Wednesday, 21 February 2018 18:12

Group Policy Changes in Windows 10 1803 Preview


As Windows 10 Redstone 4 Update (1803) development winds down, it's a good time to examine updated and new Group Policy settings. There is (obviously) no official documentation from the Group Policy team at this point, and there might be quite a few changes to Group Policy settings before the Windows 10 Spring Update hits RTM. Still, it can't hurt to poke around the current ADMX files, because there are truly several things duller in our line of work than comparing thousands of lines of text. Right?

Based on my results, the following Group Policy settings were added in Windows 10 version 1803 (Insider build 17101), or modified to an extent that warrants listing them here:

Note: An Excel spreadsheet containing policy descriptions, registry paths and possible settings (where applicable) is attached to this post. This time around I am also including a full list of policy settings that were removed in Windows 10 build 17101 and might end up not being included in the final build of Windows 10 1803. Please keep in mind that the text-based analysis is somewhat error-prone, so take the information below with a grain of salt.

ADMX File | Parent Category | Policy | Class
--------- | --------------- | ------ | -----
AppHVSI.admx | Windows Defender Application Guard | Allow hardware-accelerated rendering for Windows Defender Application Guard | Machine
AppHVSI.admx | Windows Defender Application Guard | Allow files to download and save to the host operating system from Windows Defender Application Guard | Machine
AppPrivacy.admx | App Privacy | Let Windows apps access an eye tracker device | Machine
CloudContent.admx | Cloud Content | Turn off Windows Spotlight on Settings | User
DataCollection.admx | | Allow device name to be sent in Windows diagnostic data | Machine
DataCollection.admx | | Configure telemetry opt-in setting user interface | Machine
DataCollection.admx | | Configure telemetry opt-in change notifications | Machine
DeliveryOptimization.admx | Delivery Optimization | Maximum Background Download Bandwidth (percentage) | Machine
DeliveryOptimization.admx | Delivery Optimization | Maximum Foreground Download Bandwidth (percentage) | Machine
DeliveryOptimization.admx | Delivery Optimization | Select the source of Group IDs | Machine
DeliveryOptimization.admx | Delivery Optimization | Delay background download from http (in secs) | Machine
DeliveryOptimization.admx | Delivery Optimization | Delay Foreground download from http (in secs) | Machine
DeliveryOptimization.admx | Delivery Optimization | Select a method to restrict Peer Selection | Machine
DeliveryOptimization.admx | Delivery Optimization | Set Business Hours to Limit Background Download Bandwidth | Machine
DeliveryOptimization.admx | Delivery Optimization | Set Business Hours to Limit Foreground Download Bandwidth | Machine
Display.admx | Display | Configure Per-Process System DPI settings | Machine
EAIME.admx | IME | Turn on Live Sticker | User
GroupPolicy.admx | Group Policy | Phone-PC linking on this device | Machine
MicrosoftEdge.admx | Microsoft Edge | Allow configuration updates for the Books Library | Both
MicrosoftEdge.admx | Microsoft Edge | Allow extended telemetry for the Books tab | Both
MicrosoftEdge.admx | Microsoft Edge | Allow a shared Books folder | Both
MicrosoftEdge.admx | Microsoft Edge | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed | Both
OSPolicy.admx | OS Policies | Allow upload of User Activities | Machine
Passport.admx | Windows Hello for Business | Use Windows Hello for Business | Both
Search.admx | Search | Allow Cortana Page in OOBE on an AAD account | Machine
StartMenu.admx | | Remove 'Recently added' list from Start Menu | Machine
StartMenu.admx | | Disable context menus in the Start Menu | Both
TerminalServer.admx | Device and Resource Redirection | Do not allow video capture redirection | Machine
UserExperienceVirtualization.admx | Microsoft User Experience Virtualization | Enable UEV | Machine
WindowsDefenderSecurityCenter.admx | Virus and threat protection | Hide the Ransomware data recovery area | Machine
WindowsDefenderSecurityCenter.admx | Account protection | Hide the Account protection area | Machine
WindowsDefenderSecurityCenter.admx | Device security | Hide the Device security area | Machine
WindowsDefenderSecurityCenter.admx | Device security | Hide the Security processor (TPM) troubleshooter page | Machine
WindowsDefenderSecurityCenter.admx | Device security | Hide the Secure boot area | Machine
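The table above comes from a text comparison of two builds' ADMX files. The script below is an added example (not the post's own tooling) of doing that comparison structurally instead: it parses the <policy> elements (name, class, parentCategory, registry key) and reports policies that were added, removed or reclassified between two builds. The ADMX documents it runs on are constructed samples, not real Microsoft files.

```python
import xml.etree.ElementTree as ET

# All ADMX elements live in this XML namespace.
NS = "{http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions}"

def load_policies(admx_text):
    """Map policy name -> (class, parent category ref, registry key) for one ADMX document."""
    out = {}
    for pol in ET.fromstring(admx_text).iter(NS + "policy"):
        cat = pol.find(NS + "parentCategory")
        out[pol.get("name")] = (pol.get("class"),
                                cat.get("ref") if cat is not None else "",
                                pol.get("key", ""))
    return out

def load_build(admx_files):
    """admx_files: {file name: ADMX text}. Results are keyed by (file name, policy name)."""
    build = {}
    for fname, text in admx_files.items():
        for name, meta in load_policies(text).items():
            build[(fname, name)] = meta
    return build

def diff_builds(old_files, new_files):
    """Return (added, removed, changed); 'changed' means class, category or key differs."""
    old, new = load_build(old_files), load_build(new_files)
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = sorted(k for k in old if k in new and old[k] != new[k])
    return added, removed, changed

def _admx(policies):
    """Build a minimal constructed ADMX document from (name, class, category, key) tuples."""
    body = "".join(f'<policy name="{n}" class="{c}" displayName="$(string.{n})" key="{k}">'
                   f'<parentCategory ref="{cat}"/></policy>' for n, c, cat, k in policies)
    return (f'<policyDefinitions xmlns="{NS[1:-1]}" revision="1.0" schemaVersion="1.0">'
            f'<policies>{body}</policies></policyDefinitions>')

# Constructed sample builds; names and keys are placeholders, not real policies.
OLD_BUILD = {"Sample.admx": _admx([("Sample_Existing", "Machine", "SampleCat", r"Software\Policies\Sample"),
                                   ("Sample_Dropped", "User", "SampleCat", r"Software\Policies\Sample")])}
NEW_BUILD = {"Sample.admx": _admx([("Sample_Existing", "Both", "SampleCat", r"Software\Policies\Sample"),
                                   ("Sample_New", "Machine", "SampleCat", r"Software\Policies\Sample")]),
             "Other.admx": _admx([("Other_New", "Machine", "OtherCat", r"Software\Policies\Other")])}

if __name__ == "__main__":
    added, removed, changed = diff_builds(OLD_BUILD, NEW_BUILD)
    for label, keys in (("added", added), ("removed", removed), ("changed", changed)):
        for fname, name in keys:
            print(f"{label:8} {fname:14} {name}")
```

To run it against real builds, read each *.admx from the two PolicyDefinitions folders with `encoding="utf-8-sig"` (the files carry a byte-order mark) and pass the resulting {file name: text} dicts to diff_builds; the display strings in the table above come from the matching ADML files, which this script does not read.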

Notable changes are:

  • You can now configure whether files downloaded inside the Windows Defender Application Guard container may be saved to the host operating system, in an effort to combat malicious content and malware out on the Internet.
  • You can now control through Group Policy whether Windows Defender Application Guard renders graphics using hardware or software acceleration.
  • You can now remove the "Recently added" list from the Start Menu. In addition, you can also prevent users from opening context menus in the Start Menu.
  • You can now turn off the set of features that enable "linking" your phone to your PC.
  • You can now prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed.
  • You can now turn off Windows Spotlight suggestions in the Settings app.
  • As Microsoft continues to work on fixing blurry or incorrectly sized desktop applications on high-DPI displays, you can now enable the per-process system DPI application compatibility feature.
  • You can now disable the Cortana page in OOBE on an AAD account.
  • You can now disallow auto start for Windows Hello provisioning after sign-in.
  • You can now hide the following areas in the Windows Defender Security Center: Ransomware data recovery, Account protection, Device security, Security processor (TPM) troubleshooter and Secure boot.
  • You can now enable or disable the User Experience Virtualization (UE-V) feature.

Additionally, Microsoft added a bunch of Delivery Optimization configuration settings and implemented additional telemetry controls including a policy setting which determines whether people can change their own telemetry levels in Settings.

As a side note, the Windows Defender Exploit Guard Controlled Folder Access feature, introduced in Windows 10 1709 to protect valuable data from malicious apps and threats such as ransomware, now includes two additional modes: Block disk modification only (which blocks only attempts by untrusted apps to write to disk sectors, while still allowing modification or removal of files in protected folders) and Audit disk modification only (which only records attempts to write to protected disk sectors in the Windows event log).

Mercifully, there are also a few new features and corresponding Group Policy settings which are so meaningless that I have to mention them here, because they may literally make your brain hurt. There is now an odd policy setting that controls the Live Sticker feature, which uses an online service to provide stickers. If that is not silly enough, there are now options to allow configuration updates for the Books Library, to allow extended telemetry for the Books tab and to allow a shared Books folder, which mean absolutely nothing. Predictably, the book functionality appears to be more important than adding Group Policy settings for Microsoft Edge that could be really useful.

Last modified on Thursday, 22 February 2018 10:36

Comments (6)

Soeren

"Device security Hide the Security processor (TPM) troubleshooter page" - has anybody used this policy and what does it actually do?
I cannot see any difference with this one enabled on a Win 1803 computer with an outdated Infineon TPM chip firmware. We have 4000+ of them and HP requires physical presence to update it. So we will probably not update :|
Anton Romanyuk

Did you check the Windows Defender Security Center? Enabling this policy should effectively hide info about the security processor manufacturer and version numbers, as well as info about the security processor’s status.

Soeren

We are using Danish Windows 10 for end users but I hope you get the picture:
https://s7.postimg.cc/pjisno7on/gpo.png
https://s7.postimg.cc/ui6b27j7b/rsop.png
https://s7.postimg.cc/q91l01nnr/tpm.png
https://s7.postimg.cc/5c5cvd2hj/devsec.png

Thanks a lot in advance!

Anton Romanyuk (replying to Soeren)

I tried to reproduce your issue by applying local group policy on an 1803 client but had no luck thus far, as the GPO behaved as expected to hide the TPM information.

Soeren

Quoting Anton Romanyuk: "I tried to reproduce your issue by applying local group policy on an 1803 client but had no luck thus far, as the GPO behaved as expected to hide the TPM information."

Thank you for trying. Maybe it is a bug in the Danish edition - I have seen weird bugs in the past with localized versions of Win10, i.e. the weird onscreen keyboard on a localized 1709...

Maybe it's a bug, maybe it's a feature and maybe the problem will be solved some time in the distant future.
 
