- New Group Policy settings in Windows 11 23H2 - Mon, Nov 20 2023
- Windows Server 2025 will support SMB over QUIC in all editions - Fri, Nov 17 2023
- Switch between Windows Terminal and the legacy console - Thu, Nov 16 2023
Due to the relatively few innovations in Windows 10 1909 (19H2), it is not surprising that the group policies didn't get too many new settings either. In order to determine the differences, you must compare the actual files due to the lack of documentation.
One new setting for Enterprise Mode
It turns out that compared to 1903, Microsoft has only changed two ADMX files, DeviceInstallation.admx and inetres.admx for Internet Explorer. The latter now includes an additional option called KeepIntranetSitesInInternetExplorer to manage cooperation with Edge. The description states:
Prevents intranet sites from being opened in any browser except Internet Explorer. But note that If the ‘Send all sites not included in the Enterprise Mode Site List to Microsoft Edge’ (‘RestrictIE’) policy isn’t enabled, this policy has no effect.
A new GPO setting for internet Explorer helps to configure the Enterprise Mode
Allow or block certain PnP devices
The two new settings in DeviceInstallation.admx are Prevent installation of devices that match any of these device IDs and Allow installation of devices that match any of these device instance IDs.
New GPO setting in Windows 10 1909 for blacklisting certain PnP devices
These settings allow administrators to put plug-and-play devices with a specific instance ID on a blacklist or whitelist, so they are, for example, able to block them. So Windows now offers more granular mechanisms to handle USB devices.
The instance ID of the devices can be determined using PowerShell, like this:
Get-PnpDevice | select friendlyName, InstanceID
Get instance ID of PnP devices with PowerShell
Office templates no longer included
If you unpack the templates for Windows 10 1903 and 1909 into separate folders under the same directory, you'll quickly realize by using the old command interpreter
for %i in (*.admx) do if not exist ..\admx-1909\%i echo %i
that Microsoft no longer delivers the templates for Office in the current ADMX package.
The Office templates are no longer included with the ADMX download
Installation
As usual, the latest group policy administrative templates are included on every workstation with Windows 10 1909 under %systemroot%\PolicyDefinitions. However, they are limited to the language files for English and the language of the localized operating system. Also missing are ADMX files that are irrelevant to local group policies, such as GroupPolicyPreferences.admx.
The complete templates for Windows 10 1909 are available via Microsoft's ADMX download from this page. It is available as an MSI package and includes all language files. After unpacking to the directory of your choice, you can copy the templates to the Central Store using
\\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions
as the destination.
Conclusion
The administrative templates for the group policies reflect the fact that Windows 10 1909 offers hardly any new features and are limited to only three new settings. The ADK even remains at version 1903, which also covers 1909. The GPO settings spreadsheet is still stuck at version 1809, so Microsoft will hopefully update this documentation soon.
An update for the security baseline has also been released. It doesn't add any new settings but has removed 4 existing ones. Most notably the baseline doesn't enforce expiration dates for machine account passwords any more. In addition it stops blocking Thunderbolt devices and doesn't recommend to use Exploit Protection because of compatibility issues.
Read the latest IT news and community updates!
Join our IT community and read articles without ads!
Do you want to write for 4sysops? We are looking for new authors.
does this .admx supports windows server 2012 R2 ?
If you look here:
https://www.microsoft.com/en-us/download/100591
It says only Windows Server 2019. So no.
@Microsoft: What’s now true?