
Configure new GPO settings and Security baseline for Windows

Posted on 06/06/2021 | 21/08/2024 by Christian

A set of Group Policy configurations is called a Group Policy Object (GPO). Local Group Policy (LGPO or LocalGPO) is a version of Group Policy that allows Group Policy Object management without Active Directory on standalone computers. You can launch the Local Group Policy console locally via “gpedit.msc” or just by typing “gpedit”. In this guide, I will discuss how to configure the new GPO settings and the security baseline for Windows 10 21H1. Please see “What is Group Policy Object and how can it be launched in Windows”.

The new GPO settings are as follows:

  • “Show or hide the Most used list from the Start menu”
  • “Not allow sideloaded apps to auto-update in the background”
  • “Not allow sideloaded apps to auto-update in the background on a metered network”
  • “Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria”
  • “Do not allow location redirection”
  • “Specify source service for specific classes of Windows Updates”

Here is how to know what group policies are enabled or analyze GPO computers. Also, see Why use RSAT? How to Install RSAT on Windows 10, and Remote Server Administration Tools: To install RSAT on Windows Server.

Windows 10, version 21H1 is a client-only release. Windows Server, version 20H2 is the current Windows Server Semi-Annual Channel release and per our lifecycle policy is supported until May 10, 2022. This Windows 10 feature update brings very few new policy settings. At this point, no new 21H1 policy settings meet the criteria for inclusion in the security baseline. We are, however, refreshing the package to ensure the latest content is available to you. The refresh contains an updated administrative template for SecGuide.admx/adml that is released with the Microsoft 365 Apps for Enterprise baseline.

Show or hide the Most used list from the Start menu

Windows 10 has an option that lets you hide the apps list in the Start menu.

Computer Configuration > Administrative Templates > Start Menu and Taskbar.

Via Windows Settings

You can also use the Start settings page to hide the all apps list from the Start menu for a more compact and personal design, as shown in the image below.

To do this, open Settings and click on Personalisation. Then turn the “Show app list in the Start menu” toggle switch on or off.


If you enable this policy setting, you can configure the Start menu to show or hide the list of used apps. The Start menu will only display the tiles section henceforth. However, the menu will now include two buttons in the top-left corner to switch between all apps and pinned tiles sections.

Both the “Not allow sideloaded apps to auto-update in the background on a metered network” and the “Not allow sideloaded apps to auto-update in the background” settings can be accessed and configured under Computer Configuration > Administrative Templates > Windows Components:

Computer Configuration > Administrative Templates > Windows Components > App Package Deployment.

Disable auto-update for sideloaded apps

Below are the respective settings for “Not allow sideloaded apps to auto-update in the background on a metered network” and “Not allow sideloaded apps to auto-update in the background”.

Apply layered order of evaluation to Allow and Prevent device installation policies across all device match criteria:

When this policy setting is enabled, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:

  • Prevent installation of devices that match these device IDs
  • Prevent installation of devices that match any of these device instance IDs

If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
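
The precedence described above can be checked offline before a policy is deployed. The following PowerShell function is an added example, not code from the original post or from Microsoft; it goes beyond the text by using the full hierarchy from Microsoft's description of the setting. The function name, hashtable keys and device IDs are assumptions constructed for illustration.

```powershell
# Added example: an offline model of the decision, not Windows' own code.
# Hierarchy, most specific first (from Microsoft's description of the setting):
# device instance IDs > device IDs > device setup classes > removable devices.
function Test-DeviceInstallAllowed {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [hashtable] $Device,  # InstanceId, DeviceIds, ClassGuid, Removable
        [Parameter(Mandatory)] [hashtable] $Policy,  # Prevent*/Allow* lists, PreventRemovable
        [switch] $Layered                            # layered order of evaluation enabled?
    )
    # True when any hardware/compatible ID of the device is in $list.
    $idIn = { param($list) [bool]($Device.DeviceIds | Where-Object { $list -contains $_ }) }
    # Rules in hierarchy order; within one layer Prevent is evaluated before Allow.
    $rules = @(
        @{ Name = 'Prevent instance IDs';  Allow = $false; Hit = ($Policy.PreventInstanceIds -contains $Device.InstanceId) }
        @{ Name = 'Allow instance IDs';    Allow = $true;  Hit = ($Policy.AllowInstanceIds -contains $Device.InstanceId) }
        @{ Name = 'Prevent device IDs';    Allow = $false; Hit = (& $idIn $Policy.PreventDeviceIds) }
        @{ Name = 'Allow device IDs';      Allow = $true;  Hit = (& $idIn $Policy.AllowDeviceIds) }
        @{ Name = 'Prevent setup classes'; Allow = $false; Hit = ($Policy.PreventClasses -contains $Device.ClassGuid) }
        @{ Name = 'Allow setup classes';   Allow = $true;  Hit = ($Policy.AllowClasses -contains $Device.ClassGuid) }
        @{ Name = 'Prevent removable';     Allow = $false; Hit = [bool]($Policy.PreventRemovable -and $Device.Removable) }
    )
    $hits = @($rules | Where-Object { $_.Hit })
    if ($Layered) {
        $decider = $hits | Select-Object -First 1   # most specific matching rule wins
    } else {
        # Default evaluation: any matching Prevent policy takes precedence over Allow.
        $decider = @($hits | Where-Object { -not $_.Allow }) + $hits | Select-Object -First 1
    }
    # Assumption: a device that matches no rule is allowed (catch-all Prevent policy not modelled).
    if ($null -eq $decider) { return [pscustomobject]@{ Allowed = $true; DecidedBy = 'no matching policy' } }
    [pscustomobject]@{ Allowed = $decider.Allow; DecidedBy = $decider.Name }
}

# Constructed sample: block the disk-drive setup class, allow one approved USB drive by device ID.
$policy = @{
    PreventClasses = @('{4d36e967-e325-11ce-bfc1-08002be10318}')
    AllowDeviceIds = @('USBSTOR\DiskExampleVendor_Approved')     # constructed ID
}
$drive = @{
    InstanceId = 'USBSTOR\DiskExampleVendor_Approved\0001'       # constructed ID
    DeviceIds  = @('USBSTOR\DiskExampleVendor_Approved', 'USBSTOR\Disk')
    ClassGuid  = '{4d36e967-e325-11ce-bfc1-08002be10318}'
    Removable  = $true
}
Test-DeviceInstallAllowed -Device $drive -Policy $policy            # default evaluation
Test-DeviceInstallAllowed -Device $drive -Policy $policy -Layered   # layered evaluation
```

Comparing the two results for the same device shows why an allow list for a single approved device only takes effect over a broader Prevent policy when the layered setting is enabled.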

Both the “Do not allow location redirection” and the “Allow UI Automation redirection” settings can be found under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host:

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection

Do not allow location redirection

This policy setting lets you control the redirection of location data to the remote computer in a Remote Desktop Services session.

  • By default, Remote Desktop Services allows redirection of location data.
  • If you enable this policy setting, users cannot redirect their location data to the remote computer.
  • If you disable or do not configure this policy setting, users can redirect their location data to the remote computer.

Allow UI Automation redirection

This policy setting determines whether User Interface (UI) Automation client applications running on the local computer can access UI elements on the server.

UI Automation gives programs access to most UI elements, which lets you use assistive technology products like Magnifier and Narrator that need to interact with the UI to work correctly. UI information also allows automated test scripts to interact with the UI.

Security Baseline

Microsoft announced the final release of the Windows 10, version 21H1 (a.k.a. May 2021 Update) security baseline package, which can be downloaded from the Microsoft Security Compliance Toolkit. You can test the recommended configurations and customize/implement them as appropriate in your environment.

I hope you found this blog post on how to configure new GPO settings and the security baseline for Windows helpful. Please let me know in the comment section if you have any questions.
