With each new version of Windows, I try to write up something to summarize what’s new in Group Policy from the last version. As those of you who follow me know, I’ve noted that the list of “What’s Changed” in Group Policy has grown shorter and shorter with each subsequent release. Windows 10 is no exception to this trend. You won’t find any big new pieces of functionality in this release. What you will find is more and newer Administrative Template settings. If you follow me on Twitter, you’ll know that I announced the release of the latest download of ADMX files for the November update of Windows 10 (Build 1511). This latest Windows build added quite a few new Admin Template settings for managing Windows 10-specific features, so I would suggest you start with these ADMXs when you are ready to start deploying and managing Windows 10, rather than the ones that came with RTM.
I think this latest release represents the future of Group Policy innovation for Microsoft. Rather than building new Client Side Extensions (CSEs), and corresponding GP editor MMC extensions to support editing those new CSEs, Microsoft is instead opting to leverage ADMX files as a way of continuing to expand GP’s capabilities without big changes to the GP engine. This makes sense, given the evolving role of GP in the Microsoft configuration management universe (I’ll be blogging more about this soon so stay tuned!). There was one “structural” change that came in Windows 10, which I’ll talk about, so let’s dig in and look at what’s new in GP!
Administrative Templates
As I mentioned above, Build 1511 of Windows 10–the “November Update”–shipped a bunch of new and updated ADMX files, which broadened the support for Group Policy amongst Windows 10-specific features. The 1511 ADMX download brought 5 new ADMX files, updated 20 existing files and removed 2 ADMX files that shipped in Windows 10 RTM, including the pesky Microsoft-Windows-Geolocation-WLPAdm.ADMX file, which caused errors whenever you loaded GP Editor on Windows 10 RTM.
Of these new and updated ADMX files, a number of features were added to the following Windows 10 components:
- App Privacy: lets you control which hardware features and devices Windows Universal apps can interact with.
- Cloud Content: lets you turn off consumer features (e.g. Microsoft Account features) in Windows 10 for enterprise users
- Microsoft Edge: lets you configure a few more options for the Edge browser, including Home Pages (interestingly, per computer only)
- Microsoft Passport: a few new options for managing Passport authentication options.
- Start Screen: adds the ability to let you force the size of the Start Screen
- Volume Encryption: adds additional controls on the types of volume encryption you can enforce
- Windows Store: Adds control over how the Windows Store behaves for the user–lets you control whether OS updates are received through the Store.
- Windows Update: Adds an option that lets you defer updates of the OS
- Wireless LAN: Adds Wireless network options like the ability to control the WiFi Sense feature.
This is not a complete list, but instead highlights the most interesting changes in the newest ADMX files.
Structural Changes
As I mentioned, there is not a lot that I would consider to be “structural” in the new GP features in Windows 10. The one interesting change that Microsoft made in Windows 10 was to roll back a behavior that they introduced in Windows 8.1–namely the 5-minute logon script delay–which I blogged about previously. In Windows 10, while the delay is still supported via a Group Policy Administrative Template setting, it now appears to be turned OFF by default–logon scripts will not run delayed on Windows 10. I think that’s probably a good thing, as my experience is that many people were confused by having this turned on by default.
The other change, which was brought to my attention by our friend Patrick Gotsch, was that there are a number of new Client Side Extensions (CSEs) that have been introduced in Windows 10. Normally these CSEs would correspond to seeing new “nodes” of functionality within the GP Editor, but that’s not the case with these new CSEs. Most of them are actually being used within Administrative Templates policy. Administrative Templates have long supported calling different CSEs, rather than the default registry one, to process the settings defined by those ADMXs. An example of this is shown in the Device Guard ADMX here, where a new Windows 10 CSE is referenced in the ADMX using the clientExtension attribute:
This approach is interesting, because it allows Microsoft to add new Group Policy functionality without having to build a new setting storage structure and new editor UI. It is essentially “GP extension on the cheap”. We’ll take it!
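The following is an added example, not code from the original post or from Microsoft: a Python script that inventories which policies in a folder of ADMX files name a `clientExtension`, and therefore depend on a CSE other than the default registry one. The sample ADMX, its policy names, registry key and GUID are constructed placeholders, and `cse_policies` and `scan_store` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import Path

# Constructed sample modelled on the ADMX schema. The policy names, registry
# key and GUID are placeholders, not values taken from DeviceGuard.admx.
SAMPLE_ADMX = """<policyDefinitions
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
    revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="ExampleCseBackedSetting" class="Machine"
            displayName="$(string.Example1)" key="SOFTWARE\\Policies\\Example"
            valueName="Enabled"
            clientExtension="{00000000-0000-0000-0000-000000000001}">
      <enabledValue><decimal value="1"/></enabledValue>
    </policy>
    <policy name="ExamplePlainRegistrySetting" class="User"
            displayName="$(string.Example2)" key="SOFTWARE\\Policies\\Example"
            valueName="Other"/>
  </policies>
</policyDefinitions>
"""

def cse_policies(admx_xml):
    """Return (policy name, class, CSE GUID) for each <policy> that names a
    clientExtension; policies without one use default registry processing."""
    hits = []
    for el in ET.fromstring(admx_xml).iter():
        # ElementTree tags look like '{namespace}policy'; compare the local name.
        if el.tag.rsplit("}", 1)[-1] != "policy":
            continue
        guid = el.get("clientExtension")
        if guid:
            hits.append((el.get("name"), el.get("class"), guid.strip().upper()))
    return hits

def scan_store(policy_definitions_dir):
    """Map each referenced CSE GUID to the (file, policy) pairs that use it,
    and list ADMX files that could not be parsed instead of aborting."""
    by_guid, unparsable = defaultdict(list), []
    for path in sorted(Path(policy_definitions_dir).iterdir()):
        if path.suffix.lower() != ".admx":
            continue
        try:
            found = cse_policies(path.read_bytes())
        except ET.ParseError:
            unparsable.append(path.name)
            continue
        for name, _cls, guid in found:
            by_guid[guid].append((path.name, name))
    return dict(by_guid), unparsable
```

Comparing the GUIDs it reports with the CSEs registered on a client (under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions`) shows whether that client can actually process those settings.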
That’s about all of the substantive things that I’ve found in GP in Windows 10. Like I said, outside of the new ADMXs, there isn’t much to write home about, and Microsoft still has big gaps when it comes to managing all the new features in Windows 10. For example, today there is no way to control what a user sees in the “Settings” application like you could with the Control Panel. There are more examples like this sprinkled throughout the OS. What would you like to see covered by GP for Windows 10? Drop a comment here to let me know!
Darren
I’d like to point to a potential ADMX issue:
If you still have the (older) “WinStoreUI.admx” in your CentralStore this will raise a conflict with the new “WindowsStore.admx”. To solve it, just delete “WinStoreUI.admx” + the corresponding ADML file. The newer ADMX contains all settings of the old one + 1 new, so it is fine to remove the superseded file completely.
Good one Patrick! Thanks.
The new WindowsUpdate.admx 11/14/2015 is missing the setting
“Turn off the upgrade to the latest version of Windows through Windows Update”
Neat. Good info Ron! Thanks.
Darren
Maybe not a typical scenario for many of you, but anyhow I’d like to share this:
While in Windows XP, Vista, 7, 8 and 8.1 it was possible to use GPP Folder Items to create Sub Folders underneath %windir%\system32\Tasks in order to group your custom Scheduled Tasks underneath that Folder, this is no longer possible with Windows 10.
I admit, these are not just regular folders – there are some extra attributes which are created if you do the same via GUI or API.
But nevertheless, it worked with GPP so far and it was nice to be able to do all that from within one GPO: create the subfolder + a set of tasks.
Now with Win 10 other ways (outside of GPO) are required…
Thanks for leaving that comment, Patrick. I’ve been banging my head on this one for a while–thought I was missing something. Good to know it’s not just me. 🙂
We are finally ready to start messing with Windows 10 and its new settings. I thought I remembered something stating you should not copy the Win 10 ADMX into your existing Central Store because it would adversely affect your current GPOs. Am I remembering wrong? I cannot find anything that states this, so it might have been just a bad dream. Thanks SDM for being my source for trusted GPO knowledge and tools.
Adam-
There was an issue where some of the syntactical changes that MS introduced in the Win10 version of the ADMXs introduced parsing errors if you viewed/edited GPOs from downlevel Windows systems. There were also some policies that were removed in the Win10 ADMXs. If you had those set in GPOs that were edited with downlevel OS versions/ADMX files, then they would show up as “Extra Registry Settings” and not be easily editable once the Win10 ADMX files were introduced. There are ways around that, of course, but what I would say is that if you plan to introduce the Win10 ADMX into your Central Store, you start managing GP only from Win10 or Server 2016 from then on.