Windows 10 2004: 17 new settings for group policies
Windows 10 2004 (20H1) introduces two new settings that enable the use of long passwords. Another new setting increases the security of LDAP authentication, and others relate to update management, store apps, FIDO authentication and East Asian characters.
- New password policies
- FIDO authentication
- No GPO settings for Edge and WSL 2
- Configuration of delivery optimization
- Settings for apps
- Defender Antivirus
- IME for East Asian languages
- Removed settings
If you count all of the settings in the ADMX files using PowerShell, you will see that their number has not increased but decreased, from 3,440 in Windows 10 1909 to 3,245 in the 2004 version. This mystery can be solved by checking the contents of the PolicyDefinitions directory. In Windows 10 2004, msedge.admx, which contained approximately 200 settings for the old Edge browser, is missing.
New password policies
The most interesting innovation is not in the administrative templates, but rather in the security policies. This new setting is called Relax minimum password length limits and it enables you to increase the minimum password length up to 128 characters, which previously was limited to 14 characters.
New settings increase the minimum length of passwords and enable you to monitor this action
This opens up the possibility of enforcing passphrases without using third-party tools. Passphrases are comprised of several words or entire sentences that users can remember more easily than single long passwords. Due to their length, passphrases are not as easy to crack as passwords by using brute force attacks, especially if they must also meet complexity requirements.
However, Microsoft points out that increasing the minimum password length can lead to compatibility problems. Therefore, Windows 10 2004 adds another setting called Minimum password length audit. It enables you to activate logging for events that occur due to the increased password length.
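Before raising the minimum length past 14 characters it helps to see all three pieces together: the effective minimum length and complexity flag from the local security policy, whether the relaxed limit is switched on, and whether the audit threshold is set. The following is an added example, not a script from the article; the registry value names under the SAM control key are assumptions about how the two new security policies are stored and should be verified against Microsoft's documentation. It must run elevated because secedit exports the local policy.

```powershell
# Added example (not from the article): summarize the password-length posture of
# the local machine. Registry value names are assumptions (see lead-in).
function Get-InfValue {
    param([string]$Path, [string]$Name)
    # INF lines look like: MinimumPasswordLength = 14
    $m = Select-String -Path $Path -Pattern ('^{0}\s*=\s*(\d+)' -f [regex]::Escape($Name))
    if ($m) { [int]$m.Matches[0].Groups[1].Value } else { $null }
}

function Get-PasswordLengthPolicy {
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit writes the effective local security policy as an INF file.
    secedit.exe /export /cfg $inf | Out-Null
    try {
        $minLen  = Get-InfValue -Path $inf -Name 'MinimumPasswordLength'
        $complex = Get-InfValue -Path $inf -Name 'PasswordComplexity'
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }

    # Assumed storage location of the two new security policies.
    $sam = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MinimumPasswordLength  = $minLen
        ComplexityRequired     = ($complex -eq 1)
        RelaxLengthLimits      = ($sam.RelaxMinimumPasswordLengthLimits -eq 1)
        MinimumLengthAudit     = $sam.MinimumPasswordLengthAudit   # $null when not configured
        # A minimum above 14 is only meaningful once the relaxed limit is enabled.
        PassphrasesEnforceable = ($minLen -gt 14 -and $sam.RelaxMinimumPasswordLengthLimits -eq 1)
    }
}

Get-PasswordLengthPolicy | Format-List
```

A sensible rollout order follows from the fields: enable the audit threshold first and watch the resulting events for a while, then enable the relaxed limit, and only then raise the minimum length, so that applications which cannot handle long passwords surface before users are forced to change them.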
FIDO authentication
Microsoft has supported FIDO2 with Windows Hello for some time as part of its efforts to eliminate passwords for logging on to Windows. A new setting, Turn on security key sign-in, now allows users to sign in with external security keys such as those from Yubico.
Setting to configure FIDO authentication
It can be found under Computer Configuration => Policies => Administrative Templates => System => Logon.
Regarding authentication, there is another new setting that previously could only be configured using a separate ADMX file. It can be found under Local Policies and is called Domain controller: LDAP server channel binding token requirements. An explanation is given in this Security Advisory.
No GPO settings for Edge and WSL 2
The previous version of Microsoft Edge is still included with Windows 10 2004, but the group policies that govern it have been removed. The browser will ask if you want to download Edge Chromium the first time you start it. The administrative templates of the new version are therefore not included in the latest release of Windows 10.
For browser management, Windows 10 2004 introduces a setting for Internet Explorer called Configure which channel of Microsoft Edge to use for opening redirected sites. It was originally not available in 1909, but has been added via an update after Edge Chromium was released.
When redirecting pages from Internet Explorer to Edge, you can specify the version of the target browser
It is used to determine the version of Edge used when redirecting certain pages from IE to the new browser (e.g., using the option Send all websites that are not included in the Enterprise Mode Site List to Microsoft Edge). It is available under Computer Configuration and User Configuration.
For the biggest single innovation of the operating system, the largely rebuilt subsystem for Linux (WSL 2), Microsoft relies on a configuration file in text format (.wslconfig), as it does with Sandbox. Accordingly, there are no group policies for this.
Configuration of delivery optimization
Some improvements have been made to Delivery Optimization, a cache mechanism of Windows Update for Business (WUfB). In particular, admins can now specify absolute values for the maximum bandwidth available for downloading updates.
The group policies split this option into two settings, for downloading in the foreground and the background. You can find them under Computer Configuration => Policies => Administrative Templates => Windows Components => Delivery Optimization.
Setting the maximum bandwidth for downloading updates
Another new setting, Cache Server Hostname Source, is used to assign a cache host to the clients via DHCP (option 235). A value of 2 is used to force this assignment, even if it has already been specified by the GPO setting Cache Server Hostname.
Setting to assign the cache host via DHCP
WUfB also has a new option, Select the target Feature Update version, that limits the search for feature updates to a specific version.
The scan for feature updates can be limited to certain releases
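The Delivery Optimization and WUfB settings described in this section all end up as registry values under the respective policy keys, and the DHCP half of the cache-host assignment has to be configured on the DHCP server. The script below is an added example and not part of the article: it reads the client-side values and, separately, defines and sets DHCP option 235 on a scope. The registry value names, the meaning of the Cache Server Hostname Source values 1 and 2, and the scope ID and host name are assumptions; option number 235 is from the article. The DHCP part needs the DhcpServer module on a Windows DHCP server.

```powershell
# Added example (not from the article): inspect the client-side Delivery Optimization
# and WUfB policy values, and publish the cache host via DHCP option 235.
# Registry value names and the sample scope/host are assumptions.
$doKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-DeliveryOptimizationPolicy {
    $do = Get-ItemProperty -Path $doKey -ErrorAction SilentlyContinue
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue

    # Assumed mapping of the Cache Server Hostname Source values:
    # 1 = take the host from DHCP option 235 unless a GPO cache host is set,
    # 2 = take it from DHCP option 235 even if a GPO cache host is set (force).
    $source = switch ($do.DOCacheHostSource) {
        1       { 'DHCP option 235 (GPO Cache Server Hostname wins if set)' }
        2       { 'DHCP option 235 (forced, overrides GPO Cache Server Hostname)' }
        default { 'Not configured' }
    }

    [pscustomobject]@{
        ForegroundDownloadKBps = $do.DOMaxForegroundDownloadBandwidth   # absolute cap
        BackgroundDownloadKBps = $do.DOMaxBackgroundDownloadBandwidth   # absolute cap
        CacheHostFromGpo       = $do.DOCacheHost
        CacheHostSource        = $source
        TargetFeatureUpdate    = $wu.TargetReleaseVersionInfo          # e.g. '2004' when pinned
    }
}

function Set-DoCacheHostDhcpOption {
    # Runs on the DHCP server. ScopeId and CacheHost are constructed placeholders.
    param(
        [string]$ScopeId   = '192.0.2.0',
        [string]$CacheHost = 'do-cache.example.internal'
    )
    # Option 235 is not predefined on a Windows DHCP server; define it once as a string.
    if (-not (Get-DhcpServerv4OptionDefinition -OptionId 235 -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4OptionDefinition -OptionId 235 -Name 'DOCacheHost' -Type String `
            -Description 'Delivery Optimization cache host'
    }
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 235 -Value $CacheHost
}

Get-DeliveryOptimizationPolicy | Format-List
```

Run Get-DeliveryOptimizationPolicy on a client after a gpupdate to confirm which cache host source is in effect; when the source is 2, a stale GPO value for Cache Server Hostname is harmless, but when it is 1 that GPO value silently takes precedence over what DHCP hands out.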
Settings for apps
Three new settings control the installation and use of (certain) apps:
- Prevent non-admin users from installing packaged Windows apps: This setting only affects the sideloading of apps, but not installation via the store, which needs to be restricted separately.
- Let Windows apps access user movements while running in the background: This privacy setting determines whether Windows apps are allowed to capture the movement of the user’s head, hands or motion controllers.
- Allow Graphing Calculator: This setting relates to the new calculator, which is available as a store app, and can be deactivated.
New setting for apps to protect privacy
Defender Antivirus
If you activate the Enable file hash computation feature setting, the virus scanner will create a hash for executable files. This setting is disabled by default.
Setting to configure Defender Antivirus to compute file hashes
You will note that the Enable file hash computation feature setting affects the performance of the entire system, but this only occurs during the first check. This setting is primarily useful in conjunction with Defender ATP, so you probably will not activate it if you have not booked this service.
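The same switch is exposed through the Defender PowerShell module, which is handy for checking whether the group policy has actually arrived and for enabling it on a pilot group before committing to the first-scan cost. This is an added example, not from the article; the -EnableFileHashComputation parameter of Set-MpPreference is real, while the policy registry path used to detect a GPO-enforced value is an assumption.

```powershell
# Added example (not from the article): report and optionally enable Defender's
# file hash computation. The policy registry path below is an assumption.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'

function Get-DefenderFileHashState {
    $pref   = Get-MpPreference
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Effective        = [bool]$pref.EnableFileHashComputation
        # When a GPO sets the value, local Set-MpPreference changes are overridden.
        EnforcedByPolicy = ($null -ne $policy.EnableFileHashComputation)
    }
}

function Enable-DefenderFileHashComputation {
    $state = Get-DefenderFileHashState
    if ($state.EnforcedByPolicy) {
        Write-Warning 'Value is enforced by group policy; change it in the GPO instead.'
        return $state
    }
    # Expect a one-time performance hit on the next full scan while hashes are built.
    Set-MpPreference -EnableFileHashComputation $true
    Get-DefenderFileHashState
}

Get-DefenderFileHashState
```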
IME for East Asian languages
Three new settings determine whether users can control the version of the Input Method Editor (IME) used for Japanese, Simplified, or Traditional Chinese. The IME is used to enter complex characters. The newest Microsoft IME is enabled by default.
You can find them under User Configuration => Policies => Administrative Templates => Windows Components => IME.
Removed settings
In Windows 10 2004, Microsoft not only added 17 new settings, but also removed five old ones. Three of them relate to delivery optimization, as two new settings for foreground and background downloads have been introduced for bandwidth control. As a result, the following settings have been removed:
- Maximum Upload Bandwidth (in KB/s)
- Maximum Download Bandwidth (in KB/s)
- Maximum Download Bandwidth (percentage)
Two settings for Application Guard will also be phased out:
- Allow users to trust files that open in Windows Defender Application Guard
- Configure additional sources for untrusted files in Windows Defender Application Guard
The basic problem with the deleted settings is that they cannot be configured in existing GPOs once you use the new ADMX templates.
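Because the removed settings become invisible in the editor once the new templates are in the central store, it pays to inventory which GPOs still set them before switching templates, so they can be migrated to the foreground/background settings while they are still editable. The script below is an added example and not from the article; it needs the GroupPolicy module from RSAT, and the three registry value names are assumptions about how the removed Delivery Optimization policies are stored under the DeliveryOptimization policy key.

```powershell
# Added example (not from the article): find GPOs that still carry the three
# Delivery Optimization bandwidth settings removed in Windows 10 2004.
# Registry value names are assumptions; requires the GroupPolicy (RSAT) module.
Import-Module GroupPolicy

$doKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$removedValues = @{
    DOMaxUploadBandwidth             = 'Maximum Upload Bandwidth (in KB/s)'
    DOMaxDownloadBandwidth           = 'Maximum Download Bandwidth (in KB/s)'
    DOPercentageMaxDownloadBandwidth = 'Maximum Download Bandwidth (percentage)'
}

function Find-RemovedDeliveryOptimizationSettings {
    foreach ($gpo in Get-GPO -All) {
        # Get-GPRegistryValue throws when the key is absent from the GPO; treat that as "not set".
        $values = Get-GPRegistryValue -Guid $gpo.Id -Key $doKey -ErrorAction SilentlyContinue
        foreach ($v in $values) {
            if ($removedValues.ContainsKey($v.ValueName)) {
                [pscustomobject]@{
                    GPO        = $gpo.DisplayName
                    ValueName  = $v.ValueName
                    Value      = $v.Value
                    OldSetting = $removedValues[$v.ValueName]
                }
            }
        }
    }
}

Find-RemovedDeliveryOptimizationSettings | Sort-Object GPO | Format-Table -AutoSize
```

The values themselves remain in the GPO after the template switch and are still applied to clients that understand them; the inventory matters because you can no longer see or change them through the editor, which is the problem the paragraph above describes.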