Microsoft has released version 21H1 of Windows 10. This is a small update that is activated via an enablement package. At the same time, the ADMX templates for the group policies, which contain ten new settings, are available. There are no notable changes with the Security Baseline, the ADK, or the RSAT.

As with version 20H2 last fall, Microsoft is delivering the few new features of 21H1 (see an overview here) in advance via a cumulative update. This time they were included in the May update for versions 2004 or 20H2. However, the new features remain inactive until the enablement package unlocks them.

This is delivered via WSUS and Windows Update for Business as KB5000736, and is also available in the Download and Volume Licensing Center. The official release also marks the start of the support period of 18 months, which Microsoft generally grants for all editions of the spring update.

The new features delivered in the May update are released as KB5000736

The new features delivered in the May update are released as KB5000736

Users who are still running a version older than 2004 will need a conventional upgrade, which requires several reboots.

New GPO settings

Windows 10 21H1 doesn't include any new features that would require additional group policies for their configuration. Nevertheless, the update brings ten new settings for components that have been in place for a while.

Most of them serve to drive the transition from legacy web browsers to Edge Chromium. Internet Explorer can now be deactivated as a standalone browser. IE then only serves as a rendering engine for Edge in Internet Explorer Mode. If a user tries to start IE, this group policy automatically redirects the page to load in Edge.

The Group Policy settings introduced with Windows 10 21H1

The Group Policy settings introduced with Windows 10 21H1

Two other settings control the behavior of IE when it is run as a component of Edge. You can now show the Save target as entry in the context menu of a link. The other option allows you to activate hot keys, such as CTRL+S.

The legacy browsers also include the first generation of Edge, which Microsoft is now replacing with the Chromium version during Windows 10 feature upgrades. Until this change has taken place, a dialog warns the user that the current browser is outdated. This message can be suppressed via another setting.

In addition, there is an option for Windows Update. It is used to deactivate the so-called safeguards. These prevent the installation of feature upgrades on computers that contain components known to cause problems with a particular version of the operating system.

Another setting allows you to switch off the news feed in the taskbar. The next one removes the icon for Meet Now, which is a feature for video conferencing on Skype.

The remaining settings control text recognition for TIFF files, which is a feature of Windows Search. They allow, for example, the selection of the language based on the code page or cause the OCR function to always capture all pages of a TIFF.

In the past, searchOCR.admx, which contains these settings, was a constant source of error messages; while the language files were available, the actual template for them was missing.

Detailed information about all settings can be found in the Group Policy Settings Reference Spreadsheet. It also explicitly marks new options.

ADMX download

The templates with all current settings for the group policies are, as usual, part of the operating system and can be found under% SystemRoot%\PolicyDefinitions. In addition, the complete templates can now be downloaded from Microsoft's Download Center.

As usual, this package comes with 22 language files, whereas on a workstation, only en-US or the language of the localized Windows is available. The ADMX download primarily benefits users who use Windows 10 in multiple language versions.

The administrative templates must be unpacked with elevated rights

The administrative templates must be unpacked with elevated rights

In addition, there are ADMXs that are not relevant to local group policies and are therefore not part of the operating system. This includes GroupPolicyPreferences.admx for the configuration of Group Policy Preferences, which are available only in domains. Overall, the download is particularly recommended if you want to keep the templates in a central store.

Security Baseline, ADK, and RSAT

The Security Baseline is another tool that Microsoft provides with the release of Windows 10 21H1. It contains the manufacturer's recommended settings to harden the system. The update does not add any new settings or remove existing ones.

The baseline was refreshed primarily to bring the documentation up to date with the new GPO settings. It can be downloaded as part of the Microsoft Security Compliance Toolkit. This also includes the baselines for Edge and the Microsoft 365 applications.

The Security Compliance Toolkit contains the baselines for Windows 10 21H1 Edge und Microsoft 365

The Security Compliance Toolkit contains the baselines for Windows 10 21H1 Edge und Microsoft 365

The same applies to the Assessment and Deployment Kit (ADK). Since 21H1 shares the kernel and system files with the predecessors, there is no need for an update here. This is also true for WinPE, which has been a separate download since Windows 10 1809. Thus, you can continue to use the existing deployment tools.

21H1 does not bring any changes to the Remote Server Administration Tools (RSAT). Since version 1809, it has not been necessary to download these tools separately, but the RSAT are installed as an optional feature.

Subscribe to 4sysops newsletter!


The small number of innovations in Windows 10 21H1 is reflected in the tools for the administration and deployment of the system. Only the group policies bring some additional settings; otherwise, the toolbox remains largely unchanged.

  1. Avatar
    Bruce 2 years ago

    Hello Wolfgang –
    Have you experienced a problem with Windows Update and Office 365 Update? I have. neither will update automatically. (I am an MSCE+I/MVP) so I have done all the usual. Even using the latest ADMX .msi for my version 21H2 and OS 19044.1620, no auto update is working. So REGEDIT and gpedit.msc. I discovered that there is NO Policies folder and searching for all features in both Computer and User Configuration results in no hits for “office” or “update”. Office 365 Help pop-up was of no use. After 29 back and forth, the technician gave up. Your thoughts if any? Danke schoen!

  2. Avatar
    Majkel 2 years ago

    Let’s take a sample “Passport.admx” file. In the package “Administrative Templates (.admx) for Windows 10 November 2021 Update” the modification date is 2021.10.06, while in the newer edition “Administrative Templates (.admx) for Windows Server 2022 August 2021 Update” the same file is modified 2021.05. 08. Why does the newer set contain an older file? I would like to add that the files differ in size and, after analyzing the contents, they have different parameters.

    • Avatar
      Bruce 2 years ago

      Now THIS ONE I can answer. Server is a dedicated OS and while similar to PC based, it is not identical. Hence the different versions of any updates. I understood this back in WIN Server 2003 and nothing has changed. DO NOT DOWNLOAD/INSTALL Server versions on a home PC. WIN 8/10 should prevent this automatically – but not always.

      • Avatar
        Majkel 2 years ago

        Bruce. There is no distinction between the PC and Server versions for the files I am talking about. ADMX files contain policies for both workstations and server stations.

Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account