Since the previous releases of Windows 10 included only a few new GPO settings, Microsoft has decided to introduce some interesting options with 21H2. Among other things, these include the installation of devices, printing, updates, the sandbox, Microsoft Defender, and the ability to collect diagnostic data.

All currently available documentation, as well as the ADMX-Download, relates exclusively to Windows 11, which has the same version number as the last Windows 10, namely 21H2. Most of the new group policies also apply to Windows 10 21H2, but sadly, the administrative templates shipped with the preview are still outdated.

The best thing to do is install the new templates for Windows 11 and check the individual settings to see whether they are also supported under Windows 10. However, this information is not available for some of them, such as those for Windows Sandbox. The corresponding ADMX file is missing under Windows 10 21H2.

Several new settings ^

If you believe the current Group Policy Settings Reference Spreadsheet, then Windows 11 brings a whopping 111 new settings. However, most of them are only the result of the notoriously poor documentation.

According to Microsofts Excel spreadsheet Windows 11 and Windows 10 21H2 introduce more than 100 new settings

According to Microsofts Excel spreadsheet Windows 11 and Windows 10 21H2 introduce more than 100 new settings

For example, all settings for Windows Update are considered new just because Microsoft has reordered them in a new folder structure. In addition, there are those whose names have changed, such as from Allow Telemetry to Allow Diagnostic Data. They also count as new.

If you take a look at the documentation of the security baseline, it shows a clearer picture. The Excel spreadsheete shows 61 new settings. If you remove the duplicates between the computer and the user scopes, then 56 remain.

DoH and device installation ^

Among those that remain are only two settings that actually apply to new features. The first is Configure DNS over HTTPS (DoH) name resolution, with which you can deactivate, force, or simply allow DNS over HTTPS. This option is missing in Windows 10, but the template for Windows 11 specifies Vista as the minimum OS version supported.

Group Policy for the central configuration of DNS over HTTPS

Group Policy for the central configuration of DNS over HTTPS

The second major innovation is about device installation. There, thanks to the option Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria, you now get finer control over which devices users are allowed to install.

New setting to change the logic when processing the rules for device installation

New setting to change the logic when processing the rules for device installation

Different sources depending on the type of update ^

21H2 brings an interesting new option for Windows Update. Specify source service for specific classes of Windows Updates now allows you to obtain different types of updates (quality, feature update, driver, or other) from WSUS or Windows Update, respectively.

For different classes of updates you can now choose between WSUS and Windows Update

For different classes of updates you can now choose between WSUS and Windows Update

Before configuring this setting, you should disable Do not allow update deferral policies to cause scans against Windows Update.

If you use the templates for Windows 11, you can find this setting in the new Legacy Guidelines folder.

New policies for printing ^

In the aftermath of the vulnerabilities known as "PrintNightmare", Microsoft has introduced some restrictions on printers.

Limit print driver installation to Administrators can be used to reactivate Point and Print for standard users after the August update. It is not part of the normal administrative templates, but shipped with the security baseline's SecGuide.admx.

The option of restricting printing to certain devices is also new. With Enable Device Control Printing Restrictions, only printers in the corporate network or approved USB printers are allowed.

Admins can now restrict printing to specific devices via GPO

Admins can now restrict printing to specific devices via GPO

This setting is supplemented by a setting called List of approved USB-connected print devices. There, you enter the VID or PID of the allowed USB printers.

Microsoft Defender ^

Microsoft Defender has eight new settings. Among them is the possibility of excluding certain IP addresses from scans. Turn on script scanning has even made it into the current security baseline as a recommendation.

These two options are also missing from the Windows 10 templates. Since Windows 8 or Windows 10 1709 are mentioned as minimum requirements, they should be applicable there as well.

Windows Sandbox configuration ^

There are many new Group Policies for the Sandbox. They can be used to control whether audio and video input, network, printers, or a virtual GPU should be available in the VM. Another option determines whether one can exchange data with the sandbox via the clipboard.

As mentioned, these settings are missing in the Windows 10 21H2 templates; the information about the supported versions of Windows isn't provided either. Therefore, these options should only take effect from Windows 11 onwards.

Diagnostic data ^

Four new settings help to control Microsoft's data collection. For example, with Limit dump collection, you can restrict memory dumps to kernel mini-dumps and user-mode dumps.

Another setting limits the collection of diagnostic logs. Two additional options are used to regulate interaction with the OneSettings service (logging and downloads).

Disable GUI features ^

Some of the new settings you can use to remove unnecessary or annoying features from the desktop should be of interest in professional environments. This applies, for example, to animations on the lock screen (Turn off spotlight collection on desktop and Prevent lock screen background motion).

Removing the list of most frequently used apps from the Start menu

Removing the list of most frequently used apps from the Start menu

The option to disable widgets also falls into this category. It is missing from the Windows 10 templates and should only apply to the new widgets in Windows 11. However, according to the GPO editor, it should also support the previous OS.

Hiding the "most frequently used" list from the Start menu should also be welcome in many cases.

Conclusion ^

Windows 10 / 11 21H2 includes a whole new set of group policies. Only two of them control new features; the rest extend the central administration of existing components.

The setting for determining the source for certain update types is appealing. Microsoft Defender and Printing are given more security-related options.

The excitement over these new options is once again marred by Microsoft's sloppy documentation and lack of attention in the last version of Windows 10. At this point, admins will have to install the ADMX templates for Windows 11 and see which of the new settings also works for Windows 10.

avatar
0 Comments

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account