Microsoft has released Windows 10 version 2004 build 19041 (or ‘Windows 10 May 2020 Update’) through Windows Server Update Services (WSUS) and Windows Update for Business. It was already available as a download from Visual Studio Subscriptions, the Software Download Center (via the Update Assistant or the Media Creation Tool), and the Volume Licensing Service Center. This Windows version introduces 134 new Group Policy settings.
New Group Policy Settings
Windows 10, version 2004, build 19041 introduces the following new Group Policy settings:
Turn on Microsoft Defender Application Guard in Managed Mode
Configure Microsoft Defender Application Guard clipboard settings
Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user’s device
Configure Microsoft Defender Application Guard print settings
Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer
Allow camera and microphone access in Microsoft Defender Application Guard
Allow data persistence for Microsoft Defender Application Guard
Allow hardware-accelerated rendering for Microsoft Defender Application Guard
Allow auditing events in Microsoft Defender Application Guard
Allow files to download and save to the host operating system from Microsoft Defender Application Guard
The above ten Group Policy settings are all part of the new apphvsi.admx template file. Their aim is to allow admins to configure Windows Defender Application Guard.
These settings can be found in the Microsoft Defender Application Guard node underneath Windows Components and Administrative Templates for the computer configuration and are supported on all Windows 10 installations running Windows Defender Application Guard.
Let Windows apps access user movements while running in the background
The Let Windows apps access user movements while running in the background Group Policy setting from the appprivacy.admx template file specifies whether Windows apps can access the movement of the user's head, hands, motion controllers, and other tracked objects while the apps are running in the background. You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. A per-app setting overrides the default setting.
This setting can be found in the App Privacy node underneath Windows Components and Administrative Templates for the computer configuration and applies to Windows Server 2016 and Windows 10.
Prevent non-admin users from installing packaged Windows apps
The Prevent non-admin users from installing packaged Windows apps Group Policy setting from the appxpackagemanager.admx template file manages non-Administrator users' ability to install Windows app packages.
If you enable this policy, non-Administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies. If you disable or do not configure this policy, all users will be able to initiate installation of Windows app packages.
This setting can be found in the App Package Deployment node underneath Windows Components and Administrative Templates for the computer configuration and applies to Windows Server 2016 and Windows 10.
Turn on security key sign-in
The Turn on security key sign-in Group Policy setting from the credentialproviders.admx template file allows admins to control whether users can sign in using external security keys. If you enable this policy setting, users can sign in with external security keys. If you disable or don't configure this policy setting, users can't sign in with external security keys.
This setting can be found in the Logon node underneath System and Administrative Templates for the computer configuration and applies to Windows 10 only.
Maximum Background Download Bandwidth (in KB/s)
Maximum Foreground Download Bandwidth (in KB/s)
Cache Server Hostname
Cache Server Hostname Source
The above four Group Policy settings are all part of the deliveryoptimization.admx template file. Their aim is to allow admins to configure Delivery Optimization for Windows Updates, Windows Upgrades and Windows applications.
These settings can be found in the Delivery Optimization node underneath Windows Components for the computer configuration and are supported on all Windows Server 2016 and later and Windows 10 installations.
Configure Simplified Chinese IME version
Configure Traditional Chinese IME version
Configure Japanese IME version
The above three Group Policy settings are all part of the eaime.admx template file. Their aim is to allow admins to configure Input Method Editors (IMEs).
These settings can be found in the IME node underneath Windows Components for the user configuration and are supported on all Windows 10 installations running version 1903 and later.
Use a common set of exploit protection settings
The Use a common set of exploit protection settings Group Policy setting from the exploitguard.admx template file specifies the common set of Microsoft Defender Exploit Guard system and application mitigation settings that can be applied to all endpoints that have this Group Policy setting configured.
This setting can be found in the Exploit Protection node underneath the Microsoft Defender Exploit Guard node underneath Windows Components for the computer configuration and applies to Windows Server 2016 and Windows 10 version 1709 and later.
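The policy above expects an XML file exported from a reference machine and placed where every endpoint can read it. The following PowerShell is an added example, not code from the original post: it exports the reference machine's mitigations with Get-ProcessMitigation and summarises what the file contains so you can review it before distributing it. The element names it walks (MitigationPolicy, SystemConfig, and AppConfig with an Executable attribute) and the staging path are assumptions about the export format; verify them against your own export.

```powershell
# Added example (not from the original post): build the XML file that the
# "Use a common set of exploit protection settings" policy distributes, by
# exporting the mitigations of a reference machine, and summarise the result
# before handing the file to the policy. The element names walked below
# (MitigationPolicy, SystemConfig, AppConfig with an Executable attribute) are
# what Get-ProcessMitigation emits as understood by the author of this example;
# verify them against your own export. Requires Windows 10 1709 or later.
#Requires -Version 5.1

$exportPath = 'C:\Temp\ExploitProtection.xml'   # staging path, assumed

function Export-ExploitProtectionBaseline {
    param([Parameter(Mandatory)] [string] $Path)
    # -RegistryConfigFilePath writes the current system-wide and per-app
    # mitigation settings to XML; the policy later points at a copy of this file.
    Get-ProcessMitigation -RegistryConfigFilePath $Path
    return $Path
}

function Get-MitigationSummary {
    param([Parameter(Mandatory)] [string] $Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    $rows = New-Object System.Collections.Generic.List[object]

    # Emit one row per mitigation attribute, e.g. "DEP.Enable = true".
    function Add-Rows([string] $Scope, [System.Xml.XmlNode] $Container) {
        foreach ($m in $Container.ChildNodes) {
            if ($m.NodeType -ne 'Element') { continue }   # skip comments/whitespace
            foreach ($a in $m.Attributes) {
                $rows.Add([pscustomobject]@{
                    Scope = $Scope; Setting = "$($m.LocalName).$($a.Name)"; Value = $a.Value
                })
            }
        }
    }

    if ($doc.MitigationPolicy.SystemConfig) { Add-Rows 'System' $doc.MitigationPolicy.SystemConfig }
    foreach ($app in $doc.MitigationPolicy.AppConfig) { Add-Rows $app.Executable $app }
    return $rows
}

Export-ExploitProtectionBaseline -Path $exportPath | Out-Null
Get-MitigationSummary -Path $exportPath | Sort-Object Scope, Setting | Format-Table -AutoSize
```

Reviewing the summary before distribution matters because the policy applies the file to every endpoint that receives it: a mitigation switched off on the reference machine for troubleshooting would otherwise be switched off everywhere.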
Configure which channel of Microsoft Edge to use for opening redirected sites
The Configure which channel of Microsoft Edge to use for opening redirected sites Group Policy setting from the inetres.admx template file enables admins to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this policy if your environment is configured to redirect sites from Internet Explorer 11 to Microsoft Edge.
This setting can be found in the Internet Explorer node underneath Windows Components and Administrative Templates for both the computer configuration and the user configuration. It applies only to Windows 10 version 1709 and later.
Allow Graphing Calculator
The Allow Graphing Calculator Group Policy setting from the programs.admx template file allows admins to control whether graphing functionality is available in the Windows Calculator app.
This setting can be found in the Calculator node underneath Windows Components for the user configuration and is supported on all Windows 10 installations running version 1903 and later.
Allow uninstallation of language features when a language is uninstalled
The Allow uninstallation of language features when a language is uninstalled Group Policy setting from the textinput.admx template file controls whether some language features (such as handwriting recognizers and spell checking dictionaries) included with a language can be uninstalled from a user’s machine when the language is uninstalled. The language can be reinstalled with a different selection of included language features if needed. When this policy setting is disabled, language features remain on the user’s machine when the language is uninstalled.
This setting can be found in the Text Input node underneath Windows Components and Administrative Templates for the computer configuration and is supported on all Windows Server 2016 and later and Windows 10 installations.
Turn off Auto Exclusions
Allow antimalware service to startup with normal priority
Turn off Microsoft Defender Antivirus
Configure local administrator merge behavior for lists
Turn off routine remediation
Define addresses to bypass proxy server
Define proxy auto-config (.pac) for connecting to the network
Define proxy server for connecting to the network
Randomize scheduled task times
Allow antimalware service to remain running always
Configure detection for potentially unwanted applications
Extension Exclusions
Path Exclusions
Process Exclusions
Turn on protocol recognition
Turn on definition retirement
Specify additional definition sets for network traffic inspection
Configure local setting override for the removal of items from Quarantine folder
Configure removal of items from Quarantine folder
Turn on behavior monitoring
Scan all downloaded files and attachments
Monitor file and program activity on your computer
Turn on raw volume write notifications
Turn off real-time protection
Turn on process scanning whenever real-time protection is enabled
Define the maximum size of downloaded files and attachments to be scanned
Configure local setting override for turn on behavior monitoring
Configure local setting override for monitoring file and program activity on your computer
Configure local setting override for scanning all downloaded files and attachments
Configure local setting override to turn on real-time protection
Configure local setting override for monitoring for incoming and outgoing file activity
Configure monitoring for incoming and outgoing file and program activity
Configure local setting override for the time of day to run a scheduled full scan to complete remediation
Specify the day of the week to run a scheduled full scan to complete remediation
Specify the time of day to run a scheduled full scan to complete remediation
Configure time out for detections requiring additional action
Configure time out for detections in critically failed state
Configure Watson events
Configure time out for detections in non-critical failed state
Configure time out for detections in recently remediated state
Configure Windows software trace preprocessor components
Configure WPP tracing level
Turn off enhanced notifications
Allow users to pause scan
Specify the maximum depth to scan archive files
Specify the maximum size of archive files to be scanned
Specify the maximum percentage of CPU utilization during a scan
Check for the latest virus and spyware security intelligence before running a scheduled scan
Scan archive files
Turn on catch-up full scan
Turn on catch-up quick scan
Turn on e-mail scanning
Turn on heuristics
Scan packed executables
Scan removable drives
Turn on reparse point scanning
Create a system restore point
Run full scan on mapped network drives
Scan network files
Configure local setting override for maximum percentage of CPU utilization
Configure local setting override for the scan type to use for a scheduled scan
Configure local setting override for schedule scan day
Configure local setting override for scheduled quick scan time
Configure local setting override for scheduled scan time
Turn on removal of items from scan history folder
Specify the interval to run quick scans per day
Start the scheduled scan only when computer is on but not in use
Specify the scan type to use for a scheduled scan
Specify the day of the week to run a scheduled scan
Specify the time for a daily quick scan
Specify the time of day to run a scheduled scan
Define the number of days after which a catch-up scan is forced
Configure low CPU priority for scheduled scans
Define the number of days before spyware security intelligence is considered out of date
Define the number of days before virus security intelligence is considered out of date
Define file shares for downloading security intelligence updates
Define security intelligence location for VDI clients
Turn on scan after security intelligence update
Allow security intelligence updates when running on battery power
Initiate security intelligence update on startup
Define the order of sources for downloading security intelligence updates
Allow security intelligence updates from Microsoft Update
Allow real-time security intelligence updates based on reports to Microsoft MAPS
Specify the day of the week to check for security intelligence updates
Specify the time to check for security intelligence updates
Allow notifications to disable security intelligence based reports to Microsoft MAPS
Define the number of days after which a catch-up security intelligence update is required
Specify the interval to check for security intelligence updates
Check for the latest virus and spyware security intelligence on startup
Configure the 'Block at First Sight' feature
Configure local setting override for reporting to Microsoft MAPS
Join Microsoft MAPS
Send file samples when further analysis is required
Specify threats upon which default action should not be taken when detected
Specify threat alert levels at which default action should not be taken when detected
Enable headless UI mode
Suppresses reboot notifications
Suppress all notifications
Display additional text to clients when they need to perform an action
Select cloud protection level
Configure extended cloud check
Enable file hash computation feature
Prevent users and apps from accessing dangerous websites
Configure Controlled folder access
Configure Attack Surface Reduction rules
Exclude files and paths from Attack Surface Reduction Rules
Configure allowed applications
Configure protected folders
The above 108 Group Policy settings from the new windowsdefender.admx template file control settings for Microsoft Defender Antivirus. They contain settings to manage:
- Client interface
- Exclusions
- MAPS
- MpEngine
- Network Inspection System
- Quarantine
- Real-time Protection
- Remediation
- Reporting
- Scan
- Security Intelligence Updates
- Threats
These settings can be found in their respective nodes underneath the Microsoft Defender Antivirus node underneath Windows Components and Administrative Templates for the computer configuration and apply to all supported Windows and Windows Server operating systems.
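Several of the settings above exist only to decide whether a local administrator may override what Group Policy sets ("Configure local setting override ..." and "Configure local administrator merge behavior for lists"), so the policy registry hive alone does not tell you what protection is actually in force. The following PowerShell is an added example, not code from the original post: it reads the values that windowsdefender.admx writes for a handful of the settings listed, compares them with the effective preferences from Get-MpPreference, flags values that weaken antivirus protection, and lists policy-defined exclusions. The registry paths and value names are assumptions drawn from the template as understood here; verify them against your own copy of windowsdefender.admx.

```powershell
# Added example (not from the original post): compare what the Microsoft Defender
# Antivirus policies from windowsdefender.admx have written to the policy registry
# hive with the effective settings Get-MpPreference reports, and flag values that
# weaken protection. The registry paths and value names are assumptions drawn from
# the template as understood by the author of this example; verify them against
# your own copy of windowsdefender.admx. Run from an elevated PowerShell session.
#Requires -Version 5.1

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-PolicyDword {
    # Returns the DWORD policy value, or $null when the policy is Not Configured.
    param([string] $SubKey, [string] $Name)
    $path = if ($SubKey) { Join-Path $policyRoot $SubKey } else { $policyRoot }
    try   { return [int](Get-ItemProperty -Path $path -Name $Name -ErrorAction Stop).$Name }
    catch { return $null }
}

function Get-PolicyExclusions {
    # Exclusion lists store each excluded item as a value name with data 0.
    param([ValidateSet('Paths', 'Extensions', 'Processes')] [string] $ListName)
    $path = Join-Path $policyRoot "Exclusions\$ListName"
    if (-not (Test-Path $path)) { return @() }
    return @((Get-Item $path).GetValueNames())
}

$pref = Get-MpPreference

# One row per policy: the GPO value and the effective value on this machine.
$rows = @(
    [pscustomobject]@{
        Setting   = 'Turn off Microsoft Defender Antivirus'
        Policy    = Get-PolicyDword -Name 'DisableAntiSpyware'
        Effective = $null  # no Get-MpPreference counterpart; the policy value decides
    },
    [pscustomobject]@{
        Setting   = 'Turn off real-time protection'
        Policy    = Get-PolicyDword -SubKey 'Real-Time Protection' -Name 'DisableRealtimeMonitoring'
        Effective = [int]$pref.DisableRealtimeMonitoring
    },
    [pscustomobject]@{
        Setting   = 'Turn on behavior monitoring (1 = disabled)'
        Policy    = Get-PolicyDword -SubKey 'Real-Time Protection' -Name 'DisableBehaviorMonitoring'
        Effective = [int]$pref.DisableBehaviorMonitoring
    },
    [pscustomobject]@{
        Setting   = 'Scan all downloaded files and attachments (1 = disabled)'
        Policy    = Get-PolicyDword -SubKey 'Real-Time Protection' -Name 'DisableIOAVProtection'
        Effective = [int]$pref.DisableIOAVProtection
    },
    [pscustomobject]@{
        Setting   = 'Join Microsoft MAPS (0 = disabled)'
        Policy    = Get-PolicyDword -SubKey 'Spynet' -Name 'SpynetReporting'
        Effective = [int]$pref.MAPSReporting
    }
)

foreach ($r in $rows) {
    # "Disable*" values weaken protection when 1; MAPS weakens protection when 0.
    $isMaps = $r.Setting -like 'Join Microsoft MAPS*'
    $value  = if ($null -ne $r.Effective) { $r.Effective } else { $r.Policy }
    $weak   = if ($isMaps) { $value -eq 0 } else { $value -eq 1 }
    # Policy and Effective disagreeing points at a local override being allowed
    # ("Configure local setting override ..." / local administrator merge behavior).
    $overridden = ($null -ne $r.Policy) -and ($null -ne $r.Effective) -and ($r.Policy -ne $r.Effective)
    $r | Add-Member -NotePropertyName Weak -NotePropertyValue $weak
    $r | Add-Member -NotePropertyName LocalOverride -NotePropertyValue $overridden
}
$rows | Format-Table Setting, Policy, Effective, Weak, LocalOverride -AutoSize

# Policy-defined exclusions deserve a look of their own: an over-broad entry
# (a whole drive, a user-writable folder) silently removes coverage.
foreach ($list in 'Paths', 'Extensions', 'Processes') {
    $policyItems = Get-PolicyExclusions -ListName $list
    "Policy $list exclusions ($($policyItems.Count)): $($policyItems -join ', ')"
}
"Effective path exclusions: $($pref.ExclusionPath -join ', ')"
```

A row where Policy is set but Effective differs is the signal that a local override is permitted and has been used; a row where Policy is Not Configured but Effective is weak shows a local preference that no policy has yet pinned down.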
Select the target Feature Update version
The Select the target Feature Update version Group Policy setting from the windowsupdate.admx template file specifies a Feature Update version to be requested in subsequent scans.
This setting can be found in the Windows Update for Business node underneath the Windows Update node underneath Windows Components and Administrative Templates for the computer configuration and applies to Windows Server 2016 and Windows 10.
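Each of the per-setting policies described above (Prevent non-admin users from installing packaged Windows apps, Turn on security key sign-in, and Select the target Feature Update version) ends up as a value under HKLM\SOFTWARE\Policies once applied. The following PowerShell is an added example, not code from the original post: it reads those values and reports whether each policy is Not Configured, Enabled or Disabled on the machine it runs on, which is a quick way to confirm that a new policy actually reached an endpoint. The key and value names are assumptions drawn from the respective ADMX templates as understood here; verify them against your own template version.

```powershell
# Added example (not from the original post): read the registry values that the
# ADMX templates discussed above write, and report whether each policy is
# Not Configured, Enabled or Disabled on this machine. The key/value names below
# are taken from the relevant .admx templates as understood by the author of this
# example; treat them as assumptions and verify against your own template version.
#Requires -Version 5.1

function Get-PolicyValue {
    param(
        [Parameter(Mandatory)] [string] $Path,   # e.g. HKLM:\SOFTWARE\Policies\...
        [Parameter(Mandatory)] [string] $Name
    )
    # Policy values only exist once the policy has been configured; a missing
    # key or value means "Not Configured", so return $null instead of throwing.
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

function Get-PolicyState {
    param([object] $Value, [object] $EnabledValue = 1)
    if ($null -eq $Value)         { return 'Not Configured' }
    if ($Value -eq $EnabledValue) { return 'Enabled' }
    return 'Disabled'
}

$policies = @(
    @{ Name  = 'Prevent non-admin users from installing packaged Windows apps'   # appxpackagemanager.admx
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
       Value = 'BlockNonAdminUserInstall' },
    @{ Name  = 'Turn on security key sign-in'                                    # credentialproviders.admx
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\FIDO'
       Value = 'EnableFIDODeviceLogon' },
    @{ Name  = 'Select the target Feature Update version'                        # windowsupdate.admx
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
       Value = 'TargetReleaseVersion' }
)

foreach ($p in $policies) {
    $raw    = Get-PolicyValue -Path $p.Path -Name $p.Value
    $state  = Get-PolicyState -Value $raw
    $detail = ''
    if ($p.Value -eq 'TargetReleaseVersion' -and $state -eq 'Enabled') {
        # The companion string value holds the requested version, e.g. "2004".
        $detail = Get-PolicyValue -Path $p.Path -Name 'TargetReleaseVersionInfo'
    }
    [pscustomobject]@{
        Policy = $p.Name
        State  = $state
        Detail = $detail
    }
}
```

Run it after a gpupdate on a test client: a policy you enabled in the GPO but which still reports Not Configured usually means the updated ADMX template has not been copied to the central store yet, so the setting never made it into the GPO's registry.pol.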