What’s New in Group Policy in the Windows 11 2022 Update (22H2, build 22621)


Microsoft introduced its first feature update to Windows 11 on September 20th, 2022. As part of this release, new features have been released and previously optional products have been integrated. Some of these changes have led to new Group Policy settings, as detailed by Microsoft in the Group Policy Settings Reference Spreadsheet for Windows 11 2022 Update (22H2).

Let’s see what’s new:

Control Panel

For the Control Panel, one new Group Policy setting was introduced with the Windows 11 2022 Update in the context of Computer Configuration\Policies\Administrative Templates\System:

Hide messages when Windows system requirements are not met

This policy controls messages which are shown when Windows is running on a device that does not meet the minimum system requirements for the installed Operating System (OS) version. If you enable this policy setting, these messages will never appear on desktop or in the Settings app. If you disable or do not configure this policy setting, these messages will appear on desktop and in the Settings app when Windows is running on a device that does not meet the minimum system requirements.

Desktop App Installer (WinGet)

For the desktop, new Group Policy settings were introduced for the Desktop App Installer, previously known as the Windows Package Manager (WinGet.exe), in the context of Computer Configuration\Policies\Administrative Templates\Windows Components\Desktop App Installer:

Enable App Installer

This policy controls whether the Windows Package Manager can be used by users. If you enable or do not configure this setting, users will be able to use the Windows Package Manager. If you disable this setting, users will not be able to use the Windows Package Manager.

Enable App Installer Settings

This policy controls whether users can change their settings. If you enable or do not configure this setting, users will be able to change settings for the Windows Package Manager. If you disable this setting, users will not be able to change settings for the Windows Package Manager.

Enable App Installer Experimental Features

This policy controls whether users can enable experimental features in the Windows Package Manager. If you enable or do not configure this setting, users will be able to enable experimental features for the Windows Package Manager. If you disable this setting, users will not be able to enable experimental features for the Windows Package Manager.

Enable App Installer Local Manifest Files

This policy controls whether users can install packages with local manifest files. If you enable or do not configure this setting, users will be able to install packages with local manifests using the Windows Package Manager. If you disable this setting, users will not be able to install packages with local manifests using the Windows Package Manager.

Enable App Installer Hash Override

This policy controls whether or not the Windows Package Manager can be configured to enable the ability to override the SHA256 security validation in settings. If you enable or do not configure this policy, users will be able to enable the ability to override the SHA256 security validation in the Windows Package Manager settings. If you disable this policy, users will not be able to enable the ability to override the SHA256 security validation in the Windows Package Manager settings.

Enable App Installer Default Source

This policy controls the default source included with the Windows Package Manager. If you do not configure this setting, the default source for the Windows Package Manager will be available and can be removed. If you enable this setting, the default source for the Windows Package Manager will be available and cannot be removed. If you disable this setting, the default source for the Windows Package Manager will not be available.

Enable App Installer Microsoft Store Source

This policy controls the Microsoft Store source included with the Windows Package Manager. If you do not configure this setting, the Microsoft Store source for the Windows Package Manager will be available and can be removed. If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available and cannot be removed. If you disable this setting, the Microsoft Store source for the Windows Package Manager will not be available.

Set App Installer Source Auto Update Interval In Minutes

This policy controls the auto update interval for package-based sources. If you disable or do not configure this setting, the default interval or the value specified in settings will be used by the Windows Package Manager. If you enable this setting, the number of minutes specified will be used by the Windows Package Manager.

Enable App Installer Additional Sources

This policy controls additional sources provided by the enterprise IT administrator. If you do not configure this policy, no additional sources will be configured for the Windows Package Manager. If you enable this policy, the additional sources will be added to the Windows Package Manager and cannot be removed. The representation for each additional source can be obtained from installed sources using winget source export. If you disable this policy, no additional sources can be configured for the Windows Package Manager.

Enable App Installer Allowed Sources

This policy controls additional sources allowed by the enterprise IT administrator. If you do not configure this policy, users will be able to add or remove additional sources other than those configured by policy. If you enable this policy, only the sources specified can be added or removed from the Windows Package Manager. The representation for each allowed source can be obtained from installed sources using winget source export. If you disable this policy, no additional sources can be configured for the Windows Package Manager.

Enable App Installer ms-appinstaller protocol

This policy controls whether users can install packages from a website that is using the ms-appinstaller protocol. If you enable or do not configure this setting, users will be able to install packages from websites that use this protocol. If you disable this setting, users will not be able to install packages from websites that use this protocol.

DNS Client

For the Domain Name System (DNS) client in the Windows 11 2022 Update, two new Group Policy settings were introduced in the context of Computer Configuration\Policies\Administrative Templates\Network\DNS Client:

Configure Discovery of Designated Resolvers (DDR) protocol

Specifies if the DNS client would use the DDR protocol. The Discovery of Designated Resolvers (DDR) protocol allows Windows to move from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known. If you enable this policy, the DNS client will use the DDR protocol. If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings.

Configure NetBIOS settings

Specifies if the DNS client will perform name resolution over NetBIOS. By default, the DNS client will disable NetBIOS name resolution on public networks for security reasons. To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:

  • Disable NetBIOS name resolution
    Never allow NetBIOS name resolution.
  • Allow NetBIOS name resolution
    Always allow NetBIOS name resolution.
  • Disable NetBIOS name resolution on public networks
    Only allow NetBIOS name resolution on network adapters which are not connected to public networks.
  • NetBIOS learning mode
    Always allow NetBIOS name resolution and use it as a fallback after mDNS/LLMNR queries fail.

If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings.

File Explorer

For File Explorer in the Windows 11 2022 Update, one new Group Policy setting was introduced in the context of Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer:

Turn off files from Office.com in Quick access view

Turning off files from Office.com will prevent File Explorer from requesting recent cloud file metadata and displaying it in the Quick access view.

Internet Explorer

For Internet Explorer and in Internet Explorer mode, four new Group Policy settings were introduced with the Windows 11 2022 Update in the context of Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer and in the context of User Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer:

Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects

This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. If you disable or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box.

Enable global window list in Internet Explorer mode

This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications. The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. If you enable this policy, Internet Explorer mode will use the global window list. If you disable or don’t configure this policy, Internet Explorer mode will continue to maintain a separate window list.

Reset zoom to default for HTML dialogs in Internet Explorer mode

This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode. If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page. If you disable or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of its parent page.

Disable HTML Application

This policy setting specifies if running HTML Applications (HTA files) is blocked or allowed. If you enable this policy setting, running an HTML Application (HTA file) will be blocked. If you disable or do not configure this policy setting, running an HTML Application (HTA file) is allowed.

Authentication

In terms of Kerberos and the Kerberos Key Distribution Center (KDC), the Windows 11 2022 Update offers three new Group Policy settings, scattered between Computer Configuration\Policies\Administrative Templates\System\KDC and Computer Configuration\Policies\Administrative Templates\System\Kerberos:

Configure hash algorithms for certificate logon

This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication. If you enable this policy, you will be able to configure one of four states for each algorithm:

  • Default
    This setting sets the algorithm to the recommended state.
  • Supported
    This setting enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
  • Audited
    This setting enables usage of the algorithm and reports an event (ID 309) every time it is used. This state is intended to verify that the algorithm is not being used and can be safely disabled.
  • Not Supported
    This setting disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.

If you disable or do not configure this policy, each algorithm will assume the Default state.

Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon

This policy setting allows retrieving the Azure AD Kerberos Ticket Granting Ticket (TGT) during logon. If you disable or do not configure this policy setting, the Azure AD Kerberos TGT is not retrieved during logon. If you enable this policy setting, the Azure AD Kerberos TGT is retrieved during logon.

The Local Security Authority Subsystem Service (LSASS) also received updates in the Windows 11 2022 Update, resulting in two new Group Policy settings in the context of Computer Configuration\Policies\Administrative Templates\System\Local Security Authority:

Allow Custom SSPs and APs to be loaded into LSASS

This policy controls the configuration under which LSASS loads custom security support packages (SSPs) and authentication packages (APs). If you enable this setting or do not configure it, LSA allows custom SSPs and APs to be loaded. If you disable this setting, LSA does not load custom SSPs and APs.

Configures LSASS to run as a protected process

This policy controls the configuration under which LSASS is run. If you do not configure this policy and there is no current setting in the registry, LSA will run as a protected process for cleanly installed, HVCI-capable client SKUs that are domain-joined or Azure AD-joined devices. This configuration is not UEFI locked. This default can be overridden if the policy is configured:

  • If you configure and set this policy setting to Disabled, LSA will not run as a protected process.
  • If you configure and set this policy setting to EnabledWithUEFILock, LSA will run as a protected process and this configuration is UEFI locked.
  • If you configure and set this policy setting to EnabledWithoutUEFILock, LSA will run as a protected process and this configuration is not UEFI locked.
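As an added example (not from the original article or from Microsoft), the following PowerShell reports which of these three states a device is actually in, which matters because a policy value only takes effect after a reboot and a UEFI-locked choice persists until the variable is cleared. It assumes the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL (1 = UEFI locked, 2 = not UEFI locked) backs this policy, and that Wininit logs event 12 (started protected) or 13 (not protected) to the System log at boot.

```powershell
# Added example: report the configured and the effective LSA protection state.
# Assumptions (not stated on the page): RunAsPPL under the Lsa key encodes the
# policy choice, and Wininit events 12/13 in the System log record the boot result.
function Get-LsaProtectionState {
    [CmdletBinding()]
    param()

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $props  = Get-ItemProperty -Path $lsaKey -ErrorAction Stop

    # Map the RunAsPPL registry value to the policy states named above.
    if ($null -eq $props.RunAsPPL) {
        $configured = 'Not configured (platform default applies)'
    }
    else {
        $configured = switch ($props.RunAsPPL) {
            0       { 'Disabled' }
            1       { 'EnabledWithUEFILock' }
            2       { 'EnabledWithoutUEFILock' }
            default { "Unrecognised value $($props.RunAsPPL)" }
        }
    }

    # Newest Wininit 12/13 event tells us what happened at the last boot.
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12, 13 }
    $evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue

    if ($null -eq $evt) {
        $runtime = 'Unknown (no Wininit 12/13 event found)'
    }
    elseif ($evt.Id -eq 12) {
        $runtime = 'Protected'
    }
    else {
        $runtime = 'Not protected'
    }

    # Consistency is only meaningful when the policy was set explicitly; a pending
    # reboot or a UEFI variable that still locks an older choice shows up as $false.
    if ($configured -like 'Enabled*') {
        $consistent = ($runtime -eq 'Protected')
    }
    elseif ($configured -eq 'Disabled') {
        $consistent = ($runtime -eq 'Not protected')
    }
    else {
        $consistent = $null
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RunAsPPLValue     = $props.RunAsPPL
        ConfiguredState   = $configured
        RuntimeState      = $runtime
        LastBootEventTime = if ($evt) { $evt.TimeCreated } else { $null }
        Consistent        = $consistent
    }
}

Get-LsaProtectionState | Format-List
```

Run it on a device after the policy has been applied and rebooted; a ConfiguredState of EnabledWithUEFILock with a RuntimeState of Not protected is the mismatch worth investigating first.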

The Microsoft Account (MSA) sign-in assistant features one new Group Policy setting in the Windows 11 2022 Update in the context of Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft account:

Only allow device authentication for the Microsoft Account Sign-In Assistant

This setting determines whether to only allow enterprise device authentication for the Microsoft Account Sign-in Assistant service (wlidsvc). By default, this setting is disabled and allows both user and device authentication. When the value is set to 1, the Microsoft Account Sign-in Assistant service only allows device authentication, and blocks user authentication.

For Windows Hello for Business, one new Group Policy setting is available in the context of Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Hello for Business:

Enable ESS with Supported Peripherals

Enhanced Sign-in Security (ESS) isolates Windows Hello biometric (face and fingerprint) template data and matching operations to trusted hardware or specified memory regions, meaning the rest of the operating system cannot access or tamper with them. Because the channel of communication between the sensors and the algorithm is also secured, it is impossible for malware to inject or replay data in order to simulate a user signing in or to lock a user out of their machine. While this policy is enabled on Windows 11 devices, external biometric authentication with Windows Hello will be blocked. Any non-authentication operational functionalities such as camera usage will be unaffected.

If you enable this policy, it can have the following possible values:

  • 0
    With this value, ESS is disabled (not recommended). ESS will be disabled on all systems, enabling the use of external biometric authentication. If a user has enrolled in Windows Hello with ESS enabled, when the feature gets disabled, they will lose their enrollment and must reset PIN. At that point they will have the option to re-enroll in biometrics. OS will not attempt to start secure components, even if the secure hardware and software components are present.
  • 1
    With this value, ESS is enabled (default and recommended for highest security). ESS will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of any biometric device that ESS does not support, including that of peripheral devices, will be blocked and not available for Windows Hello.

If you disable or do not configure this policy, ESS is preferred on the device.

SMB

Server Message Block (SMB) in the Windows 11 2022 Update received two new Group Policy settings, distributed between Computer Configuration\Policies\Administrative Templates\System\Lanman Server and Computer Configuration\Policies\Administrative Templates\System\Lanman Client:

Request traffic compression for all shares (Server)

This policy controls whether the SMB server requests the SMB client to use traffic compression for all SMB shares. If you enable this policy setting, the SMB server will by default request the SMB client to compress traffic when SMB compression is enabled. If you disable or do not configure this policy setting, the SMB server will not by default request the SMB client to compress traffic. However, traffic compression may be requested by other means.

Note:
If this policy is disabled, traffic compression may be requested by server-side per-share properties or by the SMB Client. If this is undesired, and one wishes to completely disable compression, configure the accompanying Disable SMB compression policy below.

Note:
Traffic compression can only be used when both the SMB client and SMB server support and enable traffic compression.

Disable SMB compression (Server)

This policy controls whether the SMB server will disable and completely prevent traffic compression. If you enable this policy setting, the SMB server will never compress data, irrespective of other policies or share properties. If you disable or do not configure this policy setting, the SMB server may compress traffic.

Use SMB compression by default (Client)

This policy controls whether the SMB client uses traffic compression by default. If you enable this policy setting, the SMB client will attempt to compress traffic by default when SMB compression is enabled. If you disable or do not configure this policy setting, the SMB client will not by default attempt to compress traffic.

Disable SMB Compression (Client)

This policy controls whether the SMB client will disable (completely prevent) traffic compression. If you enable this policy setting, the SMB client will never compress data, irrespective of other policies. If you disable or do not configure this policy setting, the SMB client may compress traffic.

Edge Spartan

Edge Spartan was deprecated on March 9, 2021, but some organizations have a need to remain using this legacy technology. For these organizations, the Windows 11 2022 Update has a new Group Policy setting in the context of both Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Edge and User Configuration\Policies\Administrative Templates\Windows Components\Microsoft Edge:

Suppress the display of Edge Deprecation Notification

You can configure Microsoft Edge to suppress the display of the notification that informs users that support of Microsoft Edge Spartan ended. If enabled, the notification will not show. If disabled or not configured, the notification will show every time Edge Spartan is launched.

Printing

For people not working in paperless offices, the Windows 11 2022 Update features 9 new Group Policy settings in the context of Computer Configuration\Policies\Administrative Templates\Printers:

Limits print driver installation to Administrators

Determines whether users that aren't Administrators can install print drivers on this computer. By default, users that aren't Administrators can't install print drivers on this computer. If you enable this setting or do not configure it, the system will limit installation of print drivers to Administrators of this computer. If you disable this setting, the system won't limit installation of print drivers on this computer to Administrators.

Manage processing of Queue-specific files

Manages how Queue-specific files are processed during printer installation. At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue. The files are downloaded to each client that connects to the print server. You can enable this setting to change the default behavior involving queue-specific files.

To use this setting, select one of the options below from the Manage processing of Queue-specific files field:

  1. Do not allow Queue-specific files
    This setting specifies that no queue-specific files will be allowed/processed during print queue/printer connection installation.
  2. Limit Queue-specific files to Color profiles
    This setting specifies that only queue-specific files that adhere to the standard color profile scheme will be allowed. This means entries using the Registry Key CopyFiles\ICM, containing a Directory value of COLOR and supporting mscms.dll as the Module value.
  3. Allow all Queue-specific files
    This setting specifies that all queue-specific files will be allowed/processed during print queue/printer connection installation.

If you disable or do not configure this policy setting, the default behavior is Limit Queue-specific files to Color profiles.

Manage Print Driver signature validation

This policy setting controls the print driver signature validation mechanism. This policy controls the type of digital signature that is required for a print driver to be considered valid and installed on the system. As part of this validation the catalog/embedded signature is verified and all files in the driver must be a part of the catalog or have their own embedded signature that can be used for validation. You can enable this setting to change the default signature validation method.

To use this setting, select one of the options below from the Select the driver signature mechanism for this computer field:

  • Require inbox signed drivers
    This setting specifies only drivers that are shipped as part of a Windows image are allowed on this computer.
  • Allow inbox and Print Drivers Trusted Store signed drivers
    This setting specifies only drivers that are shipped as part of a Windows image or drivers that are signed by certificates installed in the PrintDrivers certificate store are allowed on this computer.
  • Allow inbox, Print Drivers Trusted Store, and WHQL signed drivers
    This setting specifies the only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the PrintDrivers certificate store, or signed by the Windows Hardware Quality Lab (WHQL).
  • Allow inbox, Print Drivers Trusted Store, WHQL, and Trusted Publishers Store signed drivers
    This setting specifies the only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the PrintDrivers certificate store, signed by the Windows Hardware Quality Lab (WHQL), or signed by certificates installed in the Trusted Publishers certificate store.
  • Allow all validly signed drivers
    This setting specifies that any print driver that has a valid embedded signature or can be validated against the print driver catalog can be installed on this computer. The PrintDrivers certificate store needs to be created by an administrator under the local machine store location. The Trusted Publishers certificate store can contain certificates from sources that are not related to print drivers.

If you disable or do not configure this policy setting, the default method is Allow all validly signed drivers.

Manage Print Driver exclusion list

This policy setting controls the print driver exclusion list. The exclusion list allows an administrator to curate a list of printer drivers that are not allowed to be installed on the system. This check outranks the signature check and allows drivers that have a valid signature level for the Print Driver signature validation policy to be excluded. Entries in the exclusion list consist of a SHA256 hash of the *.inf file and/or main driver *.dll file of the driver and the name of the file. If you disable or do not configure this policy setting, the registry key and values associated with this policy setting will be deleted, if currently set to a value.

Configure RPC listener settings

This policy setting controls which protocols incoming RPC connections to the print spooler are allowed to use. By default, RPC over TCP is enabled and Negotiate is used for the authentication protocol. Choose between the following Protocols to allow for incoming RPC connections:

  1. RPC over named pipes
    Incoming RPC connections are only allowed over named pipes
  2. RPC over TCP
    Incoming RPC connections are only allowed over TCP (the default option)
  3. RPC over named pipes and TCP
    Incoming RPC connections will be allowed over TCP and named pipes

Then, select an Authentication protocol to use for incoming RPC connections:

  1. Negotiate
    Use the Negotiate authentication protocol (the default option)
  2. Kerberos
    Use the Kerberos authentication protocol

If you disable or do not configure this policy setting, Negotiate will be used.

Configure RPC connection settings

This policy setting controls which protocol and protocol settings to use for outgoing RPC connections to a remote print spooler. By default, RPC over TCP is used and authentication is always enabled. For RPC over named pipes, authentication is always enabled for domain joined machines but disabled for non domain joined machines. Choose between the following Protocol to use for outgoing RPC connections:

  1. RPC over TCP
    Use RPC over TCP for outgoing RPC connections to a remote print spooler
  2. RPC over named pipes
    Use RPC over named pipes for outgoing RPC connections to a remote print spooler

Then, select an option to Use authentication for outgoing RPC over named pipes connections:

  1. Default
    By default, domain joined computers enable RPC authentication for RPC over named pipes while non domain joined computers disable RPC authentication for RPC over named pipes
  2. Authentication enabled
    RPC authentication will be used for outgoing RPC over named pipes connections
  3. Authentication disabled
    RPC authentication will not be used for outgoing RPC over named pipes connections

If you disable or do not configure this policy setting, domain joined computers enable RPC authentication for RPC over named pipes while non domain joined computers disable RPC authentication for RPC over named pipes.

Configure RPC over TCP port

This policy setting controls which port is used for RPC over TCP for incoming connections to the print spooler and outgoing connections to remote print spoolers. By default, dynamic TCP ports are used. When enabled, the RPC over TCP port needs to be set. A value of 0 is the default and indicates that dynamic TCP ports will be used. If you disable or do not configure this policy setting, dynamic TCP ports are used.

Always send job page count information for IPP printers

Determines whether to always send page count information for accounting purposes for printers using the Microsoft IPP Class Driver. By default, pages are sent to the printer as soon as they are rendered and page count information is not sent to the printer unless pages must be reordered. If you enable this setting the system will render all print job pages up front and send the printer the total page count for the print job. If you disable this setting or do not configure it, pages are printed as soon as they are rendered and page counts are only sent when page reordering is required to process the job.

Configure Redirection Guard

Determines whether Redirection Guard is enabled for the print spooler. You can enable this setting to configure the Redirection Guard policy being applied to spooler. If you disable or do not configure this policy setting, Redirection Guard will default to being Enabled. If you enable this setting you may select the following options:

  1. Redirection Guard Enabled
    Redirection Guard will prevent any file redirections from being followed
  2. Redirection Guard Disabled
    Redirection Guard will not be enabled and file redirections may be used within the spooler process
  3. Redirection Guard Audit Only
    Redirection Guard will log events as though it were enabled but will not actually prevent file redirections from being used within the spooler.

Search

For search, two new Group Policy settings were introduced with the Windows 11 2022 Update in the context of Computer Configuration\Policies\Administrative Templates\Windows Components\Search:

Fully disable Search UI

If you enable this policy, the Search UI will be disabled along with all its entry points, such as keyboard shortcuts, touchpad gestures, and type-to-search in the Start menu. The Start menu's search box and Search Taskbar button will also be hidden. If you disable or don't configure this policy setting, the user will be able to open the Search UI and its different entry points will be shown.

Allow search highlights

Disabling this setting turns off search highlights in the start menu search box and in search home. Enabling or not configuring this setting turns on search highlights in the start menu search box and in search home.

Sensors

In terms of sensors, the Windows 11 2022 Update offers one new Group Policy setting in the context of Computer Configuration\Policies\Administrative Templates\Windows Components\Human Presence:

Force Instant Dim

This setting determines whether Attention Based Display Dimming is forced on/off by the MDM policy. When this setting is enabled, the user will not be able to change this setting and the toggle in the user interface (UI) will be greyed out.

Settings synchronization

For synchronization of settings, the Windows 11 2022 Update offers one new Group Policy setting in the context of Computer Configuration\Policies\Administrative Templates\Windows Components\Sync your settings:

Do not sync accessibility settings

This policy setting prevents the accessibility group of settings from syncing to and from this PC. This turns off and disables the accessibility group on the Windows backup settings page in PC settings. If you enable this policy setting, the accessibility group will not be synchronized. Use the option Allow users to turn accessibility syncing on so that syncing is turned off by default but not disabled. If you do not set or disable this setting, syncing of the accessibility group is on by default and configurable by the user.

Start menu and Taskbar

Windows 11 22H2 (the Windows 11 2022 Update) introduces 7 new Group Policy settings to manage the Start menu and Taskbar. These settings are located in Computer Configuration\Policies\Administrative Templates\Start Menu and Taskbar:

Remove Run menu from Start Menu

This policy setting allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. If you enable this setting, the following changes occur:

  • The Run command is removed from the Start menu.
  • The New Task (Run) command is removed from Task Manager.
  • The user will be blocked from entering the following into the Internet Explorer Address Bar:
    • A UNC path: \\<server>\<share>
    • Accessing local drives: e.g., C:
    • Accessing local folders: e.g., \temp

Also, users with extended keyboards will no longer be able to display the Run dialog box by pressing Win + R.

If you disable or do not configure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use the Internet Explorer Address Bar.

Note:
This setting affects the specified interfaces only. It does not prevent users from using other methods to run programs.

Note:
It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting.

Prevent changes to Taskbar and Start Menu Settings

This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. If you enable this policy setting, the user will be prevented from opening the Taskbar Properties dialog box. If the user right-clicks the taskbar and then clicks Properties, a message appears explaining that a setting prevents the action. If you disable or do not configure this policy setting, the Taskbar and Start Menu items are available from Settings on the Start menu.

Remove access to the context menus for the taskbar

This policy setting allows you to remove access to the context menus for the taskbar. If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, the clock, and the taskbar buttons. If you disable or do not configure this policy setting, the context menus for the taskbar are available. This policy setting does not prevent users from using other methods to issue the commands that appear on these menus.

Prevent users from uninstalling applications from Start

If you enable this setting, users cannot uninstall apps from Start. If you disable this setting or do not configure it, users can access the uninstall command from Start.

Remove Recommended section from Start Menu

This policy setting allows you to prevent the Start Menu from displaying a list of recommended applications and files. If you enable this policy setting, the Start Menu will no longer show the section containing a list of recommended files and apps.

Simplify Quick Settings Layout

If you enable this policy, Quick Settings will be reduced to only having the WiFi, Bluetooth, Accessibility, and VPN buttons; the brightness and volume sliders; and battery indicator and link to the Settings app. If you disable or don't configure this policy setting, the regular Quick Settings layout will appear whenever Quick Settings is invoked.

Disable Editing Quick Settings

If you enable this policy setting, the user will be unable to modify Quick Settings. If you disable or don't configure this policy setting, the user will be able to edit Quick Settings, such as pinning or unpinning buttons.

Remove pinned programs from the Taskbar

This policy setting allows you to remove pinned programs from the taskbar. If you enable this policy setting, pinned programs are prevented from being shown on the Taskbar. Users cannot pin programs to the Taskbar. If you disable or do not configure this policy setting, users can pin programs so that the program shortcuts stay on the Taskbar.

Hide the TaskView button

This policy setting allows you to hide the TaskView button. If you enable this policy setting, the TaskView button will be hidden and the Settings toggle will be disabled.

In the context of User Configuration\Policies\Administrative Templates\Start Menu and Taskbar, one additional Group Policy setting is introduced, and the Remove Recommended section from Start Menu and Hide the TaskView button settings are also applicable in this context:

Remove Quick Settings

This policy setting removes Quick Settings from the bottom right area on the taskbar. The quick settings area is located at the left of the clock in the taskbar and includes icons for current network and volume. If this setting is enabled, Quick Settings is not displayed in the quick settings area. A reboot is required for this policy setting to take effect.

Remote Desktop

For Remote Desktop connections, two new Group Policy settings were introduced with the Windows 11 2022 Update in the context of Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services:

Do not allow WebAuthn redirection

This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator, e.g., Windows Hello for Business, security key, or other. By default, Remote Desktop allows redirection of WebAuthn requests. If you enable this policy setting, users can't use their local authenticator inside the Remote Desktop session. If you disable or do not configure this policy setting, users can use local authenticators inside the Remote Desktop session.

Disable Cloud Clipboard integration for server-to-client data transfer

This policy setting lets you control whether data transferred from the remote session to the client using clipboard redirection is added to the client-side Cloud Clipboard. By default, Remote Desktop disables integration with the client-side Cloud Clipboard for data transferred from the remote session using clipboard redirection. If you enable or do not configure this policy setting, data copied in the remote session and pasted on the client will not be added to the client-side Cloud Clipboard. If you disable this policy setting, data copied in the remote session and pasted on the client will be added to the client-side Cloud Clipboard (if enabled).

Defender

Microsoft Defender got a nice update in the Windows 11 2022 Update. 14 new Group Policy settings accompany it in the context of Computer Configuration\Policies\Administrative Templates\Windows Defender SmartScreen and Computer Configuration\Policies\Administrative Templates\Microsoft Defender Antivirus:

Service Enabled

This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen is in audit mode or off. Users do not see notifications for any protection scenarios when Enhanced Phishing Protection in Microsoft Defender is in audit mode. Audit mode captures unsafe password entry events and sends telemetry through Microsoft Defender. If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is enabled in audit mode and your users are unable to turn it off. If you disable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is off and it will not capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on. If you don’t configure this setting, users can decide whether or not they will enable Enhanced Phishing Protection in Microsoft Defender SmartScreen.

Notify Malicious

This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a Microsoft login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a Microsoft login URL with an invalid certificate. If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password. If you disable or don’t configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn your users if they type their work or school password into one of the malicious scenarios described above.

Notify Password Reuse

This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they reuse their work or school password. If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns users if they reuse their work or school password and encourages them to change it. If you disable or don’t configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn users if they reuse their work or school password.

Notify Unsafe App

This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school passwords in Notepad, Wordpad or Microsoft 365 Office apps like OneNote, Word, Excel, etc. If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they store their password in text editor apps. If you disable or don’t configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn users if they store their password in text editor apps.
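The article lists the Group Policy display names for the Start menu and Taskbar, Remote Desktop, and Enhanced Phishing Protection settings above, but not the registry values the ADMX templates write, which is what you need when auditing a device that does not report cleanly through gpresult. The following PowerShell audit is an added example and is not code from the article or from Microsoft. The registry key paths and value names in the table are my own mapping and are labelled as assumptions in the code; verify each one against the Group Policy Settings Reference Spreadsheet the article refers to before relying on it. Policies whose value names I am not sure of (Hide the TaskView button, Remove Quick Settings, Do not sync accessibility settings) are deliberately left out of the table.

```powershell
# Added example (not from the article or from Microsoft): audit which of the new
# Windows 11 22H2 Group Policy settings have been applied to this machine by reading
# the registry values the ADMX templates write. The key/value mapping below is an
# assumption of mine, not something the article states; verify it against the
# Group Policy Settings Reference Spreadsheet. Run from an elevated session on the
# device; HKCU entries reflect the policy of the account running the script.

# Computer Configuration and User Configuration variants of the Explorer policy key.
$ExplorerPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    'HKCU:\Software\Policies\Microsoft\Windows\Explorer'
)
$RdsPaths  = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services')
$WtdsPaths = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components')  # Enhanced Phishing Protection

# Policy display name (as in the article) -> candidate key paths and value name (assumed).
$Policies = @(
    @{ Name = 'Remove Run menu from Start Menu';                    Paths = $ExplorerPaths; Value = 'NoRun' }
    @{ Name = 'Prevent changes to Taskbar and Start Menu Settings'; Paths = $ExplorerPaths; Value = 'NoSetTaskbar' }
    @{ Name = 'Remove access to the context menus for the taskbar'; Paths = $ExplorerPaths; Value = 'NoTrayContextMenu' }
    @{ Name = 'Prevent users from uninstalling applications from Start'; Paths = $ExplorerPaths; Value = 'NoUninstallFromStart' }
    @{ Name = 'Remove pinned programs from the Taskbar';            Paths = $ExplorerPaths; Value = 'NoPinningToTaskbar' }
    @{ Name = 'Remove Recommended section from Start Menu';         Paths = $ExplorerPaths; Value = 'HideRecommendedSection' }
    @{ Name = 'Simplify Quick Settings Layout';                     Paths = $ExplorerPaths; Value = 'SimplifyQuickSettings' }
    @{ Name = 'Disable Editing Quick Settings';                     Paths = $ExplorerPaths; Value = 'DisableEditingQuickSettings' }
    @{ Name = 'Do not allow WebAuthn redirection';                  Paths = $RdsPaths;      Value = 'fDisableWebAuthn' }
    @{ Name = 'Disable Cloud Clipboard integration for server-to-client data transfer'; Paths = $RdsPaths; Value = 'DisableCloudClipboardIntegration' }
    @{ Name = 'Service Enabled (Enhanced Phishing Protection)';     Paths = $WtdsPaths;     Value = 'ServiceEnabled' }
    @{ Name = 'Notify Malicious';                                   Paths = $WtdsPaths;     Value = 'NotifyMalicious' }
    @{ Name = 'Notify Password Reuse';                              Paths = $WtdsPaths;     Value = 'NotifyPasswordReuse' }
    @{ Name = 'Notify Unsafe App';                                  Paths = $WtdsPaths;     Value = 'NotifyUnsafeApp' }
)

function Get-PolicyState {
    [CmdletBinding()]
    param([Parameter(Mandatory)][hashtable]$Policy)

    foreach ($path in $Policy.Paths) {
        # Get-ItemPropertyValue throws when the key or value is absent. Absence means the
        # template has written nothing, which gpedit displays as "Not configured".
        try {
            $data = Get-ItemPropertyValue -Path $path -Name $Policy.Value -ErrorAction Stop
        } catch {
            continue
        }
        # 1/0 is the usual Enabled/Disabled encoding for these templates; anything else is
        # reported as-is so the reader checks the template's own semantics.
        $state = switch ($data) { 1 { 'Enabled' } 0 { 'Disabled' } default { 'Other' } }
        return [pscustomobject]@{
            Policy   = $Policy.Name
            Location = "$path\$($Policy.Value)"
            Data     = $data
            State    = $state
        }
    }
    [pscustomobject]@{ Policy = $Policy.Name; Location = '(none)'; Data = $null; State = 'Not configured' }
}

$Policies | ForEach-Object { Get-PolicyState -Policy $_ } | Format-Table -AutoSize
```

The Location column shows which hive the value was found in, so you can tell a Computer Configuration deployment from a User Configuration one; a policy that is expected but reports Not configured usually means the GPO has not been linked, filtered, or refreshed on this device, which gpupdate /force followed by a rerun of the script will confirm.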

Device Control

This policy setting allows you to enable or disable Defender Device Control on this device.

Note:
You must be enrolled as E3 or E5 in order for Device Control to be enabled.

Select Device Control Default Enforcement Policy

This policy setting allows for three settings:

  • Default Allow
    Choosing this default enforcement will allow any operation on the attached devices if no policy rules are found to match.
  • Default Deny
    Choosing this default enforcement will deny any operation on the attached devices if no policy rules are found to match.

Default Enforcement will establish what decision should be made during the Device Control access checks when none of the policy rules match.

Define Device Control evidence data remote location

This policy setting defines the remote location of the evidence file, to which the Device Control service moves the evidence data it captures.

Control whether or not exclusions are visible to Local Admins

This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that are not Local Admins) exclusions are not visible, whether or not this setting is enabled. If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App or via PowerShell. If you enable this setting, Local Admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell.

Note:
Applying this setting will not remove exclusions; it will only prevent them from being visible to Local Admins. This is reflected in the Get-MpPreference PowerShell cmdlet.

Select the channel for Microsoft Defender monthly platform updates

Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. Then select one of the channels:

  • Beta Channel
    Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
  • Current Channel (Preview)
    Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
  • Current Channel (Staged)
    Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
  • Current Channel (Broad)
    Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
  • Critical – Time delay
    Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.

If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. This is suitable for most devices.

Select the channel for Microsoft Defender monthly engine updates

Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. Then select one of the channels:

  • Beta Channel
    Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
  • Current Channel (Preview)
    Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
  • Current Channel (Staged)
    Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
  • Current Channel (Broad)
    Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
  • Critical – Time delay
    Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.

If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. This is suitable for most devices.

Select the channel for Microsoft Defender daily security intelligence updates

Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. Then select one of the channels:

  • Current Channel (Staged)
    Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%).
  • Current Channel (Broad)
    Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
  • Critical – Time delay
    Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.

If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. This is suitable for most devices.

Configure time interval for service health reports

This policy setting configures the time interval (in minutes) for the service health reports to be sent from endpoints. If you disable or do not configure this setting, the default value will be applied. The default value is set at 60 minutes (1 hour). If you configure this setting to 0, no service health reports will be sent. The maximum value allowed to be set is 14400 minutes (10 days).

CPU throttling type

This policy setting determines whether the maximum percentage CPU utilization permitted during a scan applies only to scheduled scans, or to both scheduled and custom scans (but not real-time protection). The maximum CPU utilization limit is also referred to as CPU throttling, or a CPU usage limit. The default value for this policy setting is True, which means CPU throttling is applied only to scheduled scans. If you either enable or do not configure this setting, CPU throttling will apply only to scheduled scans. If you disable this setting, CPU throttling will apply to scheduled and custom scans.

Disable gradual rollout of Microsoft Defender updates

Enable this policy to disable gradual rollout of Defender updates. When enabled, the device will use the Current Channel (Broad). Devices set to this channel will be offered updates last during the gradual release cycle. Best for datacenter machines that only receive limited updates.

If you disable or do not configure this policy, the device will remain in Current Channel (Default), unless specified otherwise in specific channels for platform and engine updates. The device then stays up to date automatically during the gradual release cycle. This is suitable for most devices.

Note:
This setting applies to both monthly as well as daily Defender updates and will override any previously configured channel selections for platform and engine updates.
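The Defender settings in this section (exclusion visibility, the three update channels, the service health report interval, the CPU throttling type and the gradual rollout switch) all surface through the Get-MpPreference cmdlet the article mentions, which is the quickest way to confirm that a GPO actually landed on a device. The following PowerShell is an added example, not code from the article or from Microsoft: it snapshots those preferences and wraps the article's per-channel guidance into a ring-based helper built on Set-MpPreference. The property and parameter names (HideExclusionsFromLocalAdmins, PlatformUpdatesChannel, EngineUpdatesChannel, DefinitionUpdatesChannel, DisableGradualRelease, ServiceHealthReportInterval, ThrottleForScheduledScanOnly) and the channel value names (Preview, Staged, Broad, Delayed) are those of the Defender PowerShell module as I know them and are assumptions to check with Get-Help Set-MpPreference on your build; the ring names are my own.

```powershell
# Added example (not from the article or from Microsoft). Assumes the Defender
# PowerShell module property/parameter names listed in the lead-in; verify them with
# Get-Help Set-MpPreference. Values delivered by Group Policy take precedence over
# anything set locally with Set-MpPreference and are restored at the next policy refresh.

function Get-DefenderRolloutState {
    # Snapshot of the preferences driven by the Group Policy settings in this section.
    $pref = Get-MpPreference
    [pscustomobject]@{
        HideExclusionsFromLocalAdmins = $pref.HideExclusionsFromLocalAdmins
        # For a local admin this count is empty when exclusions are hidden (or none exist);
        # the article's note says hiding does not delete the exclusions themselves.
        VisibleExclusionPaths         = @($pref.ExclusionPath).Count
        PlatformUpdatesChannel        = $pref.PlatformUpdatesChannel
        EngineUpdatesChannel          = $pref.EngineUpdatesChannel
        DefinitionUpdatesChannel      = $pref.DefinitionUpdatesChannel    # daily security intelligence
        DisableGradualRelease         = $pref.DisableGradualRelease
        ServiceHealthReportInterval   = $pref.ServiceHealthReportInterval  # minutes; 0 = no reports
        ThrottleForScheduledScanOnly  = $pref.ThrottleForScheduledScanOnly
    }
}

function Set-DefenderRolloutRing {
    # Maps the article's per-channel guidance onto the three channel parameters
    # (ring names are my own):
    #   Validation -> Preview for platform/engine (pre-production), Staged for SI
    #   Pilot      -> Staged everywhere (~10% of production)
    #   Production -> Broad everywhere (the rest of production)
    #   Critical   -> Delayed everywhere (48-hour delay; critical environments only)
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Validation', 'Pilot', 'Production', 'Critical')]
        [string]$Ring,

        # Service health report interval in minutes; the template allows 0..14400.
        [ValidateRange(0, 14400)]
        [uint32]$HealthReportIntervalMinutes = 60
    )

    $plan = switch ($Ring) {
        'Validation' { @{ Platform = 'Preview'; Engine = 'Preview'; Definitions = 'Staged' } }
        'Pilot'      { @{ Platform = 'Staged';  Engine = 'Staged';  Definitions = 'Staged' } }
        'Production' { @{ Platform = 'Broad';   Engine = 'Broad';   Definitions = 'Broad' } }
        'Critical'   { @{ Platform = 'Delayed'; Engine = 'Delayed'; Definitions = 'Delayed' } }
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set Defender update channels to ring '$Ring'")) {
        Set-MpPreference -PlatformUpdatesChannel      $plan.Platform `
                         -EngineUpdatesChannel        $plan.Engine `
                         -DefinitionUpdatesChannel    $plan.Definitions `
                         -ServiceHealthReportInterval $HealthReportIntervalMinutes
    }
    $plan
}

# Inspect first, then preview the change without applying it.
Get-DefenderRolloutState | Format-List
Set-DefenderRolloutRing -Ring Pilot -WhatIf
```

Use the local helper only on devices that are not already governed by the channel GPOs above; where they are, Get-DefenderRolloutState is the verification step and the GPO is the source of truth. Note that enabling Disable gradual rollout of Microsoft Defender updates overrides any channel the helper sets, exactly as the article's note states for the policy.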
