Latest posts by Wolfgang Sommergut (see all)
- Group Policies in Windows 10 1909: ADMX download, three new GPO settings - Wed, Nov 27 2019
- Encrypt event logs and files with PowerShell and group policies - Mon, Nov 25 2019
- Issuing certificates for document encryption (Cryptographic Message Syntax) - Thu, Nov 21 2019
Due to the relatively few innovations in Windows 10 1909 (19H2), it is not surprising that the group policies didn't get too many new settings either. In order to determine the differences, you must compare the actual files due to the lack of documentation.
One new setting for Enterprise Mode ^
It turns out that compared to 1903, Microsoft has only changed two ADMX files, DeviceInstallation.admx and inetres.admx for Internet Explorer. The latter now includes an additional option called KeepIntranetSitesInInternetExplorer to manage cooperation with Edge. The description states:
Prevents intranet sites from being opened in any browser except Internet Explorer. But note that If the ‘Send all sites not included in the Enterprise Mode Site List to Microsoft Edge’ (‘RestrictIE’) policy isn’t enabled, this policy has no effect.
Allow or block certain PnP devices ^
The two new settings in DeviceInstallation.admx are Prevent installation of devices that match any of these device IDs and Allow installation of devices that match any of these device instance IDs.
These settings allow administrators to put plug-and-play devices with a specific instance ID on a blacklist or whitelist, so they are, for example, able to block them. So Windows now offers more granular mechanisms to handle USB devices.
The instance ID of the devices can be determined using PowerShell, like this:
Get-PnpDevice | select friendlyName, InstanceID
Office templates no longer included ^
If you unpack the templates for Windows 10 1903 and 1909 into separate folders under the same directory, you'll quickly realize by using the old command interpreter
for %i in (*.admx) do if not exist ..\admx-1909\%i echo %i
that Microsoft no longer delivers the templates for Office in the current ADMX package.
As usual, the latest group policy administrative templates are included on every workstation with Windows 10 1909 under %systemroot%\PolicyDefinitions. However, they are limited to the language files for English and the language of the localized operating system. Also missing are ADMX files that are irrelevant to local group policies, such as GroupPolicyPreferences.admx.
The complete templates for Windows 10 1909 are available via Microsoft's ADMX download from this page. It is available as an MSI package and includes all language files. After unpacking to the directory of your choice, you can copy the templates to the Central Store using
as the destination.
The administrative templates for the group policies reflect the fact that Windows 10 1909 offers hardly any new features and are limited to only three new settings. The ADK even remains at version 1903, which also covers 1909. The GPO settings spreadsheet is still stuck at version 1809, so Microsoft will hopefully update this documentation soon.
An update for the security baseline has also been released. It doesn't add any new settings but has removed 4 existing ones. Most notably the baseline doesn't enforce expiration dates for machine account passwords any more. In addition it stops blocking Thunderbolt devices and doesn't recommend to use Exploit Protection because of compatibility issues.