New Group Policy Updates for Windows 10 in 2020

The Windows 10 May 2020 Update brings some changes to Group Policy so that administrators can better manage security, delivery optimization, and apps. But while the update still includes Microsoft’s legacy Edge browser, the Group Policy settings related to it have been removed.

Internet Explorer redirection

The Configure which channel of Microsoft Edge to use for opening redirected sites setting can be found under Computer Configuration > Administrative Templates > Windows Components > Internet Explorer and User Configuration > Administrative Templates > Windows Components > Internet Explorer.

If you have set up Internet Explorer 11 to redirect sites to Microsoft Edge, the new setting lets you specify which channel release of Microsoft’s new Edge browser should be used. If the setting is not configured, the Stable channel is used. If you enable the setting, you can specify a first, second, and third choice from the following options:

  1. Microsoft Edge Stable
  2. Microsoft Edge Beta version 77 or later
  3. Microsoft Edge Dev version 77 or later
  4. Microsoft Edge Canary version 77 or later

Figure 1: Group Policy Changes in the Windows 10 May 2020 Update (Image Credit: Russell Smith)

Password policies

There are two new password policies under Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policies. Relax minimum password length limits and Minimum password length audit are designed to make it easier for organizations to implement passphrases instead of passwords.

A passphrase is a sentence that replaces a usually shorter password. The length of passphrases makes them harder to crack but easier for people to remember.

Figure 2: Group Policy Changes in the Windows 10 May 2020 Update (Image Credit: Russell Smith)

Relax minimum password length limits controls whether the minimum password length can be set beyond the legacy maximum of 14 to a maximum of 128 characters.

The increased minimum password length can cause compatibility issues, so the Minimum password length audit setting enables logging of password length audit warning events. Microsoft says that you should only enable this setting when trying to determine the potential impact of increasing the minimum password length setting. Minimum password length audit can be set to a value from 1 to 128.
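To see how these two settings interact on a given machine, here is an added PowerShell example (not code from the article) that reads the registry values behind them and compares them with the currently enforced minimum; the SAM registry value names and the reliance on English `net accounts` output are assumptions.

```powershell
# Added example: inspect the relax-limit and audit policies for minimum password length
# and check whether a planned passphrase length could be enforced. Run from an elevated
# prompt. Registry value names assumed from Microsoft's documentation of these settings.
$samKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM'

function Get-PasswordLengthPolicyState {
    param([int]$DesiredMinimumLength = 20)   # the passphrase length you plan to require

    $relax = (Get-ItemProperty -Path $samKey -Name 'RelaxMinimumPasswordLengthLimits' `
                -ErrorAction SilentlyContinue).RelaxMinimumPasswordLengthLimits
    $audit = (Get-ItemProperty -Path $samKey -Name 'MinimumPasswordLengthAudit' `
                -ErrorAction SilentlyContinue).MinimumPasswordLengthAudit

    # Currently enforced minimum as reported by 'net accounts' (English output assumed)
    $current = $null
    $line = net accounts | Select-String -Pattern 'Minimum password length:\s+(\d+)'
    if ($line) { $current = [int]$line.Matches[0].Groups[1].Value }

    [pscustomobject]@{
        RelaxLimitsEnabled   = ($relax -eq 1)
        AuditThreshold       = $audit
        CurrentMinimumLength = $current
        DesiredMinimumLength = $DesiredMinimumLength
        # Minimums above the legacy cap of 14 are only accepted once the relax policy is on
        DesiredLengthAllowed = ($DesiredMinimumLength -le 14) -or ($relax -eq 1)
        # The audit setting is meant to be temporary; flag it if it is still active
        AuditActive          = ($null -ne $audit -and $audit -ge 1)
    }
}

Get-PasswordLengthPolicyState -DesiredMinimumLength 20 | Format-List
```

Running this across a pilot group before and after enabling the audit setting shows which machines would reject a longer minimum and whether anyone left the audit switched on.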

FIDO2 security key sign-in

Turn on security key sign-in under Computer Configuration > Administrative Templates > System > Logon is a new setting that determines whether users can sign in to Windows using security keys instead of passwords. For more information on passwordless sign-in in Windows 10, check out Understanding Windows 10 and Microsoft 365 Passwordless Sign-In on Petri.

Delivery optimization

Windows 10 version 2004 includes new settings to control how updates are delivered using Windows Update for Business (WUfB). These settings are collectively referred to by Microsoft as enterprise network throttling. Delivery optimization also works with Windows Server Update Services (WSUS), provided that clients have an Internet connection to communicate with Microsoft’s delivery optimization servers.

Maximum Background Download Bandwidth and Maximum Foreground Download Bandwidth can be used to set limits in KB/s. Both settings can be found under Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization.

Figure 3: Group Policy Changes in the Windows 10 May 2020 Update (Image Credit: Russell Smith)

The settings can also be found in the Settings app as Absolute bandwidth for foreground and background downloading.

Microsoft Connected Cache

For organizations using Microsoft Connected Cache, previously called Delivery Optimization In-Network Cache, the Cache Server Hostname Source setting can be used to control how clients discover cache servers dynamically. There are two options:

  1. DHCP Option 235
  2. DHCP Option 235 Force

If the policy is set to either option, clients will query DHCP for the Cache Server Hostname. The second option, DHCP Option 235 Force, overrides any value set in the Cache Server Hostname policy setting.
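The bandwidth caps and the Connected Cache discovery options above are all stored under one policy key, so a single check can report the effective state; this is an added PowerShell example (not code from the article) and the registry value names are assumed from Microsoft's Delivery Optimization policy documentation.

```powershell
# Added example: read the Delivery Optimization policy values behind the bandwidth caps
# and the Cache Server Hostname Source setting, and resolve which cache host wins.
# Registry value names are assumptions based on Microsoft's documentation.
$doKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Get-DOPolicyState {
    $p = Get-ItemProperty -Path $doKey -ErrorAction SilentlyContinue

    # DOCacheHostSource: absent/0 = not configured, 1 = DHCP Option 235, 2 = DHCP Option 235 Force
    $source     = [int]($p.DOCacheHostSource)
    $staticHost = $p.DOCacheHost          # the Cache Server Hostname policy value, if set

    $discovery = switch ($source) {
        1       { 'DHCP Option 235 (static Cache Server Hostname value still honoured)' }
        2       { 'DHCP Option 235 Force (static Cache Server Hostname value is overridden)' }
        default { 'Not configured (static Cache Server Hostname only, if set)' }
    }

    # With Force, the statically configured host is ignored in favour of DHCP
    $effectiveStatic = if ($source -eq 2) { $null } else { $staticHost }

    [pscustomobject]@{
        # Caps are in KB/s; absent or 0 means no cap is applied
        BackgroundCapKBps   = $p.DOMaxBackgroundDownloadBandwidth
        ForegroundCapKBps   = $p.DOMaxForegroundDownloadBandwidth
        CacheHostSource     = $source
        CacheDiscovery      = $discovery
        StaticCacheHost     = $staticHost
        EffectiveStaticHost = $effectiveStatic
    }
}

Get-DOPolicyState | Format-List
```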

For more information on Microsoft Connected Cache, see Microsoft Announces Azure Managed Version of Connected Cache on Petri.

Windows Update for Business

WUfB gets a new setting called Select the target Feature Update version under Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business.

The setting allows you to specify a specific feature update to scan for, like 2004, instead of WUfB scanning for all available feature updates.

Microsoft Defender ATP

There is a new setting for Microsoft Defender Advanced Threat Protection (ATP) called Enable file hash computation feature under Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MpEngine. When the setting is enabled, it forces the engine to generate file hashes for every executable file scanned if not previously computed. The new setting is for improving blocking for custom indicators in Microsoft Defender ATP.

Enabling the Enable file hash computation feature setting can affect device performance. Microsoft recommends a gradual deployment to establish whether there is a significant performance impact on devices.

Application settings

Administrators can use the Allow Graphing Calculator setting under User Configuration > Administrative Templates > Windows Components > Calculator to disable the graphing features of the Windows Calculator app.

The Prevent non-admin users from installing packaged Windows apps setting, under Computer Configuration > Administrative Templates > Windows Components > App Package Deployment, prevents non-administrative users from installing Windows app packages. All users can still install app packages from the Microsoft Store, which can be restricted using separate policy settings.

The Let Windows apps access user movements while running in the background setting under Computer Configuration > Administrative Templates > Windows Components > App Privacy determines whether Windows apps can access movement of the user’s head, hands, motion controllers, and other tracked objects while the apps are running in the background. The policy setting lets you specify a default setting for all apps or a per-app setting.

Input Method Editor for East Asian languages

Finally, there are three additional settings that specify whether users can control the version of the Input Method Editor (IME) that is used for Japanese, simplified Chinese, and traditional Chinese. The settings are under User Configuration > Administrative Templates > Windows Components > IME as Configure Japanese IME version, Configure Simplified Chinese IME version, and Configure Traditional Chinese IME version.