![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 50%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 81%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECT%3C/text%3E%3C/svg%3E)
Hello WIND_AM,
Thank you for posting question on Microsoft Windows Forum!
Based on your query of whether difference in Windows client versions/builds affecting Group Policy processing, compatibility, or policy application.
While Active Directory is designed to be backward compatible, the mix of Windows 10 (especially older builds like 1903) and Windows 11 creates several layers of potential inconsistency in how Group Policy Objects (GPOs) are processed and applied.
Administrative Template (ADMX) Discrepancies might be considered to be the main suspect here. GPOs rely on ADMX files to define which registry keys should be changed. Windows 11 introduces new settings that simply do not exist in Windows 10 1903. If you configure a policy using the Windows 11 ADMX templates, an older Windows 10 machine may see that setting as "Extra Registry Settings" or ignore it entirely because it does not have the corresponding client-side extension to handle it. On the other hand, Windows Server 2025 and recent Windows 11 builds have hardened security defaults that older versions (like Windows 10 1903) do not share. Newer versions of Windows might require SMB signing by default. If a legacy client has a different security handshake requirement, it might fail to even read the GPO files from the SYSVOL share.
Another point worth mentioning here is some policies require client-side extensions (CSEs) that must exist and be working on the client. If a CSE is missing, broken, or behaves differently between OS builds, that class of settings will apply on those machines. The Group Policy engine invokes CSEs on the client to do the work.
The following articles are useful for your further reference regarding your concerns.
- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/client-side-processing-of-group-policy
- https://learn.microsoft.com/en-us/windows/client-management/understanding-admx-backed-policies
Hope the above information is helpful! If it helps you getting more insight into the issue, it is appreciated to accept the answer. Should you have more questions, feel free to leave a message.