This document lists all known Group Policy / Intune Policy CSP differences between Windows 10/11 Pro and Windows 10/11 Enterprise/Education. Microsoft might change the Group Policy / Intune Policy CSP behavior in feature upgrades.
- AppLocker
- BranchCache
- Credential Guard
- DirectAccess
- Device Guard
- Configure Windows spotlight on lock screen
- Turn off Spotlight collection on Desktop
- Turn off all Windows spotlight features
- Turn off Windows Spotlight on Action Center
- Turn off Windows Spotlight on Settings
- Turn off the Windows Welcome Experience
- Enable Organizational Messages
- Force a specific default lock screen and logon image
- Show lock in the user tile menu
- Prevent non-admin users from installing packaged Windows apps
- Disable all apps from Microsoft Store
- Turn off the Store application
- Only display the private store within the Microsoft Store
- Do not sync browser settings / Allow users to turn "browser" syncing on
- Enable svchost.exe mitigation options
- Turn off cloud optimized content
- Turn off cloud consumer account state content
- Do not show Windows tips
- Turn off Microsoft consumer experiences
- Allow Telemetry / Diagnostic data off
This Microsoft document gives a general overview of the differences between the Windows 10 editions.
If you know of another Group Policy / Intune difference between the Windows 10 editions, please update the document. Only registered 4sysops members can edit wiki docs.
The following Group Policy / Intune settings only work in Windows 10/11 Enterprise/Education and not in Windows 10/11 Pro. A number of the settings described below refer to a folder with several Group Policies that are related to the corresponding features. The descriptions are from Microsoft.
AppLocker
Description
Allows you to specify which users or groups can run particular applications in your organization based on unique identities of files.
Path
Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker
Additional Information
BranchCache
Description
BranchCache copies content from your main office or hosted cloud content servers and caches the content at branch office locations, allowing client computers at branch offices to access the content locally rather than over the WAN.
Path
Computer Configuration > Network > BranchCache
Additional Information
BranchCache Client Configuration
Credential Guard
Description
Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
Path
Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security
Additional Information
DirectAccess
Description
DirectAccess allows connectivity to organizational network resources without the need for traditional virtual private network (VPN) connections.
Path
Computer Configuration > Administrative Templates > Network > DirectAccess Client Experience Settings
Additional Information
Configure the DirectAccess Infrastructure
Device Guard
Description
Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies.
Path
Computer Configuration > Administrative Templates > System > Device Guard
Additional Information
Configure Windows spotlight on lock screen
Description
This policy setting lets you configure Windows spotlight on the lock screen.
Policy path
User Configuration > Windows Components > Cloud Content > Configure Windows spotlight on lock screen
Additional information
Configure Windows spotlight on lock screen
ConfigureWindowsSpotlightOnLockScreen
Turn off Spotlight collection on Desktop
Description
This policy setting removes the Spotlight collection setting in Personalization, rendering the user unable to select and subsequently download daily images from Microsoft to desktop.
Policy path
User Configuration > Windows Components > Cloud Content > Turn off Spotlight collection on Desktop
Additional information
Turn off Spotlight collection on Desktop
Turn off all Windows spotlight features
Description
This policy setting lets you turn off all Windows Spotlight features at once.
Policy path
User Configuration > Windows Components > Cloud Content > Turn off all Windows spotlight features
Additional information
Turn off all Windows spotlight features
Turn off Windows Spotlight on Action Center
Description
Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed.
Policy path
User Configuration > Windows Components > Cloud Content > Turn off Windows Spotlight on Action Center
Additional information
Turn off Windows Spotlight on Action Center
AllowWindowsSpotlightOnActionCenter
Turn off Windows Spotlight on Settings
Description
Turn off the Windows Spotlight in the Settings app.
Policy path
User Configuration > Windows Components > Cloud Content > Turn off Windows Spotlight on Settings
Additional information
Turn off Windows Spotlight on Settings
AllowWindowsSpotlightOnSettings
Turn off the Windows Welcome Experience
Description
This policy setting lets you turn off the Windows Spotlight Windows Welcome experience. This feature helps onboard users to Windows, for instance launching Microsoft Edge with a web page highlighting new features.
Policy path
User Configuration > Windows Components > Cloud Content > Turn off the Windows Welcome Experience
Additional information
Turn off the Windows Welcome Experience
AllowWindowsSpotlightWindowsWelcomeExperience
Enable Organizational Messages
Description
Organizational messages allow Administrators to deliver messages to their end users on selected Windows 11 experiences. Organizational messages are available to Administrators via services like Microsoft Endpoint Manager.
Policy path
User Configuration > Windows Components > Cloud Content > Enable Organizational Messages
Additional information
Organizational messages for Windows 11 now in public preview
Force a specific default lock screen and logon image
Description
This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens.
Policy path
Computer Configuration > Administrative Templates > Control Panel > Personalization > Force a specific default lock screen and logon image
Additional information
Force a specific default lock screen and logon image
CPL_Personalization_ForceDefaultLockScreen
Show lock in the user tile menu
Description
Shows or hides lock from the user tile menu.
Policy path
Computer Configuration > Administrative Templates > Windows Components > File Explorer > Show lock in the user tile menu
Additional information
Show lock in the user tile menu
Prevent non-admin users from installing packaged Windows apps
Description
Manages non-Administrator users' ability to install Windows app packages.
If you enable this policy, non-Administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies.
If you disable or do not configure this policy, all users will be able to initiate installation of Windows app packages.
Policy path
Computer Configuration > Administrative Templates > Windows Components > Store > Prevent non-admin users from installing packaged Windows apps
Additional information
Prevent non-administrator users from installing Windows app packages via Windows 10 MDM
Prevent non-admin users from installing packaged Windows apps
Disable all apps from Microsoft Store
Description
Disable turns off the launch of all apps from the Microsoft Store that came pre-installed or were downloaded. Apps will not be updated. Your Store will also be disabled.
Policy path
Computer Configuration > Administrative Templates > Windows Components > Store > Disable all apps from Microsoft Store
Additional information
Disable all apps from Microsoft Store
Turn off the Store application
Description
Denies or allows access to the Store application.
Policy path
Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application
User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application
Additional information
Configure access to Microsoft Store - Block Microsoft Store using Group Policy
Can't disable Windows Store in Windows 10 Pro through Group Policy
Turn off the Store application
Only display the private store within the Microsoft Store
Description
Denies access to the retail catalog in the Microsoft Store, but displays the private store.
Policy path
Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store
User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store
Additional information
Configure access to Microsoft Store - Show private store only using Group Policy
Only display the private store within the Microsoft Store
Do not sync browser settings / Allow users to turn "browser" syncing on
Description
Prevent the "browser" group from syncing to and from this PC. This turns off and disables the "browser" group on the "sync your settings" page in PC settings. The "browser" group contains settings and info like history and favorites. Use the option "Allow users to turn browser syncing on" so that syncing is turned off by default but not disabled - only this option is restricted under Windows Enterprise.
Policy path
Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync browser settings > Allow users to turn "browser" syncing on
Additional information
PreventUsersFromTurningOnBrowserSyncing
Enable svchost.exe mitigation options
Description
This policy setting enables process mitigation options on svchost.exe processes.
Policy path
Computer Configuration > Administrative Templates > System > Service Control Manager Settings > Security Settings > Enable svchost.exe mitigation options
Additional information
Enable svchost.exe mitigation options
Turn off cloud optimized content
Description
This policy setting lets you turn off cloud optimized content in all Windows experiences.
Policy path
Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off cloud optimized content
Additional information
Turn off cloud optimized content
Turn off cloud consumer account state content
Description
This policy setting lets you turn off cloud consumer account state content in all Windows experiences.
Policy path
Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Do not show Windows tips
Additional information
Turn off cloud consumer account state content
DisableConsumerAccountStateContent
Do not show Windows tips
Description
This policy setting prevents Windows tips from being shown to users.
Policy path
Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Do not show Windows tips
Additional information
Turn off Microsoft consumer experiences
Description
This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. Includes Start menu suggestions, Membership notifications, consumer app installations (e.g. Candy Crush, Minecraft, Royal Revolt post-OOBE install), redirect tiles.
Policy path
Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off Microsoft consumer experiences
Additional information
Turn off Microsoft customer experiences
Allow Telemetry / Diagnostic data off
Description
By configuring this policy setting you can adjust what diagnostic data is collected from Windows. This policy setting also restricts the user from increasing the amount of diagnostic data collection via the Settings app. The diagnostic data collected under this policy impacts the operating system and apps that are considered part of Windows and does not apply to any additional apps installed by your organization. This setting was previously labelled as Security. Using the value 'Diagnostic data off', no diagnostic data is sent from the device - this is only available on Windows Server, Windows Enterprise, and Windows Education editions.
Policy path
Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Diagnostic Data > Diagnostic data off (not recommended)
Additional information
Configure Windows diagnostic data in your organisation - Diagnostic data off
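One way to audit for this gap, as an added example that is not part of the original wiki: the PowerShell below reports policies from this list that are set in the registry on a device whose edition does not honor them. The registry keys, value names and the EditionID match are assumptions based on the standard ADMX registry mapping, not something this page states, and `Get-IgnoredPolicy` is a hypothetical helper name.

```powershell
# Added example. Registry locations are assumptions from the standard ADMX
# mapping; the page itself gives only the policy names and GPO paths.
$Checks = @(
    @{ Policy = 'Turn off Microsoft consumer experiences'
       Key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
       Name   = 'DisableWindowsConsumerFeatures' },
    @{ Policy = 'Do not show Windows tips'
       Key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
       Name   = 'DisableSoftLanding' },
    @{ Policy = 'Configure Windows spotlight on lock screen'
       Key    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
       Name   = 'ConfigureWindowsSpotlight' },
    # Only the value 0 ("Diagnostic data off") is edition-restricted.
    @{ Policy    = 'Allow Telemetry: Diagnostic data off'
       Key       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Name      = 'AllowTelemetry'
       OnlyValue = 0 }
)

function Get-IgnoredPolicy {
    param(
        # Defaults to the local edition; pass a value to exercise the logic.
        [string]$EditionID = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    )
    # Assumption: honoring client editions report an EditionID that starts with
    # Enterprise or Education; Pro reports "Professional". Server editions are
    # not handled here.
    if ($EditionID -match '^(Enterprise|Education)') { return }

    foreach ($c in $Checks) {
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # policy not configured
        $value = $item.($c.Name)
        if ($c.ContainsKey('OnlyValue') -and $value -ne $c.OnlyValue) { continue }
        [pscustomobject]@{
            Edition = $EditionID
            Policy  = $c.Policy
            Value   = $value
            Finding = 'Configured, but not honored on this edition'
        }
    }
}

Get-IgnoredPolicy | Format-Table -AutoSize
```

Any row in the output is a setting that a GPO or Intune profile reports as applied while the device keeps its default behavior, so treat it as a compliance gap rather than a hardened control.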
A few more ones to add (see the descriptions):
‘Configure Windows spotlight on lock screen’
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::ConfigureWindowsSpotlight
‘Turn off Microsoft consumer experiences’
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableWindowsConsumerFeatures
‘Do not show Windows Tips’
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableSoftLanding
‘Allow Telemetry’ – specifically, ‘Diagnostic data off (not recommended)’ setting is ‘Enterprise Only’
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowTelemetry