_ADDRESS_POLICY01
    We can use EMC to check whether the problematic users are listed in the
    Default Email Address Policy preview:
    http://exchangeserverpro.com/exchange-server-2010-email-address-policies/
    Thanks,
    Winnie Liang
    TechNet Community Support

  • Local Security Policies not getting applied

    Hi,
    We have a Windows 2012 Server which is added to Domain. We have requirement for applying some security settings on the servers. We do not want to use Group Policies for the same as we have different server in different OU's.
    We have applied the policies using gpedit.msc by going to Computer Configuration/Windows Settings/Security Settings/Local Policies
    But once we run rsop.msc the settings are showing as not defined.
    I tried running gpupdate /force and rebooting but no use.
    Also there are some settings which are configured in Security Options but we want to change those to not defined. There is no option for the same, its only enable or disable.

    Hi,
    I have done some tests, and getting the exact same results as yours.
    It looks like settings configured within the Winning GPOs are dispalyed. For those settings which are not configured from any higher level scope, local group policy settings can be applied then.
    Best Regards,
    Amy

Maybe you are looking for