Thursday, 06 September 2018 11:24

Group Policy Changes in Windows 10 1809 Preview

Written by
Rate this item
(0 votes)

image

As Windows 10 Redstone 5 Update (1809) development winds down and Microsoft is now beginning the phase of checking in final code to prepare for the final release of the Windows 10 October 2018 Update, it’s that time again to examine updated and new Group Policy settings. There is (obviously) no official documentation from the Group Policy team at this point. However, since the Windows 10 October 2018 Update is pretty much feature complete and is undergoing the final round of testing, it can't hurt to poke around ADMX files because there are truly several things duller in our line of work than comparing thousands of lines of text. Right?

Based on my results, the following Group Policy settings were added in Windows 10, version 1809 (Insider build 17751.1), or modified to an extent that warrants listing them here:

Note: An Excel spreadsheet containing policy descriptions, registry paths and possible settings (where applicable) is attached to this post. Please keep in mind, that the text-based analysis is somewhat error-prone, so take the information below with a grain of salt.

ADMX File Parent Category Policy Class
AppHVSI.admx Windows Defender Application Guard Turn on Windows Defender Application Guard in Enterprise Mode Machine
AppHVSI.admx Windows Defender Application Guard Allow Windows Defender Application Guard to use Root Certificate Authorities from the user’s device Machine
AppHVSI.admx Windows Defender Application Guard Allow camera and microphone access in Windows Defender Application Guard Machine
AppHVSI.admx Windows Defender Application Guard Allow users to trust files that open in Windows Defender Application Guard Machine
AppHVSI.admx Windows Defender Application Guard Configure additional sources for untrusted files in Windows Defender Application Guard. Machine
DataCollection.admx   Disable deleting diagnostic data Machine
DataCollection.admx   Disable diagnostic data viewer. Machine
DataCollection.admx   Configure Microsoft 365 Update Readiness upload endpoint Machine
MicrosoftEdge.admx Microsoft Edge Allow Sideloading of extension Both
MicrosoftEdge.admx Microsoft Edge Allow FullScreen Mode Both
MicrosoftEdge.admx Microsoft Edge Allow printing Both
MicrosoftEdge.admx Microsoft Edge Allow Saving History Both
MicrosoftEdge.admx Microsoft Edge Configure Favorites Bar Both
MicrosoftEdge.admx Microsoft Edge Configure collection of browsing data for Microsoft 365 Analytics Both
MicrosoftEdge.admx Microsoft Edge Configure Home Button Both
MicrosoftEdge.admx Microsoft Edge Configure Open Microsoft Edge With Both
MicrosoftEdge.admx Microsoft Edge Prevent turning off required extensions Both
MicrosoftEdge.admx Microsoft Edge Prevent certificate error overrides Both
OOBE.admx OOBE Don't launch privacy settings experience on user logon Both
Passport.admx Windows Hello for Business Use Windows Hello for Business certificates as smart card certificates Machine
SmartScreen.admx Explorer Configure App Install Control Machine
WCM.admx Windows Connection Manager Enable Windows to soft-disconnect a computer from a network Machine
WindowsDefender.admx Windows Defender Antivirus Configure detection for potentially unwanted applications Machine
WindowsDefender.admx Scan Configure low CPU priority for scheduled scans Machine
WindowsDefender.admx Device security Disable the Clear TPM button Machine
WindowsDefender.admx Device security Hide the TPM Firmware Update recommendation. Machine
WindowsDefender.admx Systray Hide Windows Security Systray Machine
WindowsUpdate.admx Windows Update Remove access to "Pause updates" feature Machine

In terms of new features, there isn’t anything to be excited about the Windows 10 October 2018 Update as Microsoft's primary focus this time around appears to be the improvement of the overall OS quality and Windows 10 hardening instead of implementation of new features which are so meaningless, that they could literally make your brain hurt.

Notable changes are:

Security:

  • Windows Defender Application Guard in Enterprise Mode provides unprecedented protection against targeted threats using Microsoft’s Hyper-V virtualization technology and now supports Microsoft Office applications in addition to Microsoft Edge. You can enforce Windows Defender Application Guard for Microsoft Edge only, for Microsoft Office only or both.
  • You can now enable camera and microphone access in Windows Defender Application Guard container.
  • You can now configure required actions and validations that gives users the option to trust files that open in Application Guard. (Note: By default users are not able to trust files that open in Application Guard.) If you configure this setting, users will be able to open UI in Windows that enables them to explicitly trust selected files. You can optionally require that the files are cleared by the antivirus program that is installed on the user’s device prior to opening on the host.
  • In addition, you can now configure additional sources for untrusted files which will always open in Windows Defender Application Guard, including removable media, network shares (Note: If you want to explicitly trust a network location and prevent files from that location from opening in Application Guard, use one of the Network Isolation policies.) and files with Mark of the Web (MotW). If you disable or don't configure this setting, only files downloaded from Application Guard for Microsoft Edge will open in Application Guard for Microsoft Word, Excel, or PowerPoint.
  • Windows 10 October 2018 Update introduces the App Install Control feature that helps protect PCs by allowing users to install apps only from the Store. Note: SmartScreen must be enabled for this feature to work properly.
  • Windows Defender now supports low CPU priority mode for scheduled scans.

UI:

  • Starting with Windows 10, version 1809 you can disable the Delete diagnostic data button in Diagnostic & Feedback Settings page.
  • You can now prevent users from launching the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page.
  • As Microsoft continues to tweak the user experience, you can now disable the Clear TPM button in the Windows Security Center as well as hide the recommendation to update TPM Firmware when a vulnerable firmware is detected. In addition, you can also opt to hide Windows Security systray.
  • When logging into a new user account for the first time or after an upgrade in some scenarios, that user may be presented with a screen or series of screens that prompts the user to choose privacy settings for their account. You can now prevent this OOBE experience from launching.
  • You can now prevent users from accessing the "Pause updates" Windows Update feature.

Microsoft Edge:

Microsoft is determined to make Microsoft Edge the safest and most modern browser. Over the past three years, the company has been continuously innovating, and the quality of engineering is reflected in the latest improvements being introduced with the Windows 10 October 2018 Update:

  • You can now specify whether unverified extensions can be sideloaded in Microsoft Edge.
  • You can now prohibit users from using the full-screen mode, which shows only the web content and hides the Microsoft Edge UI.
  • You can now restrict whether printing web content in Microsoft Edge is allowed.
  • You can now prevent Microsoft Edge from saving your user's browsing history, which is made up of info about the websites they visit, on their devices.
  • You can now specify whether to set the favorites bar to always be visible or hidden on any page.
  • You can now lock down the Home button to either load the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy.
  • You can now configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it.
  • You can now define a list of extensions in Microsoft Edge that users cannot turn off. Note: You must deploy extensions through any available enterprise deployment channel.
  • You can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID.
  • You can now prevent users from from bypassing the security warning to sites that have SSL errors.

Additionally, the Group Policy team is apparantely changing the scope of some policies as follows:

Previously: Machine, Now: Both

  • ControlPanel.admx\SettingsPageVisibility: Specifies the list of pages to show or hide from the System Settings app.

Previously: User, Now: Both

  • StartMenu.admx\NoFrequentUsedPrograms: If you enable this setting, the frequently used programs list is removed from the Start menu.
  • StartMenu.admx\NoMoreProgramsList: If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu.
  • StartMenu.admx\NoRecentDocsHistory: Prevents the operating system and installed programs from creating and displaying shortcuts to recently opened documents.
  • StartMenu.admx\ForceStartSize: If you enable this policy and set it to Start menu or full screen Start, Start will be that size and users will be unable to change the size of Start in Settings.
  • StartMenu.admx\HideRecentlyAddedApps: This policy allows you to prevent the Start Menu from displaying a list of recently installed applications.
Read 12035 times
  1. Comments (0)

  2. Add yours

Comments (0)

There are no comments posted here yet

Leave your comments

  1. Posting comment as a guest.
0 Characters
Attachments (0 / 3)
Share Your Location

Recent Posts