What’s new in Windows 10 1709 Group Policy? Below are the names, paths, and descriptions of the new GPO settings.

Use a common set of exploit protection settings
Path: Windows Components\Windows Defender Exploit Guard\Exploit Protection
Specify a common set of Windows Defender Exploit Guard system and application mitigation settings that can be applied to all endpoints that have this GP setting configured. There are some prerequisites before you can enable this setting:
– Manually configure a device’s system and application mitigation settings using the Set-ProcessMitigation PowerShell cmdlet, the ConvertTo-ProcessMitigationPolicy PowerShell cmdlet, or directly in the Windows Defender Security Center.
– Generate an XML file with the settings from the device by running the Get-ProcessMitigation PowerShell cmdlet or using the Export button at the bottom of the Exploit Protection area in the Windows Defender Security Center.
– Place the generated XML file in a shared or local path.
Note: Endpoints that have this GP setting set to Enabled must be able to access the XML file, otherwise the settings will not be applied.
Enabled: Specify the location of the XML file in the Options section. You can use a local (or mapped) path, a UNC path, or a URL, such as the following:
– C:\MitigationSettings\Config.XML
– \\Server\Share\Config.xml
– https://localhost:8080/Config.xml
The settings in the XML file will be applied to the endpoint.
Disabled: Common settings will not be applied, and the locally configured settings will be used instead.
Not configured: Same as Disabled.

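The three prerequisite steps above, worked through with the ProcessMitigations cmdlets on a reference device and followed by the reachability check a targeted endpoint should run. This is an added example, not code from the original page; notepad.exe as the hardened application, C:\MitigationSettings as the export folder and \\Server\Share as the UNC path the GPO points at are assumptions.

```powershell
# Added example (not from the original page): build and publish the XML that the
# "Use a common set of exploit protection settings" GPO distributes, then verify
# from an endpoint. Assumptions: notepad.exe, C:\MitigationSettings, \\Server\Share.
# Run from an elevated PowerShell on Windows 10 1709 or later.

# Step 1: configure mitigations on the reference device.
# System defaults apply to every process that has no per-app override.
Set-ProcessMitigation -System -Enable DEP, SEHOP, BottomUp, HighEntropy, CFG
# Per-app overrides: enforce the low-risk mitigations and audit the one most likely
# to break the app (dynamic code) until the Security-Mitigations log shows it is clean.
Set-ProcessMitigation -Name notepad.exe -Enable DEP, SEHOP, ForceRelocateImages, `
    BlockRemoteImageLoads, DisableExtensionPoints, AuditDynamicCode

# Step 2: export the registry-configured settings to the XML file the GPO expects.
New-Item -ItemType Directory -Path C:\MitigationSettings -Force | Out-Null
Get-ProcessMitigation -RegistryConfigFilePath C:\MitigationSettings\Config.xml

# Review what was exported before publishing it. The exported file uses a
# <MitigationPolicy> root with one <AppConfig Executable="..."> per overridden app.
[xml]$policy = Get-Content -LiteralPath C:\MitigationSettings\Config.xml
$policy.MitigationPolicy.AppConfig | Select-Object Executable

# Step 3: place the file where every endpoint in the GPO's scope can read it.
Copy-Item -LiteralPath C:\MitigationSettings\Config.xml -Destination \\Server\Share\Config.xml

# Endpoint-side check: the Note above says the settings are silently skipped when the
# XML is unreachable, so test the path from a machine inside the GPO's scope.
$gpoXml = '\\Server\Share\Config.xml'
if (-not (Test-Path -LiteralPath $gpoXml)) {
    Write-Warning "Cannot read $gpoXml from this endpoint; the common settings will not apply."
} else {
    # Apply the same XML by hand (what the GPO does on its next refresh) and confirm
    # the per-app override landed.
    Set-ProcessMitigation -PolicyFilePath $gpoXml
    Get-ProcessMitigation -Name notepad.exe
}

# After the audit period, review the mitigation events raised for the hardened app
# before promoting AuditDynamicCode to BlockDynamicCode.
Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/UserMode' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'notepad\.exe' } |
    Select-Object TimeCreated, Id, Message
```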
Handwriting Panel Default Mode Docked
Path: Windows Components\Handwriting
The handwriting panel has two modes: floating near the text box, or docked at the bottom of the screen. The default is floating near the text box. If you want the panel to stay in a fixed position, use this policy to dock it at the bottom.

Allow Message Service Cloud Sync
Path: Windows Components\Messaging
This policy setting allows the backup and restoration of cellular text messages to Microsoft’s cloud services.

Provision Favorites
Path: Windows Components\Microsoft Edge
This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export, or delete these provisioned favorites. If you enable this setting, you can set favorite URLs and favorite folders to appear at the top of users’ favorites list (either in the Hub or the Favorites Bar). The user favorites will appear after these provisioned favorites.
Important: Don’t enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
If you disable or don’t configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.

Prevent changes to Favorites on Microsoft Edge
Path: Windows Components\Microsoft Edge
This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. If you enable this setting, employees won’t be able to add, import, or change anything in the Favorites list. As part of this, Save a Favorite, Import settings, and the context menu items (such as Create a new folder) are all turned off.
Important: Don’t enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
If you disable or don’t configure this setting (default), employees can add, import, and make changes to the Favorites list.

Specify global DNS
Path: Network\Network Connectivity Status Indicator
This policy setting enables you to specify DNS binding behavior. By default, NCSI restricts DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface.

Allow downloading updates to the Disk Failure Prediction Model
Path: System\Storage Health
Allows downloading new updates to the ML model parameters used for predicting storage disk failure.
Enabled: Updates will be downloaded for the Disk Failure Prediction Model.
Disabled: Updates will not be downloaded for the Disk Failure Prediction Model.
Not configured: Same as Enabled.

Enable Device Health Attestation Monitoring and Reporting
Path: System\Device Health Attestation Service
This group policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificates, etc.) to the Device Health Attestation Service (DHA-Service) every time a device starts. The Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud-based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows.

Configure the system to clear the TPM if it is not in a ready state
Path: System\Trusted Platform Module Services
This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login, and only if the logged-in user is a member of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state.

Prevent users and apps from accessing dangerous websites
Path: Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Network Protection
Enable or disable Windows Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet.
Enabled: Specify the mode in the Options section:
– Block: Users and applications will not be able to access dangerous domains.
– Audit Mode: Users and applications can connect to dangerous domains; however, if this feature would have blocked access had it been set to Block, a record of the event will be written to the event logs.
Disabled: Users and applications will not be blocked from connecting to dangerous domains.
Not configured: Same as Disabled.

Configure Controlled folder access
Path: Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access
Enable or disable controlled folder access for untrusted applications.
Block: Untrusted applications cannot modify or delete files in protected folders, such as the Documents folder.
Disabled: All applications can modify or delete files in protected folders, such as the Documents folder.
Audit Mode: Applications that would normally be considered “untrusted” if the setting was Enabled will still be able to modify or delete files in protected folders. However, each event will be recorded in the Windows event log.
Not configured: Same as Disabled.
Windows Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting. Default system folders are automatically guarded, but you can add folders in the Configure protected folders GP setting.

Configure Attack Surface Reduction rules
Path: Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction
Set the state for each Attack Surface Reduction (ASR) rule. After enabling this setting, you can set each rule to one of the following in the Options section:
– Block: the rule will be applied
– Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied)
– Off: the rule will not be applied
Enabled: Specify the state for each ASR rule under the Options section for this setting. Enter each rule on a new line as a name-value pair:
– Name column: Enter a valid ASR rule ID
– Value column: Enter the status ID that corresponds to the state you want to specify for the associated rule
The following status IDs are permitted under the value column:
– 1 (Block)
– 0 (Off)
– 2 (Audit)
Example:
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2
Disabled: No ASR rules will be configured.
Not configured: Same as Disabled.
You can exclude folders or files in the “Exclude files and paths from Attack Surface Reduction Rules” GP setting.

Exclude files and paths from Attack Surface Reduction Rules
Path: Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction
Exclude files and paths from Attack Surface Reduction (ASR) rules.
Enabled: Specify the folders or files and resources that should be excluded from ASR rules in the Options section. Enter each item on a new line as a name-value pair:
– Name column: Enter a folder path or a fully qualified resource name. For example, “C:\Windows” will exclude all files in that directory, while “C:\Windows\App.exe” will exclude only that specific file in that specific folder.
– Value column: Enter “0” for each item
Disabled: No exclusions will be applied to the ASR rules.
Not configured: Same as Disabled.
You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting.

Configure allowed applications
Path: Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access
Add additional applications that should be considered “trusted” by controlled folder access. These applications are allowed to modify or delete files in controlled folder access folders. Windows Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add additional applications.
Enabled: Specify additional allowed applications in the Options section.
Disabled: No additional applications will be added to the trusted list.
Not configured: Same as Disabled.
You can enable controlled folder access in the Configure controlled folder access GP setting. Default system folders are automatically guarded, but you can add folders in the Configure protected folders GP setting.

Configure protected folders
Path: Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access
Specify additional folders that should be guarded by the Controlled folder access feature. Files in these folders cannot be modified or deleted by untrusted applications. Default system folders are automatically protected. You can configure this setting to add additional folders. The list of default system folders that are protected is shown in the Windows Defender Security Center.
Enabled: Specify additional folders that should be protected in the Options section.
Disabled: No additional folders will be protected.
Not configured: Same as Disabled.
You can enable controlled folder access in the Configure controlled folder access GP setting. Windows Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting.

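An audit-first rollout of the Exploit Guard settings described above (network protection, controlled folder access with its allowed applications and protected folders, and the ASR rules and ASR exclusions) using the Defender cmdlets those GP settings correspond to, ending with the event-log query that shows what each feature would have blocked. This is an added example, not code from the original page; D:\Finance and the two Contoso paths are assumptions, and the two ASR rule GUIDs are Microsoft's published rule IDs rather than values from this page.

```powershell
# Added example (not from the original page): audit-mode rollout of the Exploit Guard
# features above via the Defender cmdlets that the GP settings map to, then the log
# query that shows what Block mode would have stopped. Run elevated on a test device.
# Assumptions: D:\Finance, C:\Program Files\Contoso\*.exe. The ASR GUIDs are
# Microsoft's published rule IDs (verify against the current ASR reference).

# ASR rules as name/value pairs, mirroring the GPO list (GPO value 1 = Block,
# 2 = Audit, 0 = Off; the cmdlet takes Enabled / AuditMode / Disabled).
$asrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'AuditMode'  # executable content from email client and webmail
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'AuditMode'  # Office applications creating child processes
}
Set-MpPreference -AttackSurfaceReductionRules_Ids @($asrRules.Keys) `
                 -AttackSurfaceReductionRules_Actions @($asrRules.Values)

# "Exclude files and paths from ASR rules": one resource per line, GPO value 0 each.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Contoso\LobTool.exe'

# Network protection: AuditMode records the domains that Block would have denied.
Set-MpPreference -EnableNetworkProtection AuditMode

# Controlled folder access: audit first, add a guarded folder and a trusted app.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\Backup.exe'

# Confirm the effective state (a GPO targeting the device overrides these values on
# its next refresh, so this is also how to see what policy actually delivered).
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions,
    AttackSurfaceReductionOnlyExclusions, EnableNetworkProtection, EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications

# Audit records land in the Defender operational log. Event IDs per Microsoft's
# Exploit Guard event reference: 1122 ASR audit (1121 block), 1124 controlled folder
# access audit (1123 block), 1125 network protection audit (1126 block).
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122, 1124, 1125 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Sort-Object TimeCreated -Descending | Select-Object -First 20
```

Once the audit events show no legitimate business activity being flagged, the same cmdlets (or the GPO values 1 and Block) switch each feature to enforcement.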
Hide the Virus and threat protection area
Path: Windows Components\Windows Defender Security Center\Virus and threat protection
Hide the Virus and threat protection area in the Windows Defender Security Center.
Enabled: The Virus and threat protection area will be hidden.
Disabled: The Virus and threat protection area will be shown.
Not configured: Same as Disabled.

Hide the Firewall and network protection area
Path: Windows Components\Windows Defender Security Center\Firewall and network protection
Hide the Firewall and network protection area in the Windows Defender Security Center.
Enabled: The Firewall and network protection area will be hidden.
Disabled: The Firewall and network protection area will be shown.
Not configured: Same as Disabled.

Hide the App and browser protection area
Path: Windows Components\Windows Defender Security Center\App and browser protection
Hide the App and browser protection area in the Windows Defender Security Center.
Enabled: The App and browser protection area will be hidden.
Disabled: The App and browser protection area will be shown.
Not configured: Same as Disabled.

Prevent users from modifying settings
Path: Windows Components\Windows Defender Security Center\App and browser protection
Prevent users from making changes to the Exploit protection settings area in the Windows Defender Security Center.
Enabled: Local users cannot make changes in the Exploit protection settings area.
Disabled: Local users are allowed to make changes in the Exploit protection settings area.
Not configured: Same as Disabled.

Hide the Device performance and health area
Path: Windows Components\Windows Defender Security Center\Device performance and health
Hide the Device performance and health area in the Windows Defender Security Center.
Enabled: The Device performance and health area will be hidden.
Disabled: The Device performance and health area will be shown.
Not configured: Same as Disabled.

Hide the Family options area
Path: Windows Components\Windows Defender Security Center\Family options
Hide the Family options area in the Windows Defender Security Center.
Enabled: The Family options area will be hidden.
Disabled: The Family options area will be shown.
Not configured: Same as Disabled.

Hide all notifications
Path: Windows Components\Windows Defender Security Center\Notifications
Hide notifications from the Windows Defender Security Center.
Enabled: Local users will not see notifications from the Windows Defender Security Center.
Disabled: Local users can see notifications from the Windows Defender Security Center.
Not configured: Same as Disabled.

Hide non-critical notifications
Path: Windows Components\Windows Defender Security Center\Notifications
Only show critical notifications from the Windows Defender Security Center. If the Hide all notifications GP setting has been enabled, this setting will have no effect.
Enabled: Local users will only see critical notifications from the Windows Defender Security Center. They will not see other types of notifications, such as regular PC or device health information.
Disabled: Local users will see all types of notifications from the Windows Defender Security Center.
Not configured: Same as Disabled.

Configure customized notifications
Path: Windows Components\Windows Defender Security Center\Enterprise Customization
Display specified contact information to local users in Windows Defender Security Center notifications.
Enabled: Your company contact information will be displayed in notifications that come from the Windows Defender Security Center. After setting this to Enabled, you must configure the Specify contact company name GP setting and at least one of the following GP settings:
– Specify contact phone number or Skype ID
– Specify contact email address or Email ID
– Specify contact website
Disabled: No contact information will be shown on notifications.
Not configured: Same as Disabled.

Configure customized contact information
Path: Windows Components\Windows Defender Security Center\Enterprise Customization
Display specified contact information to local users in a contact card flyout menu in the Windows Defender Security Center.
Enabled: Your company contact information will be displayed in a flyout menu in the Windows Defender Security Center. After setting this to Enabled, you must configure the Specify contact company name GP setting and at least one of the following GP settings:
– Specify contact phone number or Skype ID
– Specify contact email address or Email ID
– Specify contact website
Disabled: No contact information will be shown in the Windows Defender Security Center.
Not configured: Same as Disabled.

Specify contact company name
Path: Windows Components\Windows Defender Security Center\Enterprise Customization
Specify the company name that will be displayed in the Windows Defender Security Center and associated notifications. This setting must be enabled for any contact information to appear.
Enabled: Enter the company name in the Options section.
Disabled: Contact information will not be shown at all in either the Windows Defender Security Center or any notifications that it creates.
Not configured: Same as Disabled.

Specify contact phone number or Skype ID
Path: Windows Components\Windows Defender Security Center\Enterprise Customization
Specify the phone number or Skype ID that will be displayed in the Windows Defender Security Center and associated notifications. Users can click on the contact information to automatically call the supplied number. Skype will be used to initiate the call.
Enabled: Enter the phone number or Skype ID in the Options section.
Disabled: A contact phone number or Skype ID will not be shown in either the Windows Defender Security Center or any notifications it creates.
Not configured: Same as Disabled.

Specify contact email address or Email ID
Path: Windows Components\Windows Defender Security Center\Enterprise Customization
Specify the email address or email ID that will be displayed in the Windows Defender Security Center and associated notifications. Users can click on the contact information to create an email that will be sent to the specified address. The default email application will be used.
Enabled: Enter the email address or email ID in the Options section.
Disabled: A contact email address or email ID will not be shown in either the Windows Defender Security Center or any notifications it creates.
Not configured: Same as Disabled.

Specify contact website
Path: Windows Components\Windows Defender Security Center\Enterprise Customization
Specify the URL that will be displayed in the Windows Defender Security Center and associated notifications. Users can click on the contact information to open the specified site. The default web browser will be used.
Enabled: Enter the URL in the Options section.
Disabled: A contact website URL will not be shown in either the Windows Defender Security Center or any notifications it creates.
Not configured: Same as Disabled.

Manage preview builds
Path: Windows Components\Windows Update\Windows Update for Business
Selecting “Disable preview builds” will prevent preview builds from installing on the device. This will prevent users from opting into the Windows Insider Program through Settings -> Update and Security.
Selecting “Disable preview builds once next release is public” will prevent preview builds from installing once the next Windows release is public. This option is useful when your device is set up to install preview builds and you want to gracefully opt the device out of flighting. This option will provide preview builds until the device reaches the next public release.
Selecting “Enable preview builds” will enable preview build installation on the device. Users can download and install Windows preview builds on their devices by opting in through Settings -> Update and Security -> Windows Insider Program. Admins can also use other policies to manage flight settings on behalf of users when this value is set.