
What’s new in Windows 10 1709 GPO

Published February 11, 2024

What’s new in Windows 10 1709 Group Policy? Below are the names, paths, and descriptions of the GPO settings added in Windows 10 version 1709.

Use a common set of exploit protection settings
Path: Windows Components\Windows Defender Exploit Guard\Exploit Protection

Specify a common set of Windows Defender Exploit Guard system and application mitigation settings that can be applied to all endpoints that have this GP setting configured. There are some prerequisites before you can enable this setting:
– Manually configure a device’s system and application mitigation settings using the Set-ProcessMitigation PowerShell cmdlet, the ConvertTo-ProcessMitigationPolicy PowerShell cmdlet, or directly in the Windows Defender Security Center.
– Generate an XML file with the settings from the device by running the Get-ProcessMitigation PowerShell cmdlet or using the Export button at the bottom of the Exploit Protection area in the Windows Defender Security Center.
– Place the generated XML file in a shared or local path.
Note: Endpoints that have this GP setting set to Enabled must be able to access the XML file, otherwise the settings will not be applied.
Enabled: Specify the location of the XML file in the Options section. You can use a local (or mapped) path, a UNC path, or a URL, such as the following:
– C:\MitigationSettings\Config.XML
– \\Server\Share\Config.xml
– https://localhost:8080/Config.xml
The settings in the XML file will be applied to the endpoint.
Disabled: Common settings will not be applied, and the locally configured settings will be used instead.
Not configured: Same as Disabled.
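The prerequisite steps above, as an added PowerShell example that is not from the original post: it configures mitigations on a reference device, exports the XML, publishes it to a share, and then runs the check an endpoint administrator wants before and after enabling the policy (can the endpoint read the file, and did the policy value arrive). The share path, the sample application name and the policy registry value name are assumptions.

```powershell
# Added example (not from the original post). Run elevated on the reference device.
# Assumptions: the share \\FS01\ExploitGuard$ exists and every endpoint can read it;
# the registry value name under the policy key is taken from the Exploit Guard ADMX
# and should be verified against the ADMX in your central store before relying on it.

$SharePath = '\\FS01\ExploitGuard$\Config.xml'   # assumed UNC path entered in the GPO option
$LocalXml  = 'C:\MitigationSettings\Config.XML'   # local export path, as in the GPO text

# 1. Configure mitigations on the reference device: system-wide defaults plus one app.
Set-ProcessMitigation -System -Enable DEP, SEHOP, CFG
Set-ProcessMitigation -Name 'SampleApp.exe' -Enable DEP, BottomUp, HighEntropy   # assumed app name

# 2. Export the effective settings to XML; this file is what the GPO points endpoints at.
New-Item -ItemType Directory -Path (Split-Path $LocalXml) -Force | Out-Null
Get-ProcessMitigation -RegistryConfigFilePath $LocalXml

# 3. Publish the XML where every endpoint can read it.
Copy-Item -Path $LocalXml -Destination $SharePath -Force

# Check 1: the GPO applies nothing if the endpoint cannot open the file, and it fails
# silently. Run this from an endpoint (ideally under the computer account, e.g. via a
# scheduled task) before enabling the policy.
function Test-ExploitProtectionSource {
    param([string]$Path)
    try {
        [xml]$doc = Get-Content -Path $Path -Raw -ErrorAction Stop
        # The exported document is <MitigationPolicy> with <SystemConfig> and <AppConfig> children.
        $apps = @($doc.MitigationPolicy.AppConfig).Count
        $sys  = $null -ne $doc.MitigationPolicy.SystemConfig
        Write-Host "Readable: $Path (per-app entries: $apps, system config present: $sys)"
        return $true
    } catch {
        Write-Warning "Endpoint cannot read $Path : $($_.Exception.Message)"
        return $false
    }
}

# Check 2: after gpupdate on an endpoint, confirm the policy value landed and look at the
# live per-app settings to see that the XML was actually applied.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender ExploitGuard\Exploit Protection'
if (Test-ExploitProtectionSource -Path $SharePath) {
    $cfg = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).ExploitProtectionSettings
    if ($cfg) { Write-Host "Policy delivers XML from: $cfg" }
    else      { Write-Warning 'Policy value not present; has the GPO applied to this endpoint?' }
    Get-ProcessMitigation -Name 'SampleApp.exe'
}
```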

Handwriting Panel Default Mode Docked
Path: Windows Components\Handwriting

The handwriting panel has two modes: floating near the text box, or docked to the bottom of the screen. The default is floating near the text box. If you want the panel to stay in one place, use this policy to dock it to the bottom.

Allow Message Service Cloud Sync
Path: Windows Components\Messaging

This policy setting allows the backup and restoration of cellular text messages to Microsoft’s cloud services.

Provision Favorites
Path: Windows Components\Microsoft Edge

This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export, or delete these provisioned favorites.
If you enable this setting, you can set favorite URLs and favorite folders to appear on top of users’ favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites.
Important: Don’t enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
If you disable or don’t configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.

Prevent changes to Favorites on Microsoft Edge
Path: Windows Components\Microsoft Edge

This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge.
If you enable this setting, employees won’t be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as Create a new folder) are all turned off.
Important: Don’t enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
If you disable or don’t configure this setting (default), employees can add, import, and make changes to the Favorites list.

Specify global DNS
Path: Network\Network Connectivity Status Indicator

This policy setting enables you to specify DNS binding behavior. By default, NCSI restricts its DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface.

Allow downloading updates to the Disk Failure Prediction Model
Path: System\Storage Health

Allows downloading new updates to the ML model parameters used for predicting storage disk failure.
Enabled: Updates will be downloaded for the Disk Failure Prediction Model.
Disabled: Updates will not be downloaded for the Disk Failure Prediction Model.
Not configured: Same as Enabled.

Enable Device Health Attestation Monitoring and Reporting
Path: System\Device Health Attestation Service

This group policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to the Device Health Attestation Service (DHA-Service) every time a device starts. The Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud-based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows.

Configure the system to clear the TPM if it is not in a ready state
Path: System\Trusted Platform Module Services

This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login, and only if the logged-in user is a member of the Administrators group on the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state.

Prevent users and apps from accessing dangerous websites
Path: Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Network Protection

Enable or disable Windows Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet.
Enabled: Specify the mode in the Options section:
– Block: Users and applications will not be able to access dangerous domains.
– Audit Mode: Users and applications can connect to dangerous domains; however, if this feature would have blocked access had it been set to Block, a record of the event will be written to the event logs.
Disabled: Users and applications will not be blocked from connecting to dangerous domains.
Not configured: Same as Disabled.

Configure Controlled folder access
Path: Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access

Enable or disable controlled folder access for untrusted applications.
Block: Untrusted applications cannot modify or delete files in protected folders, such as the Documents folder.
Disabled: All applications can modify or delete files in protected folders, such as the Documents folder.
Audit Mode: Applications that would normally be considered “untrusted” if the setting was Enabled will still be able to modify or delete files in protected folders. However, each event will be recorded in the Windows event log.
Not configured: Same as Disabled.
Windows Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting. Default system folders are automatically guarded, but you can add folders in the Configure protected folders GP setting.

Configure Attack Surface Reduction rules
Path: Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction

Set the state for each Attack Surface Reduction (ASR) rule. After enabling this setting, you can set each rule to the following in the Options section:
– Block: the rule will be applied
– Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied)
– Off: the rule will not be applied
Enabled: Specify the state for each ASR rule under the Options section for this setting. Enter each rule on a new line as a name-value pair:
– Name column: Enter a valid ASR rule ID
– Value column: Enter the status ID that relates to the state you want to specify for the associated rule
The following status IDs are permitted under the value column:
– 1 (Block)
– 0 (Off)
– 2 (Audit)
Example:
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2
Disabled: No ASR rules will be configured.
Not configured: Same as Disabled.
You can exclude folders or files in the “Exclude files and paths from Attack Surface Reduction Rules” GP setting.

Exclude files and paths from Attack Surface Reduction Rules
Path: Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction

Exclude files and paths from Attack Surface Reduction (ASR) rules.
Enabled: Specify the folders or files and resources that should be excluded from ASR rules in the Options section. Enter each rule on a new line as a name-value pair:
– Name column: Enter a folder path or a fully qualified resource name. For example, “C:\Windows” will exclude all files in that directory. “C:\Windows\App.exe” will exclude only that specific file in that specific folder.
– Value column: Enter “0” for each item.
Disabled: No exclusions will be applied to the ASR rules.
Not configured: Same as Disabled.
You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting.

Configure allowed applications
Path: Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access

Add additional applications that should be considered “trusted” by controlled folder access. These applications are allowed to modify or delete files in controlled folder access folders. Windows Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add additional applications.
Enabled: Specify additional allowed applications in the Options section.
Disabled: No additional applications will be added to the trusted list.
Not configured: Same as Disabled.
You can enable controlled folder access in the Configure controlled folder access GP setting. Default system folders are automatically guarded, but you can add folders in the Configure protected folders GP setting.

Configure protected folders
Path: Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access

Specify additional folders that should be guarded by the Controlled folder access feature. Files in these folders cannot be modified or deleted by untrusted applications. Default system folders are automatically protected. You can configure this setting to add additional folders. The list of default system folders that are protected is shown in the Windows Defender Security Center.
Enabled: Specify additional folders that should be protected in the Options section.
Disabled: No additional folders will be protected.
Not configured: Same as Disabled.
You can enable controlled folder access in the Configure controlled folder access GP setting. Windows Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting.
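Audit Mode records events but blocks nothing, and the rule list in a GPO can drift from what is live on an endpoint. The following is an added PowerShell check, not from the original post, covering the Network Protection, Controlled folder access and ASR settings above: it reads the effective state through Get-MpPreference, reports each item as Off, Block or Audit using the same 0/1/2 status IDs the policies use, and compares the live ASR rules with the pairs entered in the GPO. The expected-rule table is a constructed assumption with placeholder GUIDs; substitute the rule IDs from your own GPO.

```powershell
# Added example (not from the original post). Run on a managed endpoint after gpupdate.
# Assumption: $Expected mirrors the name-value pairs entered in the
# "Configure Attack Surface Reduction rules" GPO. The GUIDs are placeholders.
$Expected = @{
    'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx1' = 1   # Block
    'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx2' = 2   # Audit
}

# Same status IDs the GPO text documents: 0 = Off, 1 = Block, 2 = Audit.
$ModeName = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit' }

function ConvertTo-ModeName([int]$Code) {
    if ($ModeName.ContainsKey($Code)) { $ModeName[$Code] } else { "Unknown($Code)" }
}

function Get-ExploitGuardState {
    $p = Get-MpPreference
    # The feature toggles use the same 0/1/2 scheme as the per-rule action codes.
    $rules = for ($i = 0; $i -lt @($p.AttackSurfaceReductionRules_Ids).Count; $i++) {
        [pscustomobject]@{
            Id   = ([string]$p.AttackSurfaceReductionRules_Ids[$i]).ToLower()
            Mode = ConvertTo-ModeName $p.AttackSurfaceReductionRules_Actions[$i]
        }
    }
    [pscustomobject]@{
        NetworkProtection      = ConvertTo-ModeName $p.EnableNetworkProtection
        ControlledFolderAccess = ConvertTo-ModeName $p.EnableControlledFolderAccess
        AllowedApplications    = @($p.ControlledFolderAccessAllowedApplications)
        ProtectedFolders       = @($p.ControlledFolderAccessProtectedFolders)
        AsrExclusions          = @($p.AttackSurfaceReductionOnlyExclusions)
        AsrRules               = @($rules)
    }
}

function Compare-AsrRules($State, [hashtable]$Expected) {
    # Case-insensitive maps of rule id -> mode name for both sides.
    $want = @{}; foreach ($k in $Expected.Keys) { $want[$k.ToLower()] = ConvertTo-ModeName $Expected[$k] }
    $live = @{}; foreach ($r in $State.AsrRules)  { $live[$r.Id] = $r.Mode }
    foreach ($id in $want.Keys) {
        $have = $live[$id]
        if ($null -eq $have)       { "MISSING  $id  expected $($want[$id]), not present on endpoint" }
        elseif ($have -ne $want[$id]) { "DRIFT    $id  expected $($want[$id]), live $have" }
        elseif ($have -eq 'Audit') { "AUDIT    $id  logs only, nothing is blocked" }
        else                       { "OK       $id  $have" }
    }
    foreach ($id in $live.Keys) {
        if (-not $want.ContainsKey($id)) { "EXTRA    $id  live $($live[$id]) but not in the GPO list" }
    }
}

$state = Get-ExploitGuardState
$state | Select-Object NetworkProtection, ControlledFolderAccess | Format-List
"Allowed applications: $($state.AllowedApplications -join ', ')"
"Protected folders:    $($state.ProtectedFolders -join ', ')"
"ASR exclusions:       $($state.AsrExclusions -join ', ')"
Compare-AsrRules -State $state -Expected $Expected
```

Lines marked AUDIT or DRIFT are the ones to act on: an Audit rule generates events in the Windows Defender operational log but does not stop anything.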

Hide the Virus and threat protection area
Path: Windows Components\Windows Defender Security Center\Virus and threat protection

Hide the Virus and threat protection area in the Windows Defender Security Center.
Enabled: The Virus and threat protection area will be hidden.
Disabled: The Virus and threat protection area will be shown.
Not configured: Same as Disabled.

Hide the Firewall and network protection area
Path: Windows Components\Windows Defender Security Center\Firewall and network protection

Hide the Firewall and network protection area in the Windows Defender Security Center.
Enabled: The Firewall and network protection area will be hidden.
Disabled: The Firewall and network protection area will be shown.
Not configured: Same as Disabled.

Hide the App and browser protection area
Path: Windows Components\Windows Defender Security Center\App and browser protection

Hide the App and browser protection area in the Windows Defender Security Center.
Enabled: The App and browser protection area will be hidden.
Disabled: The App and browser protection area will be shown.
Not configured: Same as Disabled.

Prevent users from modifying settings
Path: Windows Components\Windows Defender Security Center\App and browser protection

Prevent users from making changes to the Exploit protection settings area in the Windows Defender Security Center.
Enabled: Local users cannot make changes in the Exploit protection settings area.
Disabled: Local users are allowed to make changes in the Exploit protection settings area.
Not configured: Same as Disabled.

Hide the Device performance and health area
Path: Windows Components\Windows Defender Security Center\Device performance and health

Hide the Device performance and health area in the Windows Defender Security Center.
Enabled: The Device performance and health area will be hidden.
Disabled: The Device performance and health area will be shown.
Not configured: Same as Disabled.

Hide the Family options area
Path: Windows Components\Windows Defender Security Center\Family options

Hide the Family options area in the Windows Defender Security Center.
Enabled: The Family options area will be hidden.
Disabled: The Family options area will be shown.
Not configured: Same as Disabled.

Hide all notifications
Path: Windows Components\Windows Defender Security Center\Notifications

Hide notifications from the Windows Defender Security Center.
Enabled: Local users will not see notifications from the Windows Defender Security Center.
Disabled: Local users can see notifications from the Windows Defender Security Center.
Not configured: Same as Disabled.

Hide non-critical notifications
Path: Windows Components\Windows Defender Security Center\Notifications

Only show critical notifications from the Windows Defender Security Center. If the Suppress all notifications GP setting has been enabled, this setting will have no effect.
Enabled: Local users will only see critical notifications from the Windows Defender Security Center. They will not see other types of notifications, such as regular PC or device health information.
Disabled: Local users will see all types of notifications from the Windows Defender Security Center.
Not configured: Same as Disabled.

Configure customized notifications
Path: Windows Components\Windows Defender Security Center\Enterprise Customization

Display specified contact information to local users in Windows Defender Security Center notifications.
Enabled: Your company contact information will be displayed in notifications that come from the Windows Defender Security Center. After setting this to Enabled, you must configure the Specify contact company name GP setting and at least one of the following GP settings:
– Specify contact phone number or Skype ID
– Specify contact email address or Email ID
– Specify contact website
Disabled: No contact information will be shown on notifications.
Not configured: Same as Disabled.

Configure customized contact information
Path: Windows Components\Windows Defender Security Center\Enterprise Customization

Display specified contact information to local users in a contact card flyout menu in the Windows Defender Security Center.
Enabled: Your company contact information will be displayed in a flyout menu in the Windows Defender Security Center. After setting this to Enabled, you must configure the Specify contact company name GP setting and at least one of the following GP settings:
– Specify contact phone number or Skype ID
– Specify contact email address or Email ID
– Specify contact website
Disabled: No contact information will be shown in the Windows Defender Security Center.
Not configured: Same as Disabled.

Specify contact company name
Path: Windows Components\Windows Defender Security Center\Enterprise Customization

Specify the company name that will be displayed in the Windows Defender Security Center and associated notifications. This setting must be enabled for any contact information to appear.
Enabled: Enter the company name in the Options section.
Disabled: Contact information will not be shown at all in either the Windows Defender Security Center or any notifications that it creates.
Not configured: Same as Disabled.

Specify contact phone number or Skype ID
Path: Windows Components\Windows Defender Security Center\Enterprise Customization

Specify the phone number or Skype ID that will be displayed in the Windows Defender Security Center and associated notifications. Users can click on the contact information to automatically call the supplied number. Skype will be used to initiate the call.
Enabled: Enter the phone number or Skype ID in the Options section.
Disabled: A contact phone number or Skype ID will not be shown in either the Windows Defender Security Center or any notifications it creates.
Not configured: Same as Disabled.

Specify contact email address or Email ID
Path: Windows Components\Windows Defender Security Center\Enterprise Customization

Specify the email address or email ID that will be displayed in the Windows Defender Security Center and associated notifications. Users can click on the contact information to create an email that will be sent to the specified address. The default email application will be used.
Enabled: Enter the email address or email ID in the Options section.
Disabled: A contact email address or email ID will not be shown in either the Windows Defender Security Center or any notifications it creates.
Not configured: Same as Disabled.

Specify contact website
Path: Windows Components\Windows Defender Security Center\Enterprise Customization

Specify the URL that will be displayed in the Windows Defender Security Center and associated notifications. Users can click on the contact information to open the specified website. The default web browser will be used.
Enabled: Enter the URL in the Options section.
Disabled: A contact website URL will not be shown in either the Windows Defender Security Center or any notifications it creates.
Not configured: Same as Disabled.

Manage preview builds
Path: Windows Components\Windows Update\Windows Update for Business

Selecting “Disable preview builds” will prevent preview builds from installing on the device. This will prevent users from opting into the Windows Insider Program through Settings -> Update and Security.
Selecting “Disable preview builds once next release is public” will prevent preview builds from installing once the next Windows release is public. This option is useful when your device is set up to install preview builds and you want to gracefully opt the device out of flighting. This option will keep providing preview builds until the device reaches the next public release.
Selecting “Enable preview builds” will enable preview build installation on the device. Users can download and install Windows preview builds on their devices by opting in through Settings -> Update and Security -> Windows Insider Program. Admins can also use other policies to manage flight settings on behalf of users when this value is set.
