What’s new in ADMX and Group Policy for Windows 1703 Creators Edition

Apr 18, 2017

The new ADMX files are ready for download. You can get them here from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=55080

Here’s my (usual) advice:

1. If you don’t have a central store, please first watch this video I made on it.

2. If you already have a central store, leave what’s already there, and then overwrite anything NEW from the download on top of what you ALREADY have.

3. Install these ADMX files… even if you have no Windows 10 at all, and/or even if you have no Windows 10 1703. Just… use them.

4. Is this advice perfect for everyone? No; but for 99.98% of people, it’s the right thing. To see more on this idea, see this great blog entry from Kai O. from Microsoft:

https://blogs.technet.microsoft.com/grouppolicy/2016/10/12/admx-version-history/

Note: This isn’t updated yet for 1703, but hopefully soon.

(Note: For more on this, I cover it in unbelievable detail in my live training class: www.GPanswers.com/training.)

If you want to know WHAT IS NEW in Group Policy for Windows 1703 Creator’s Edition, I have a list of those here.

There are 107 new policy settings.

| Scope | Policy Path | Policy Setting |
| --- | --- | --- |
| Machine | Control Panel | Settings Page Visibility |
| Machine | Network\Network Isolation | Domains categorized as both work and personal |
| Machine | Network\Network Isolation | Enterprise resource domains hosted in the cloud |
| Machine | System\App-V\PackageManagement | Enable automatic cleanup of unused appv packages |
| Machine | System\App-V\PowerManagement | Enable background sync to server when on battery power |
| Machine | System\Credentials Delegation | Remote host allows delegation of non-exportable credentials |
| Machine | System\Display | Turn off GdiDPIScaling for applications |
| Machine | System\Display | Turn on GdiDPIScaling for applications |
| Machine | System\Group Policy | Configure web-to-app linking with app URI handlers |
| Machine | System\Logon | Configure Dynamic Lock |
| Machine | System\Trusted Platform Module Services | Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0. |
| Machine | Windows Components\App Privacy | Let Windows apps access diagnostic information about other apps |
| Machine | Windows Components\App Privacy | Let Windows apps access Tasks |
| Machine | Windows Components\App Privacy | Let Windows apps run in the background |
| Machine | Windows Components\BitLocker Drive Encryption | Disable new DMA devices when this computer is locked |
| Machine | Windows Components\BitLocker Drive Encryption\Operating System Drives | Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN. |
| Machine | Windows Components\Data Collection and Preview Builds | Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service |
| Machine | Windows Components\Delivery Optimization | Allow uploads while the device is on battery while under set Battery level (percentage) |
| Machine | Windows Components\Delivery Optimization | Enable Peer Caching while the device connects via VPN |
| Machine | Windows Components\Delivery Optimization | Minimum disk size allowed to use Peer Caching (in GB) |
| Machine | Windows Components\Delivery Optimization | Minimum Peer Caching Content File Size (in MB) |
| Machine | Windows Components\Delivery Optimization | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) |
| Machine | Windows Components\Find My Device | Turn On/Off Find My Device |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Content Page | Show Content Advisor on Internet Options |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Site Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Microsoft account | Block all consumer Microsoft account user authentication |
| Machine | Windows Components\Microsoft Edge | Allow Address bar drop-down list suggestions |
| Machine | Windows Components\Microsoft Edge | Allow Adobe Flash |
| Machine | Windows Components\Microsoft Edge | Allow clearing browsing data on exit |
| Machine | Windows Components\Microsoft Edge | Allow Microsoft Compatibility List |
| Machine | Windows Components\Microsoft Edge | Allow search engine customization |
| Machine | Windows Components\Microsoft Edge | Configure additional search engines |
| Machine | Windows Components\Microsoft Edge | Configure the Adobe Flash Click-to-Run setting |
| Machine | Windows Components\Microsoft Edge | Disable lockdown of Start pages |
| Machine | Windows Components\Microsoft Edge | Keep favorites in sync between Internet Explorer and Microsoft Edge |
| Machine | Windows Components\Microsoft Edge | Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start |
| Machine | Windows Components\Microsoft Edge | Prevent the First Run webpage from opening on Microsoft Edge |
| Machine | Windows Components\Microsoft Edge | Set default search engine |
| Machine | Windows Components\Speech | Allow Automatic Update of Speech Data |
| Machine | Windows Components\Windows Defender Antivirus\MpEngine | Configure extended cloud check |
| Machine | Windows Components\Windows Defender Antivirus\MpEngine | Select cloud protection level |
| Machine | Windows Components\Windows Defender Antivirus\Reporting | Turn off enhanced notifications |
| Machine | Windows Components\Windows Defender Application Guard | Block Enterprise websites to load non-Enterprise content in IE and Edge |
| Machine | Windows Components\Windows Defender Application Guard | Configure Windows Defender Application Guard clipboard settings |
| Machine | Windows Components\Windows Defender Application Guard | Configure Windows Defender Application Guard Print Settings |
| Machine | Windows Components\Windows Defender Application Guard | Turn On/Off Windows Defender Application Guard (WDAG) |
| Machine | Windows Components\Windows Defender SmartScreen\Explorer | Configure App Install Control |
| Machine | Windows Components\Windows Defender SmartScreen\Explorer | Configure Windows Defender SmartScreen |
| Machine | Windows Components\Windows Defender SmartScreen\Microsoft Edge | Configure Windows Defender SmartScreen |
| Machine | Windows Components\Windows Defender SmartScreen\Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for files |
| Machine | Windows Components\Windows Defender SmartScreen\Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for sites |
| Machine | Windows Components\Windows Game Recording and Broadcasting | Enables or disables Windows Game Recording and Broadcasting |
| Machine | Windows Components\Windows Hello for Business | Use certificate for on-premises authentication |
| Machine | Windows Components\Windows Update | Configure auto-restart reminder notifications for updates |
| Machine | Windows Components\Windows Update | Configure auto-restart required notification for updates |
| Machine | Windows Components\Windows Update | Configure auto-restart warning notifications schedule for updates |
| Machine | Windows Components\Windows Update | Remove access to use all Windows Update features |
| Machine | Windows Components\Windows Update | Specify active hours range for auto-restarts |
| Machine | Windows Components\Windows Update | Specify deadline before auto-restart for update installation |
| Machine | Windows Components\Windows Update | Specify Engaged restart transition and notification schedule for updates |
| Machine | Windows Components\Windows Update | Turn off auto-restart notifications for update installations |
| Machine | Windows Components\Windows Update | Update Power Policy for Cart Restarts |
| User | Start Menu and Taskbar | Show additional calendar |
| User | Windows Components\Cloud Content | Do not use diagnostic data for tailored experiences |
| User | Windows Components\Cloud Content | Turn off the Windows Spotlight on Action Center |
| User | Windows Components\Cloud Content | Turn off the Windows Welcome Experience |
| User | Windows Components\IME | Turn on lexicon update |
| User | Windows Components\Internet Explorer\Internet Control Panel\Content Page | Show Content Advisor on Internet Options |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Site Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing | Hide the button (next to the New Tab button) that opens Microsoft Edge |
| User | Windows Components\Microsoft Edge | Allow Address bar drop-down list suggestions |
| User | Windows Components\Microsoft Edge | Allow Adobe Flash |
| User | Windows Components\Microsoft Edge | Allow clearing browsing data on exit |
| User | Windows Components\Microsoft Edge | Allow Microsoft Compatibility List |
| User | Windows Components\Microsoft Edge | Allow search engine customization |
| User | Windows Components\Microsoft Edge | Configure additional search engines |
| User | Windows Components\Microsoft Edge | Configure the Adobe Flash Click-to-Run setting |
| User | Windows Components\Microsoft Edge | Disable lockdown of Start pages |
| User | Windows Components\Microsoft Edge | Keep favorites in sync between Internet Explorer and Microsoft Edge |
| User | Windows Components\Microsoft Edge | Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start |
| User | Windows Components\Microsoft Edge | Prevent the First Run webpage from opening on Microsoft Edge |
| User | Windows Components\Microsoft Edge | Set default search engine |
| User | Windows Components\Windows Defender SmartScreen\Microsoft Edge | Configure Windows Defender SmartScreen |
| User | Windows Components\Windows Defender SmartScreen\Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for files |
| User | Windows Components\Windows Defender SmartScreen\Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for sites |
| User | Windows Components\Windows Hello for Business | Use certificate for on-premises authentication |
| User | Windows Components\Windows Hello for Business | Use Windows Hello for Business |
| User | Windows Components\Work Folders | Enables the use of Token Broker for AD FS authentication |