Wednesday, 21 February 2018 18:12

Group Policy Changes in Windows 10 1803 Preview


As development of the Windows 10 Redstone 4 Update (1803) winds down, it's a great time to examine updated and new Group Policy settings. There is (obviously) no official documentation from the Group Policy team at this point, and there might be quite a few changes to Group Policy settings before the Windows 10 Spring Update hits RTM. Still, it can't hurt to poke around the current ADMX files because there are truly several things duller in our line of work than comparing thousands of lines of text. Right?

Based on my results, the following Group Policy settings were added in Windows 10 version 1803 (Insider build 17101), or modified to an extent that warrants listing them here:

Note: An Excel spreadsheet containing policy descriptions, registry paths and possible settings (where applicable) is attached to this post. This time around I am also including a full list of policy settings which have been removed from Windows 10 build 17101 and might wind up not being included in the final build of Windows 10 1803. Please keep in mind that the text-based analysis is somewhat error-prone, so take the information below with a grain of salt.

| ADMX File | Parent Category | Policy | Class |
|---|---|---|---|
| AppHVSI.admx | Windows Defender Application Guard | Allow hardware-accelerated rendering for Windows Defender Application Guard | Machine |
| AppHVSI.admx | Windows Defender Application Guard | Allow files to download and save to the host operating system from Windows Defender Application Guard | Machine |
| AppPrivacy.admx | App Privacy | Let Windows apps access an eye tracker device | Machine |
| CloudContent.admx | Cloud Content | Turn off Windows Spotlight on Settings | User |
| DataCollection.admx | | Allow device name to be sent in Windows diagnostic data | Machine |
| DataCollection.admx | | Configure telemetry opt-in setting user interface. | Machine |
| DataCollection.admx | | Configure telemetry opt-in change notifications. | Machine |
| DeliveryOptimization.admx | Delivery Optimization | Maximum Background Download Bandwidth (percentage) | Machine |
| DeliveryOptimization.admx | Delivery Optimization | Maximum Foreground Download Bandwidth (percentage) | Machine |
| DeliveryOptimization.admx | Delivery Optimization | Select the source of Group IDs | Machine |
| DeliveryOptimization.admx | Delivery Optimization | Delay background download from http (in secs) | Machine |
| DeliveryOptimization.admx | Delivery Optimization | Delay Foreground download from http (in secs) | Machine |
| DeliveryOptimization.admx | Delivery Optimization | Select a method to restrict Peer Selection | Machine |
| DeliveryOptimization.admx | Delivery Optimization | Set Business Hours to Limit Background Download Bandwidth | Machine |
| DeliveryOptimization.admx | Delivery Optimization | Set Business Hours to Limit Foreground Download Bandwidth | Machine |
| Display.admx | Display | Configure Per-Process System DPI settings | Machine |
| EAIME.admx | IME | Turn on Live Sticker | User |
| GroupPolicy.admx | Group Policy | Phone-PC linking on this device | Machine |
| MicrosoftEdge.admx | Microsoft Edge | Allow configuration updates for the Books Library | Both |
| MicrosoftEdge.admx | Microsoft Edge | Allow extended telemetry for the Books tab | Both |
| MicrosoftEdge.admx | Microsoft Edge | Allow a shared Books folder | Both |
| MicrosoftEdge.admx | Microsoft Edge | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed | Both |
| OSPolicy.admx | OS Policies | Allow upload of User Activities | Machine |
| Passport.admx | Windows Hello for Business | Use Windows Hello for Business | Both |
| Search.admx | Search | Allow Cortana Page in OOBE on an AAD account | Machine |
| StartMenu.admx | | Remove 'Recently added' list from Start Menu | Machine |
| StartMenu.admx | | Disable context menus in the Start Menu | Both |
| TerminalServer.admx | Device and Resource Redirection | Do not allow video capture redirection | Machine |
| UserExperienceVirtualization.admx | Microsoft User Experience Virtualization | Enable UEV | Machine |
| WindowsDefenderSecurityCenter.admx | Virus and threat protection | Hide the Ransomware data recovery area | Machine |
| WindowsDefenderSecurityCenter.admx | Account protection | Hide the Account protection area | Machine |
| WindowsDefenderSecurityCenter.admx | Device security | Hide the Device security area | Machine |
| WindowsDefenderSecurityCenter.admx | Device security | Hide the Security processor (TPM) troubleshooter page | Machine |
| WindowsDefenderSecurityCenter.admx | Device security | Hide the Secure boot area | Machine |
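
Because a text-based comparison of ADMX files is error-prone, the same comparison can be done on the parsed XML, keyed by policy name. This is an added example, not the script used for this post; the two embedded ADMX snippets, their policy names, category and registry paths are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: two revisions of a hypothetical Example.admx.
# Policy names, category and registry paths are placeholders, not real settings.
ROOT = '<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">'
OLD_ADMX = ROOT + r"""<policies>
  <policy name="ExampleKept" class="Machine" key="Software\Policies\Example" valueName="Kept">
    <parentCategory ref="ExampleCategory"/>
  </policy>
  <policy name="ExampleChanged" class="Machine" key="Software\Policies\Example" valueName="Changed"/>
  <policy name="ExampleRemoved" class="User" key="Software\Policies\Example" valueName="Removed"/>
</policies></policyDefinitions>"""
NEW_ADMX = ROOT + r"""<policies>
  <policy name="ExampleKept" class="Machine" key="Software\Policies\Example" valueName="Kept">
    <parentCategory ref="ExampleCategory"/>
  </policy>
  <policy name="ExampleChanged" class="Both" key="Software\Policies\Example" valueName="Changed"/>
  <policy name="ExampleAdded" class="Machine" key="Software\Policies\Example" valueName="Added"/>
</policies></policyDefinitions>"""


def local(tag):
    """Strip the XML namespace so files with a different xmlns still parse."""
    return tag.rsplit("}", 1)[-1]


def load_policies(admx):
    """Map policy name -> (class, registry key, value name, parent category)."""
    found = {}
    for el in ET.fromstring(admx).iter():
        if local(el.tag) != "policy":
            continue
        parent = next((c.get("ref") for c in el if local(c.tag) == "parentCategory"), None)
        found[el.get("name")] = (el.get("class"), el.get("key"), el.get("valueName"), parent)
    return found


def diff_policies(old_admx, new_admx):
    """Compare two ADMX revisions by policy name instead of by text line."""
    old, new = load_policies(old_admx), load_policies(new_admx)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


if __name__ == "__main__":
    for change, names in diff_policies(OLD_ADMX, NEW_ADMX).items():
        print(change, names)
```

Display names and explain text live in the language-specific .adml files, so a wording-only change to a policy does not show up in this comparison.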

Notable changes are:

  • You can now configure whether to save downloaded files to the host operating system from the Windows Defender Application Guard container in an effort to combat malicious content and malware out on the Internet.
  • You can now control whether Windows Defender Application Guard renders graphics using hardware or software acceleration using Group Policy.
  • You can now remove the "Recently added" list from the Start Menu. In addition, you can prevent users from opening context menus in the Start Menu.
  • You can now turn off the set of features that enable "linking" your phone to your PC.
  • You can now prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed.
  • You can now turn off Windows Spotlight suggestions in the Settings app.
  • As Microsoft continues to work on fixing blurry or incorrectly sized desktop applications on high-DPI displays, you can now enable the Per-Process System DPI application compatibility feature.
  • You can now disable Cortana Page in OOBE on an AAD account.
  • You can now disallow auto start for Windows Hello provisioning after sign-in.
  • You can now hide the following areas in the Windows Defender Security Center: Ransomware data recovery, Account protection, Device security, Security processor (TPM) troubleshooter and Secure boot.
  • You can now enable or disable the User Experience Virtualization (UE-V) feature.

Additionally, Microsoft added a bunch of Delivery Optimization configuration settings and implemented additional telemetry controls including a policy setting which determines whether people can change their own telemetry levels in Settings.

As a side note, the Windows Defender Exploit Guard Controlled Folder Access feature, introduced in Windows 10 1709 to protect valuable data from malicious apps and threats such as ransomware, now includes two additional modes: Block disk modification only (which blocks only attempts by untrusted apps to write to disk sectors, while still allowing modification or removal of files in protected folders) and Audit disk modification only (which only records attempts to write to protected disk sectors in the Windows event log).

Mercifully, there are also a few new features and corresponding Group Policy settings which are so meaningless that I have to mention them here because they may literally make your brain hurt. There is now an odd policy setting that controls the live sticker feature, which uses an online service to provide stickers. If that is not silly enough, there are now options to allow configuration updates for the Books Library, to allow extended telemetry for the Books tab and to allow a shared Books folder, which means absolutely nothing. Predictably, the book functionality appears to be more important than adding Group Policy settings for Microsoft Edge that could be really useful.

Last modified on Thursday, 22 February 2018 10:36
