Microsoft is increasing the number of Group Policy settings in Windows 10 1903. This time, the new settings are not used to configure new features but rather existing ones. For example, one of the policies can force the installation of updates. And for the first time, you can manage Storage Sense centrally.

Currently, there is no official documentation on the Group Policy Object (GPO) settings for the latest release of Windows 10. For years Microsoft has made this available as an Excel spreadsheet, but its benefits are limited due to the lack of maintenance and data inconsistencies. We have yet to see whether the situation will improve with version 1903.

Extracting settings from ADMX files

I have taken the following data about the new GPO settings directly from the ADMX and ADML files. With PowerShell, you can create a list of all settings relatively easily:

# List the name of every policy defined in the local ADMX templates
$admx = Get-ChildItem "$env:SystemRoot\PolicyDefinitions\*.admx"
$admx | ForEach-Object {
    [xml]$f = Get-Content -Path $_.FullName
    $f.policyDefinitions.policies.policy.name
}

You generate lists for Windows 10 1809 and 1903, and then you compare the two results. However, there are uncertainties and sources of error here as well because the XML structure of the administrative templates is not consistent. For the language files, Microsoft uses at least five different attributes to identify the explanation for the settings.
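One way to carry out the comparison described above, as an added example that is not part of the original article. Get-AdmxPolicy is a hypothetical helper that resolves each policy's display name through the ADML string table, and the two demo folders are constructed stand-ins for real PolicyDefinitions copies from 1809 and 1903.

```powershell
# Added example (not from the original article): list policies with display names
# from an ADMX folder, then diff two folders. Sample templates below are constructed.
function Get-AdmxPolicy {
    param([Parameter(Mandatory)][string]$Path, [string]$Culture = 'en-US')
    foreach ($file in Get-ChildItem -Path $Path -Filter *.admx) {
        [xml]$admx = Get-Content -LiteralPath $file.FullName
        # Load the string table of the matching language file, if present
        $strings = @{}
        $admlPath = Join-Path (Join-Path $Path $Culture) ($file.BaseName + '.adml')
        if (Test-Path -LiteralPath $admlPath) {
            [xml]$adml = Get-Content -LiteralPath $admlPath
            foreach ($s in $adml.policyDefinitionResources.resources.stringTable.string) {
                $strings[$s.id] = $s.'#text'
            }
        }
        foreach ($p in $admx.policyDefinitions.policies.policy) {
            # displayName has the form $(string.Id); strip the wrapper to get the Id
            $id = $p.displayName -replace '^\$\(string\.(.+)\)$', '$1'
            [pscustomobject]@{
                File        = $file.Name
                Name        = $p.name
                Key         = $p.key
                DisplayName = if ($id) { $strings[$id] }
            }
        }
    }
}

# Constructed stand-ins for the 1809 and 1903 PolicyDefinitions folders
$root = Join-Path ([IO.Path]::GetTempPath()) 'admx-diff-demo'
$sample = @{ '1809' = @('PolicyA'); '1903' = @('PolicyA', 'PolicyB') }
foreach ($ver in $sample.Keys) {
    $null = New-Item -ItemType Directory -Force -Path "$root\$ver\en-US"
    $pol = $sample[$ver] | ForEach-Object {
        "<policy name='$_' class='Machine' displayName='`$(string.$_)' key='Software\Demo' />" }
    $str = $sample[$ver] | ForEach-Object { "<string id='$_'>Display name of $_</string>" }
    Set-Content "$root\$ver\demo.admx" "<policyDefinitions><policies>$pol</policies></policyDefinitions>"
    Set-Content "$root\$ver\en-US\demo.adml" ("<policyDefinitionResources><resources><stringTable>" +
        "$str</stringTable></resources></policyDefinitionResources>")
}

# Policies present only in the newer folder; key on file + name
$old = Get-AdmxPolicy -Path "$root\1809"
$new = Get-AdmxPolicy -Path "$root\1903"
Compare-Object $old $new -Property File, Name -PassThru |
    Where-Object SideIndicator -eq '=>' |
    Select-Object File, Name, Key, DisplayName
```

Point -Path at real copies of the two PolicyDefinitions folders to get the actual delta between releases.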

Such an analysis of the ADMX files determines the new settings for Windows 10 1903 as shown in the table at the end of this article. You can find a complete overview with all explanations here.

Force installation of updates

One of the interesting new options is the ComplianceDeadline setting ("Specify deadlines for automatic updates and restarts") for Windows Update. A similar setting was already there, but it only allowed a reboot outside of active hours, and it applied to all updates.

The new option lets admins specify a time period for quality and feature updates separately, within which they must be applied. This forces a restart of the computer within a maximum period of 30 days regardless of active hours and without the possibility for the user to postpone this further.

With a new setting for Windows Update, you can force application of patches within a certain time period

This setting solves the problem of delaying important updates over time due to users not shutting down and logging out of their PCs outside of working hours.

So now you can be nice to your users by avoiding reboots while they are still signed in and still be sure that updates will be applied within a reasonable time period. Automatically calculated active hours give you additional flexibility in deciding when to restart PCs for updates.

Don't confuse this with the Windows Update for Business (WUfB) settings that postpone installing updates and upgrades for a specified period of time.

For WUfB, Windows 10 1903 also introduces two new settings to control cache behavior.

Storage Sense

Storage Sense is a Windows feature that automatically removes redundant files, increasing the amount of space available on disks. Version 1903 allows administrators to control this feature centrally for the first time.

Control of Storage Sense is now possible via GPO

This includes switching this feature on and off via GPO. You can also set thresholds for cleaning the download folder, recycle bin, and files in the cloud. You can also specify whether to delete temporary files.

Windows logon configuration

Windows 10 1903 adds three new settings to the many settings that affect the login process. Firstly, you can configure automatic signing in and locking of the last interactive user after a restart.

You can deactivate the blurred background of the login screen

An additional setting can turn off the blurred background image on the logon screen. And finally, a third option allows an admin to prevent the use of security questions for local accounts.

More settings

New GPO policies also address app voice control, system-related data collection (although it is unclear what role the Windows commercial data pipeline plays in this context), and user access to recommended troubleshooting.

In addition, there is a setting for svchost.exe that requires that the processes it runs only load binary files Microsoft has signed. It can also block dynamically generated code.

Finally, you can enable the Windows Display Driver Model (WDDM) video driver for remote desktop connections using a new policy.

| Setting name | Description |
| --- | --- |
| LetAppsActivateWithVoice | Let Windows apps activate with voice |
| LetAppsActivateWithVoiceAboveLock | Let Windows apps activate with voice while the system is locked |
| NoLocalPasswordResetQuestions | Prevent the use of security questions for local accounts |
| AllowCommercialDataPipeline | Allow the commercial data pipeline |
| DelayCacheServerFallbackBackground | Delay background download cache server fallback (in seconds) |
| DelayCacheServerFallbackForeground | Delay foreground download cache server fallback (in seconds) |
| DisableAcrylicBackgroundOnLogon | Show clear logon background |
| TroubleshootingAllowRecommendations | Troubleshooting: Allow users to access recommended troubleshooting for known problems |
| SvchostProcessMitigationEnable | Enable svchost.exe mitigation options |
| SS_AllowStorageSenseGlobal | Allow Storage Sense |
| SS_ConfigStorageSenseGlobalCadence | Configure Storage Sense cadence |
| SS_AllowStorageSenseTemporaryFilesCleanup | Allow Storage Sense temporary files cleanup |
| SS_ConfigStorageSenseRecycleBinCleanupThreshold | Configure Storage Sense recycle bin cleanup threshold |
| SS_ConfigStorageSenseDownloadsCleanupThreshold | Configure Storage Sense downloads cleanup threshold |
| SS_ConfigStorageSenseCloudContentDehydrationThreshold | Configure Storage Sense cloud content dehydration threshold |
| TS_SERVER_WDDM_GRAPHICS_DRIVER | Use the WDDM graphics display driver for remote desktop connections |
| SignatureUpdate_SharedSignaturesLocation | Define the security intelligence location for virtual desktop infrastructure (VDI) clients. |
| ComplianceDeadline | Specify deadlines for automatic updates and restarts |
| ConfigAutomaticRestartSignOn | Configure the mode of automatically signing in and locking the last interactive user after a restart or cold boot |
10 Comments
  1. Thanks for your nice article. I tried to look for the official documentation on 1903 Group Policy objects but it is not yet available on Microsoft KB. Hoping it will be released …

  2. le reddit armie 4 years ago

    Any link to the new admx templates?

  3. LUk Michels 4 years ago

    Well, since the new 1903 release we have some issues being:

    – after restart the windows logo appears, and the loading "balled" icon

    – then this gets replaced by a black screen, with the loading balls but it won't go through to the login screen

    This issue we have with quite some people, any advice?

  4. Junaid 4 years ago

    Easy way would be to go into C:\windows\PolicyDefinitions Folder and copy the ADMX to your domain CentralStore

  5. Do you know if Administrative Templates are available to download from Microsoft?

    • Wolfgang Sommergut 4 years ago

      Paolo, neither the ADMX files nor the GPO settings spreadsheet for 1903 are available at this time.

  6. Ok, thanks for your reply.

  7. saras 4 years ago

    Hi,

    I have a query. If I deploy the 1903 ADMX template,

    1) What will happen to the existing template and existing settings?

    2) Are there any specific steps to deploy?

    Can somebody guide me through this process?


© 4sysops 2006 - 2023
