Windows 10, version 2004 introduces 134 new Group Policy settings


Microsoft has released Windows 10 version 2004 build 19041 (or ‘Windows 10 May 2020 Update’) through Windows Server Update Services (WSUS) and Windows Update for Business. It was already available as a download from Visual Studio Subscriptions, the Software Download Center (via the Update Assistant or the Media Creation Tool), and the Volume Licensing Service Center. This Windows version introduces 134 new Group Policy settings.

New Group Policy Settings

Windows 10, version 2004, build 19041 introduces the following new Group Policy settings:

Turn on Microsoft Defender Application Guard in Managed Mode

Configure Microsoft Defender Application Guard clipboard settings

Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user’s device

Configure Microsoft Defender Application Guard print settings

Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer

Allow camera and microphone access in Microsoft Defender Application Guard

Allow data persistence for Microsoft Defender Application Guard

Allow hardware-accelerated rendering for Microsoft Defender Application Guard

Allow auditing events in Microsoft Defender Application Guard

Allow files to download and save to the host operating system from Microsoft Defender Application Guard

The above ten Group Policy settings are all part of the new apphvsi.admx template file. Their aim is to allow admins to configure Windows Defender Application Guard.

These settings can be found in the Microsoft Defender Application Guard node underneath Windows Components and Administrative Templates for the computer configuration and are supported on all Windows 10 installations running Windows Defender Application Guard.

Let Windows apps access user movements while running in the background

The Let Windows apps access user movements while running in the background Group Policy setting from the appprivacy.admx template file specifies whether Windows apps can access the movement of the user's head, hands, motion controllers, and other tracked objects, while the apps are running in the background. You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. A per-app setting overrides the default setting.

This setting can be found in the App Privacy node underneath Windows Components and Administrative Templates for the computer configuration and applies to Windows Server 2016 and Windows 10.

Prevent non-admin users from installing packaged Windows apps

The Prevent non-admin users from installing packaged Windows apps Group Policy setting from the appxpackagemanager.admx template file manages non-Administrator users' ability to install Windows app packages.

If you enable this policy, non-Administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies. If you disable or do not configure this policy, all users will be able to initiate installation of Windows app packages.

This setting can be found in the App Package Deployment node underneath Windows Components and Administrative Templates for the computer configuration and applies to Windows Server 2016 and Windows 10.

Turn on security key sign-in

The Turn on security key sign-in Group Policy setting from the credentialproviders.admx template file allows admins to control whether users can sign in using external security keys. If you enable this policy setting, users can sign in with external security keys. If you disable or don't configure this policy setting, users can't sign in with external security keys.

This setting can be found in the Logon node underneath System and Administrative Templates for the computer configuration and applies to Windows 10 only.

Maximum Background Download Bandwidth (in KB/s)

Maximum Foreground Download Bandwidth (in KB/s)

Cache Server Hostname

Cache Server Hostname Source

The above four Group Policy settings are all part of the deliveryoptimization.admx template file. Their aim is to allow admins to configure Delivery Optimization for Windows Updates, Windows Upgrades and Windows applications.

These settings can be found in the Delivery Optimization node underneath Windows Components for the computer configuration and are supported on all Windows Server 2016 and later, and Windows 10 installations.

Configure Simplified Chinese IME version

Configure Traditional Chinese IME version

Configure Japanese IME version

The above three Group Policy settings are all part of the eaime.admx template file. Their aim is to allow admins to configure Input Method Editors (IMEs).

These settings can be found in the IME node underneath Windows Components for the user configuration and are supported on all Windows 10 installations running version 1903 and later.

Use a common set of exploit protection settings

The Use a common set of exploit protection settings Group Policy setting from the exploitguard.admx template file specifies the common set of Microsoft Defender Exploit Guard system and application mitigation settings that can be applied to all endpoints that have this Group Policy setting configured.

This setting can be found in the Exploit Protection node underneath the Microsoft Defender Exploit Guard node underneath Windows Components for the computer configuration and applies to Windows Server 2016 and Windows 10, version 1709 and later.
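The policy expects an exploit protection XML file that every endpoint can read. The following added example (not from the original post) shows the workflow around that file: export the configuration of a hardened reference machine with the ProcessMitigations cmdlets, sanity-check the export, and apply it on a pilot machine before the Group Policy setting is pointed at it. The UNC path is a placeholder, and the element names `MitigationPolicy`, `SystemConfig` and `AppConfig` are assumed from the export format.

```powershell
# Added example, not from the original post. Exports the exploit protection
# configuration of a reference machine, checks the export, and applies it to
# a pilot machine so the same XML can then be referenced from the
# "Use a common set of exploit protection settings" Group Policy setting.
# Assumptions: Windows 10 1709+ with the ProcessMitigations module; the share
# path below is a placeholder you replace with your own read-only share.

$SharePath = '\\fileserver\gpo$\ExploitProtection.xml'   # placeholder UNC path

# 1. On the reference machine: export system-wide and per-app mitigations.
Get-ProcessMitigation -RegistryConfigFilePath $SharePath

# 2. Sanity-check the export: it must parse, carry a system-wide section and
#    list the per-application entries you expect (element names are assumed).
[xml]$cfg = Get-Content -Path $SharePath -Raw
if (-not $cfg.MitigationPolicy.SystemConfig) {
    throw 'Export has no SystemConfig section; refusing to deploy it'
}
$apps = @($cfg.MitigationPolicy.AppConfig)
"Exported $($apps.Count) per-application mitigation entries:"
$apps | ForEach-Object { "  $($_.Executable)" }

# 3. On a pilot machine: apply the file, then compare the effective system
#    mitigations with what the reference machine had before the GPO rollout.
Set-ProcessMitigation -PolicyFilePath $SharePath
Get-ProcessMitigation -System
```

Keep the share read-only for endpoints: because the policy applies whatever the file contains, write access to it is equivalent to control over the mitigation settings of every machine in scope.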

Configure which channel of Microsoft Edge to use for opening redirected sites

The Configure which channel of Microsoft Edge to use for opening redirected sites Group Policy setting from the inetres.admx template file enables admins to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this policy if your environment is configured to redirect sites from Internet Explorer 11 to Microsoft Edge.

This setting can be found in the Internet Explorer node underneath Windows Components and Administrative Templates for both the computer configuration and the user configuration. It applies only to Windows 10, version 1709 and later.

Allow Graphing Calculator

The Allow Graphing Calculator Group Policy setting from the programs.admx template file allows admins to control whether graphing functionality is available in the Windows Calculator app.

This setting can be found in the Calculator node underneath Windows Components for the user configuration and is supported on all Windows 10 installations running version 1903 and later.

Allow uninstallation of language features when a language is uninstalled

The Allow uninstallation of language features when a language is uninstalled Group Policy setting from the textinput.admx template file controls whether some language features (such as handwriting recognizers and spell checking dictionaries) included with a language can be uninstalled from a user’s machine when the language is uninstalled. The language can be reinstalled with a different selection of included language features if needed. When this policy setting is disabled, language features remain on the user’s machine when the language is uninstalled.

This setting can be found in the Text Input node underneath Windows Components and Administrative Templates for the computer configuration and is supported on all Windows Server 2016 and later, and Windows 10 installations.

Turn off Auto Exclusions

Allow antimalware service to startup with normal priority

Turn off Microsoft Defender Antivirus

Configure local administrator merge behavior for lists

Turn off routine remediation

Define addresses to bypass proxy server

Define proxy auto-config (.pac) for connecting to the network

Define proxy server for connecting to the network

Randomize scheduled task times

Allow antimalware service to remain running always

Configure detection for potentially unwanted applications

Extension Exclusions

Path Exclusions

Process Exclusions

Turn on protocol recognition

Turn on definition retirement

Specify additional definition sets for network traffic inspection

Configure local setting override for the removal of items from Quarantine folder

Configure removal of items from Quarantine folder

Turn on behavior monitoring

Scan all downloaded files and attachments

Monitor file and program activity on your computer

Turn on raw volume write notifications

Turn off real-time protection

Turn on process scanning whenever real-time protection is enabled

Define the maximum size of downloaded files and attachments to be scanned

Configure local setting override for turn on behavior monitoring

Configure local setting override for monitoring file and program activity on your computer

Configure local setting override for scanning all downloaded files and attachments

Configure local setting override to turn on real-time protection

Configure local setting override for monitoring for incoming and outgoing file activity

Configure monitoring for incoming and outgoing file and program activity

Configure local setting override for the time of day to run a scheduled full scan to complete remediation

Specify the day of the week to run a scheduled full scan to complete remediation

Specify the time of day to run a scheduled full scan to complete remediation

Configure time out for detections requiring additional action

Configure time out for detections in critically failed state

Configure Watson events

Configure time out for detections in non-critical failed state

Configure time out for detections in recently remediated state

Configure Windows software trace preprocessor components

Configure WPP tracing level

Turn off enhanced notifications

Allow users to pause scan

Specify the maximum depth to scan archive files

Specify the maximum size of archive files to be scanned

Specify the maximum percentage of CPU utilization during a scan

Check for the latest virus and spyware security intelligence before running a scheduled scan

Scan archive files

Turn on catch-up full scan

Turn on catch-up quick scan

Turn on e-mail scanning

Turn on heuristics

Scan packed executables

Scan removable drives

Turn on reparse point scanning

Create a system restore point

Run full scan on mapped network drives

Scan network files

Configure local setting override for maximum percentage of CPU utilization

Configure local setting override for the scan type to use for a scheduled scan

Configure local setting override for schedule scan day

Configure local setting override for scheduled quick scan time

Configure local setting override for scheduled scan time

Turn on removal of items from scan history folder

Specify the interval to run quick scans per day

Start the scheduled scan only when computer is on but not in use

Specify the scan type to use for a scheduled scan

Specify the day of the week to run a scheduled scan

Specify the time for a daily quick scan

Specify the time of day to run a scheduled scan

Define the number of days after which a catch-up scan is forced

Configure low CPU priority for scheduled scans

Define the number of days before spyware security intelligence is considered out of date

Define the number of days before virus security intelligence is considered out of date

Define file shares for downloading security intelligence updates

Define security intelligence location for VDI clients.

Turn on scan after security intelligence update

Allow security intelligence updates when running on battery power

Initiate security intelligence update on startup

Define the order of sources for downloading security intelligence updates

Allow security intelligence updates from Microsoft Update

Allow real-time security intelligence updates based on reports to Microsoft MAPS

Specify the day of the week to check for security intelligence updates

Specify the time to check for security intelligence updates

Allow notifications to disable security intelligence based reports to Microsoft MAPS

Define the number of days after which a catch-up security intelligence update is required

Specify the interval to check for security intelligence updates

Check for the latest virus and spyware security intelligence on startup

Configure the 'Block at First Sight' feature

Configure local setting override for reporting to Microsoft MAPS

Join Microsoft MAPS

Send file samples when further analysis is required

Specify threats upon which default action should not be taken when detected

Specify threat alert levels at which default action should not be taken when detected

Enable headless UI mode

Suppresses reboot notifications

Suppress all notifications

Display additional text to clients when they need to perform an action

Select cloud protection level

Configure extended cloud check

Enable file hash computation feature

Prevent users and apps from accessing dangerous websites

Configure Controlled folder access

Configure Attack Surface Reduction rules

Exclude files and paths from Attack Surface Reduction Rules

Configure allowed applications

Configure protected folders

The above 108 Group Policy settings from the new windowsdefender.admx template file control settings for Microsoft Defender Antivirus. They contain settings to manage:

  • Client interface
  • Exclusions
  • MAPS
  • MpEngine
  • Network Inspection System
  • Quarantine
  • Real-time Protection
  • Remediation
  • Reporting
  • Scan
  • Security Intelligence Updates
  • Threats

These settings can be found in their respective nodes underneath the Microsoft Defender Antivirus node underneath Windows Components and Administrative Templates for the computer configuration and apply to all supported Windows and Windows Server operating systems.
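Many of the 108 settings above map directly onto properties exposed by the built-in Defender PowerShell module, which makes it easy to verify what a machine actually ended up with after the policy applied. The following added example (not from the original post) audits the effective configuration against the intent of a handful of those policies and flags any that weaken protection; it assumes Get-MpPreference and Get-MpComputerStatus are available, and the numeric value meanings are noted in the comments.

```powershell
# Added example, not from the original post: audit the effective Microsoft
# Defender Antivirus configuration of a machine against the intent of several
# of the policies listed above and flag the ones that weaken protection.
# Assumes the built-in Defender module (Get-MpPreference, Get-MpComputerStatus)
# on Windows 10 or Windows Server 2016 and later.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Policy name from the list above and the condition that means it is in a safe
# state. Value meanings: MAPSReporting 0 = disabled; SubmitSamplesConsent
# 2 = never send; PUAProtection 1 = block; EnableControlledFolderAccess 0 = off.
$checks = @(
    @{ Policy = 'Turn off Microsoft Defender Antivirus';      Ok = [bool]$status.AntivirusEnabled }
    @{ Policy = 'Turn off real-time protection';             Ok = -not $pref.DisableRealtimeMonitoring }
    @{ Policy = 'Turn on behavior monitoring';               Ok = -not $pref.DisableBehaviorMonitoring }
    @{ Policy = 'Scan all downloaded files and attachments'; Ok = -not $pref.DisableIOAVProtection }
    @{ Policy = 'Scan removable drives';                     Ok = -not $pref.DisableRemovableDriveScanning }
    @{ Policy = 'Turn off Auto Exclusions';                  Ok = -not $pref.DisableAutoExclusions }
    @{ Policy = 'Join Microsoft MAPS';                       Ok = $pref.MAPSReporting -ne 0 }
    @{ Policy = 'Send file samples when further analysis is required'; Ok = $pref.SubmitSamplesConsent -ne 2 }
    @{ Policy = 'Configure detection for potentially unwanted applications'; Ok = $pref.PUAProtection -eq 1 }
    @{ Policy = 'Configure Controlled folder access';        Ok = $pref.EnableControlledFolderAccess -ne 0 }
    @{ Policy = 'Configure Attack Surface Reduction rules';  Ok = @($pref.AttackSurfaceReductionRules_Ids).Count -gt 0 }
)

$report = foreach ($c in $checks) {
    $state = if ($c.Ok) { 'OK' } else { 'WEAKENED' }
    [pscustomobject]@{ Policy = $c.Policy; Status = $state }
}
$report | Format-Table -AutoSize

# Exclusions (the Path, Extension and Process Exclusions policies) need a human
# look: broad entries such as whole drives or temp folders blind the scanner.
"Path exclusions:      $($pref.ExclusionPath -join ', ')"
"Extension exclusions: $($pref.ExclusionExtension -join ', ')"
"Process exclusions:   $($pref.ExclusionProcess -join ', ')"

$weak = @($report | Where-Object Status -eq 'WEAKENED')
if ($weak.Count -gt 0) {
    Write-Warning "$($weak.Count) setting(s) weaken Defender protection on this machine"
}
```

Run it on a pilot machine after `gpupdate /force` to confirm the policy landed; a local setting that still reads WEAKENED usually means the corresponding "local setting override" policy is allowing the local value to win.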

Select the target Feature Update version

The Select the target Feature Update version Group Policy setting from the windowsupdate.admx template file specifies a Feature Update version to be requested in subsequent scans.

This setting can be found in the Windows Update for Business node underneath the Windows Update node underneath Windows Components and Administrative Templates for the computer configuration and applies to Windows Server 2016 and Windows 10.
