
How to configure the new GPO settings and Security baseline available for Windows 10 21H1


A set of Group Policy configurations is called a Group Policy Object (GPO). Local Group Policy (LGPO or LocalGPO) is a version of Group Policy that allows Group Policy Object management on standalone computers without Active Directory. The Local Group Policy console can be launched locally by running “gpedit.msc”, or just by typing “gpedit”. In this guide, I will be discussing some new group policies that are being added to Windows 10 21H1. They are as follows:
– Show or hide the Most used list from Start menu
– Not allow sideloaded apps to auto-update in the background
– Not allow sideloaded apps to auto-update in the background on a metered network
– Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria
– Do not allow location redirection
– Specify source service for specific classes of Windows Updates

For other articles I have written on GPO, see the following link. See also these guides: how to find out which group policies are enabled or analyze GPO on computers; Why use RSAT? How to Install RSAT on Windows 10; Remote Server Administration Tools: To install RSAT on Windows Server; and What is Group Policy Object and how can it be launched in Windows.

Windows 10, version 21H1 is a client-only release. Windows Server, version 20H2 is the current Windows Server Semi-Annual Channel release and, per Microsoft's lifecycle policy, is supported until May 10, 2022. This Windows 10 feature update brings very few new policy settings. At this point, no new 21H1 policy settings meet the criteria for inclusion in the security baseline. The package is, however, being refreshed to ensure the latest content is available to you. The refresh contains an updated administrative template for SecGuide.admx/adml, which is released with the Microsoft 365 Apps for Enterprise baseline. Also, Microsoft's CEO has announced new changes that will be introduced in Windows 10. Here is a link for more information.

Show or hide the Most used list from Start menu: Windows 10 has an option that lets you hide the apps list in the Start menu. This policy can be found in the following location.

Computer Configuration > Administrative Templates > Start Menu and Taskbar.

Via Windows Settings: You can also use the Start settings page to hide the all apps list from the Start menu for a more compact and personal design, as shown in the image below. To do this, follow these steps:
– Open Settings, and click on Personalisation.
– Turn on or off the “Show app list in Start menu” toggle switch.

If you enable this policy setting, you can configure the Start menu to show or hide the list of used apps. The Start menu will only display the tiles section henceforth. However, the menu will now include two buttons in the top-left corner to switch between all apps and pinned tiles sections.

Both “Not allow sideloaded apps to auto-update in the background on a metered network” and “Not allow sideloaded apps to auto-update in the background” can be accessed and configured under Computer Configuration > Administrative Templates > Windows Components.

Computer Configuration > Administrative Templates > Windows Components > App Package Deployment.

Below are the respective settings for “Not allow sideloaded apps to auto-update in the background on a metered network” and “Not allow sideloaded apps to auto-update in the background”.

Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria: When this policy setting is enabled, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:
– Prevent installation of devices that match these device IDs
– Prevent installation of devices that match any of these device instance IDs

If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
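The precedence described above can be checked with a small model. This is an added example, not code from the original post or from Windows: the function names and sample IDs are hypothetical, and it goes beyond the two Prevent settings listed above by including the full layer order (device instance IDs, device IDs, device setup class, removable devices) that Microsoft documents for this setting.

```python
# Simplified model of device-installation policy evaluation (added example,
# not Windows code). Layer order, most specific first, follows Microsoft's
# documentation for the layered-evaluation policy setting.
LAYERS = ("instance_id", "device_id", "setup_class", "removable")


def matches(device, layer, entries):
    """True if the device matches a policy list configured for this layer."""
    if layer == "removable":  # on/off policy rather than a list of IDs
        return bool(entries) and device.get("removable", False)
    if layer == "device_id":  # hardware IDs and compatible IDs both count
        return any(i in entries for i in device.get("ids", ()))
    return device.get(layer) in entries


def decide(device, policy, layered):
    """Return 'allow' or 'prevent' for one device under the policy lists."""
    prevent, allow = policy.get("prevent", {}), policy.get("allow", {})
    if not layered:
        # Default evaluation: any matching Prevent setting takes precedence.
        blocked = any(matches(device, l, prevent.get(l, ())) for l in LAYERS)
        return "prevent" if blocked else "allow"
    # Layered evaluation: walk from most to least specific layer; inside a
    # layer Prevent is checked before Allow, and the first match decides.
    for layer in LAYERS:
        if matches(device, layer, prevent.get(layer, ())):
            return "prevent"
        if matches(device, layer, allow.get(layer, ())):
            return "allow"
    return "allow"  # assumption: no policy blocks devices left undescribed


# Constructed sample data: placeholder IDs, not real hardware.
CLASS = "{SETUP-CLASS-GUID-PLACEHOLDER}"
POLICY = {"prevent": {"setup_class": {CLASS}},
          "allow": {"device_id": {r"USB\VID_0000&PID_0001"}}}
APPROVED = {"instance_id": r"USB\VID_0000&PID_0001\SN-A",
            "ids": [r"USB\VID_0000&PID_0001"], "setup_class": CLASS}
OTHER = {"instance_id": r"USB\VID_0000&PID_0002\SN-B",
         "ids": [r"USB\VID_0000&PID_0002"], "setup_class": CLASS}

if __name__ == "__main__":
    for name, dev in (("approved", APPROVED), ("other", OTHER)):
        for layered in (True, False):
            print(name, "layered" if layered else "default",
                  decide(dev, POLICY, layered))
```

With the layered setting on, the allow-listed hardware ID is installable even though its whole setup class is blocked; with it off, the class-level Prevent entry blocks the same device.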

Both “Do not allow location redirection” and “Allow UI Automation redirection” can be found under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host, in the following location.

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection

Do not allow location redirection: This policy setting lets you control the redirection of location data to the remote computer in a Remote Desktop Services session.
– By default, Remote Desktop Services allows redirection of location data.
– If you enable this policy setting, users cannot redirect their location data to the remote computer.
– If you disable or do not configure this policy setting, users can redirect their location data to the remote computer.

Allow UI Automation redirection: This policy setting determines whether User Interface (UI) Automation client applications running on the local computer can access UI elements on the server. UI Automation gives programs access to most UI elements, which lets you use assistive technology products like Magnifier and Narrator that need to interact with the UI in order to work properly. UI information also allows automated test scripts to interact with the UI.

Security Baseline: Microsoft announced the final release of the Windows 10, version 21H1 (a.k.a. May 2021 Update) security baseline package, which can be downloaded from the Microsoft Security Compliance Toolkit. You are free to test the recommended configurations and customize/implement them as appropriate in your environment.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
