What's new in ADMX and Group Policy for Windows 1703 Creators Edition
The new ADMX files are ready for download. You can get them here from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=55080
Here’s my (usual) advice:
1. If you don’t have a central store, please first watch this video I made on it.
2. If you already have a central store, leave what’s already there, and then overwrite anything NEW from the download on top of what you ALREADY have.
3. Install these ADMX files… even if you have no Windows 10 at all, and/or even if you have no Windows 10 1703. Just.. use them.
4. Is this advice perfect for everyone? No; but for 99.98% of people, it’s the right thing. To see more on this idea, see this great blog entry from Kai O. from Microsoft:
https://blogs.technet.microsoft.com/grouppolicy/2016/10/12/admx-version-history/ . Note: This isn’t updated yet for 1703, but hopefully soon.
(Note: For more on this, I cover it in unbelievable detail in my live training class: www.GPanswers.com/training.)
If you want to know WHAT IS NEW in Group Policy for Windows 1703 Creators Edition, I have a list of those here.
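One way to script step 2, as an added example (not the author's or Microsoft's code): back up the central store, then copy the downloaded .admx/.adml files over it without deleting anything already there. The function name, its parameters and the paths in the usage comment are assumptions.

```powershell
# Added example: merge downloaded ADMX/ADML files into an existing central store.
# Nothing is ever deleted from the store; same-named files are overwritten.
function Merge-AdmxCentralStore {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Source,        # PolicyDefinitions folder from the download
        [Parameter(Mandatory)] [string] $CentralStore,  # \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions
        [Parameter(Mandatory)] [string] $BackupRoot     # existing folder that receives the backup copy
    )
    $Source       = (Resolve-Path -LiteralPath $Source).ProviderPath.TrimEnd('\')
    $CentralStore = (Resolve-Path -LiteralPath $CentralStore).ProviderPath.TrimEnd('\')

    # Back up the current store first so the merge can be rolled back.
    $backup = Join-Path $BackupRoot ('PolicyDefinitions-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
    if ($PSCmdlet.ShouldProcess($CentralStore, "Back up to $backup")) {
        Copy-Item -LiteralPath $CentralStore -Destination $backup -Recurse
    }

    # Walk the download (including language folders such as en-US) and copy file by file.
    Get-ChildItem -Path $Source -Recurse -File |
        Where-Object { $_.Extension -in '.admx', '.adml' } |
        ForEach-Object {
            $relative = $_.FullName.Substring($Source.Length).TrimStart('\')
            $target   = Join-Path $CentralStore $relative

            # Classify by content hash so the report shows what actually changes.
            $state = 'Unchanged'
            if (-not (Test-Path -LiteralPath $target)) {
                $state = 'Added'
            }
            elseif ((Get-FileHash -LiteralPath $_.FullName).Hash -ne
                    (Get-FileHash -LiteralPath $target).Hash) {
                $state = 'Replaced'
            }

            if ($state -ne 'Unchanged' -and $PSCmdlet.ShouldProcess($target, $state)) {
                New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
                Copy-Item -LiteralPath $_.FullName -Destination $target -Force
            }
            [pscustomobject]@{ File = $relative; State = $state }
        }
}

# Dry run first (constructed paths; replace with your own):
# Merge-AdmxCentralStore -Source 'C:\Temp\PolicyDefinitions' `
#     -CentralStore '\\corp.example\SYSVOL\corp.example\Policies\PolicyDefinitions' `
#     -BackupRoot 'D:\Backups' -WhatIf
```

Running with `-WhatIf` lists the files that would be added or replaced without touching SYSVOL.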
There are 107 new policy settings.
Scope | Policy Path | Policy Setting |
Machine | Control Panel | Settings Page Visibility |
Machine | Network\Network Isolation | Domains categorized as both work and personal |
Machine | Network\Network Isolation | Enterprise resource domains hosted in the cloud |
Machine | System\App-V\PackageManagement | Enable automatic cleanup of unused appv packages |
Machine | System\App-V\PowerManagement | Enable background sync to server when on battery power |
Machine | System\Credentials Delegation | Remote host allows delegation of non-exportable credentials |
Machine | System\Display | Turn off GdiDPIScaling for applications |
Machine | System\Display | Turn on GdiDPIScaling for applications |
Machine | System\Group Policy | Configure web-to-app linking with app URI handlers |
Machine | System\Logon | Configure Dynamic Lock |
Machine | System\Trusted Platform Module Services | Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0. |
Machine | Windows Components\App Privacy | Let Windows apps access diagnostic information about other apps |
Machine | Windows Components\App Privacy | Let Windows apps access Tasks |
Machine | Windows Components\App Privacy | Let Windows apps run in the background |
Machine | Windows Components\BitLocker Drive Encryption | Disable new DMA devices when this computer is locked |
Machine | Windows Components\BitLocker Drive Encryption\Operating System Drives | Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN. |
Machine | Windows Components\Data Collection and Preview Builds | Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service |
Machine | Windows Components\Delivery Optimization | Allow uploads while the device is on battery while under set Battery level (percentage) |
Machine | Windows Components\Delivery Optimization | Enable Peer Caching while the device connects via VPN |
Machine | Windows Components\Delivery Optimization | Minimum disk size allowed to use Peer Caching (in GB) |
Machine | Windows Components\Delivery Optimization | Minimum Peer Caching Content File Size (in MB) |
Machine | Windows Components\Delivery Optimization | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) |
Machine | Windows Components\Find My Device | Turn On/Off Find My Device |
Machine | Windows Components\Internet Explorer\Internet Control Panel\Content Page | Show Content Advisor on Internet Options |
Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone | Allow VBScript to run in Internet Explorer |
Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone | Allow VBScript to run in Internet Explorer |
Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone | Allow VBScript to run in Internet Explorer |
Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone | Allow VBScript to run in Internet Explorer |
Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone | Allow VBScript to run in Internet Explorer |
Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone | Allow VBScript to run in Internet Explorer |
Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone | Allow VBScript to run in Internet Explorer |
Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone | Allow VBScript to run in Internet Explorer |
Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Site Zone | Allow VBScript to run in Internet Explorer |
Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone | Allow VBScript to run in Internet Explorer |
Machine | Windows Components\Microsoft account | Block all consumer Microsoft account user authentication |
Machine | Windows Components\Microsoft Edge | Allow Address bar drop-down list suggestions |
Machine | Windows Components\Microsoft Edge | Allow Adobe Flash |
Machine | Windows Components\Microsoft Edge | Allow clearing browsing data on exit |
Machine | Windows Components\Microsoft Edge | Allow Microsoft Compatibility List |
Machine | Windows Components\Microsoft Edge | Allow search engine customization |
Machine | Windows Components\Microsoft Edge | Configure additional search engines |
Machine | Windows Components\Microsoft Edge | Configure the Adobe Flash Click-to-Run setting |
Machine | Windows Components\Microsoft Edge | Disable lockdown of Start pages |
Machine | Windows Components\Microsoft Edge | Keep favorites in sync between Internet Explorer and Microsoft Edge |
Machine | Windows Components\Microsoft Edge | Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start |
Machine | Windows Components\Microsoft Edge | Prevent the First Run webpage from opening on Microsoft Edge |
Machine | Windows Components\Microsoft Edge | Set default search engine |
Machine | Windows Components\Speech | Allow Automatic Update of Speech Data |
Machine | Windows Components\Windows Defender Antivirus\MpEngine | Configure extended cloud check |
Machine | Windows Components\Windows Defender Antivirus\MpEngine | Select cloud protection level |
Machine | Windows Components\Windows Defender Antivirus\Reporting | Turn off enhanced notifications |
Machine | Windows Components\Windows Defender Application Guard | Block Enterprise websites to load non-Enterprise content in IE and Edge |
Machine | Windows Components\Windows Defender Application Guard | Configure Windows Defender Application Guard clipboard settings |
Machine | Windows Components\Windows Defender Application Guard | Configure Windows Defender Application Guard Print Settings |
Machine | Windows Components\Windows Defender Application Guard | Turn On/Off Windows Defender Application Guard (WDAG) |
Machine | Windows Components\Windows Defender SmartScreen\Explorer | Configure App Install Control |
Machine | Windows Components\Windows Defender SmartScreen\Explorer | Configure Windows Defender SmartScreen |
Machine | Windows Components\Windows Defender SmartScreen\Microsoft Edge | Configure Windows Defender SmartScreen |
Machine | Windows Components\Windows Defender SmartScreen\Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for files |
Machine | Windows Components\Windows Defender SmartScreen\Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for sites |
Machine | Windows Components\Windows Game Recording and Broadcasting | Enables or disables Windows Game Recording and Broadcasting |
Machine | Windows Components\Windows Hello for Business | Use certificate for on-premises authentication |
Machine | Windows Components\Windows Update | Configure auto-restart reminder notifications for updates |
Machine | Windows Components\Windows Update | Configure auto-restart required notification for updates |
Machine | Windows Components\Windows Update | Configure auto-restart warning notifications schedule for updates |
Machine | Windows Components\Windows Update | Remove access to use all Windows Update features |
Machine | Windows Components\Windows Update | Specify active hours range for auto-restarts |
Machine | Windows Components\Windows Update | Specify deadline before auto-restart for update installation |
Machine | Windows Components\Windows Update | Specify Engaged restart transition and notification schedule for updates |
Machine | Windows Components\Windows Update | Turn off auto-restart notifications for update installations |
Machine | Windows Components\Windows Update | Update Power Policy for Cart Restarts |
User | Start Menu and Taskbar | Show additional calendar |
User | Windows Components\Cloud Content | Do not use diagnostic data for tailored experiences |
User | Windows Components\Cloud Content | Turn off the Windows Spotlight on Action Center |
User | Windows Components\Cloud Content | Turn off the Windows Welcome Experience |
User | Windows Components\IME | Turn on lexicon update |
User | Windows Components\Internet Explorer\Internet Control Panel\Content Page | Show Content Advisor on Internet Options |
User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone | Allow VBScript to run in Internet Explorer |
User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone | Allow VBScript to run in Internet Explorer |
User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone | Allow VBScript to run in Internet Explorer |
User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone | Allow VBScript to run in Internet Explorer |
User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone | Allow VBScript to run in Internet Explorer |
User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone | Allow VBScript to run in Internet Explorer |
User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone | Allow VBScript to run in Internet Explorer |
User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone | Allow VBScript to run in Internet Explorer |
User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Site Zone | Allow VBScript to run in Internet Explorer |
User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone | Allow VBScript to run in Internet Explorer |
User | Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing | Hide the button (next to the New Tab button) that opens Microsoft Edge |
User | Windows Components\Microsoft Edge | Allow Address bar drop-down list suggestions |
User | Windows Components\Microsoft Edge | Allow Adobe Flash |
User | Windows Components\Microsoft Edge | Allow clearing browsing data on exit |
User | Windows Components\Microsoft Edge | Allow Microsoft Compatibility List |
User | Windows Components\Microsoft Edge | Allow search engine customization |
User | Windows Components\Microsoft Edge | Configure additional search engines |
User | Windows Components\Microsoft Edge | Configure the Adobe Flash Click-to-Run setting |
User | Windows Components\Microsoft Edge | Disable lockdown of Start pages |
User | Windows Components\Microsoft Edge | Keep favorites in sync between Internet Explorer and Microsoft Edge |
User | Windows Components\Microsoft Edge | Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start |
User | Windows Components\Microsoft Edge | Prevent the First Run webpage from opening on Microsoft Edge |
User | Windows Components\Microsoft Edge | Set default search engine |
User | Windows Components\Windows Defender SmartScreen\Microsoft Edge | Configure Windows Defender SmartScreen |
User | Windows Components\Windows Defender SmartScreen\Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for files |
User | Windows Components\Windows Defender SmartScreen\Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for sites |
User | Windows Components\Windows Hello for Business | Use certificate for on-premises authentication |
User | Windows Components\Windows Hello for Business | Use Windows Hello for Business |
User | Windows Components\Work Folders | Enables the use of Token Broker for AD FS authentication |