If you count all of the settings in the ADMX files using PowerShell, you will see that their number has not increased but decreased, from 3,440 in Windows 10 1909 to 3,245 in the 2004 version. This mystery can be solved by checking the contents of the PolicyDefinitions directory. In Windows 10 2004, msedge.admx, which contained approximately 200 settings for the old Edge browser, is missing.
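A way to do that count yourself and see where the difference comes from, as an added example that is not code from the original article: it tallies the `<policy>` elements in every ADMX file of two PolicyDefinitions directories (the old 1909 copy's path is an assumption) and lists the files whose count changed or that exist in only one release.

```powershell
# Added example, not from the original article. Counts the <policy> elements
# in each ADMX file of a PolicyDefinitions directory and compares two releases.
function Get-AdmxSettingCount {
    param([Parameter(Mandatory)][string]$Path)
    $result = @{}
    foreach ($file in Get-ChildItem -Path $Path -Filter *.admx -File) {
        [xml]$admx = Get-Content -Path $file.FullName -Encoding UTF8 -Raw
        # Each <policy> element under <policies> is one Group Policy setting;
        # @() turns a missing element into an empty array with Count 0
        $result[$file.Name] = @($admx.policyDefinitions.policies.policy).Count
    }
    return $result
}

# Assumed paths: a saved copy of the 1909 templates and the current machine's
$old = Get-AdmxSettingCount -Path 'C:\Temp\PolicyDefinitions-1909'
$new = Get-AdmxSettingCount -Path "$env:SystemRoot\PolicyDefinitions"

'Old total: {0}  New total: {1}' -f ($old.Values | Measure-Object -Sum).Sum,
                                    ($new.Values | Measure-Object -Sum).Sum

# Files whose setting count changed, or that were added or removed
foreach ($name in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
    $o = if ($old.ContainsKey($name)) { $old[$name] } else { 'missing' }
    $n = if ($new.ContainsKey($name)) { $new[$name] } else { 'missing' }
    if ($o -ne $n) { '{0,-40} {1,8} -> {2,8}' -f $name, $o, $n }
}
```

A file that appears as `missing` on the new side, such as msedge.admx, accounts for settings that disappear from the total without being individually removed.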
New password policies
The most interesting innovation is not in the administrative templates but in the security policies. The new setting is called Relax minimum password length limits, and it lets you raise the minimum password length, which was previously capped at 14 characters, to as many as 128 characters.
This opens up the possibility of enforcing passphrases without third-party tools. Passphrases consist of several words or entire sentences, which users remember more easily than single long passwords. Because of their length, passphrases are much harder to crack by brute force than short passwords, especially if they must also meet complexity requirements.
However, Microsoft points out that increasing the minimum password length can lead to compatibility problems. Therefore, Windows 10 2004 adds another setting called Minimum password length audit. It enables you to activate logging for events that occur due to the increased password length.
FIDO authentication
Microsoft has supported FIDO2 with Windows Hello for some time as part of its efforts to eliminate passwords for logging on to Windows. A new setting, Turn on security key sign-in, lets users sign in with external security keys such as those from Yubico.
It can be found under Computer Configuration => Policies => Administrative Templates => System => Logon.
Regarding authentication, there is another new setting that previously could only be configured using a separate ADMX file. It can be found under Local Policies and is called Domain controller: LDAP server channel binding token requirements. An explanation is given in this Security Advisory.
No GPO settings for Edge and WSL 2
The previous version of Microsoft Edge is still included with Windows 10 2004, but the group policies that govern it have been removed. The browser will ask if you want to download Edge Chromium the first time you start it. The administrative templates of the new version are therefore not included in the latest release of Windows 10.
For browser management, Windows 10 2004 introduces a setting for Internet Explorer called Configure which channel of Microsoft Edge to use for opening redirected sites. It was not originally available in 1909 but was added through an update after Edge Chromium was released.
It is used to determine the version of Edge used when redirecting certain pages from IE to the new browser (e.g., using the option Send all websites that are not included in the Enterprise Mode Site List to Microsoft Edge). It is available under Computer Configuration and User Configuration.
For the biggest single innovation of the operating system, the largely rebuilt Windows Subsystem for Linux (WSL 2), Microsoft relies on a text-format configuration file (.wslconfig), as it does with Windows Sandbox. Accordingly, there are no group policies for it.
Configuration of delivery optimization
Some improvements have been made to Delivery Optimization, a cache mechanism of Windows Update for Business (WUfB). In particular, admins can now specify absolute values for the maximum bandwidth available for downloading updates.
The group policies split this option into two settings, for downloading in the foreground and the background. You can find them under Computer Configuration => Policies => Administrative Templates => Windows Components => Delivery Optimization.
Another new setting, Cache Server Hostname Source, is used to assign a cache host to the clients via DHCP (option 235). A value of 2 is used to force this assignment, even if it has already been specified by the GPO setting Cache Server Hostname.
WUfB also has a new option, Select the target Feature Update version, that limits the search for feature updates to a specific version.
Settings for apps
Three new settings control the installation and use of (certain) apps:
- Prevent non-admin users from installing packaged Windows apps: This setting only affects the sideloading of apps, not installation via the Store, which must be restricted separately.
- Let Windows apps access user movements while running in the background: This privacy setting determines whether Windows apps are allowed to capture the movement of the user’s head, hands or motion controllers.
- Allow Graphing Calculator: This setting relates to the new calculator, which is available as a store app, and can be deactivated.
Defender Antivirus
If you activate the Enable file hash computation feature setting, the virus scanner will compute a hash for executable files. This setting is disabled by default.
Note that the Enable file hash computation feature setting affects the performance of the entire system, but only during the first scan. This setting is primarily useful in conjunction with Defender ATP, so you will probably not activate it if you have not subscribed to that service.
IME for East Asian languages
Three new settings determine whether users can choose the version of the Input Method Editor (IME) used for Japanese, Simplified Chinese, or Traditional Chinese. The IME is used to enter complex characters. The newest Microsoft IME is enabled by default.
You can find them under User Configuration => Policies => Administrative Templates => Windows Components => IME.
Removed settings
In Windows 10 2004, Microsoft not only added 17 new settings but also removed five old ones. Three of them relate to Delivery Optimization, since the two new settings for foreground and background downloads now handle bandwidth control. As a result, the following settings have been removed:
- Maximum Upload Bandwidth (in KB/s)
- Maximum Download Bandwidth (in KB/s)
- Maximum Download Bandwidth (percentage)
Two settings for Application Guard will also be phased out:
- Allow users to trust files that open in Windows Defender Application Guard
- Configure additional sources for untrusted files in Windows Defender Application Guard
The basic problem with removed settings is that once you switch to the new ADMX templates, they can no longer be edited in existing GPOs.