Based on my results, the following Group Policy settings were added in Windows 10 version 1803 (Insider build 17101), or modified to an extent that warrants listing them here:
Note: An Excel spreadsheet containing policy descriptions, registry paths and possible settings (where applicable) is attached to this post. This time around I am also including a full list of policy settings that were removed from Windows 10 build 17101 and might not be included in the final build of Windows 10 1803. Please keep in mind that the text-based analysis is somewhat error-prone, so take the information below with a grain of salt.
ADMX File | Parent Category | Policy | Class |
AppHVSI.admx | Windows Defender Application Guard | Allow hardware-accelerated rendering for Windows Defender Application Guard | Machine |
AppHVSI.admx | Windows Defender Application Guard | Allow files to download and save to the host operating system from Windows Defender Application Guard | Machine |
AppPrivacy.admx | App Privacy | Let Windows apps access an eye tracker device | Machine |
CloudContent.admx | Cloud Content | Turn off Windows Spotlight on Settings | User |
DataCollection.admx | | Allow device name to be sent in Windows diagnostic data | Machine |
DataCollection.admx | | Configure telemetry opt-in setting user interface. | Machine |
DataCollection.admx | | Configure telemetry opt-in change notifications. | Machine |
DeliveryOptimization.admx | Delivery Optimization | Maximum Background Download Bandwidth (percentage) | Machine |
DeliveryOptimization.admx | Delivery Optimization | Maximum Foreground Download Bandwidth (percentage) | Machine |
DeliveryOptimization.admx | Delivery Optimization | Select the source of Group IDs | Machine |
DeliveryOptimization.admx | Delivery Optimization | Delay background download from http (in secs) | Machine |
DeliveryOptimization.admx | Delivery Optimization | Delay Foreground download from http (in secs) | Machine |
DeliveryOptimization.admx | Delivery Optimization | Select a method to restrict Peer Selection | Machine |
DeliveryOptimization.admx | Delivery Optimization | Set Business Hours to Limit Background Download Bandwidth | Machine |
DeliveryOptimization.admx | Delivery Optimization | Set Business Hours to Limit Foreground Download Bandwidth | Machine |
Display.admx | Display | Configure Per-Process System DPI settings | Machine |
EAIME.admx | IME | Turn on Live Sticker | User |
GroupPolicy.admx | Group Policy | Phone-PC linking on this device | Machine |
MicrosoftEdge.admx | Microsoft Edge | Allow configuration updates for the Books Library | Both |
MicrosoftEdge.admx | Microsoft Edge | Allow extended telemetry for the Books tab | Both |
MicrosoftEdge.admx | Microsoft Edge | Allow a shared Books folder | Both |
MicrosoftEdge.admx | Microsoft Edge | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed | Both |
OSPolicy.admx | OS Policies | Allow upload of User Activities | Machine |
Passport.admx | Windows Hello for Business | Use Windows Hello for Business | Both |
Search.admx | Search | Allow Cortana Page in OOBE on an AAD account | Machine |
StartMenu.admx | | Remove 'Recently added' list from Start Menu | Machine |
StartMenu.admx | | Disable context menus in the Start Menu | Both |
TerminalServer.admx | Device and Resource Redirection | Do not allow video capture redirection | Machine |
UserExperienceVirtualization.admx | Microsoft User Experience Virtualization | Enable UEV | Machine |
WindowsDefenderSecurityCenter.admx | Virus and threat protection | Hide the Ransomware data recovery area | Machine |
WindowsDefenderSecurityCenter.admx | Account protection | Hide the Account protection area | Machine |
WindowsDefenderSecurityCenter.admx | Device security | Hide the Device security area | Machine |
WindowsDefenderSecurityCenter.admx | Device security | Hide the Security processor (TPM) troubleshooter page | Machine |
WindowsDefenderSecurityCenter.admx | Device security | Hide the Secure boot area | Machine |
Notable changes are:
- You can now configure whether to save downloaded files to the host operating system from the Windows Defender Application Guard container in an effort to combat malicious content and malware out on the Internet.
- You can now use Group Policy to control whether Windows Defender Application Guard renders graphics using hardware or software acceleration.
- You can now remove the "Recently added" list from the Start Menu. In addition, you can prevent users from opening context menus in the Start Menu.
- You can now turn off the set of features that enable "linking" your phone to your PC.
- You can now prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed.
- You can now turn off Windows Spotlight suggestions in the Settings app.
- As Microsoft continues to work on fixing blurry or incorrectly sized desktop applications on high-DPI displays, you can now enable the Per-Process System DPI application compatibility feature.
- You can now disable Cortana Page in OOBE on an AAD account.
- You can now disallow auto start for Windows Hello provisioning after sign-in.
- You can now hide the following areas in the Windows Defender Security Center: Ransomware data recovery, Account protection, Device security, Security processor (TPM) troubleshooter and Secure boot.
- You can now enable or disable the User Experience Virtualization (UE-V) feature.
Additionally, Microsoft added a bunch of Delivery Optimization configuration settings and implemented additional telemetry controls including a policy setting which determines whether people can change their own telemetry levels in Settings.
As a side note, the Windows Defender Exploit Guard Controlled Folder Access feature, introduced in Windows 10 1709 to protect valuable data from malicious apps and threats such as ransomware, now includes two additional modes of operation: Block disk modification only (which blocks only attempts by untrusted apps to write to disk sectors, while still allowing modification or removal of files in protected folders) and Audit disk modification only (which only records attempts to write to protected disk sectors in the Windows event log).
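The two disk-modification modes described above can be checked and trialled from PowerShell. This is an added example, not part of the original post: the numeric setting values, the `Set-MpPreference` mode names and the event IDs 1127/1128 do not appear on this page and are taken from Microsoft's Defender documentation, and the function names are hypothetical.

```powershell
# Added example (not from the original post). Run in an elevated session
# on Windows 10 1803 or later with the Defender module available.

# Numeric values of EnableControlledFolderAccess (per Microsoft's documentation).
$CfaModeNames = @{
    0 = 'Disabled'
    1 = 'Enabled (Block)'
    2 = 'Audit Mode'
    3 = 'Block disk modification only'
    4 = 'Audit disk modification only'
}

function Get-CfaMode {
    # Hypothetical helper: report the effective Controlled Folder Access mode.
    $value = [int](Get-MpPreference).EnableControlledFolderAccess
    [pscustomobject]@{
        Value = $value
        Mode  = $CfaModeNames[$value]
    }
}

function Get-CfaSectorWriteEvent {
    # Hypothetical helper: list disk-sector write events from the Defender log.
    # 1127 = blocked sector write, 1128 = audited sector write.
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1127, 1128
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Trial the sector protection in audit first, so legitimate disk tools
# show up as event 1128 instead of being blocked.
Set-MpPreference -EnableControlledFolderAccess AuditDiskModificationOnly
Get-CfaMode

# After a review period, inspect what would have been blocked.
Get-CfaSectorWriteEvent -Days 14

# Once the audited writers are understood, switch to enforcement:
# Set-MpPreference -EnableControlledFolderAccess BlockDiskModificationOnly
```

If the setting is delivered by Group Policy, the policy value overrides what `Set-MpPreference` writes, so `Get-CfaMode` is the check to run after a policy refresh.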
Mercifully, there are also a few new features and corresponding group policy settings which are so meaningless that I have to mention them here because they may literally make your brain hurt. There is now an odd policy setting that controls the live sticker feature, which uses an online service to provide stickers online. If that is not silly enough, there are now options to allow configuration updates for the Books Library, to allow extended telemetry for the Books tab and to allow a shared Books folder, which means absolutely nothing. Predictably, the book functionality appears to be more important than adding group policy settings for Microsoft Edge that could be really useful.