As with version 20H2 last fall, Microsoft is delivering the few new features of 21H1 (see an overview here) in advance via a cumulative update. This time they were included in the May update for versions 2004 or 20H2. However, the new features remain inactive until the enablement package unlocks them.
This is delivered via WSUS and Windows Update for Business as KB5000736, and is also available in the Download and Volume Licensing Center. The official release also marks the start of the support period of 18 months, which Microsoft generally grants for all editions of the spring update.
Users who are still running a version older than 2004 will need a conventional upgrade, which requires several reboots.
New GPO settings
Windows 10 21H1 doesn't include any new features that would require additional group policies for their configuration. Nevertheless, the update brings ten new settings for components that have been in place for a while.
Most of them serve to drive the transition from legacy web browsers to Edge Chromium. Internet Explorer can now be deactivated as a standalone browser. IE then only serves as a rendering engine for Edge in Internet Explorer Mode. If a user tries to start IE, this group policy automatically redirects the page to load in Edge.
Two other settings control the behavior of IE when it is run as a component of Edge. You can now show the Save target as entry in the context menu of a link. The other option allows you to activate hot keys, such as CTRL+S.
The legacy browsers also include the first generation of Edge, which Microsoft is now replacing with the Chromium version during Windows 10 feature upgrades. Until this change has taken place, a dialog warns the user that the current browser is outdated. This message can be suppressed via another setting.
In addition, there is an option for Windows Update. It is used to deactivate the so-called safeguards. These prevent the installation of feature upgrades on computers that contain components known to cause problems with a particular version of the operating system.
Another setting allows you to switch off the news feed in the taskbar. The next one removes the icon for Meet Now, which is a feature for video conferencing on Skype.
The remaining settings control text recognition for TIFF files, which is a feature of Windows Search. They allow, for example, the selection of the language based on the code page or cause the OCR function to always capture all pages of a TIFF.
In the past, searchOCR.admx, which contains these settings, was a constant source of error messages; while the language files were available, the actual template for them was missing.
Detailed information about all settings can be found in the Group Policy Settings Reference Spreadsheet. It also explicitly marks new options.
ADMX download
The templates with all current settings for the group policies are, as usual, part of the operating system and can be found under %SystemRoot%\PolicyDefinitions. In addition, the complete templates can now be downloaded from Microsoft's Download Center.
As usual, this package comes with 22 language files, whereas on a workstation, only en-US or the language of the localized Windows is available. The ADMX download primarily benefits users who use Windows 10 in multiple language versions.
In addition, there are ADMXs that are not relevant to local group policies and are therefore not part of the operating system. This includes GroupPolicyPreferences.admx for the configuration of Group Policy Preferences, which are available only in domains. Overall, the download is particularly recommended if you want to keep the templates in a central store.
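The mismatch described above for searchOCR.admx (language files present, template missing) can be checked for in any PolicyDefinitions folder, whether local or a central store. The following PowerShell is an added example, not code from the original article or from Microsoft; the function name Test-AdmxStore and its parameters are hypothetical, and the UNC path in the comment uses a placeholder domain name.

```powershell
# Added example: report template/language-file mismatches in a PolicyDefinitions folder.
function Test-AdmxStore {
    [CmdletBinding()]
    param(
        # Local store by default. For a central store, pass its UNC path, e.g.
        # \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions (placeholder domain).
        [string]$Path = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        # Language folders to check; en-US is the one present on every store.
        [string[]]$Culture = @('en-US')
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "PolicyDefinitions folder not found: $Path"
    }

    # Base names of all templates in the store root.
    $templates = @(Get-ChildItem -LiteralPath $Path -Filter '*.admx' -File |
        Where-Object { $_.Extension -eq '.admx' } |
        ForEach-Object { $_.BaseName })

    foreach ($c in $Culture) {
        $langDir = Join-Path $Path $c
        if (-not (Test-Path -LiteralPath $langDir -PathType Container)) {
            [pscustomobject]@{ Culture = $c; Name = '*'; Issue = 'Language folder missing' }
            continue
        }

        $languageFiles = @(Get-ChildItem -LiteralPath $langDir -Filter '*.adml' -File |
            Where-Object { $_.Extension -eq '.adml' } |
            ForEach-Object { $_.BaseName })

        # Language file without a template: the searchOCR case from the text.
        foreach ($name in $languageFiles) {
            if ($templates -notcontains $name) {
                [pscustomobject]@{ Culture = $c; Name = $name; Issue = 'ADML without ADMX' }
            }
        }
        # Template without a language file: the editor cannot load its strings.
        foreach ($name in $templates) {
            if ($languageFiles -notcontains $name) {
                [pscustomobject]@{ Culture = $c; Name = $name; Issue = 'ADMX without ADML' }
            }
        }
    }
}

# Audit the local store; an empty result means templates and language files match.
Test-AdmxStore | Format-Table -AutoSize
```

Running the check against the central store after copying in a new ADMX package shows whether any template or language file was left behind.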
Security Baseline, ADK, and RSAT
The Security Baseline is another tool that Microsoft provides with the release of Windows 10 21H1. It contains the manufacturer's recommended settings to harden the system. The update does not add any new settings or remove existing ones.
The baseline was refreshed primarily to bring the documentation up to date with the new GPO settings. It can be downloaded as part of the Microsoft Security Compliance Toolkit. This also includes the baselines for Edge and the Microsoft 365 applications.
The same applies to the Assessment and Deployment Kit (ADK). Since 21H1 shares the kernel and system files with the predecessors, there is no need for an update here. This is also true for WinPE, which has been a separate download since Windows 10 1809. Thus, you can continue to use the existing deployment tools.
21H1 does not bring any changes to the Remote Server Administration Tools (RSAT). Since version 1809, it has not been necessary to download these tools separately; instead, RSAT is installed as an optional feature.
The small number of innovations in Windows 10 21H1 is reflected in the tools for the administration and deployment of the system. Only the group policies bring some additional settings; otherwise, the toolbox remains largely unchanged.