Oct 13, 2016

New Group Policy Settings in Windows 10 version 1607

In Windows 10 1607 (Anniversary Update), new Group Policy settings were introduced. This post lists all the new settings and discusses the most interesting ones.

Each time Microsoft releases a new Windows 10 version, new .ADMX templates become available for download. The latest Excel spreadsheet identifying settings can be downloaded here.

I found that some settings in the spreadsheet were not marked as new. Thus, I put together the list below. Please note that:
  • To make the list more readable, I removed all settings for the App-V and UE-V clients (except “Enable APP-V” and “Enable UE-V”).
  • I included additional new settings I am aware of.
  • I will discuss the highlighted settings in this post.

| Policy Setting Name | Scope | Policy Path |
|---|---|---|
| Let Windows apps access account information | Machine | Windows Components\App Privacy |
| Let Windows apps access notifications | Machine | Windows Components\App Privacy |
| Enable App-V Client | Machine | System\App-V |
| Control Device Reactivation for Retail devices | Machine | Windows Components\Software Protection Platform |
| Allow Use of Camera | Machine | Windows Components\Camera |
| Configure Windows spotlight on lock screen | User | Windows Components\Cloud Content |
| Turn off all Windows spotlight features | User | Windows Components\Cloud Content |
| Do not suggest third-party content in Windows spotlight | User | Windows Components\Cloud Content |
| Configure the Commercial ID | Machine | Windows Components\Data Collection and Preview Builds |
| Absolute Max Cache Size (in GB) | Machine | Windows Components\Delivery Optimization |
| Maximum Download Bandwidth (in KB/s) | Machine | Windows Components\Delivery Optimization |
| Maximum Download Bandwidth (Percentage) | Machine | Windows Components\Delivery Optimization |
| Minimum Background QoS (in KB/s) | Machine | Windows Components\Delivery Optimization |
| Modify Cache Drive | Machine | Windows Components\Delivery Optimization |
| Monthly Upload Data Cap (in GB) | Machine | Windows Components\Delivery Optimization |
| Allow companion device for secondary authentication | Machine | Windows Components\Microsoft Secondary Authentication Factor |
| Turn on cloud candidate for CHS | User | Windows Components\IME |
| Allow edge swipe | Machine | Windows Components\Edge UI |
| Allow edge swipe | User | Windows Components\Edge UI |
| Enable Win32 long paths | Machine | System\Filesystem |
| Continue experiences on this device | Machine | System\Group Policy |
| Enable Font Providers | Machine | Network\Fonts |
| Process Mitigation Options | Machine | System\Mitigation Options |
| Process Mitigation Options | User | System\Mitigation Options |
| Allow Internet Explorer to use the SPDY/3 network protocol | Machine | Internet Control Panel\Advanced Page |
| Allow Internet Explorer to use the SPDY/3 network protocol | User | Internet Control Panel\Advanced Page |
| Send all sites not included in the Enterprise Mode Site List to Microsoft Edge. | Machine | Windows Components\Internet Explorer |
| Send all sites not included in the Enterprise Mode Site List to Microsoft Edge. | User | Windows Components\Internet Explorer |
| KDC support for PKInit Freshness Extension | Machine | System\KDC |
| Handle Caching on Continuous Availability Shares | Machine | Network\Lanman Workstation |
| Offline Files Availability on Continuous Availability Shares | Machine | Network\Lanman Workstation |
| Block user from showing account details on sign-in | Machine | System\Logon |
| Disable MDM Enrollment | Machine | Windows Components\MDM |
| Prevent access to the about:flags page in Microsoft Edge | Machine | Windows Components\Microsoft Edge |
| Prevent access to the about:flags page in Microsoft Edge | User | Windows Components\Microsoft Edge |
| Show message when opening sites in Internet Explorer | Machine | Windows Components\Microsoft Edge |
| Show message when opening sites in Internet Explorer | User | Windows Components\Microsoft Edge |
| Allow Extensions | Machine | Windows Components\Microsoft Edge |
| Allow Extensions | User | Windows Components\Microsoft Edge |
| Turn off Windows default printer management | User | Control Panel\Printers |
| Allow Cortana above lock screen | Machine | Windows Components\Search |
| Enable UEV | Machine | Windows Components\Microsoft User Experience Virtualization |
| Configure the ‘Block at First Sight’ feature | Machine | Windows Components\Windows Defender\MAPS |
| Define proxy auto-config (.pac) for connecting to the network | Machine | Windows Components\Windows Defender |
| Suppress all notifications | Machine | Windows Components\Windows Defender\Client Interface |
| Allow suggested apps in Windows Ink Workspace | Machine | Windows Components\Windows Ink Workspace |
| Allow Windows Ink Workspace | Machine | Windows Components\Windows Ink Workspace |
| Only display the private store within the Windows Store app | User | Windows Components\Store |
| Only display the private store within the Windows Store app | Machine | Windows Components\Store |
| Do not include drivers with Windows Updates | Machine | Windows Components\Windows Update |
| Select when Feature Updates are received | Machine | Windows Components\Windows Update\Defer Windows Updates |
| Select when Quality Updates are received | Machine | Windows Components\Windows Update\Defer Windows Updates |
| Turn off auto-restart for updates during active hours | Machine | Windows Components\Windows Update |
| Turn off unsolicited network traffic on the Offline Maps settings page | Machine | Windows Components\Maps |
| Don’t allow this PC to be projected to | Machine | Windows Components\Connect |
| Require pin for pairing | Machine | Windows Components\Connect |
| Turn off notification mirroring | User | Start Menu and Taskbar\Notifications |

Enable App-V

The App-V client is now part of Windows 10 and can be enabled using Group Policy or PowerShell (Enable-Appv) on Windows Enterprise and Education.

Enable-Appv using Group Policy

Let’s hope that App-V being a part of Windows 10 will help spread it, because it is really good technology.

Send all sites not included in the Enterprise Mode Site List to Microsoft Edge

This is an interesting new setting. Although Internet Explorer is still around to provide compatibility, a day will come when websites will have issues when used in Internet Explorer. This new setting can be used to ensure that sites that are not included in our Enterprise Mode Site List are opened in Edge.

Prevent access to the about:flags page in Microsoft Edge

The about:flags page in Edge allows you to enable experimental browser features or features that are of interest to developers. It might make sense to disable access to this page to prevent unnecessary service desk calls.

Windows 10 1607 introduced a new feature that allows you to set “active hours” when Windows Update won’t reboot the computer.

Allow extensions

Extensions in Edge are one of the new cool features. Most extensions target consumer users and are of little value in a corporate environment. Extensions also pose a security risk because it is often unclear what data they collect. With the help of this new Group Policy setting, we can disable extensions in Edge.

Turn off Windows default printer management

Starting with Windows 10 1511, the last printer used is set as the default printer.

In many organizations this behavior is unwanted. We had to use a Group Policy preference setting and a Registry key to turn it off. In Windows 10 1607, we now have a new Group Policy setting that can be used to turn off the default printer management.

Only display the private store within the Windows Store app

This policy allows you to control which applications can be installed from the Store.

Turn off auto restart for updates during active hours

This policy allows you to configure the new Active hours feature in Windows 10. Please read this post for more information.

If you are aware of another new Group Policy in Windows 10 1607, please leave a comment below.
