Wednesday, 06 March 2019 13:40

Group Policy Changes in Windows 10 1903 Preview


As development of the Windows 10 April 2019 Update (codenamed 19H1) winds down, it's a good time to examine the new and updated Group Policy settings. There may still be a few changes to Group Policy settings before Windows 10, version 1903 hits RTM, but it can't hurt to poke around the current ADMX files because, let's be honest, there is hardly anything duller in our line of work than comparing thousands of lines of XML. Right?

Based on my results, the following Group Policy settings were added in Windows 10, version 1903 (Insider build 18341), or modified to an extent that warrants listing them here:

Note: An Excel spreadsheet containing policy descriptions, registry paths and possible settings (where applicable) is attached to this post. Please keep in mind that the text-based analysis is somewhat error-prone, so take the information below with a grain of salt.

ADMX File | Parent Category | Policy | Class
AppPrivacy.admx | App Privacy | Let Windows apps activate with voice | Machine
AppPrivacy.admx | App Privacy | Let Windows apps activate with voice while the system is locked | Machine
CredUI.admx | Credential User Interface | Prevent the use of security questions for local accounts | Machine
DataCollection.admx | (not listed) | Allow commercial data pipeline | Machine
DeliveryOptimization.admx | Delivery Optimization | Delay Background download Cache Server fallback (in seconds) | Machine
DeliveryOptimization.admx | Delivery Optimization | Delay Foreground download Cache Server fallback (in seconds) | Machine
MDM.admx | MDM | Enable automatic MDM enrollment using default Azure AD credentials | Machine
MSDT.admx | Microsoft Support Diagnostic Tool | Troubleshooting: Allow users to access recommended troubleshooting for known problems | Machine
ServiceControlManager.admx | Security Settings | Enable svchost.exe mitigation options | Machine
StorageSense.admx | Storage Sense | Allow Storage Sense | Machine
StorageSense.admx | Storage Sense | Configure Storage Sense cadence | Machine
StorageSense.admx | Storage Sense | Allow Storage Sense Temporary Files cleanup | Machine
StorageSense.admx | Storage Sense | Configure Storage Sense Recycle Bin cleanup threshold | Machine
StorageSense.admx | Storage Sense | (policy name missing from the source list) | Machine
StorageSense.admx | Storage Sense | Configure Storage Sense Cloud Content dehydration threshold | Machine
TerminalServer.admx | Remote Session Environment | Use WDDM graphics display driver for Remote Desktop Connections | Machine
WindowsUpdate.admx | Windows Update | Specify deadlines for automatic updates and restarts | Machine
WinLogon.admx | Windows Logon Options | Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot | Machine
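
The comparison behind the list above can be scripted rather than diffed by eye. The following PowerShell is an added example, not the author's tooling and not the spreadsheet attached to this post: it parses every ADMX in two PolicyDefinitions folders, resolves the display strings from the matching ADML files, and reports policies that were added, removed, or changed their display name, class or registry target. It assumes the two folders were copied from C:\Windows\PolicyDefinitions of a 1809 and a 1903 machine to C:\ADMX\1809 and C:\ADMX\1903 (including the en-US subfolder); adjust the paths to your lab.

```powershell
# Added example: diff the policies defined by two PolicyDefinitions folders.
# Assumed layout: C:\ADMX\1809 and C:\ADMX\1903, each copied from
# C:\Windows\PolicyDefinitions and each containing an en-US subfolder.
param(
    [string]$OldRoot  = 'C:\ADMX\1809',   # assumed path
    [string]$NewRoot  = 'C:\ADMX\1903',   # assumed path
    [string]$Language = 'en-US'
)

function Resolve-AdmlString {
    # Turn a '$(string.Id)' reference into the display text from the ADML string table.
    param([string]$Ref, [hashtable]$Strings)
    if ($Ref -match '^\$\(string\.(.+)\)$' -and $Strings.ContainsKey($Matches[1])) {
        return $Strings[$Matches[1]]
    }
    return $Ref
}

function Get-AdmxPolicy {
    # Emit one object per <policy> in every .admx under $Root: resolved display name,
    # parent category, class (Machine/User) and the registry key/value it writes.
    param([string]$Root, [string]$Language)
    foreach ($admx in Get-ChildItem -LiteralPath $Root -Filter *.admx) {
        [xml]$def = Get-Content -LiteralPath $admx.FullName -Raw

        # Display strings live in the matching .adml of the chosen language.
        $strings = @{}
        $adml = Join-Path (Join-Path $Root $Language) ($admx.BaseName + '.adml')
        if (Test-Path -LiteralPath $adml) {
            [xml]$res = Get-Content -LiteralPath $adml -Raw
            foreach ($s in @($res.policyDefinitionResources.resources.stringTable.string)) {
                if ($s) { $strings[$s.GetAttribute('id')] = $s.InnerText }
            }
        }

        # Categories defined in this file are resolved; refs into other files
        # (for example 'windows:System') are kept as the raw reference.
        $categories = @{}
        foreach ($c in @($def.policyDefinitions.categories.category)) {
            if ($c) { $categories[$c.GetAttribute('name')] = Resolve-AdmlString $c.GetAttribute('displayName') $strings }
        }

        foreach ($p in @($def.policyDefinitions.policies.policy)) {
            if (-not $p) { continue }
            $catRef   = [string]$p.parentCategory.ref
            $category = if ($categories.ContainsKey($catRef)) { $categories[$catRef] } else { $catRef }
            [pscustomobject]@{
                File      = $admx.Name
                Name      = $p.GetAttribute('name')        # internal name, stable across builds
                Policy    = Resolve-AdmlString $p.GetAttribute('displayName') $strings
                Category  = $category
                Class     = $p.GetAttribute('class')
                Key       = $p.GetAttribute('key')
                ValueName = $p.GetAttribute('valueName')
            }
        }
    }
}

# Index both builds by file + internal policy name, then classify each entry.
$old = @{}; foreach ($p in Get-AdmxPolicy $OldRoot $Language) { $old["$($p.File)|$($p.Name)"] = $p }
$new = @{}; foreach ($p in Get-AdmxPolicy $NewRoot $Language) { $new["$($p.File)|$($p.Name)"] = $p }

$report = foreach ($k in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
    if (-not $old.ContainsKey($k))     { $change = 'Added';   $p = $new[$k] }
    elseif (-not $new.ContainsKey($k)) { $change = 'Removed'; $p = $old[$k] }
    else {
        # 'Modified' here means display name, class or registry target changed;
        # a full text diff (as in the post) would also catch changed explain text.
        $before = ($old[$k].Policy, $old[$k].Class, $old[$k].Key, $old[$k].ValueName) -join '|'
        $after  = ($new[$k].Policy, $new[$k].Class, $new[$k].Key, $new[$k].ValueName) -join '|'
        if ($before -eq $after) { continue }
        $change = 'Modified'; $p = $new[$k]
    }
    [pscustomobject]@{
        Change = $change; File = $p.File; Category = $p.Category; Policy = $p.Policy
        Class = $p.Class; Key = $p.Key; ValueName = $p.ValueName
    }
}

$report | Sort-Object Change, File, Policy | Format-Table -AutoSize
$report | Export-Csv -LiteralPath (Join-Path $NewRoot 'policy-diff.csv') -NoTypeInformation
```

Rows whose category is defined in another ADMX file show the raw reference (the category display name would require loading that file as well); the policy's own file, display name, class and registry key/value are what you need to rebuild a spreadsheet like the one attached to this post. Note that the 'Modified' criterion here is narrower than a plain text diff of the ADMX/ADML files, which also flags changes to explain text and supported-on strings.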

In terms of new features, there isn't much to get excited about in the Windows 10 19H1 Update. Microsoft's primary focus appears to be improving overall OS quality and simplifying Windows servicing terminology by aligning it with Office, rather than implementing new features for their own sake.

Notable changes are:

Privacy:

  • You can now configure whether employees in your organization can activate Windows apps by voice. This policy is applied to Windows apps and Cortana.
  • You can now control whether users can interact with applications using speech while the system is locked. This policy is applied to Windows apps and Cortana.
  • You can now decide whether data collected from the device will be opted into the Windows enterprise data pipeline.
    Note: If you don't configure this setting, all data from the device will be collected and processed in accordance with Microsoft's policies for the Windows standard data pipeline. Configuring this setting does not change the telemetry collection level or the ability of the user to change the level. This setting only applies to the Windows operating system and apps included with Windows, not third-party apps or services running on Windows 10.

Security:

  • You can now configure whether local users are able to set up and use security questions to reset their passwords.
  • You can enable stricter svchost.exe mitigation options, meaning that built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically-generated code.
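
Enabling the policy is one thing; confirming that service processes actually run with those mitigations is what an auditor wants. The following PowerShell is an added example, not from the post or from Microsoft: it reads the policy value and then asks the ProcessMitigations module (part of Windows 10 1709 and later) for the Microsoft-signed-only and dynamic-code state of every running svchost.exe. The registry key and value name used for the policy are assumptions, labelled in the code; run it from an elevated session.

```powershell
# Added example: audit svchost.exe processes for the two mitigations the
# 'Enable svchost.exe mitigation options' policy describes: Microsoft-signed-only
# image loading (CIG) and no dynamically generated code (ACG).
# The policy registry location below is an assumption, not taken from the post.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScHost'   # assumed
$policyValue = 'SvcHostMitigationEnabled'                            # assumed

function Get-SvchostMitigationState {
    # Policy value as written by Group Policy, or $null when the key/value is absent.
    $configured = (Get-ItemProperty -Path $policyKey -Name $policyValue -ErrorAction SilentlyContinue).$policyValue

    # Actual per-process state. Mitigation policies are applied when the svchost
    # process starts, so services that were already running before the policy
    # arrived keep their old state until they (or the machine) restart.
    $processes = foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        # Protected processes may refuse inspection; skip rather than misreport them.
        try { $m = Get-ProcessMitigation -Id $proc.Id } catch { continue }
        [pscustomobject]@{
            PID                 = $proc.Id
            MicrosoftSignedOnly = [string]$m.BinarySignature.MicrosoftSignedOnly   # CIG
            BlockDynamicCode    = [string]$m.DynamicCode.BlockDynamicCode          # ACG
        }
    }

    [pscustomobject]@{
        PolicyValue = $configured
        Inspected   = @($processes).Count
        NotEnforced = @($processes | Where-Object { $_.MicrosoftSignedOnly -ne 'ON' -or $_.BlockDynamicCode -ne 'ON' })
        Processes   = @($processes)
    }
}

$state = Get-SvchostMitigationState
"Policy value: $($state.PolicyValue); svchost processes inspected: $($state.Inspected); without both mitigations: $($state.NotEnforced.Count)"
$state.NotEnforced | Format-Table -AutoSize
```

Expect the audit to turn green only after a reboot, since the mitigations are set at process start. A PID the cmdlet cannot inspect is skipped rather than counted as non-compliant, so an Inspected count noticeably lower than the number of svchost processes is itself worth a look. If the property names differ on your build, `Get-ProcessMitigation -Id <pid> | Format-List` shows what the module reports.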

Deployment:

  • You can now specify whether to automatically enroll the device to the Mobile Device Management (MDM) service configured in Azure Active Directory (Azure AD). If the enrollment is successful, the device will be managed by the MDM service.
  • The Windows 10 April 2019 Update adds recommended troubleshooting to help users in your organization resolve known problems that Windows finds on the device. The corresponding Group Policy setting lets you configure whether and how recommended troubleshooting for known problems is applied in your domains/IT environments.
    Note: If you don't configure this policy setting, the user can choose whether and how recommended troubleshooting is applied.

Windows Update:

  • You can now specify the number of days that a user has before quality and feature updates are installed on their devices automatically, and a grace period after which required restarts occur automatically.
    Note: Updates and restarts will occur regardless of active hours, and the user will not be able to reschedule. Deadlines for feature updates and quality updates can be up to 30 days. The auto-restart grace period can be from 0 to 7 days.
  • Note that beginning with Windows 10, version 1903, the following Windows readiness levels are deprecated and only apply to version 1809 and earlier: Semi-Annual Channel (SAC) and Semi-Annual Channel (Targeted) (SAC-T).

Misc:

  • Starting with Windows 10, version 1903, Microsoft introduces several Storage Sense Group Policy settings designed to keep the storage of your employees' devices optimized. You configure the default behavior centrally, so end users no longer need to configure it themselves.
  • You can now configure whether Remote Desktop connections use the WDDM graphics display driver.
  • You can now configure the mode of automatically signing in and locking the last interactive user after a restart or cold boot.
    Note: If you disable or don't configure this setting, automatic sign-in defaults to the "Enabled if BitLocker is on and not suspended" behavior.

Additionally, Microsoft added a number of Delivery Optimization settings that let you restrict peer selection to the Azure AD tenant ID and delay the fallback from the cache server to the HTTP source for background (or foreground) downloads by a configurable number of seconds.

As a side note, BitLocker now uses software-based encryption for fixed and removable data drives irrespective of whether hardware-based encryption is available. Previously, BitLocker Drive Encryption defaulted to hardware-based encryption, with the encryption algorithm set by the drive, whenever the drive supported it. The new default follows the weaknesses found in the hardware encryption of several self-encrypting drives (Microsoft security advisory ADV180028); the "Configure use of hardware-based encryption" policies still let you opt back in explicitly, and drives that are already encrypted are not converted.

And finally, Remote Desktop licensing now supports the Azure AD per-user licensing mode, which requires that each user account connecting to an RD Session Host server has a service plan that supports RDS licenses assigned in Azure AD.

Last modified on Thursday, 07 March 2019 11:25

Comments
Some nice improvements, but I can't find where to download the templates from? Please can you share a DL location as I'd like to test 1903 in my LAB.

Raymond Durrett

We (as in Microsoft) are still working on the templates and will release them shortly. In the meantime, you could always grab the ADMX files from the PolicyDefinitions folder (located in C:\Windows) of a freshly installed 1903 machine.

Anton Romanyuk

I would not really recommend using 1903 ADMX files unless you absolutely have to - there are still a few kinks to work out.

Anton Romanyuk

Many thanks for your information

REMY