Filename | Setting Name | Description | Explanation |
---|---|---|---|
AppPrivacy.admx | LetAppsActivateWithVoice | Let Windows apps activate with voice | This policy setting specifies whether Windows apps can be activated by voice. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can be activated with a voice keyword by using Settings > Privacy on the device. If you choose the "Force Allow" option, Windows apps are allowed to be activated with a voice keyword and employees in your organization cannot change it. If you choose the "Force Deny" option, Windows apps are not allowed to be activated with a voice keyword and employees in your organization cannot change it. If you disable or do not configure this policy setting, employees in your organization can decide whether Windows apps can be activated with a voice keyword by using Settings > Privacy on the device. This policy is applied to Windows apps and Cortana. |
AppPrivacy.admx | LetAppsActivateWithVoiceAboveLock | Let Windows apps activate with voice while the system is locked | This policy setting specifies whether Windows apps can be activated by voice while the system is locked. If you choose the "User is in control" option, employees in your organization can decide whether users can interact with applications using speech while the system is locked by using Settings > Privacy on the device. If you choose the "Force Allow" option, users can interact with applications using speech while the system is locked and employees in your organization cannot change it. If you choose the "Force Deny" option, users cannot interact with applications using speech while the system is locked and employees in your organization cannot change it. If you disable or do not configure this policy setting, employees in your organization can decide whether users can interact with applications using speech while the system is locked by using Settings > Privacy on the device. This policy is applied to Windows apps and Cortana. It takes precedence over the "Allow Cortana above lock" policy. This policy is applicable only when the "Allow voice activation" policy is configured to allow applications to be activated with voice. |
CredUI.admx | NoLocalPasswordResetQuestions | Prevent the use of security questions for local accounts | If you turn this policy setting on, local users won’t be able to set up and use security questions to reset their passwords. |
DataCollection.admx | AllowCommercialDataPipeline | Allow commercial data pipeline | AllowCommercialDataPipeline opts the device into the Windows enterprise data pipeline. If you enable this setting, data collected from the device will be opted into the Windows enterprise data pipeline. If you disable or don't configure this setting, all data from the device will be collected and processed in accordance with our policies for the Windows standard data pipeline. Configuring this setting does not change the telemetry collection level or the ability of the user to change the level. This setting only applies to the Windows operating system and apps included with Windows, not third-party apps or services running on Windows 10. |
DeliveryOptimization.admx | DelayCacheServerFallbackBackground | Delay Background download Cache Server fallback (in seconds) | Set this policy to delay the fallback from Cache Server to the HTTP source for a background content download by X seconds. Note: if you set the policy to delay background download from http, it will apply first (to allow downloads from peers first). |
DeliveryOptimization.admx | DelayCacheServerFallbackForeground | Delay Foreground download Cache Server fallback (in seconds) | Set this policy to delay the fallback from Cache Server to the HTTP source for a foreground content download by X seconds. Note: if you set the policy to delay foreground download from http, it will apply first (to allow downloads from peers first). |
Logon.admx | DisableAcrylicBackgroundOnLogon | Show clear logon background | This policy setting disables the acrylic blur effect on the logon background image. If you enable this policy, the logon background image is shown without blur. If you disable or do not configure this policy, the logon background image uses the acrylic blur effect. |
MSDT.admx | TroubleshootingAllowRecommendations | Troubleshooting: Allow users to access recommended troubleshooting for known problems | This policy setting applies recommended troubleshooting for known problems on the device and lets administrators configure how it is applied in their domains/IT environments. Not configuring this policy setting allows the user to configure if and how recommended troubleshooting is applied. Enabling this policy lets you configure how recommended troubleshooting is applied on the user's device. You can select one of the following values: 0 = Turn this feature off. 1 = Turn this feature off but still apply critical troubleshooting. 2 = Notify users when recommended troubleshooting is available, then allow the user to run or ignore it. 3 = Run recommended troubleshooting automatically and notify the user after it has been successfully run. 4 = Run recommended troubleshooting automatically without notifying the user. 5 = Allow the user to choose their own recommended troubleshooting settings. After configuring this setting, to trigger recommended troubleshooting for devices in your domain, follow these steps: 1. Create a .bat script with the following contents: `rem The following batch script triggers Recommended Troubleshooting` followed by `C:\Windows\System32\mitigationscanner.exe`. 2. To create a new immediate task, navigate to Group Policy Management Editor > Computer Configuration > Preferences and select Control Panel Settings. 3. Under Control Panel Settings, right-click Scheduled Tasks and select New > Immediate Task (At least Windows 7). 4. Provide a name and description as appropriate, then under Security Options set the user account to System and select the "Run with highest privileges" checkbox. 5. In the Actions tab, create a new action, select "Start a program" as its type, then enter the path of the file created in step 1. 6. Configure the task to deploy to your domain. |
ServiceControlManager.admx | SvchostProcessMitigationEnable | Enable svchost.exe mitigation options | This policy setting enables process mitigation options on svchost.exe processes. If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically generated code. If you disable or do not configure this policy setting, these stricter security settings will not be applied. |
StorageSense.admx | SS_AllowStorageSenseGlobal | Allow Storage Sense | Storage Sense can automatically clean some of the user's files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the "Configure Storage Sense cadence" group policy. Enabled: Storage Sense is turned on for the machine, with the default cadence of "during low free disk space". Users cannot disable Storage Sense, but they can adjust the cadence (unless you also configure the "Configure Storage Sense cadence" group policy). Disabled: Storage Sense is turned off for the machine. Users cannot enable Storage Sense. Not Configured: By default, Storage Sense is turned off until the user runs into low disk space or enables it manually. Users can configure this setting in Storage settings. |
StorageSense.admx | SS_ConfigStorageSenseGlobalCadence | Configure Storage Sense cadence | Storage Sense can automatically clean some of the user’s files to free up disk space. If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. Enabled: You must provide the desired Storage Sense cadence. Supported options are: daily, weekly, monthly, and during low free disk space. The default is 0 (during low free disk space). Disabled or Not Configured: By default, the Storage Sense cadence is set to “during low free disk space”. Users can configure this setting in Storage settings. |
StorageSense.admx | SS_AllowStorageSenseTemporaryFilesCleanup | Allow Storage Sense Temporary Files cleanup | When Storage Sense runs, it can delete the user’s temporary files that are not in use. If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. Enabled: Storage Sense will delete the user’s temporary files that are not in use. Users cannot disable this setting in Storage settings. Disabled: Storage Sense will not delete the user’s temporary files. Users cannot enable this setting in Storage settings. Not Configured: By default, Storage Sense will delete the user’s temporary files. Users can configure this setting in Storage settings. |
StorageSense.admx | SS_ConfigStorageSenseRecycleBinCleanupThreshold | Configure Storage Sense Recycle Bin cleanup threshold | When Storage Sense runs, it can delete files in the user's Recycle Bin if they have been there for more than a certain number of days. If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. Enabled: You must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are 0 - 365. If you set this value to zero, Storage Sense will not delete files in the user's Recycle Bin. The default is 30 days. Disabled or Not Configured: By default, Storage Sense will delete files in the user's Recycle Bin that have been there for more than 30 days. Users can configure this setting in Storage settings. |
StorageSense.admx | SS_ConfigStorageSenseDownloadsCleanupThreshold | Configure Storage Sense Downloads cleanup threshold | When Storage Sense runs, it can delete files in the user's Downloads folder if they have been there for more than a certain number of days. If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. Enabled: You must provide the minimum age threshold (in days) of a file in the Downloads folder before Storage Sense will delete it. Supported values are 0 - 365. If you set this value to zero, Storage Sense will not delete files in the user's Downloads folder. The default is 0, which means files in the Downloads folder are never deleted. Disabled or Not Configured: By default, Storage Sense will not delete files in the user's Downloads folder. Users can configure this setting in Storage settings. |
StorageSense.admx | SS_ConfigStorageSenseCloudContentDehydrationThreshold | Configure Storage Sense Cloud Content dehydration threshold | When Storage Sense runs, it can dehydrate cloud-backed content that has not been opened in a certain number of days. If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. Enabled: You must provide the number of days since a cloud-backed file has been opened before Storage Sense will dehydrate it. Supported values are 0 - 365. If you set this value to zero, Storage Sense will not dehydrate any cloud-backed content. The default value is 0, which means cloud-backed content is never dehydrated. Disabled or Not Configured: By default, Storage Sense will not dehydrate any cloud-backed content. Users can configure this setting in Storage settings. |
TerminalServer.admx | TS_SERVER_WDDM_GRAPHICS_DRIVER | Use WDDM graphics display driver for Remote Desktop Connections | This policy setting lets you enable the WDDM graphics display driver for Remote Desktop Connections. If you enable this policy setting, Remote Desktop Connections will use the WDDM graphics display driver. If you disable this policy setting, Remote Desktop Connections will NOT use the WDDM graphics display driver; in this case, Remote Desktop Connections will use the XDDM graphics display driver. If you do not configure this policy setting, Remote Desktop Connections on the RD Session Host server will NOT use the WDDM graphics display driver. In all other cases, Remote Desktop Connections will use the WDDM graphics display driver. For this change to take effect, you must restart Windows. |
WindowsDefender.admx | SignatureUpdate_SharedSignaturesLocation | Define security intelligence location for VDI clients | This policy setting allows you to define the security intelligence location for VDI-configured computers. If you disable or do not configure this setting, security intelligence will be loaded from the default local source. |
WindowsUpdate.admx | ComplianceDeadline | Specify deadlines for automatic updates and restarts | This policy lets you specify the number of days that a user has before quality and feature updates are installed on their devices automatically, and a grace period after which required restarts occur automatically. Updates and restarts will occur regardless of active hours, and the user will not be able to reschedule. Deadlines for feature updates and quality updates can be up to 30 days. The auto-restart grace period can be from 0 to 7 days. You can also disable auto-restarts until the end of the auto-restart grace period. If you disable or do not configure this policy, devices will get updates and will restart according to the default schedule. This policy will override the following policies: 1. Specify deadline before auto restart for update installation 2. Specify Engaged restart transition and notification schedule for updates 3. Always automatically restart at the scheduled time 4. No auto-restart with logged on users for scheduled automatic updates installation |
WinLogon.admx | ConfigAutomaticRestartSignOn | Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot | This policy setting controls the conditions under which automatic restart, sign-on and lock occur after a restart or cold boot. If you choose "Disabled" in the "Sign-in and lock last interactive user automatically after a restart" policy, then automatic sign-on will not occur and this policy does not need to be configured. If you enable this policy setting, you can choose one of the following two options: 1. "Enabled if BitLocker is on and not suspended" specifies that automatic sign-on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data on the device's hard drive can be accessed at this time if BitLocker is not on or is suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. BitLocker is suspended during updates if: - The device doesn't have TPM 2.0 and PCR7, or - The device doesn't use a TPM-only protector. 2. "Always Enabled" specifies that automatic sign-on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign-on should only be run under this condition if you are confident that the configured device is in a secure physical location. If you disable or don't configure this setting, automatic sign-on will default to the "Enabled if BitLocker is on and not suspended" behavior. |