Group Policy differences between Windows 10 Enterprise and Windows 10 Pro

This document lists all known Group Policy / Intune Policy CSP differences between Windows 10/11 Pro and Windows 10/11 Enterprise/Education. Microsoft might change the Group Policy / Intune Policy CSP behavior in feature upgrades.

Contents
  1. AppLocker
  2. BranchCache
  3. Credential Guard
  4. DirectAccess
  5. Device Guard
  6. Configure Windows spotlight on lock screen
  7. Turn off Spotlight collection on Desktop
  8. Turn off all Windows spotlight features
  9. Turn off Windows Spotlight on Action Center
  10. Turn off Windows Spotlight on Settings
  11. Turn off the Windows Welcome Experience
  12. Enable Organizational Messages
  13. Force a specific default lock screen and logon image
  14. Show lock in the user tile menu
  15. Prevent non-admin users from installing packaged Windows apps
  16. Disable all apps from Microsoft Store
  17. Turn off the Store application
  18. Only display the private store within the Microsoft Store
  19. Do not sync browser settings / Allow users to turn "browser" syncing on
  20. Enable svchost.exe mitigation options
  21. Turn off cloud optimized content
  22. Turn off cloud consumer account state content
  23. Do not show Windows tips
  24. Turn off Microsoft consumer experiences
  25. Allow Telemetry / Diagnostic data off

This Microsoft document gives a general overview of the differences between the Windows 10 editions.

If you know of another Group Policy / Intune difference between the Windows 10 editions, please update the document. Only registered 4sysops members can edit wiki docs.

The following Group Policy / Intune settings only work in Windows 10/11 Enterprise/Education and not in Windows 10/11 Pro. A number of the settings described below refer to a folder with several Group Policies that are related to the corresponding feature. The descriptions are from Microsoft.

AppLocker

Description

Allows you to specify which users or groups can run particular applications in your organization based on unique identities of files.

Path

Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker

Additional Information

Windows AppLocker

BranchCache

Description

BranchCache copies content from your main office or hosted cloud content servers and caches the content at branch office locations, allowing client computers at branch offices to access the content locally rather than over the WAN.

Path

Computer Configuration > Network > BranchCache

Additional Information

BranchCache Client Configuration

Credential Guard

Description

Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.

Path

Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security

Additional Information

Configure Credential Guard

DirectAccess

Description

DirectAccess allows connectivity to organizational network resources without the need for traditional virtual private network (VPN) connections.

Path

Computer Configuration > Administrative Templates > Network > DirectAccess Client Experience Settings

Additional Information

Configure the DirectAccess Infrastructure

Device Guard

Description

Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies.

Path

Computer Configuration > Administrative Templates > System > Device Guard

Additional Information

Device Guard deployment guide

Configure Windows spotlight on lock screen

Description

This policy setting lets you configure Windows spotlight on the lock screen.

Policy path

User Configuration > Windows Components > Cloud Content > Configure Windows spotlight on lock screen

Additional information

Configure Windows spotlight on the lock screen - How do you disable Windows spotlight for managed devices?

Configure Windows spotlight on lock screen

ConfigureWindowsSpotlightOnLockScreen

Turn off Spotlight collection on Desktop

Description

This policy setting removes the Spotlight collection setting in Personalization, rendering the user unable to select and subsequently download daily images from Microsoft to desktop.

Policy path

User Configuration > Windows Components > Cloud Content > Turn off Spotlight collection on Desktop

Additional information

Turn off Spotlight collection on Desktop

AllowSpotlightCollection

Turn off all Windows spotlight features

Description

This policy setting lets you turn off all Windows Spotlight features at once.

Policy path

User Configuration > Windows Components > Cloud Content > Turn off all Windows spotlight features

Additional information

Configure Windows spotlight on the lock screen - How do you disable Windows spotlight for managed devices?

Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services - 25. Personalized Experiences

Turn off all Windows spotlight features

AllowWindowsSpotlight

Turn off Windows Spotlight on Action Center

Description

Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an ongoing basis to introduce users to what is new or changed.

Policy path

User Configuration > Windows Components > Cloud Content > Turn off Windows Spotlight on Action Center

Additional information

Configure Windows spotlight on the lock screen - How do you disable Windows spotlight for managed devices?

Turn off Windows Spotlight on Action Center

AllowWindowsSpotlightOnActionCenter

Turn off Windows Spotlight on Settings

Description

Turn off the Windows Spotlight in the Settings app.

Policy path

User Configuration > Windows Components > Cloud Content > Turn off Windows Spotlight on Settings

Additional information

Configure Windows spotlight on the lock screen - How do you disable Windows spotlight for managed devices?

Turn off Windows Spotlight on Settings

AllowWindowsSpotlightOnSettings

Turn off the Windows Welcome Experience

Description

This policy setting lets you turn off the Windows Spotlight Windows Welcome experience. This feature helps onboard users to Windows, for instance launching Microsoft Edge with a web page highlighting new features.

Policy path

User Configuration > Windows Components > Cloud Content > Turn off the Windows Welcome Experience

Additional information

Configure Windows spotlight on the lock screen - How do you disable Windows spotlight for managed devices?

Turn off the Windows Welcome Experience

AllowWindowsSpotlightWindowsWelcomeExperience

Enable Organizational Messages

Description

Organizational messages allow Administrators to deliver messages to their end users on selected Windows 11 experiences. Organizational messages are available to Administrators via services like Microsoft Endpoint Manager.

Policy path

User Configuration > Windows Components > Cloud Content > Enable Organizational Messages

Additional information

Organizational messages for Windows 11 now in public preview

EnableOrganizationalMessages

Force a specific default lock screen and logon image

Description

This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens.

Policy path

Computer Configuration > Administrative Templates > Control Panel > Personalization > Force a specific default lock screen and logon image

Additional information

Configure Windows spotlight on the lock screen - How do you disable Windows spotlight for managed devices?

Force a specific default lock screen and logon image

CPL_Personalization_ForceDefaultLockScreen

Show lock in the user tile menu

Description

Shows or hides lock from the user tile menu.

Policy path

Computer Configuration > Administrative Templates > Windows Components > File Explorer > Show lock in the user tile menu

Additional information

Show lock in the user tile menu

ShowLockOnUserTile

Prevent non-admin users from installing packaged Windows apps

Description

Manages non-Administrator users' ability to install Windows app packages.

If you enable this policy, non-Administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies.

If you disable or do not configure this policy, all users will be able to initiate installation of Windows app packages.

Policy path

Computer Configuration > Administrative Templates > Windows Components > Store > Prevent non-admin users from installing packaged Windows apps

Additional information

Prevent non-administrator users from installing Windows app packages via Windows 10 MDM

Prevent non-admin users from installing packaged Windows apps

BlockNonAdminUserInstall

Disable all apps from Microsoft Store

Description

Disable turns off the launch of all apps from the Microsoft Store that came pre-installed or were downloaded. Apps will not be updated. Your Store will also be disabled.

Policy path

Computer Configuration > Administrative Templates > Windows Components > Store > Disable all apps from Microsoft Store

Additional information

Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services - 26. Microsoft Store

Disable all apps from Microsoft Store

DisableStoreOriginatedApps

Turn off the Store application

Description

Denies or allows access to the Store application.

Policy path

Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

Additional information

Configure access to Microsoft Store - Block Microsoft Store using Group Policy

Can't disable Windows Store in Windows 10 Pro through Group Policy

Turn off the Store application

AllowStore

Only display the private store within the Microsoft Store

Description

Denies access to the retail catalog in the Microsoft Store, but displays the private store.

Policy path

Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store

User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store

Additional information

Configure access to Microsoft Store - Show private store only using Group Policy

Only display the private store within the Microsoft Store

RequirePrivateStoreOnly

Do not sync browser settings / Allow users to turn "browser" syncing on

Description

Prevent the "browser" group from syncing to and from this PC. This turns off and disables the "browser" group on the "sync your settings" page in PC settings. The "browser" group contains settings and info like history and favorites. Use the option "Allow users to turn browser syncing on" so that syncing is turned off by default but not disabled - only this option is restricted under Windows Enterprise.

Policy path

Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync browser settings > Allow users to turn "browser" syncing on

Additional information

Do not sync browser settings

PreventUsersFromTurningOnBrowserSyncing

Enable svchost.exe mitigation options

Description

This policy setting enables process mitigation options on svchost.exe processes.

Policy path

Computer Configuration > Administrative Templates > System > Service Control Manager Settings > Security Settings > Enable svchost.exe mitigation options

Additional information

Enable svchost.exe mitigation options

SvchostProcessMitigation

Turn off cloud optimized content

Description

This policy setting lets you turn off cloud optimized content in all Windows experiences.

Policy path

Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off cloud optimized content

Additional information

Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services - 25. Personalized Experiences

Turn off cloud optimized content

DisableCloudOptimizedContent

Turn off cloud consumer account state content

Description

This policy setting lets you turn off cloud consumer account state content in all Windows experiences.

Policy path

Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Do not show Windows tips

Additional information

Turn off cloud consumer account state content

DisableConsumerAccountStateContent

Do not show Windows tips

Description

This policy setting prevents Windows tips from being shown to users.

Policy path

Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Do not show Windows tips

Additional information

Do not show Windows tips

AllowWindowsTips

Turn off Microsoft consumer experiences

Description

This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. Includes Start menu suggestions, Membership notifications, consumer app installations (e.g. Candy Crush, Minecraft, Royal Revolt post-OOBE install), redirect tiles.

Policy path

Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off Microsoft consumer experiences

Additional information

Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services - 18.16 Feedback & diagnostics

Turn off Microsoft consumer experiences

AllowWindowsConsumerFeatures

Allow Telemetry / Diagnostic data off

Description

By configuring this policy setting you can adjust what diagnostic data is collected from Windows. This policy setting also restricts the user from increasing the amount of diagnostic data collection via the Settings app. The diagnostic data collected under this policy impacts the operating system and apps that are considered part of Windows and does not apply to any additional apps installed by your organization. This setting was previously labelled as Security. Using the value 'Diagnostic data off', no diagnostic data is sent from the device - this is only available on Windows Server, Windows Enterprise, and Windows Education editions.

Policy path

Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Diagnostic Data > Diagnostic data off (not recommended)

Additional information

Configure Windows diagnostic data in your organisation - Diagnostic data off

Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services - 18.16 Feedback & diagnostics

Allow Diagnostic Data

AllowTelemetry

Discussion (1)

  1. A few more ones to add (see the descriptions):

    ‘Configure Windows spotlight on lock screen’
    https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::ConfigureWindowsSpotlight

    ‘Turn off Microsoft consumer experiences’
    https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableWindowsConsumerFeatures

    ‘Do not show Windows Tips’
    https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableSoftLanding

    ‘Allow Telemetry’ – specifically, ‘Diagnostic data off (not recommended)’ setting is ‘Enterprise Only’
    https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowTelemetry

© 4sysops 2006 - 2023
