
With each new version of Windows, I try to write up something to summarize what’s new in Group Policy from the last version. As those of you who follow me know, I’ve noted that the list of “What’s Changed” in Group Policy has grown shorter and shorter with each subsequent release. Windows 10 is no exception to this trend. You won’t find any big new pieces of functionality in this release. What you will find is more and newer Administrative Template settings. If you follow me on Twitter, you’ll know that I announced the release of the latest download of ADMX files for the November update of Windows 10 (Build 1511). This latest Windows build added quite a few new Admin Template settings for managing Windows 10-specific features, so I would suggest you start with these ADMXs when you are ready to start deploying and managing Windows 10, rather than the ones that came with RTM.

I think this latest release represents the future of Group Policy innovation for Microsoft. Rather than building new Client Side Extensions (CSEs), and corresponding GP editor MMC extensions to support editing those new CSEs, Microsoft is instead opting to leverage ADMX files as a way of continuing to expand GP’s capabilities without big changes to the GP engine. This makes sense, given the evolving role of GP in the Microsoft configuration management universe (I’ll be blogging more about this soon so stay tuned!). There was one “structural” change that I’ll talk about, that came in Windows 10, so let’s dig in and look at what’s new in GP!

Administrative Templates

As I mentioned above, Build 1511 of Windows 10–the “November Update”–shipped a bunch of new and updated ADMX files, which broadened the support for Group Policy amongst Windows 10-specific features. The 1511 ADMX download brought 5 new ADMX files, updated 20 existing files, and removed 2 ADMX files that were shipped in Windows 10 RTM, including the pesky Microsoft-Windows-Geolocation-WLPAdm.ADMX file, which caused errors whenever you loaded GP Editor on Windows 10 RTM.

Of these new and updated ADMX files, a number of features were added to the following Windows 10 components:

  • App Privacy: lets you control which hardware features and devices Windows Universal apps can interact with.
  • Cloud Content: lets you turn off consumer features (e.g. Microsoft Account features) in Windows 10 for enterprise users
  • Microsoft Edge: lets you configure a few more options for the Edge browser, including Home Pages (interestingly, per computer only)
  • Microsoft Passport: a few new options for managing Passport authentication options.
  • Start Screen: adds the ability to let you force the size of the Start Screen
  • Volume Encryption: adds additional controls on the types of volume encryption you can enforce
  • Windows Store: Adds support for how the Windows Store behaves for the user–lets you control if OS updates are received through the store.
  • Windows Update: Adds an option that lets you defer updates of the OS
  • Wireless LAN: Adds Wireless network options like the ability to control the WiFi Sense feature.

This is not a complete list, but instead highlights the most interesting changes in the newest ADMX files.

Structural Changes

As I mentioned, there is not a lot that I would consider to be “structural” in the new GP features in Windows 10. The one interesting change that Microsoft made in Windows 10 was to roll back a behavior that they introduced in Windows 8.1–namely the 5 minute logon script delay–which I blogged about previously. In Windows 10, while the delay is still supported via a Group Policy Administrative Template setting, it now appears to be turned OFF by default–logon scripts will not run delayed on Windows 10. I think that’s probably a good thing as my experience is that many people were confused by having this turned on by default.

The other change, which was brought to my attention by our friend Patrick Gotsch, was that there are a number of new Client Side Extensions (CSEs) that have been introduced in Windows 10. Normally these CSEs would correspond to seeing new “nodes” of functionality within the GP Editor, but that’s not the case with these new CSEs. Most of them are actually being used within Administrative Templates policy. Administrative Templates have long supported calling different CSEs, rather than the default registry one, to process the settings defined by those ADMXs. An example of this is shown in the Device Guard ADMX here, where a new Windows 10 CSE is referenced in the ADMX using the clientExtension attribute:

ADMX files that call other CSEs

This approach is interesting, because it allows Microsoft to add new Group Policy functionality without having to build a new setting storage structure and new editor UI. It is essentially, “GP extension on the cheap”. We’ll take it!
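To see which Administrative Template policies are handed to a CSE other than the default registry one, you can inventory the clientExtension attribute across your ADMX files and look up the DLL registered for each GUID. The following is an added example, not code from the original post: the function name Get-AdmxClientExtension is hypothetical, and the inline ADMX fragment and its GUID are constructed placeholders.

```powershell
# Added example: list ADMX policies that name a CSE through clientExtension.
function Get-AdmxClientExtension {
    param(
        [Parameter(Mandatory)] [xml] $Admx,
        [string] $Source = '(inline sample)'
    )
    # local-name() matches <policy> regardless of the ADMX default namespace.
    $nodes = $Admx.SelectNodes("//*[local-name()='policy'][@clientExtension]")
    foreach ($p in $nodes) {
        $guid = $p.GetAttribute('clientExtension')
        # CSEs register under Winlogon\GPExtensions\{GUID}; DllName is the
        # module the Group Policy client loads for that extension.
        $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\$guid"
        $dll = $null
        try { $dll = (Get-ItemProperty -Path $key -ErrorAction Stop).DllName } catch { }
        [pscustomobject]@{
            File            = $Source
            Policy          = $p.GetAttribute('name')
            Class           = $p.GetAttribute('class')
            ClientExtension = $guid
            RegisteredDll   = $dll   # empty if the CSE is not registered here
        }
    }
}

# Constructed sample: one policy routed to a CSE, one ordinary registry policy.
$sample = @'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="SampleCsePolicy" class="Machine" key="Software\Policies\Example"
            clientExtension="{00000000-0000-0000-0000-000000000001}" />
    <policy name="SampleRegistryPolicy" class="User" key="Software\Policies\Example"
            valueName="Enabled" />
  </policies>
</policyDefinitions>
'@
Get-AdmxClientExtension -Admx $sample   # returns only SampleCsePolicy

# On a Windows machine, run the same check over the local ADMX store.
$store = "$env:SystemRoot\PolicyDefinitions"
if (Test-Path $store) {
    Get-ChildItem $store -Filter *.admx | ForEach-Object {
        Get-AdmxClientExtension -Admx ([xml](Get-Content $_.FullName -Raw)) -Source $_.Name
    } | Sort-Object ClientExtension, File | Format-Table -AutoSize
}
```

An empty RegisteredDll for a referenced GUID means the policy can be set in a GPO but no extension on that machine will process it, which is worth knowing before relying on the setting as a security control.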

That’s about all of the substantive things that I’ve found in GP in Windows 10. Like I said, outside of the new ADMXs, there isn’t much to write home about, and Microsoft still has big gaps when it comes to managing all the new features in Windows 10. For example, today there is no way to control what a user sees in the “Settings” application like you could with the control panel. There are more examples like this sprinkled throughout the OS. What would you like to see covered by GP for Windows 10? Drop a comment here to let me know!

 

Darren