Remove Extra Registry Settings from GPO
Date Added: 1/18/2017

If you select a GPO and click the Settings tab, you may notice an extra section at the bottom of the Computer Config or User config called Extra Registry Settings.  That probably means you have created a GPO using a previous version of an ADMX, but the newer version of the ADMX you're using now no longer has those settings in it.  In other words, those are orphaned settings that should probably be removed.  One way is to delete the GPO and recreate it.  The other way is to use Powershell to remove those specific settings:

1) Get the name of the GPO
2) See if the Extra Registry Setting is in the Computer or the User section.  If computer, use HKLM below.  If User, use HKCU below.
3) Open powershell and run this command, replacing the GPO's NAME and the HKCU with HKLM if necessary:

Remove-GPRegistryValue -Name My Windows Defender Config GPO -Key HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection -ValueName DisableIntrusionPreventionSystem

4) After removing the setting, you may want to look at the GPO to see if the new ADMX file has given you any new options that you're interested in.  Or, you may want to keep that registry setting, but you should put it in a Registry Preference instead of leaving it as an orphaned setting.

---

Back to List