Windows 11 22H2 gets a slew of new group policy changes

Released officially last week, Windows 11 22H2 offers a number of new features and options, though many aren’t yet available — Microsoft will be “dribbling” out changes throughout the coming year. The much-touted Windows File Explorer tabs, for example, have not yet rolled out, but the items released do include Enhanced Phishing Protection, which is available to consumers as well as businesses. (To take advantage of the new reporting and alerts, you do need a license to the Microsoft 365 security portal, which is included in a Microsoft 365 E5 license or a Microsoft 365 Business Premium license. The latter is a specific license for companies with fewer than 300 seats.)

Microsoft is being a bit cagey about its plans for pushing out the incremental changes in the months ahead, though it has said they won’t be enabled by default on a business or domain-joined computer. It’s also unclear whether these incremental tweaks can be controlled through registry keys on Windows 11 Home versions.

As Computerworld’s Preston Gralla explained in his Windows 11 22H2 review: “Microsoft says that from now on, Windows will get feature updates like 22H2 once a year, but that in between, individual new features may be released as often as once a month. That will happen in October, when Microsoft will release an update that delivers tabs to File Explorer. The update will be optional and delivered via a phased rollout, and will then be included in the normal monthly security update release in November.”

In addition to tabs in File Explorer, suggested actions — where Windows 11 recommends actions to take in certain applications — are also expected in October. And while Microsoft has sent signals indicating businesses will be able to control these new enhancements, it hasn’t documented exactly how.

One would think there’d be some sort of group policy setting to control these releases, but so far, the group policy templates related to the latest changes offer no clues.

With that background, here are the group policy adjustments we do see that are new in Windows 11 22H2. Many are self-explanatory, others showcase some of the operating system’s new options. They’re listed here in alphabetical order, along with brief explanations of what they do:

controlpanel.admx    
Hide messages when Windows system requirements are not met.

(Clearly, many of us are using this registry entry to go around the hardware mandates in Windows 11. This new setting allows administrators to hide the notification that your hardware won’t run Windows 11.)

desktop.admx  
Hide and disable all items on the desktop.

This removes icons, shortcuts, and other default and user-defined items from the desktop. While this policy is not new, it does offer new options.

desktopappinstaller.admx 
Enable App Installer.
Enable App Installer Settings.
Enable App Installer Experimental Features.
Enable App Installer Local Manifest Files.
Enable App Installer Hash Override.
Enable App Installer Default Source.
Enable App Installer Microsoft Store Source.
Set App Installer Source Auto Update Interval In Minutes.
Enable App Installer Additional Sources.
Enable App Installer Allowed Sources.
Enable App Installer ms-appinstaller protocol.

These settings control whether users can run the Windows Package Manager.

dnsclient.admx 
Configure Discovery of Designated Resolvers (DDR) protocol.
Configure NetBIOS settings.

This policy specifies whether the DNS client will use the DDR protocol. The Discovery of Designated Resolvers (DDR) protocol allows Windows to move from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known.

explorer.admx  
Turn off files from Office.com in Quick access view.

This also will prevent File Explorer from requesting recent cloud file metadata and displaying it in the Quick access view.

inetres.admx    
Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects.
Enable global window list in Internet Explorer mode.
Reset zoom to default for HTML dialogs in Internet Explorer mode.
Disable HTML Application.

These control various Internet Explorer and Internet Explorer mode settings.

kdc.admx 
Configure hash algorithms for certificate logon.

This setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication.

kerberos.admx 
Configure hash algorithms for certificate logon.
Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon.

These policies control various Kerberos settings.

lanmanserver.admx  
Request traffic compression for all shares.
Disable SMB compression.

These control server-side SMB compression settings.

lanmanworkstation.admx
Use SMB compression by default.
Disable SMB compression.

These, in turn, control client-side SMB compression settings.

localsecurityauthority.admx      
Allow Custom SSPs and APs to be loaded into LSASS.
Configures LSASS to run as a protected process.

These control the new settings for protecting LSASS (the Local Security Authority Subsystem Service, which holds logon secrets).

microsoftedge.admx 
Suppress the display of Edge Deprecation Notification.

This controls whether the Edge deprecation notification is shown.

msapolicy.admx
Only allow device authentication for the Microsoft Account Sign-In Assistant.

This restricts the Microsoft Account Sign-In Assistant to device authentication only.

passport.admx 
Enable ESS with Supported Peripherals.

This Enhanced Sign-in Security isolates Windows Hello biometric (face and fingerprint) template data and matching operations to trusted hardware or specified memory regions.

printing.admx   
Limits print driver installation to Administrators.
Manage processing of Queue-specific files.
Manage Print Driver signature validation.
Manage Print Driver exclusion list.
Configure RPC listener settings.
Configure RPC connection settings.
Configure RPC over TCP port.
Always send job page count information for IPP printers.
Configure Redirection Guard.

These configure the new print spooler protections.

search.admx
Fully disable Search UI.
Allow search highlights.

These configure search behavior.

sensors.admx   
Force Instant Dim.

This allows admins to tweak dim settings.

settingsync.admx      
Do not sync accessibility settings.

This limits sync of these settings.

startmenu.admx       
Remove Run menu from Start Menu.
Prevent changes to Taskbar and Start Menu Settings.
Remove access to the context menus for the taskbar.
Prevent users from uninstalling applications from Start.
Remove Recommended section from Start Menu.
Simplify Quick Settings Layout.
Disable Editing Quick Settings.
Remove Quick Settings.

These provide additional adjustments for the Start menu and Quick Settings.

taskbar.admx   
Remove pinned programs from the Taskbar.
Hide the TaskView button.

These provide additional adjustments for the Taskbar.

terminalserver.admx
Do not allow WebAuthn redirection.
Disable Cloud Clipboard integration for server-to-client data transfer.

These adjust Remote Desktop (terminal server) session redirection settings.

webthreatdefense.admx
Service Enabled.
Notify Malicious.
Notify Password Reuse.
Notify Unsafe App.
Device Control.
Select Device Control Default Enforcement Policy.
Define Device Control evidence data remote location.
Control whether or not exclusions are visible to Local Admins.
Select the channel for Microsoft Defender monthly platform updates.
Select the channel for Microsoft Defender monthly engine updates.
Select the channel for Microsoft Defender daily security intelligence updates.
Configure time interval for service health reports.
CPU throttling type.
Disable gradual rollout of Microsoft Defender updates.

These are new adjustments for Enhanced Phishing Protection.
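The LSASS protection, print driver and Enhanced Phishing Protection policies above are the ones most worth verifying after a 22H2 rollout. The following audit script is an added example, not code from the Computerworld article or from Microsoft: it reads the registry values that the corresponding ADMX settings write and compares them with the hardening values. The key paths and value names are taken from Microsoft's policy documentation as recalled here and should be confirmed against the .admx files under C:\Windows\PolicyDefinitions before the output is relied on.

```powershell
# Added example (not from the article): audit a Windows 11 22H2 machine for a few
# of the security-relevant policies listed above by reading the registry values the
# ADMX settings write. Registry paths and value names are assumptions based on
# Microsoft's policy documentation; verify them locally. Run from an elevated session.

$Checks = @(
    [pscustomobject]@{
        Policy   = 'Configures LSASS to run as a protected process'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
        Name     = 'RunAsPPL'
        Expected = @(1, 2)   # 1 = enabled, 2 = enabled with UEFI lock
    },
    [pscustomobject]@{
        Policy   = 'Allow Custom SSPs and APs to be loaded into LSASS'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
        Name     = 'AllowCustomSSPsAPs'
        Expected = @(0)      # 0 = custom security packages are not loaded
    },
    [pscustomobject]@{
        Policy   = 'Limits print driver installation to Administrators'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
        Name     = 'RestrictDriverInstallationToAdministrators'
        Expected = @(1)
    }
)

# Enhanced Phishing Protection (webthreatdefense.admx) writes four DWORDs under one key.
foreach ($name in 'ServiceEnabled', 'NotifyMalicious', 'NotifyPasswordReuse', 'NotifyUnsafeApp') {
    $Checks += [pscustomobject]@{
        Policy   = "Enhanced Phishing Protection: $name"
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'
        Name     = $name
        Expected = @(1)
    }
}

function Get-PolicyState {
    # Returns one row per check: the configured value (or '-' when the policy is
    # not set) and whether it matches the expected hardening value.
    param([Parameter(Mandatory)] $Check)

    $value = $null
    if (Test-Path -Path $Check.Path) {
        $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.($Check.Name) }
    }

    $status = if ($null -eq $value) { 'NOT CONFIGURED' } elseif ($Check.Expected -contains $value) { 'OK' } else { 'REVIEW' }

    [pscustomobject]@{
        Policy = $Check.Policy
        Value  = if ($null -eq $value) { '-' } else { $value }
        Status = $status
    }
}

$Checks | ForEach-Object { Get-PolicyState -Check $_ } | Format-Table -AutoSize
```

A NOT CONFIGURED row means the policy is simply absent, which on a domain-joined machine usually means the GPO has not applied yet rather than that the feature is off; a REVIEW row means someone set a value other than the hardening one. Note that the script only reads the policy keys; the value LSASS actually honours at boot lives under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL, so confirm the effective state there as well after a reboot.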

winlogon.admx
Enable MPR notifications for the system.

This policy controls whether Winlogon sends MPR (Multiple Provider Router) notifications on the system.

It remains unclear exactly how we will be able to control these new features and whether Windows 11 2022 Home users will be able to control these new incremental changes. Stay tuned. Windows 11 is clearly still a work in progress.

Copyright © 2022 IDG Communications, Inc.