Microsoft has officially begun to roll out Windows 10 20H2. At the same time, it is delivering the newest ADMX templates for group policies. On the other hand, the security baseline only exists as a draft. A separate ADK will not be provided.

According to the current release cycle, the autumn update is a kind of service pack, which also brings some smaller innovations. It is therefore considered to be a more stable version of Windows 10 than the one shipped in the first half of the year. Hence, it is particularly recommended for companies. For this reason, the Enterprise Edition of the H2 updates receives 30 months of support starting from the release date, whereas the spring releases receive only 18 months.

ADK 2004 for deployment

For users already running Windows 10 2004, the upgrade to 20H2 is delivered the same way as a cumulative update. Since the 2004 release is probably not widely used in organizations, they must implement a regular update, either by wipe and load or in-place.

The ADK and WinPE for Windows 10 2004 can also be used for 20H2

Microsoft provides the Windows ADK for this purpose, which is also used by more sophisticated tools such as the Microsoft Deployment Toolkit (MDT). However, Windows 10 20H2 does not need its own ADK because its core is more or less the same as in version 2004. This also applies to the Windows Preinstallation Environment (WinPE), which has been available as a separate download since version 1803. The ADK for 2004 and 20H2 can be downloaded from Microsoft's website.

Downloading the ADMX templates

In contrast to the previous versions, Microsoft now provides the administrative templates for group policies in time for the rollout of the new operating system. As usual, the latest ADMX files are also included in the OS.

Unpacking the administrative templates for Windows 10 20H2

But if you want to manage the current Windows 10 from an older workstation or a central store, you need the templates that Microsoft offers as a separate download. They also come with numerous language files, while the operating system itself only provides them in English and in the localized language.

Security baseline

As previously mentioned, the security baseline is currently only available as a draft. While there are virtually no new GPO settings in Windows 10 20H2 that could have been included in this security best practice, it still brings some changes.

Microsoft has decided to add existing settings to this recommended configuration. Three of these affect Defender Antivirus. Admins can let the virus scanner block files not only with virus definitions but also with cloud-based machine learning techniques ("First Sight").

There are also two settings to reduce the attack surface. Both define rules for Defender Antivirus. They are called "Use advanced protection against ransomware" and "Block persistence through WMI event subscription".
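
To verify these recommendations on an endpoint, the following PowerShell check (an added example, not part of the original article or of Microsoft's baseline package) reads the Defender preferences and reports the state of the two attack surface reduction rules and of Block at First Sight. The rule GUIDs come from Microsoft's ASR rule reference, the helper name `Get-BaselineAsrState` is hypothetical, Block is assumed to be the target state, and the sample in the `else` branch is constructed.

```powershell
# Added example: audit the Defender settings discussed above on one endpoint.
# Rule GUIDs are from Microsoft's ASR rule reference, not from this article.
$expectedRules = [ordered]@{
    'Use advanced protection against ransomware'       = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    'Block persistence through WMI event subscription' = 'e6db77e5-3df2-4cf5-b95a-636979351e5b'
}
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-BaselineAsrState {              # hypothetical helper name
    param([string[]]$Ids, [int[]]$Actions)   # parallel arrays from Get-MpPreference
    foreach ($name in $expectedRules.Keys) {
        $state = 'Not configured'
        $count = if ($Ids) { $Ids.Count } else { 0 }
        for ($i = 0; $i -lt $count -and $i -lt $Actions.Count; $i++) {
            if ($Ids[$i] -eq $expectedRules[$name]) {      # -eq ignores GUID case
                $action = $Actions[$i]
                $state  = if ($actionNames.ContainsKey($action)) { $actionNames[$action] }
                          else { "Unknown ($action)" }
            }
        }
        [pscustomobject]@{
            Setting   = $name
            State     = $state
            # Assumption: the target is Block; Audit or Warn only log or prompt.
            Compliant = ($state -eq 'Block')
        }
    }
}

if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $pref = Get-MpPreference                 # live values on a Windows endpoint
} else {
    # Constructed sample so the check can be exercised without Defender installed.
    $pref = [pscustomobject]@{
        AttackSurfaceReductionRules_Ids     = @('C1DB55AB-C21A-4637-BB3F-A12568109D35')
        AttackSurfaceReductionRules_Actions = @(2)
        DisableBlockAtFirstSeen             = $false
    }
}

$report  = @(Get-BaselineAsrState -Ids $pref.AttackSurfaceReductionRules_Ids `
                                  -Actions $pref.AttackSurfaceReductionRules_Actions)
$report += [pscustomobject]@{
    Setting   = 'Block at First Sight'
    State     = if ($pref.DisableBlockAtFirstSeen) { 'Disabled' } else { 'Enabled' }
    Compliant = (-not $pref.DisableBlockAtFirstSeen)
}
$report | Format-Table -AutoSize
```

A rule reported as Audit or Not configured is the usual finding on machines that received the ADMX templates but not the baseline GPOs.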

The preliminary baseline is available as an attachment to this blog post on Microsoft's Tech Community. The settings can be imported into your own systems following the included documentation. But most likely you will wait for the final version.

1 Comment
  1. John Delise 1 year ago

    Wolfgang, do you have any information on equivalent Microsoft Endpoint Manager CSP settings to match the new GP settings? While Microsoft is releasing the spreadsheet again, a new transitional resource needs to be developed, one that models side by side the GP settings and their corresponding CSP settings and of course the matching Registry setting if any.

© 4sysops 2006 - 2022