Fotolia

Tip

12 Windows 10 GPO settings IT must know

Group Policy Objects in Windows 10 are powerful. IT can use them to turn off the Windows Store app, reshape the Start menu, change how users log in and more.

Microsoft provides an extensive set of Group Policy Objects for managing Windows 10 computers. Only a handful -- 12 to be exact -- are specific to Windows 10 Enterprise.

Even so, those 12 Windows 10 GPOs can go a long way in IT's quest to control users' desktops. The group policies allow IT to enable Windows Spotlight, prevent the lock screen from displaying, manage the Start layout and more.

The administrative template files (ADMX), which are where the group policies live, are made up of structured Extensible Markup Language (XML) that provides a language-neutral reference to each policy. The files work in conjunction with language-specific resource files (ADML) that provide the actual display name and help descriptions for those policies.

A quick introduction to the ADMX file

Each ADMX file includes a set of related policies that corresponds to a policy path within the Group Policy structure. For example, the CloudContent.admx file includes the policy Configure Windows spotlight on lock screen. If IT pros use the Group Policy Editor on a Windows 10 machine to view the local group policies, they would find the policy at the following path:

User Configuration > Administrative Templates > Windows Components > Cloud Content

User Configuration indicates the scope of the policy, which, in this case, is User. If the scope were Machine, the first element would read Computer Configuration. A policy can be available at the User scope, Machine scope or both.

Windows 10 GPOs can go a long way in IT's quest to control users' desktops.

Administrative Templates is common to all policies in the ADMX files. As a result of this structure, the Computer Configuration node and the User Configuration node are both in the Group Policy Editor, with each node containing the Administrative Templates subnode.

The remaining elements in the policy path are specific to the policies within a particular ADMX file. In this case, the elements Windows Components > Cloud Content correspond to the CloudContent.admx file, which includes the Configure Windows spotlight on lock screen policy, along with other policies.

Each policy has a friendly display name and a formal reference name. Configure Windows spotlight on lock screen is the display name in this example. The reference name is ConfigureWindowsSpotlight. The ADMX and ADML files use the reference names to sync with one another. The display name appears only in the applicable ADML file and is the name that shows up within the local Group Policy Editor in Windows.

Test your knowledge about Windows 10 performance concerns

When it comes to Windows 10 performance issues, there is a lot to cover. Use this quiz to refresh your knowledge on the top problems and how to solve them.

The following sections provide an overview of the Windows 10 Enterprise Group Policy that is specific to that version of the OS based on their ADMX files.

CloudContent.admx template file

Policy path: [scope] > Administrative Templates > Windows Components > Cloud Content

The CloudContent.admx file contains several policies related primarily to Windows Spotlight, an option for displaying different background images on the lock screen and for automatically displaying suggestions about Windows 10 features. A few of them are Windows 10 GPOs exclusively.

Configure Windows spotlight on lock screen
Reference name: ConfigureWindowsSpotlight
Scope: User

Implements Windows Spotlight on the lock screen and prevents users from modifying the lock screen. IT can also set up the lock screen to display internal communications.

Turn off all Windows Spotlight features
Reference name: DisableWindowsSpotlightFeatures
Scope: User

Turns off Windows Spotlight on the lock screen. It also turns off Microsoft consumer features, Windows tips and other related features.

Turn off Microsoft consumer experiences
Reference name: DisableWindowsConsumerFeatures
Scope: Machine

Prevents users from receiving notifications about their Microsoft accounts or personalized recommendations from Microsoft.

Do not show Windows Tips
Reference name: DisableSoftLanding
Scope: Machine

Prevents users from receiving Windows tips, which are contextual pop-up messages explaining how to use Windows.

ControlPanelDisplay.admx template file

Policy path: [scope] > Administrative Templates > Control Panel > Personalization

The ControlPanelDisplay.admx file contains a number of policies for managing personalization settings on the desktop.

Do not display the lock screen
Reference name: CPL_Personalization_NoLockScreen
Scope: Machine

Allows users to see their selected tiles after locking their PCs, rather than seeing the lock screen. This policy only applies to users who do not have to press CTRL+ALT+DEL when they log on.

Force a specific default lock screen and logon image
Reference name: CPL_Personalization_ForceDefaultLockScreen
Scope: Machine

IT can specify the default image users see on their lock and logon screens. When configuring this policy, IT must provide the fully qualified path and file name for the image.

Logon.admx template file

Policy path: [scope] > Administrative Templates > System > Logon

The Logon.admx file contains a number of policies specific to users starting up and logging onto their systems. Although none of these are Windows 10 GPOs only, there is an important issue IT should be aware of related to the policy Turn off app notifications on the lock screen.

If IT enables this policy and also enables the local security policy Do not require CTRL+ALT+DEL -- in the Windows Settings node -- Windows automatically disables lock screen apps. As a result, IT cannot configure assigned access on the device, which limits users to interacting with only one application, something IT might want to do when setting up a device in kiosk mode.

Turn off app notifications on the lock screen
Reference name: DisableLockScreenAppNotifications
Scope: Machine

Prevents applications from appearing on the lock screen. Otherwise, users can choose which notifications appear on the lock screen.

Do not require CTRL+ALT+DEL
Policy path: Computer Configuration > Windows Settings > Local Policies > Security Options
Scope: Machine

The policy is not part of the Logon.admx template file. That said, if IT enables it, the user is not required to press CTRL+ALT+DEL when logging on. This policy is disabled by default on domain-controlled computers.

Search.admx template file

Policy path: [scope] > Administrative Templates > Windows Components > Search

The policies in the Search.admx file let IT control search-related features on users' desktops.

Don't search the web or display web results
Reference name: DoNotUseWebResults
Scope: Machine

Prevents Search from querying the web and prevents Search from displaying web results.

StartMenu.admx template file

Policy path: [scope] > Administrative Templates > Start Menu and Taskbar

The StartMenu.admx file includes a wide range of policies related to the Start menu, only one of which applies exclusively to Windows 10 Enterprise.

Start layout
Reference name: LockedStartLayout
Scope: User and Machine

IT can specify the Start layout for managed devices and prevent users from modifying the Start configuration. IT must first generate the XML files necessary to store the Start layout configuration.

WindowsStore.admx template file

Policy path: [scope] > Administrative Templates > Windows Components > Store

The WindowsStore.admx file includes several policies related to the Windows Store application and application updates.

Turn off the Store application
Reference name: RemoveWindowsStore
Scope: User and Machine

Prevents users from accessing the Windows Store application. Access to the Windows Store application is required to install application updates.

Only display the private store within the Windows Store app
Reference name: RequirePrivateStoreOnly
Scope: User and Machine

This policy prevents users from viewing the retail catalog in the Windows Store app. It does not affect users' ability to view apps in a private store.

Next Steps

A look at new Group Policy settings in Windows 10

How to use Group Policy to alter the Windows 10 UI

Explore the Group Policy Object Editor

Dig Deeper on Windows OS and management

Virtual Desktop
SearchWindowsServer
Close