Microsoft is extending the number of Group Policy settings in Windows 10 1903. This time they will not be used to configure new features but rather the existing ones. For example, one of the policies can force the installation of updates. And for the first time, you can manage Storage Sense centrally.

Currently, there is no official documentation on the Group Policy Object (GPO) settings for the latest release of Windows 10. For years Microsoft has made this available as an Excel spreadsheet, but its benefits are limited due to the lack of maintenance and data inconsistencies. We have yet to see whether the situation will improve with version 1903.

Extracting settings from ADMX files

I have taken the following data about the new GPO settings directly from the ADMX and ADML files. With PowerShell, you can create a list of all settings relatively easily:

$admx = Get-ChildItem "$env:SystemRoot\PolicyDefinitions\*.admx"
$admx | %{ [xml]$f = Get-Content -Path $_

You generate lists for Windows 10 1809 and 1903, and then you compare the two results. However, there are uncertainties and sources of error here as well because the XML structure of the administrative templates is not consistent. For the language files, Microsoft uses at least five different attributes to identify the explanation for the settings.

Such an analysis of the ADMX files determines the new settings for Windows 10 1903 as shown in the table at the end of this article. You can find a complete overview with all explanations here.

Force installation of updates

One of the interesting new options is the ComplianceDeadline setting ("Specify deadlines for automatic updates and restarts") for Windows Update. A similar setting was already there, but it only allowed a reboot outside of active hours, and it applied to all updates.

The new option lets admins specify a time period for quality and feature updates separately, within which they must be applied. This forces a restart of the computer within a maximum period of 30 days regardless of active hours and without the possibility for the user to postpone this further.

With a new setting for Windows Update, you can force application of patches within a certain time period

With a new setting for Windows Update, you can force application of patches within a certain time period

This setting solves the problem of delaying important updates over time due to users not shutting down and logging out of their PCs outside of working hours.

So now you can be nice to your users by avoiding reboots while they are still signed in and still be sure that updates will be applied within a reasonable time period. Automatically calculated active hours give you additional flexibility when to restart PCs for updates.

Don't confuse this with the Windows Update for Business (WUfB) settings that postpone installing updates and upgrades for a specified period of time.

For WUfB, Windows 10 1903 also introduces two new settings to control cache behavior.

Storage Sense

Storage Sense is a Windows feature that automatically removes redundant files, increasing the amount of space available on disks. Version 1903 allows administrators to control this feature centrally for the first time.

Control of Storage Sense is now possible via GPO

Control of Storage Sense is now possible via GPO

This includes switching on and off this feature via GPO. You can also set thresholds for cleaning the download folder, recycle bin, and files in the cloud. You can also specify whether to delete temporary files.

Windows logon configuration

Windows 10 1903 adds three new settings to the many settings that affect the login process. Firstly, you can configure automatic signing in and locking of the last interactive user after a restart.

You can deactivate the blurred background of the login screen

You can deactivate the blurred background of the login screen

An additional setting can turn off the blurred background image on the logon screen. And finally, a third option allows an admin to prevent the use of security questions for local accounts.

More settings

New GPO policies also address app voice control, system-related data collection (although it is unclear what role the Windows commercial data pipeline plays in this context), and user access to recommended troubleshooting.

In addition, there is a setting for svchost.exe that requires that the processes it runs only load binary files Microsoft has signed. It can also block dynamically generated code.

Finally, you can enable the Windows Display Driver Model (WDDM) video driver for remote desktop connections using a new policy.

Subscribe to 4sysops newsletter!

Setting name Description
LetAppsActivateWithVoice Let Windows apps activate with voice
LetAppsActivateWithVoiceAboveLock Let Windows apps activate with voice while the system is locked
NoLocalPasswordResetQuestions Prevent the use of security questions for local accounts
AllowCommercialDataPipeline Allow the commercial data pipeline
DelayCacheServerFallbackBackground Delay background download cache server fallback (in seconds)
DelayCacheServerFallbackForeground Delay foreground download cache server fallback (in seconds)
DisableAcrylicBackgroundOnLogon Show clear logon background
TroubleshootingAllowRecommendations Troubleshooting: Allow users to access recommended troubleshooting for known problems
SvchostProcessMitigationEnable Enable svchost.exe mitigation options
SS_AllowStorageSenseGlobal Allow Storage Sense
SS_ConfigStorageSenseGlobalCadence Configure Storage Sense cadence
SS_AllowStorageSenseTemporaryFilesCleanup Allow Storage Sense temporary files cleanup
SS_ConfigStorageSenseRecycleBinCleanupThreshold Configure Storage Sense recycle bin cleanup threshold
SS_ConfigStorageSenseDownloadsCleanupThreshold Configure Storage Sense downloads cleanup threshold
SS_ConfigStorageSenseCloudContentDehydrationThreshold Configure Storage Sense cloud content dehydration threshold
TS_SERVER_WDDM_GRAPHICS_DRIVER Use the WDDM graphics display driver for remote desktop connections
SignatureUpdate_SharedSignaturesLocation Define the security intelligence location for virtual desktop infrastructure (VDI) clients.
ComplianceDeadline Specify deadlines for automatic updates and restarts
ConfigAutomaticRestartSignOn Configure the mode of automatically signing in and locking the last interactive user after a restart or cold boot
  1. Thanks for your nice article I tried to look for the official documentation on 1903 Group Policy objects but it is not yet available on Microsoft KB. Hoping it will be released …

  2. le reddit armie 4 years ago

    Any link to the new admx templates?

  3. LUk Michels 4 years ago

    Well, since the new 1903 release we have some issues being:

    – after restart the windows logo appears, and the loading "balled" icon

    – then this gets replaced by a black screen, with the loading balls but it won't go through to the login screen

    This issue we have with quite some people, any advise?

  4. Junaid 4 years ago

    Easy way would be to go into C:\windows\PolicyDefnitions Folder and copy the ADMX to your domain CentralStore

  5. Do you know if Administrative Templates are availble to download from Microsoft ?

    • Wolfgang Sommergut 4 years ago

      Paolo, neither the ADMX files nor the GPO settings spreadsheet for 1903 are available at this time.

  6. Ok, thanks for your reply.

  7. saras 4 years ago



    I have a query, If I deploy 1903 ADMX template,

    1) What will happen to the existing template and existing settings.

    2) Is there any specific steps to deploy.


    Can somebody guide me through this process.

Leave a reply

Please enclose code in pre tags

Your email address will not be published.


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account