Based on my results, the following Group Policy settings were added in Windows 10, version 1809 (Insider build 17751.1), or modified to an extent that warrants listing them here:
Note: An Excel spreadsheet containing policy descriptions, registry paths and possible settings (where applicable) is attached to this post. Please keep in mind, that the text-based analysis is somewhat error-prone, so take the information below with a grain of salt.
|ADMX File||Parent Category||Policy||Class|
|AppHVSI.admx||Windows Defender Application Guard||Turn on Windows Defender Application Guard in Enterprise Mode||Machine|
|AppHVSI.admx||Windows Defender Application Guard||Allow Windows Defender Application Guard to use Root Certificate Authorities from the user’s device||Machine|
|AppHVSI.admx||Windows Defender Application Guard||Allow camera and microphone access in Windows Defender Application Guard||Machine|
|AppHVSI.admx||Windows Defender Application Guard||Allow users to trust files that open in Windows Defender Application Guard||Machine|
|AppHVSI.admx||Windows Defender Application Guard||Configure additional sources for untrusted files in Windows Defender Application Guard.||Machine|
|DataCollection.admx||Disable deleting diagnostic data||Machine|
|DataCollection.admx||Disable diagnostic data viewer.||Machine|
|DataCollection.admx||Configure Microsoft 365 Update Readiness upload endpoint||Machine|
|MicrosoftEdge.admx||Microsoft Edge||Allow Sideloading of extension||Both|
|MicrosoftEdge.admx||Microsoft Edge||Allow FullScreen Mode||Both|
|MicrosoftEdge.admx||Microsoft Edge||Allow printing||Both|
|MicrosoftEdge.admx||Microsoft Edge||Allow Saving History||Both|
|MicrosoftEdge.admx||Microsoft Edge||Configure Favorites Bar||Both|
|MicrosoftEdge.admx||Microsoft Edge||Configure collection of browsing data for Microsoft 365 Analytics||Both|
|MicrosoftEdge.admx||Microsoft Edge||Configure Home Button||Both|
|MicrosoftEdge.admx||Microsoft Edge||Configure Open Microsoft Edge With||Both|
|MicrosoftEdge.admx||Microsoft Edge||Prevent turning off required extensions||Both|
|MicrosoftEdge.admx||Microsoft Edge||Prevent certificate error overrides||Both|
|OOBE.admx||OOBE||Don't launch privacy settings experience on user logon||Both|
|Passport.admx||Windows Hello for Business||Use Windows Hello for Business certificates as smart card certificates||Machine|
|SmartScreen.admx||Explorer||Configure App Install Control||Machine|
|WCM.admx||Windows Connection Manager||Enable Windows to soft-disconnect a computer from a network||Machine|
|WindowsDefender.admx||Windows Defender Antivirus||Configure detection for potentially unwanted applications||Machine|
|WindowsDefender.admx||Scan||Configure low CPU priority for scheduled scans||Machine|
|WindowsDefender.admx||Device security||Disable the Clear TPM button||Machine|
|WindowsDefender.admx||Device security||Hide the TPM Firmware Update recommendation.||Machine|
|WindowsDefender.admx||Systray||Hide Windows Security Systray||Machine|
|WindowsUpdate.admx||Windows Update||Remove access to "Pause updates" feature||Machine|
In terms of new features, there isn’t anything to be excited about the Windows 10 October 2018 Update as Microsoft's primary focus this time around appears to be the improvement of the overall OS quality and Windows 10 hardening instead of implementation of new features which are so meaningless, that they could literally make your brain hurt.
Notable changes are:
- Windows Defender Application Guard in Enterprise Mode provides unprecedented protection against targeted threats using Microsoft’s Hyper-V virtualization technology and now supports Microsoft Office applications in addition to Microsoft Edge. You can enforce Windows Defender Application Guard for Microsoft Edge only, for Microsoft Office only or both.
- You can now enable camera and microphone access in Windows Defender Application Guard container.
- You can now configure required actions and validations that gives users the option to trust files that open in Application Guard. (Note: By default users are not able to trust files that open in Application Guard.) If you configure this setting, users will be able to open UI in Windows that enables them to explicitly trust selected files. You can optionally require that the files are cleared by the antivirus program that is installed on the user’s device prior to opening on the host.
- In addition, you can now configure additional sources for untrusted files which will always open in Windows Defender Application Guard, including removable media, network shares (Note: If you want to explicitly trust a network location and prevent files from that location from opening in Application Guard, use one of the Network Isolation policies.) and files with Mark of the Web (MotW). If you disable or don't configure this setting, only files downloaded from Application Guard for Microsoft Edge will open in Application Guard for Microsoft Word, Excel, or PowerPoint.
- Windows 10 October 2018 Update introduces the App Install Control feature that helps protect PCs by allowing users to install apps only from the Store. Note: SmartScreen must be enabled for this feature to work properly.
- Windows Defender now supports low CPU priority mode for scheduled scans.
- Starting with Windows 10, version 1809 you can disable the Delete diagnostic data button in Diagnostic & Feedback Settings page.
- You can now prevent users from launching the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page.
- As Microsoft continues to tweak the user experience, you can now disable the Clear TPM button in the Windows Security Center as well as hide the recommendation to update TPM Firmware when a vulnerable firmware is detected. In addition, you can also opt to hide Windows Security systray.
- When logging into a new user account for the first time or after an upgrade in some scenarios, that user may be presented with a screen or series of screens that prompts the user to choose privacy settings for their account. You can now prevent this OOBE experience from launching.
- You can now prevent users from accessing the "Pause updates" Windows Update feature.
Microsoft is determined to make Microsoft Edge the safest and most modern browser. Over the past three years, the company has been continuously innovating, and the quality of engineering is reflected in the latest improvements being introduced with the Windows 10 October 2018 Update:
- You can now specify whether unverified extensions can be sideloaded in Microsoft Edge.
- You can now prohibit users from using the full-screen mode, which shows only the web content and hides the Microsoft Edge UI.
- You can now restrict whether printing web content in Microsoft Edge is allowed.
- You can now prevent Microsoft Edge from saving your user's browsing history, which is made up of info about the websites they visit, on their devices.
- You can now specify whether to set the favorites bar to always be visible or hidden on any page.
- You can now lock down the Home button to either load the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy.
- You can now configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it.
- You can now define a list of extensions in Microsoft Edge that users cannot turn off. Note: You must deploy extensions through any available enterprise deployment channel.
- You can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID.
- You can now prevent users from from bypassing the security warning to sites that have SSL errors.
Additionally, the Group Policy team is apparantely changing the scope of some policies as follows:
Previously: Machine, Now: Both
- ControlPanel.admx\SettingsPageVisibility: Specifies the list of pages to show or hide from the System Settings app.
Previously: User, Now: Both
- StartMenu.admx\NoFrequentUsedPrograms: If you enable this setting, the frequently used programs list is removed from the Start menu.
- StartMenu.admx\NoMoreProgramsList: If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu.
- StartMenu.admx\NoRecentDocsHistory: Prevents the operating system and installed programs from creating and displaying shortcuts to recently opened documents.
- StartMenu.admx\ForceStartSize: If you enable this policy and set it to Start menu or full screen Start, Start will be that size and users will be unable to change the size of Start in Settings.
- StartMenu.admx\HideRecentlyAddedApps: This policy allows you to prevent the Start Menu from displaying a list of recently installed applications.