As a fan of Group Policies I took a peek under the hood of the new Windows 10 and Windows Server 10. Hoping there’d be loads of new settings I searched through the PolicyDefinitions folder found in the Windows folder of the system volume. To my disappointment I only found one. 🙁
Group Policy Definitions
In each setting in the Group Policy Editor there is a Requirements heading that says something like “At least Windows 7 or Windows Server 2008 R2”. With the current release the new settings should say something like “At least Windows 10 or Windows Server 10”. After going through the settings in the Group Policy Management Console for a while I could not find a single one indicating a new setting. This requires thorough investigation I say.
PowerShell to the task
The above-mentioned requirements are defined in the Group Policy definition files found in the PolicyDefinitions folder under the Windows folder. Group Policies are defined in ADMX files (with descriptions and help strings in ADML files). Windows 8.1, for example, is defined as “Windows_6_3” with a leading “SUPPORTED” string. Windows 10’s internal version is 6.4 so running the following in the PolicyDefinitions folder:
Select-String -Path .\*.admx -Pattern "6_4"
Select-String -Path .\en-us\*.adml -Pattern "6_4"
revealed that there is just one(!) setting saying that it is supported on “SUPPORTED_Windows_6_4”. The strings also indicate the internal name of the Technical Preview, that is Windows Next and Windows Next Server. 🙂 By the way there are also strings that say “Windows8_1Update2” that are not found in Windows 8.1 or Windows Server 2012 R2. Maybe they’ll come out before Windows Next…
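The text search above returns raw matching lines. As an added example (not part of the original post), the script below parses each ADMX file as XML, keeps the policies whose supportedOn reference matches the pattern, and resolves their display names from the ADML string table. The parameter names and defaults are illustrative assumptions, and it relies on the standard ADMX/ADML layout (policyDefinitions/policies/policy and policyDefinitionResources/resources/stringTable/string).

```powershell
# Added example: list policies by their supportedOn reference.
# Parameter names are illustrative; save as a .ps1 file and run it.
param(
    [string]$PolicyDefinitions = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
    [string]$Language = 'en-US',
    [string]$Pattern  = '6_4'   # regex matched against the supportedOn reference
)

Get-ChildItem -Path $PolicyDefinitions -Filter *.admx | ForEach-Object {
    # XmlDocument.Load honours the encoding declared in the file.
    $admx = New-Object System.Xml.XmlDocument
    $admx.Load($_.FullName)

    # Build an id -> text lookup from the matching ADML file, if present.
    $strings  = @{}
    $admlPath = Join-Path (Join-Path $PolicyDefinitions $Language) ($_.BaseName + '.adml')
    if (Test-Path -LiteralPath $admlPath) {
        $adml = New-Object System.Xml.XmlDocument
        $adml.Load($admlPath)
        foreach ($s in $adml.policyDefinitionResources.resources.stringTable.string) {
            $strings[$s.GetAttribute('id')] = $s.InnerText
        }
    }

    foreach ($policy in $admx.policyDefinitions.policies.policy) {
        # e.g. ref="windows:SUPPORTED_Windows_6_3"; policies without one are skipped.
        $supportedOn = $policy.supportedOn.ref
        if ($supportedOn -notmatch $Pattern) { continue }

        # displayName looks like "$(string.SomeId)"; resolve it via the ADML table.
        $display = $policy.GetAttribute('displayName')
        if ($display -match '^\$\(string\.(.+)\)$' -and $strings.ContainsKey($Matches[1])) {
            $display = $strings[$Matches[1]]
        }

        [pscustomobject]@{
            File        = $_.Name
            Policy      = $policy.GetAttribute('name')
            Class       = $policy.GetAttribute('class')
            SupportedOn = $supportedOn
            DisplayName = $display
        }
    }
}
```

Piping the output to Format-Table or Export-Csv gives an inventory of settings per OS version that can be compared between builds.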
The one and only new GPO setting
To be precise the new setting is found under the Kerberos folder, its name is “Support device authentication using certificate” and Requirements is “At least Windows Next Server, Windows Next or Windows Next RT”.
The explanation is as follows:
“Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. If you enable this policy setting, the devices credentials will be selected based on the following options:
Automatic: Device will attempt to authenticate using its certificate. If the DC does not support computer account authentication using certificates then authentication with password will be attempted.
Force: Device will always authenticate using its certificate. If a DC cannot be found which support computer account authentication using certificates then authentication will fail.
If you disable this policy setting, Disable will be used.
If you do not configure this policy setting, Automatic will be used.”
So there you go, not much to say, is there? Well, this for sure is going to change as the Technical Preview evolves… I’ll post new settings as they come along.