Based on my results, the following Group Policy settings were added in Windows 10 version 1903 (Insider build 18341), or modified to an extent that warrants listing them here:
Note: An Excel spreadsheet containing policy descriptions, registry paths and possible settings (where applicable) is attached to this post. Please keep in mind that the text-based analysis is somewhat error-prone, so take the information below with a grain of salt.
| ADMX File | Parent Category | Policy | Class |
|---|---|---|---|
| AppPrivacy.admx | App Privacy | Let Windows apps activate with voice | Machine |
| AppPrivacy.admx | App Privacy | Let Windows apps activate with voice while the system is locked | Machine |
| CredUI.admx | Credential User Interface | Prevent the use of security questions for local accounts | Machine |
| DataCollection.admx | | Allow commercial data pipeline | Machine |
| DeliveryOptimization.admx | Delivery Optimization | Delay Background download Cache Server fallback (in seconds) | Machine |
| DeliveryOptimization.admx | Delivery Optimization | Delay Foreground download Cache Server fallback (in seconds) | Machine |
| MDM.admx | MDM | Enable automatic MDM enrollment using default Azure AD credentials | Machine |
| MSDT.admx | Microsoft Support Diagnostic Tool | Troubleshooting: Allow users to access recommended troubleshooting for known problems | Machine |
| ServiceControlManager.admx | Security Settings | Enable svchost.exe mitigation options | Machine |
| StorageSense.admx | Storage Sense | Allow Storage Sense | Machine |
| StorageSense.admx | Storage Sense | Configure Storage Sense cadence | Machine |
| StorageSense.admx | Storage Sense | Allow Storage Sense Temporary Files cleanup | Machine |
| StorageSense.admx | Storage Sense | Configure Storage Sense Recycle Bin cleanup threshold | Machine |
| StorageSense.admx | Storage Sense | | Machine |
| StorageSense.admx | Storage Sense | Configure Storage Sense Cloud Content dehydration threshold | Machine |
| TerminalServer.admx | Remote Session Environment | Use WDDM graphics display driver for Remote Desktop Connections | Machine |
| WindowsUpdate.admx | Windows Update | Specify deadlines for automatic updates and restarts | Machine |
| WindowsUpdate.admx | Windows Update | Specify deadlines for automatic updates and restarts | Machine |
| WinLogon.admx | Windows Logon Options | Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot | Machine |
In terms of new features, there isn't anything fancy to be excited about in the Windows 10 19H1 Update, as Microsoft's primary focus appears to be improving overall OS quality and simplifying and aligning Windows servicing terminology with Office, rather than implementing new features so meaningless that they could literally make your brain hurt.
Notable changes are:
Privacy:
- You can now configure whether employees in your organization can activate Windows apps by voice. This policy is applied to Windows apps and Cortana.
- You can now control whether users can interact with applications using speech while the system is locked. This policy is applied to Windows apps and Cortana.
- You can now decide whether data collected from the device will be opted into the Windows enterprise data pipeline.
Note: If you don't configure this setting, all data from the device will be collected and processed in accordance with Microsoft's policies for the Windows standard data pipeline. Configuring this setting does not change the telemetry collection level or the ability of the user to change the level. This setting only applies to the Windows operating system and apps included with Windows, not third-party apps or services running on Windows 10.
Security:
- You can now configure whether local users are able to set up and use security questions to reset their passwords.
- You can now enable stricter svchost.exe mitigation options, meaning that built-in system services hosted in svchost.exe processes will have stricter security policies enforced on them. This includes a policy requiring all binaries loaded into these processes to be signed by Microsoft, as well as a policy disallowing dynamically generated code.
Deployment:
- You can now specify whether to automatically enroll the device to the Mobile Device Management (MDM) service configured in Azure Active Directory (Azure AD). If the enrollment is successful, the device will be managed by the MDM service.
- The Windows 10 April 2019 Update setup process offers some significant improvements when it comes to helping users in your organization resolve the problems it finds. The corresponding Group Policy setting allows you to configure whether and how recommended troubleshooting for known problems is applied on devices in your domains/IT environments.
Note: Not configuring this policy setting allows the user to configure if and how recommended troubleshooting is applied.
Windows Update:
- You can now specify the number of days that a user has before quality and feature updates are installed on their devices automatically, and a grace period after which required restarts occur automatically.
Note: Updates and restarts will occur regardless of active hours, and the user will not be able to reschedule. Deadlines for feature updates and quality updates can be up to 30 days. The auto-restart grace period can be from 0 to 7 days.
- It is worth noting that beginning with Windows 10, version 1903, the following Windows readiness levels have been deprecated and are only applicable to 1809 and below: SAC & SAC-T.
Misc:
- Starting with Windows 10, version 1903, Microsoft introduces several Storage Sense Group Policy settings designed to keep the storage of employees in your organization optimized, allowing you to configure the default behavior and thus negating the need for your end users to configure it themselves.
- You can now configure whether Remote Desktop Connections will use the WDDM graphics display driver.
- As Microsoft is making continuous improvements in every update, you can now configure the mode of automatically signing in and locking the last interactive user after a restart or cold boot.
Note: If you disable or don't configure this setting, automatic sign-on will default to the "Enabled if BitLocker is on and not suspended" behavior.
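To turn the Privacy, Security and Windows Update settings above into something you can verify on a machine, here is a small PowerShell audit script. It is an added example, not part of the original post or of the attached spreadsheet: it reads the registry values these policies write and flags anything unconfigured or outside the documented ranges (0 to 30 days for deadlines, 0 to 7 days for the grace period). The registry paths and value names are taken from the corresponding ADMX files as I know them, not from this post, so treat them as assumptions and cross-check them against the spreadsheet before relying on the output.

```powershell
# Added example (not from the original post): audit the registry values behind several of the
# 1903 policies discussed above and flag unconfigured or out-of-range settings.
# ASSUMPTION: paths/value names below come from the ADMX files as I recall them; verify them
# against the attached spreadsheet. Run in an elevated session so HKLM policy keys are readable.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'

# Each check: registry path, value name, a human-readable label, and a validator script block that
# returns $true when the configured value is the hardened / expected one.
$Checks = @(
    @{ Path = "$PolicyRoot\AppPrivacy";     Name = 'LetAppsActivateWithVoiceAboveLock'; Label = 'Voice activation above lock (2 = force deny)';   Test = { param($v) $v -eq 2 } }
    @{ Path = "$PolicyRoot\System";         Name = 'NoLocalPasswordResetQuestions';     Label = 'Security questions for local accounts blocked'; Test = { param($v) $v -eq 1 } }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SCMConfig'; Name = 'EnableSvchostMitigationPolicy'; Label = 'svchost.exe mitigation options enabled'; Test = { param($v) $v -eq 1 } }
    @{ Path = "$PolicyRoot\DataCollection"; Name = 'AllowCommercialDataPipeline';       Label = 'Commercial data pipeline explicitly configured'; Test = { param($v) $v -in @(0, 1) } }
    @{ Path = "$PolicyRoot\WindowsUpdate";  Name = 'ConfigureDeadlineForQualityUpdates'; Label = 'Quality update deadline (days, 0-30)';         Test = { param($v) $v -ge 0 -and $v -le 30 } }
    @{ Path = "$PolicyRoot\WindowsUpdate";  Name = 'ConfigureDeadlineForFeatureUpdates'; Label = 'Feature update deadline (days, 0-30)';         Test = { param($v) $v -ge 0 -and $v -le 30 } }
    @{ Path = "$PolicyRoot\WindowsUpdate";  Name = 'ConfigureDeadlineGracePeriod';       Label = 'Auto-restart grace period (days, 0-7)';        Test = { param($v) $v -ge 0 -and $v -le 7 } }
)

function Test-PolicyBaseline {
    [CmdletBinding()]
    param([hashtable[]]$Definitions = $Checks)

    foreach ($c in $Definitions) {
        # Get-ItemProperty returns $null (no exception) when the key or value is absent,
        # which is exactly the "Not Configured" case a policy audit needs to surface.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $value = $null
            $state = 'NotConfigured'
        } else {
            $value = $item.($c.Name)
            $state = if (& $c.Test $value) { 'OK' } else { 'Review' }
        }
        [pscustomobject]@{
            Setting = $c.Label
            Value   = $value
            State   = $state
            Source  = "$($c.Path)\$($c.Name)"
        }
    }
}

# Usage: print the report; anything other than OK deserves a look.
Test-PolicyBaseline | Format-Table -AutoSize
```

A "NotConfigured" result for the data pipeline or deadline settings is not necessarily wrong (the post explains the defaults that apply), but for the security-questions and svchost mitigation rows it means the hardening described above is simply not in effect on that machine.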
Additionally, Microsoft added a bunch of Delivery Optimization configuration settings allowing you to restrict peer selection to the AAD Tenant ID, as well as to delay the fallback from the Cache Server to the HTTP source for background (or foreground) content downloads by X seconds.
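Coming back to the svchost.exe mitigation option from the Security section above: the policy value in the registry only tells you what was asked for, not what the running services actually got. The following added PowerShell snippet (mine, not from the original post) uses the ProcessMitigations module's Get-ProcessMitigation cmdlet against each running svchost.exe to see whether the two mitigations the post describes, Microsoft-signed-only image loading and blocked dynamic code, are live. It assumes Get-ProcessMitigation -Id reports the runtime state through the BinarySignaturePolicy and DynamicCode properties, and it needs an elevated session.

```powershell
# Added example (not from the original post): report the live mitigation state of every
# svchost.exe instance so the effect of "Enable svchost.exe mitigation options" can be checked.
# ASSUMPTION: Get-ProcessMitigation -Id (ProcessMitigations module) exposes
# .BinarySignaturePolicy.MicrosoftSignedOnly and .DynamicCode.BlockDynamicCode. Run elevated.

function Get-SvchostMitigationReport {
    [CmdletBinding()]
    param()

    foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        try {
            $m = Get-ProcessMitigation -Id $proc.Id -ErrorAction Stop
            [pscustomobject]@{
                Pid                 = $proc.Id
                MicrosoftSignedOnly = [string]$m.BinarySignaturePolicy.MicrosoftSignedOnly
                BlockDynamicCode    = [string]$m.DynamicCode.BlockDynamicCode
            }
        } catch {
            # Some protected service hosts refuse the query; record that rather than aborting,
            # so the report still covers every PID.
            [pscustomobject]@{
                Pid                 = $proc.Id
                MicrosoftSignedOnly = 'QueryFailed'
                BlockDynamicCode    = 'QueryFailed'
            }
        }
    }
}

# Usage: full table first, then a one-line summary. @() keeps .Count valid for a single result.
$report = @(Get-SvchostMitigationReport)
$report | Format-Table -AutoSize

$notHardened = @($report | Where-Object {
    $_.MicrosoftSignedOnly -ne 'ON' -or $_.BlockDynamicCode -ne 'ON'
})
'{0} of {1} svchost.exe processes report both mitigations ON' -f ($report.Count - $notHardened.Count), $report.Count
```

Because the setting is applied when services start, run this after the policy has been delivered and the machine rebooted; a process still reporting OFF at that point is the one to investigate, and the QueryFailed rows tell you where the check itself lacked privilege rather than where the mitigation is missing.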
As a side note, BitLocker will use software-based encryption irrespective of hardware-based encryption availability for fixed and removable data drives. Previously, BitLocker Drive Encryption used hardware-based encryption with the encryption algorithm set for the drive by default.
And finally, Remote Desktop licensing now supports the AAD Per User licensing mode, which requires that each user account connecting to an RD Session Host server has a service plan that supports RDS licenses assigned in AAD.