Shortly after the release of the latest Windows 10 version, Microsoft published the corresponding administrative templates for the group policies. Compared to release 1903, the changes are only minor and the documentation hasn't been updated since Windows 10 1809.

Wolfgang Sommergut

Wolfgang Sommergut has over 20 years of experience in IT journalism. He has also worked as a system administrator and as a tech consultant. Today he runs the German publication WindowsPro.de.

Due to the relatively few innovations in Windows 10 1909 (19H2), it is not surprising that the group policies didn't get too many new settings either. In order to determine the differences, you must compare the actual files due to the lack of documentation.

One new setting for Enterprise Mode

It turns out that compared to 1903, Microsoft has only changed two ADMX files, DeviceInstallation.admx and inetres.admx for Internet Explorer. The latter now includes an additional option called KeepIntranetSitesInInternetExplorer to manage cooperation with Edge. The description states:

Prevents intranet sites from being opened in any browser except Internet Explorer. But note that if the ‘Send all sites not included in the Enterprise Mode Site List to Microsoft Edge’ (‘RestrictIE’) policy isn’t enabled, this policy has no effect.

A new GPO setting for Internet Explorer helps to configure the Enterprise Mode


Allow or block certain PnP devices

The two new settings in DeviceInstallation.admx are "Prevent installation of devices that match any of these device IDs" and "Allow installation of devices that match any of these device instance IDs."

New GPO setting in Windows 10 1909 for blacklisting certain PnP devices


These settings allow administrators to put plug-and-play devices with a specific instance ID on a blacklist or whitelist, for example to block an individual device. Windows thus offers more granular mechanisms for handling USB devices.

The instance ID of the devices can be determined using PowerShell, like this:

Get instance ID of PnP devices with PowerShell
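One way to collect the instance IDs for these settings, as an added example that is not the article's own command. It uses the built-in Get-PnpDevice cmdlet; the function names and the approved-ID list are hypothetical, and the sample IDs are constructed.

```powershell
# Added example: list present USB-attached PnP devices with their instance IDs
# and flag any device whose instance ID is not on a reviewed list.

function Get-UsbInstanceId {
    [CmdletBinding()]
    param(
        # Enumerator is the first segment of the instance ID (e.g. USB\VID_...).
        [string[]]$Enumerator = @('USB', 'USBSTOR')
    )

    Get-PnpDevice -PresentOnly |
        Where-Object {
            $prefix = ($_.InstanceId -split '\\')[0]
            $Enumerator -contains $prefix
        } |
        Sort-Object Class, FriendlyName |
        Select-Object FriendlyName, Class, Status, InstanceId
}

function Find-UnapprovedUsbDevice {
    [CmdletBinding()]
    param(
        # Instance IDs that were reviewed for the "Allow installation" setting.
        [Parameter(Mandatory)]
        [string[]]$ApprovedInstanceId
    )

    # -contains compares strings case-insensitively in PowerShell.
    Get-UsbInstanceId |
        Where-Object { $ApprovedInstanceId -notcontains $_.InstanceId }
}

# Constructed sample values, not real devices.
$approved = @(
    'USB\VID_0000&PID_0001\CONSTRUCTED0001',
    'USBSTOR\DISK&VEN_EXAMPLE&PROD_DRIVE&REV_1.00\CONSTRUCTED0002&0'
)

# 1) Review everything that is currently attached.
Get-UsbInstanceId | Format-Table -AutoSize

# 2) Show devices that are attached but not on the reviewed list.
Find-UnapprovedUsbDevice -ApprovedInstanceId $approved |
    Format-Table FriendlyName, InstanceId -AutoSize
```

The InstanceId column is the value to paste into the policy's list; it identifies one specific device rather than a device model.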


Office templates no longer included

If you unpack the templates for Windows 10 1903 and 1909 into separate folders under the same directory, you'll quickly realize by using the old command interpreter that Microsoft no longer delivers the templates for Office in the current ADMX package.

The Office templates are no longer included with the ADMX download


Installation

As usual, the latest group policy administrative templates are included on every workstation with Windows 10 1909 under %systemroot%\PolicyDefinitions. However, they are limited to the language files for English and the language of the localized operating system. Also missing are ADMX files that are irrelevant to local group policies, such as GroupPolicyPreferences.admx.

The complete templates for Windows 10 1909 are available via Microsoft's ADMX download from this page. It is available as an MSI package and includes all language files. After unpacking to the directory of your choice, you can copy the templates to the Central Store using

\\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions

as the destination.

Conclusion

The administrative templates for the group policies reflect the fact that Windows 10 1909 offers hardly any new features and are limited to only three new settings. The ADK even remains at version 1903, which also covers 1909. The GPO settings spreadsheet is still stuck at version 1809, so Microsoft will hopefully update this documentation soon.

An update for the security baseline has also been released. It doesn't add any new settings but has removed 4 existing ones. Most notably, the baseline doesn't enforce expiration dates for machine account passwords anymore. In addition, it stops blocking Thunderbolt devices and doesn't recommend using Exploit Protection because of compatibility issues.

© 4sysops 2006 - 2019
