Windows 10 2004: 17 new settings for group policies

Windows 10 2004 (20H1) introduces two new security settings that make minimum password lengths beyond 14 characters possible. Another new setting hardens LDAP authentication on domain controllers, and the rest relate to update management, store apps, FIDO authentication and input methods for East Asian languages.

If you count all of the settings in the ADMX files with PowerShell, you will see that their number has not increased but decreased, from 3,440 in Windows 10 1909 to 3,245 in version 2004. The explanation lies in the contents of the PolicyDefinitions directory: in Windows 10 2004, MicrosoftEdge.admx, which contained approximately 200 settings for the legacy (EdgeHTML) Edge browser, is gone. The exact totals depend on how you count; a policy with class Both shows up under both Computer and User Configuration in the editor but is a single policy element in the file.
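The count described above can be reproduced with the following script. It is an added example, not code from the article: it counts the policy elements in every ADMX file of a PolicyDefinitions folder and compares two folders file by file, so the template responsible for a difference (such as the missing Edge file) stands out. The folder paths in the usage line are assumptions; point them at a saved copy of an older PolicyDefinitions folder and the local one.

```powershell
# Added example (not from the original article). Counts <policy> elements per ADMX file and
# compares two PolicyDefinitions folders, e.g. a saved 1909 copy against the local 2004 folder.

function Get-AdmxPolicyCount {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Filter *.admx -File | ForEach-Object {
        $admx = New-Object System.Xml.XmlDocument
        $admx.Load($_.FullName)
        # Every <policy> element is one configurable setting; local-name() ignores the ADMX namespace.
        $count = $admx.SelectNodes('//*[local-name()="policy"]').Count
        [pscustomobject]@{ File = $_.Name; Policies = $count }
    }
}

function Compare-AdmxPolicyCount {
    param(
        [Parameter(Mandatory)][string]$OldPath,
        [Parameter(Mandatory)][string]$NewPath
    )
    $old = @{}; Get-AdmxPolicyCount -Path $OldPath | ForEach-Object { $old[$_.File] = $_.Policies }
    $new = @{}; Get-AdmxPolicyCount -Path $NewPath | ForEach-Object { $new[$_.File] = $_.Policies }

    # Union of file names from both folders; a file missing on one side counts as 0 there.
    $files = @($old.Keys) + @($new.Keys) | Sort-Object -Unique
    foreach ($file in $files) {
        $before = if ($old.ContainsKey($file)) { $old[$file] } else { 0 }
        $after  = if ($new.ContainsKey($file)) { $new[$file] } else { 0 }
        if ($before -ne $after) {
            [pscustomobject]@{ File = $file; Before = $before; After = $after; Delta = $after - $before }
        }
    }
    $sumOld = ($old.Values | Measure-Object -Sum).Sum
    $sumNew = ($new.Values | Measure-Object -Sum).Sum
    [pscustomobject]@{ File = 'TOTAL'; Before = $sumOld; After = $sumNew; Delta = $sumNew - $sumOld }
}

# Usage (paths are assumptions): compare a saved 1909 copy with the local 2004 templates.
Compare-AdmxPolicyCount -OldPath 'C:\admx\1909' -NewPath "$env:SystemRoot\PolicyDefinitions" |
    Format-Table -AutoSize
```

Only files whose count changed are listed, plus a TOTAL row; a removed template appears with After = 0, so the drop caused by the missing Edge file is visible at a glance.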

New password policies

The most interesting innovation is not in the administrative templates but in the security settings under Account Policies => Password Policy. The new setting Relax minimum password length limits lets you raise the minimum password length to up to 128 characters; previously the policy was capped at 14.

New settings increase the minimum length of passwords and enable you to monitor this action

This opens up the possibility of enforcing passphrases without third-party tools. Passphrases consist of several words or whole sentences that users remember more easily than a single long random password. Their length makes them far more expensive to brute-force than typical passwords, especially when complexity requirements also apply. Note that length alone is not entropy: a passphrase built from a few common dictionary words or a well-known quotation is still exposed to wordlist and combinator attacks, so the words should be chosen randomly.

However, Microsoft points out that a higher minimum length can break applications and services that cannot handle long passwords. Windows 10 2004 therefore adds a second setting, Minimum password length audit. It lets you specify an audit length: password changes that fall short of it are still accepted but are logged, so you can see which accounts and systems would be affected before you enforce the new minimum. Only an audit length above the enforced minimum is useful, since shorter passwords are rejected anyway.
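The following script is an added example, not code from the article or from Microsoft. It reads the two SAM registry values behind these settings (the location Microsoft documents for them), compares them with the effective minimum length exported by secedit, reports misconfigurations such as a minimum above 14 without the relax setting, and collects the audit events. It assumes an elevated session, and the event IDs 16977 to 16979 and the provider name are taken from Microsoft's documentation of the audit setting as I recall it; verify them against the documentation for your build before relying on them in monitoring.

```powershell
# Added example (not from the original article). Checks the password length policy state and
# pulls the audit events. Assumptions: run elevated; event IDs 16977-16979 and the provider name
# follow Microsoft's documentation of "Minimum password length audit" and should be verified.

function Get-PasswordLengthPolicyState {
    $samKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM'
    $sam = Get-ItemProperty -LiteralPath $samKey -ErrorAction SilentlyContinue

    # The enforced minimum length lives in the local security database; export it with secedit.
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $match = Select-String -LiteralPath $inf -Pattern '^MinimumPasswordLength\s*=\s*(\d+)' |
             Select-Object -First 1
    Remove-Item -LiteralPath $inf -Force -ErrorAction SilentlyContinue
    $minLen = if ($match) { [int]$match.Matches[0].Groups[1].Value } else { 0 }

    [pscustomobject]@{
        MinimumPasswordLength = $minLen
        RelaxLimitsEnabled    = ($sam.RelaxMinimumPasswordLengthLimits -eq 1)
        AuditLength           = [int]$sam.MinimumPasswordLengthAudit   # 0 or absent: audit off
    }
}

function Test-PasswordLengthPolicy {
    $s = Get-PasswordLengthPolicyState
    $findings = @()
    if ($s.MinimumPasswordLength -gt 14 -and -not $s.RelaxLimitsEnabled) {
        $findings += 'Minimum length above 14 requires "Relax minimum password length limits".'
    }
    if ($s.AuditLength -eq 0) {
        $findings += 'Audit is off: set "Minimum password length audit" before raising the enforced minimum.'
    }
    elseif ($s.AuditLength -le $s.MinimumPasswordLength) {
        $findings += 'Audit length is not above the enforced minimum, so the audit cannot report anything.'
    }
    [pscustomobject]@{ State = $s; Findings = $findings }
}

function Get-PasswordLengthAuditEvents {
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Directory-Services-SAM'   # assumption, see lead-in
        Id           = 16977, 16978, 16979                         # assumption, see lead-in
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split '\r?\n')[0] } }
}

# Usage: review the state first, then the events collected since the audit setting was applied.
Test-PasswordLengthPolicy | Format-List
Get-PasswordLengthAuditEvents -Days 30 | Format-Table -AutoSize
```

Run it on a domain controller to see the audit for domain accounts, and on a workstation for local accounts; the events tell you which accounts changed to a password shorter than the audit length, which is exactly the population that a higher enforced minimum would lock out of password changes.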

FIDO authentication

Microsoft has supported FIDO2 with Windows Hello for some time as part of its effort to eliminate passwords for signing in to Windows. A new setting, Turn on security key sign-in, lets users sign in with external FIDO2 security keys such as those from Yubico. Security key sign-in is designed for Azure AD joined and hybrid Azure AD joined devices; it does not cover local accounts, and the policy only exposes the sign-in option, it does not register keys for users.

Setting to configure FIDO authentication

It can be found under Computer Configuration => Policies => Administrative Templates => System => Logon.

Regarding authentication, there is another new setting that previously had to be configured with a separately delivered template. It is found under Local Policies => Security Options and is called Domain controller: LDAP server channel binding token requirements, with the values Never, When supported and Always. Microsoft explains the background in its Security Advisory on LDAP channel binding and signing.

No GPO settings for Edge and WSL 2

The legacy version of Microsoft Edge is still included with Windows 10 2004, but the group policies that govern it have been removed. The browser will ask whether you want to download the Chromium-based Edge the first time you start it. The administrative templates for the new Edge are not part of Windows 10 2004 either; they have to be obtained separately from Microsoft and added to the central store.

For browser management, Windows 10 2004 introduces a setting for Internet Explorer called Configure which channel of Microsoft Edge to use for opening redirected sites. It was originally not available in 1909, but has been added via an update after Edge Chromium was released.

When redirecting pages from Internet Explorer to Edge, you can specify the version of the target browser

It is used to determine the version of Edge used when redirecting certain pages from IE to the new browser (e.g., using the option Send all websites that are not included in the Enterprise Mode Site List to Microsoft Edge). It is available under Computer Configuration and User Configuration.

For the operating system's biggest single innovation, the largely rebuilt Windows Subsystem for Linux (WSL 2), Microsoft relies on a plain-text configuration file (.wslconfig in the user profile), as it does with Windows Sandbox and its .wsb files. Accordingly, there are no group policies for it; if you need to control WSL in a managed environment, you have to restrict the optional feature itself.

Configuration of delivery optimization

Some improvements have been made to Delivery Optimization, the peer-to-peer and caching download mechanism used by Windows Update, Windows Update for Business (WUfB) and the Store. In particular, admins can now set separate absolute limits (in KB/s) for foreground and background downloads.

The group policies split this option into two settings, for downloading in the foreground and the background. You can find them under Computer Configuration => Policies => Administrative Templates => Windows Components => Delivery Optimization.

Setting the maximum bandwidth for downloading updates

Another new setting, Cache Server Hostname Source, is used to assign a cache host to the clients via DHCP (option 235). A value of 2 is used to force this assignment, even if it has already been specified by the GPO setting Cache Server Hostname.

Setting to assign the cache host via DHCP

WUfB also has a new option, Select the target Feature Update version, that limits the scan for feature updates to the specified version. A device then stays on that version until you change or remove the policy, so the value has to be maintained as releases come and go.
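To verify what these policies actually wrote to a client, here is an added example that is not part of the article. It reads the policy registry values behind the new Delivery Optimization bandwidth settings, the cache host source and the target feature update version, and additionally flags the three bandwidth policies that 2004 removed if an older GPO is still setting them. The value names are an assumption based on the Delivery Optimization and Update CSP names that the ADMX templates map to; the optional Get-DOConfig call at the end shows the configuration the client applied, where that cmdlet is available.

```powershell
# Added example (not from the original article). Reads the policy registry for Delivery
# Optimization and WUfB target version and reports stale values of removed settings.
# Assumption: value names follow the DeliveryOptimization/Update CSP names used by the ADMX.

$DoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-RegValue {
    param([string]$Key, [string]$Name)
    try { (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-UpdateDeliveryPolicy {
    $cacheSource = Get-RegValue $DoKey 'DOCacheHostSource'
    # 1 = take the cache host from DHCP option 235; 2 = DHCP option 235 overrides the GPO value.
    $sourceText = switch ($cacheSource) {
        1       { 'DHCP option 235' }
        2       { 'DHCP option 235 (forced, overrides Cache Server Hostname)' }
        default { 'Cache Server Hostname from GPO, or none' }
    }
    [pscustomobject]@{
        ForegroundKBps      = Get-RegValue $DoKey 'DOMaxForegroundDownloadBandwidth'
        BackgroundKBps      = Get-RegValue $DoKey 'DOMaxBackgroundDownloadBandwidth'
        CacheHost           = Get-RegValue $DoKey 'DOCacheHost'
        CacheHostSource     = $sourceText
        TargetReleaseActive = ((Get-RegValue $WuKey 'TargetReleaseVersion') -eq 1)
        TargetRelease       = Get-RegValue $WuKey 'TargetReleaseVersionInfo'
    }
}

# The three bandwidth settings dropped from the 2004 ADMX. The editor no longer shows them, but
# values written by an older GPO remain in the registry and keep applying.
$RemovedDoValues = 'DOMaxDownloadBandwidth', 'DOMaxUploadBandwidth', 'DOPercentageMaxDownloadBandwidth'

function Find-StaleDeliveryOptimizationPolicy {
    foreach ($name in $RemovedDoValues) {
        $v = Get-RegValue $DoKey $name
        if ($null -ne $v) { [pscustomobject]@{ Name = $name; Value = $v } }
    }
}

# Usage
Get-UpdateDeliveryPolicy | Format-List
$stale = @(Find-StaleDeliveryOptimizationPolicy)
if ($stale.Count -gt 0) {
    Write-Warning 'Removed Delivery Optimization policies are still configured:'
    $stale | Format-Table -AutoSize
}
# On 2004 the DeliveryOptimization module can show the configuration the client applied.
if (Get-Command Get-DOConfig -ErrorAction SilentlyContinue) { Get-DOConfig }
```

A client that reports both a foreground limit and a stale DOMaxDownloadBandwidth value is the situation the Removed settings section below warns about: the old value is invisible in the editor but still in effect.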

The scan for feature updates can be limited to certain releases

Settings for apps

Three new settings control the installation and use of (certain) apps:

  • Prevent non-admin users from installing packaged Windows apps: This setting only affects the side loading of apps, but not installation via the store, which needs to be restricted separately.
  • Let Windows apps access user movements while running in the background: This privacy setting determines whether Windows apps are allowed to capture the movement of the user’s head, hands or motion controllers.
  • Allow Graphing Calculator: This setting relates to the graphing mode of the new Calculator store app, which can be disabled.
New setting for apps to protect privacy

Defender Antivirus

If you activate the Enable file hash computation feature setting, the virus scanner will create a hash for executable files. This setting is disabled by default.

Setting to configure Defender Antivirus to compute file hashes

Note that the Enable file hash computation feature setting affects the performance of the entire system, although only during the first scan, when the hashes are computed. The setting is primarily useful together with Defender ATP, where file hashes are needed for custom file indicators, so you will probably not activate it unless you subscribe to that service. The same option can be set outside group policy with Set-MpPreference -EnableFileHashComputation $true.

IME for East Asian languages

Three new settings determine whether users can control the version of the Input Method Editor (IME) used for Japanese, Simplified, or Traditional Chinese. The IME is used to enter complex characters. The newest Microsoft IME is enabled by default.

You can find them under User Configuration => Policies => Administrative Templates => Windows Components => IME.

Removed settings

In Windows 10 2004, Microsoft not only added 17 new settings, but also removed five old ones. Three of them relate to delivery optimization, as two new settings for foreground and background downloads have been introduced for bandwidth control. As a result, the following settings have been removed:

  • Maximum Upload Bandwidth (in KB/s)
  • Maximum Download Bandwidth (in KB/s)
  • Maximum Download Bandwidth (percentage)

Two settings for Application Guard will also be phased out:

  • Allow users to trust files that open in Windows Defender Application Guard
  • Configure additional sources for untrusted files in Windows Defender Application Guard

The basic problem with the removed settings is that once you use the new ADMX templates, they can no longer be edited in existing GPOs: values set earlier remain in the GPO's registry.pol and continue to apply (the GPMC settings report lists them as Extra Registry Settings), but you cannot change or remove them through the editor. Keep the old templates available, or clear the values before switching.


4 Comments
  1. SF 6 months ago

    Where do you find the 2004 ADMX? Is there an official download, or do I have to take it from the Windows policies folder of a 2004 installation?


    • Wolfgang Sommergut 6 months ago

      The ADMX files are not available yet. So you have to edit GPOs on a workstation with Win 10 2004 for now, if you want to use the new settings.

  2. SF 6 months ago

    Thank you

