Microsoft provides an extensive set of Group Policy Objects for managing Windows 10 computers. Only a handful -- 12 to be exact -- are specific to Windows 10 Enterprise.
Even so, those 12 Windows 10 GPOs can go a long way in IT's quest to control users' desktops. The group policies allow IT to enable Windows Spotlight, prevent the lock screen from displaying, manage the Start layout and more.
The administrative template files (ADMX), which are where the group policies live, are made up of structured Extensible Markup Language (XML) that provides a language-neutral reference to each policy. The files work in conjunction with language-specific resource files (ADML) that provide the actual display name and help descriptions for those policies.
A quick introduction to the ADMX file
Each ADMX file includes a set of related policies that corresponds to a policy path within the Group Policy structure. For example, the CloudContent.admx file includes the policy Configure Windows spotlight on lock screen. If IT pros use the Group Policy Editor on a Windows 10 machine to view the local group policies, they would find the policy at the following path:
User Configuration > Administrative Templates > Windows Components > Cloud Content
User Configuration indicates the scope of the policy, which, in this case, is User. If the scope were Machine, the first element would read Computer Configuration. A policy can be available at the User scope, Machine scope or both.
Administrative Templates is common to all policies in the ADMX files. As a result of this structure, the Computer Configuration node and the User Configuration node are both in the Group Policy Editor, with each node containing the Administrative Templates subnode.
The remaining elements in the policy path are specific to the policies within a particular ADMX file. In this case, the elements Windows Components > Cloud Content correspond to the CloudContent.admx file, which includes the Configure Windows spotlight on lock screen policy, along with other policies.
Each policy has a friendly display name and a formal reference name. Configure Windows spotlight on lock screen is the display name in this example. The reference name is ConfigureWindowsSpotlight. The ADMX and ADML files use the reference names to sync with one another. The display name appears only in the applicable ADML file and is the name that shows up within the local Group Policy Editor in Windows.
Test your knowledge about Windows 10 performance concerns
When it comes to Windows 10 performance issues, there is a lot to cover. Use this quiz to refresh your knowledge on the top problems and how to solve them.
The following sections provide an overview of the Windows 10 Enterprise Group Policy that is specific to that version of the OS based on their ADMX files.
CloudContent.admx template file
Policy path: [scope] > Administrative Templates > Windows Components > Cloud Content
The CloudContent.admx file contains several policies related primarily to Windows Spotlight, an option for displaying different background images on the lock screen and for automatically displaying suggestions about Windows 10 features. A few of them are Windows 10 GPOs exclusively.
Configure Windows spotlight on lock screen
Reference name: ConfigureWindowsSpotlight
Implements Windows Spotlight on the lock screen and prevents users from modifying the lock screen. IT can also set up the lock screen to display internal communications.
Turn off all Windows Spotlight features
Reference name: DisableWindowsSpotlightFeatures
Turns off Windows Spotlight on the lock screen. It also turns off Microsoft consumer features, Windows tips and other related features.
Turn off Microsoft consumer experiences
Reference name: DisableWindowsConsumerFeatures
Prevents users from receiving notifications about their Microsoft accounts or personalized recommendations from Microsoft.
Do not show Windows Tips
Reference name: DisableSoftLanding
Prevents users from receiving Windows tips, which are contextual pop-up messages explaining how to use Windows.
ControlPanelDisplay.admx template file
Policy path: [scope] > Administrative Templates > Control Panel > Personalization
The ControlPanelDisplay.admx file contains a number of policies for managing personalization settings on the desktop.
Do not display the lock screen
Reference name: CPL_Personalization_NoLockScreen
Allows users to see their selected tiles after locking their PCs, rather than seeing the lock screen. This policy only applies to users who do not have to press CTRL+ALT+DEL when they log on.
Force a specific default lock screen and logon image
Reference name: CPL_Personalization_ForceDefaultLockScreen
IT can specify the default image users see on their lock and logon screens. When configuring this policy, IT must provide the fully qualified path and file name for the image.
Logon.admx template file
Policy path: [scope] > Administrative Templates > System > Logon
The Logon.admx file contains a number of policies specific to users starting up and logging onto their systems. Although none of these are Windows 10 GPOs only, there is an important issue IT should be aware of related to the policy Turn off app notifications on the lock screen.
If IT enables this policy and also enables the local security policy Do not require CTRL+ALT+DEL -- in the Windows Settings node -- Windows automatically disables lock screen apps. As a result, IT cannot configure assigned access on the device, which limits users to interacting with only one application, something IT might want to do when setting up a device in kiosk mode.
Turn off app notifications on the lock screen
Reference name: DisableLockScreenAppNotifications
Prevents applications from appearing on the lock screen. Otherwise, users can choose which notifications appear on the lock screen.
Do not require CTRL+ALT+DEL
Policy path: Computer Configuration > Windows Settings > Local Policies > Security Options
The policy is not part of the Logon.admx template file. That said, if IT enables it, the user is not required to press CTRL+ALT+DEL when logging on. This policy is disabled by default on domain-controlled computers.
Search.admx template file
Policy path: [scope] > Administrative Templates > Windows Components > Search
The policies in the Search.admx file let IT control search-related features on users' desktops.
Don't search the web or display web results
Reference name: DoNotUseWebResults
Prevents Search from querying the web and prevents Search from displaying web results.
StartMenu.admx template file
Policy path: [scope] > Administrative Templates > Start Menu and Taskbar
The StartMenu.admx file includes a wide range of policies related to the Start menu, only one of which applies exclusively to Windows 10 Enterprise.
Reference name: LockedStartLayout
Scope: User and Machine
IT can specify the Start layout for managed devices and prevent users from modifying the Start configuration. IT must first generate the XML files necessary to store the Start layout configuration.
WindowsStore.admx template file
Policy path: [scope] > Administrative Templates > Windows Components > Store
The WindowsStore.admx file includes several policies related to the Windows Store application and application updates.
Turn off the Store application
Reference name: RemoveWindowsStore
Scope: User and Machine
Prevents users from accessing the Windows Store application. Access to the Windows Store application is required to install application updates.
Only display the private store within the Windows Store app
Reference name: RequirePrivateStoreOnly
Scope: User and Machine
This policy prevents users from viewing the retail catalog in the Windows Store app. It does not affect users' ability to view apps in a private store.
A look at new Group Policy settings in Windows 10
How to use Group Policy to alter the Windows 10 UI
Explore the Group Policy Object Editor