Microsoft is extending the number of Group Policy settings in Windows 10 1903. This time they will not be used to configure new features but rather the existing ones. For example, one of the policies can force the installation of updates. And for the first time, you can manage Storage Sense centrally.

Wolfgang Sommergut

Wolfgang Sommergut has over 20 years of experience in IT journalism. He has also worked as a system administrator and as a tech consultant. Today he runs the German publication WindowsPro.de.

Currently, there is no official documentation on the Group Policy Object (GPO) settings for the latest release of Windows 10. For years Microsoft has made this available as an Excel spreadsheet, but its benefits are limited due to the lack of maintenance and data inconsistencies. We have yet to see whether the situation will improve with version 1903.

Extracting settings from ADMX files

I have taken the following data about the new GPO settings directly from the ADMX and ADML files. With PowerShell, you can create a list of all settings relatively easily:

You generate lists for Windows 10 1809 and 1903, and then you compare the two results. However, there are uncertainties and sources of error here as well because the XML structure of the administrative templates is not consistent. For the language files, Microsoft uses at least five different attributes to identify the explanation for the settings.
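The script used for this article is not reproduced on this page. The PowerShell below is an added example of the approach just described, not the author's code: the function name `Get-AdmxPolicy` and the two folder paths are assumptions, and it resolves only the common `$(string.ID)` form of the `displayName` reference, leaving anything else as the raw attribute value.

```powershell
# Added example: inventory the policies defined in a PolicyDefinitions folder
# and list those that exist only in the newer build. Paths are placeholders.
function Get-AdmxPolicy {
    param(
        [Parameter(Mandatory)] [string] $Path,   # folder holding the *.admx files
        [string] $Language = 'en-US'             # subfolder holding the *.adml files
    )
    foreach ($admx in Get-ChildItem -LiteralPath $Path -Filter '*.admx') {
        # XmlDocument.Load honours the encoding declared in the file itself.
        $def = New-Object System.Xml.XmlDocument
        $def.Load($admx.FullName)

        # Build an id -> text lookup from the matching language file, if present.
        $strings = @{}
        $adml = Join-Path (Join-Path $Path $Language) ($admx.BaseName + '.adml')
        if (Test-Path -LiteralPath $adml) {
            $res = New-Object System.Xml.XmlDocument
            $res.Load($adml)
            foreach ($s in $res.SelectNodes("//*[local-name()='stringTable']/*[local-name()='string']")) {
                $strings[$s.GetAttribute('id')] = $s.InnerText.Trim()
            }
        }

        # local-name() sidesteps the default XML namespace on the root element.
        foreach ($p in $def.SelectNodes("//*[local-name()='policies']/*[local-name()='policy']")) {
            $display = $p.GetAttribute('displayName')
            if ($display -match '^\$\(string\.(.+)\)$' -and $strings.ContainsKey($Matches[1])) {
                $display = $strings[$Matches[1]]
            }
            [pscustomobject]@{
                File        = $admx.Name
                Name        = $p.GetAttribute('name')
                Class       = $p.GetAttribute('class')
                DisplayName = $display
            }
        }
    }
}

# Placeholder paths: copies of C:\Windows\PolicyDefinitions taken from each build.
$old = Get-AdmxPolicy -Path 'C:\ADMX\1809'
$new = Get-AdmxPolicy -Path 'C:\ADMX\1903'

# '=>' marks policies found only in the 1903 set.
Compare-Object -ReferenceObject $old -DifferenceObject $new -Property File, Name -PassThru |
    Where-Object SideIndicator -eq '=>' |
    Sort-Object File, Name |
    Select-Object File, Name, Class, DisplayName
```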

Such an analysis of the ADMX files determines the new settings for Windows 10 1903 as shown in the table at the end of this article. You can find a complete overview with all explanations here.

Force installation of updates

One of the interesting new options is the ComplianceDeadline setting ("Specify deadlines for automatic updates and restarts") for Windows Update. A similar setting was already there, but it only allowed a reboot outside of active hours, and it applied to all updates.

The new option lets admins specify a time period for quality and feature updates separately, within which they must be applied. This forces a restart of the computer within a maximum period of 30 days regardless of active hours and without the possibility for the user to postpone this further.

With a new setting for Windows Update, you can force application of patches within a certain time period

This setting solves the problem of delaying important updates over time due to users not shutting down and logging out of their PCs outside of working hours.

So now you can be nice to your users by avoiding reboots while they are still signed in and still be sure that updates will be applied within a reasonable time period. Automatically calculated active hours give you additional flexibility in deciding when to restart PCs for updates.

Don't confuse this with the Windows Update for Business (WUfB) settings that postpone installing updates and upgrades for a specified period of time.

For WUfB, Windows 10 1903 also introduces two new settings to control cache behavior.

Storage Sense

Storage Sense is a Windows feature that automatically removes redundant files, increasing the amount of space available on disks. Version 1903 allows administrators to control this feature centrally for the first time.

Control of Storage Sense is now possible via GPO

This includes switching this feature on and off via GPO. You can also set thresholds for cleaning the download folder, recycle bin, and files in the cloud, and you can specify whether to delete temporary files.

Windows logon configuration

Windows 10 1903 adds three new settings to the many settings that affect the login process. Firstly, you can configure automatic signing in and locking of the last interactive user after a restart.

You can deactivate the blurred background of the login screen

An additional setting can turn off the blurred background image on the logon screen. And finally, a third option allows an admin to prevent the use of security questions for local accounts.

More settings

New GPO policies also address app voice control, system-related data collection (although it is unclear what role the Windows commercial data pipeline plays in this context), and user access to recommended troubleshooting.

In addition, there is a setting for svchost.exe that requires that the processes it runs only load binary files Microsoft has signed. It can also block dynamically generated code.

Finally, you can enable the Windows Display Driver Model (WDDM) video driver for remote desktop connections using a new policy.

| Setting name | Description |
| --- | --- |
| LetAppsActivateWithVoice | Let Windows apps activate with voice |
| LetAppsActivateWithVoiceAboveLock | Let Windows apps activate with voice while the system is locked |
| NoLocalPasswordResetQuestions | Prevent the use of security questions for local accounts |
| AllowCommercialDataPipeline | Allow the commercial data pipeline |
| DelayCacheServerFallbackBackground | Delay background download cache server fallback (in seconds) |
| DelayCacheServerFallbackForeground | Delay foreground download cache server fallback (in seconds) |
| DisableAcrylicBackgroundOnLogon | Show clear logon background |
| TroubleshootingAllowRecommendations | Troubleshooting: Allow users to access recommended troubleshooting for known problems |
| SvchostProcessMitigationEnable | Enable svchost.exe mitigation options |
| SS_AllowStorageSenseGlobal | Allow Storage Sense |
| SS_ConfigStorageSenseGlobalCadence | Configure Storage Sense cadence |
| SS_AllowStorageSenseTemporaryFilesCleanup | Allow Storage Sense temporary files cleanup |
| SS_ConfigStorageSenseRecycleBinCleanupThreshold | Configure Storage Sense recycle bin cleanup threshold |
| SS_ConfigStorageSenseDownloadsCleanupThreshold | Configure Storage Sense downloads cleanup threshold |
| SS_ConfigStorageSenseCloudContentDehydrationThreshold | Configure Storage Sense cloud content dehydration threshold |
| TS_SERVER_WDDM_GRAPHICS_DRIVER | Use the WDDM graphics display driver for remote desktop connections |
| SignatureUpdate_SharedSignaturesLocation | Define the security intelligence location for virtual desktop infrastructure (VDI) clients. |
| ComplianceDeadline | Specify deadlines for automatic updates and restarts |
| ConfigAutomaticRestartSignOn | Configure the mode of automatically signing in and locking the last interactive user after a restart or cold boot |

10 Comments
  1. Paolo Maffezzoli 7 months ago

    Thanks for your nice article. I tried to look for the official documentation on 1903 Group Policy objects, but it is not yet available on Microsoft KB. Hoping it will be released ...

  2. le reddit armie 6 months ago

    Any link to the new admx templates?

  3. LUk Michels 6 months ago

    Well, since the new 1903 release we have some issues being:

    - after restart the windows logo appears, and the loading "balled" icon

    - then this gets replaced by a black screen, with the loading balls but it won't go through to the login screen

    This issue we have with quite some people, any advice?

  4. Junaid 5 months ago

    Easy way would be to go into C:\windows\PolicyDefinitions Folder and copy the ADMX to your domain CentralStore

  5. Paolo Maffezzoli 5 months ago

    Do you know if Administrative Templates are available to download from Microsoft?

    • Wolfgang Sommergut 5 months ago

      Paolo, neither the ADMX files nor the GPO settings spreadsheet for 1903 are available at this time.

  6. Paolo Maffezzoli 5 months ago

    Ok, thanks for your reply.

  7. saras 4 months ago

    Hi,

     

    I have a query. If I deploy the 1903 ADMX template,

    1) What will happen to the existing template and existing settings?

    2) Are there any specific steps to deploy?

    Can somebody guide me through this process?

© 4sysops 2006 - 2019
