Download Windows 11 22H2 Group Policy Settings and ADMX
In this article, I will list all the new Windows 11 22H2 group policy settings and cover the steps to download these settings. Microsoft has released the Group Policy Settings Reference Spreadsheet for Windows 11 2022 Update (22H2) and you can use these policy settings in your setup.
The administrative template files released for Windows 11 22H2 are what expose policy settings when you use the Group Policy Management Console (GPMC) to edit Group Policy Objects (GPOs). The spreadsheet lists all the 80+ Windows 11 22H2 GPO settings for computer and user configurations that are included in the administrative template files (.admx and .adml) delivered with Windows 11, version 22H2.
Microsoft will offer the Windows 11 22H2 update for free to eligible Windows 10 and Windows 11 devices. When I say eligible, it means the devices that meet the Windows 11 minimum requirements will get the Windows 11 22H2 upgrade.
There are different methods to upgrade to Windows 11 22H2 and for enterprises, you can use Configuration Manager or Microsoft Intune to move to version 22H2. Have a look at the detailed guide on how to upgrade to Windows 11 version 22H2 using Configuration Manager.
Download Windows 11 22H2 Group Policy Settings Reference Spreadsheet
Let’s look at the steps to download the group policy settings reference spreadsheet for Windows 11 (22H2). This spreadsheet shows the policy settings for computer and user configurations that come with Windows 11 2022 Update (22H2) and are part of the Administrative template files. You can configure these policy settings when you edit Group Policy Objects.
Use the following steps to download the Group Policy settings reference spreadsheet for Windows 11 22H2:
- Launch the browser on your computer and browse to the Group Policy Settings Reference Spreadsheet for Windows 11 2022 Update (22H2) download page.
- Click the Download button. In the File Download dialog box, click Save. In the Save As dialog box, browse to the directory on your computer to which you want to save the GPO spreadsheet file.
The file named Windows11andWindowsServer2019PolicySettings–22H2.xlsx is included in the download. You will require Microsoft Excel to open this file and view the data. Check out how to download and install Microsoft Office 2021.
Use the Excel program to access the Windows 11 22H2 Group Policy Settings Reference Spreadsheet. Select the Administrative Templates tab and here we can see a list of new Windows 11 22H2 Group Policy Settings.
List of Windows 11 22H2 Group Policy Settings
The table below lists all the new group policy settings released for Windows 11 22H2 by Microsoft. For each setting, it gives the GPO name along with the policy path and policy description.
Windows 11 22H2 Group Policy Settings Name | GPO Policy Path | Group Policy Description |
Hide messages when Windows system requirements are not met | System | This policy controls messages which are shown when Windows is running on a device that does not meet the minimum system requirements for this OS version. If you enable this policy setting, these messages will never appear on desktop or in the Settings app. |
Hide and disable all items on the desktop | Desktop | Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. |
Enable App Installer | Windows Components\Desktop App Installer | This policy controls whether the Windows Package Manager can be used by users. If you enable or do not configure this setting, users will be able to use the Windows Package Manager. |
Enable App Installer Settings | Windows Components\Desktop App Installer | This policy controls whether users can change their settings. If you enable or do not configure this setting, users will be able to change settings for the Windows Package Manager. If you disable this setting, users will not be able to change settings for the Windows Package Manager. |
Enable App Installer Experimental Features | Windows Components\Desktop App Installer | This policy controls whether users can enable experimental features in the Windows Package Manager. If you enable or do not configure this setting, users will be able to enable experimental features for the Windows Package Manager. |
Enable App Installer Local Manifest Files | Windows Components\Desktop App Installer | This policy controls whether users can install packages with local manifest files. If you enable or do not configure this setting, users will be able to install packages with local manifests using the Windows Package Manager. |
Enable App Installer Hash Override | Windows Components\Desktop App Installer | This policy controls whether or not the Windows Package Manager can be configured to enable the ability to override the SHA256 security validation in settings. |
Enable App Installer Default Source | Windows Components\Desktop App Installer | This policy controls the default source included with the Windows Package Manager. |
Enable App Installer Microsoft Store Source | Windows Components\Desktop App Installer | This policy controls the Microsoft Store source included with the Windows Package Manager. |
Set App Installer Source Auto Update Interval In Minutes | Windows Components\Desktop App Installer | This policy controls the auto-update interval for package-based sources. |
Enable App Installer Additional Sources | Windows Components\Desktop App Installer | This policy controls additional sources provided by the enterprise IT administrator. |
Enable App Installer Allowed Sources | Windows Components\Desktop App Installer | This policy controls additional sources allowed by the enterprise IT administrator. |
Enable App Installer ms-appinstaller protocol | Windows Components\Desktop App Installer | This policy controls whether users can install packages from a website that is using the ms-appinstaller protocol. |
Configure Discovery of Designated Resolvers (DDR) protocol | Network\DNS Client | Specifies if the DNS client would use the DDR protocol. |
Configure NetBIOS settings | Network\DNS Client | Specifies if the DNS client will perform name resolution over NetBIOS. |
Turn off files from Office.com in Quick access view | Windows Components\File Explorer | Turning off files from Office.com will prevent File Explorer from requesting recent cloud file metadata and displaying it in the Quick access view. |
Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects | Windows Components\Internet Explorer\Security Features\Add-on Management | This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. |
Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects | Windows Components\Internet Explorer\Security Features\Add-on Management | This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. |
Enable global window list in Internet Explorer mode | Windows Components\Internet Explorer | This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications. |
Enable global window list in Internet Explorer mode | Windows Components\Internet Explorer | This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications. |
Reset zoom to default for HTML dialogs in Internet Explorer mode | Windows Components\Internet Explorer | This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode. If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page. |
Reset zoom to default for HTML dialogs in Internet Explorer mode | Windows Components\Internet Explorer | This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode. |
Disable HTML Application | Windows Components\Internet Explorer | This policy setting specifies if running the HTML Application (HTA file) is blocked or allowed. If you enable this policy setting, running the HTML Application (HTA file) will be blocked. If you disable or do not configure this policy setting, running the HTML Application (HTA file) is allowed. |
Disable HTML Application | Windows Components\Internet Explorer | This policy setting specifies if running the HTML Application (HTA file) is blocked or allowed. If you enable this policy setting, running the HTML Application (HTA file) will be blocked. If you disable or do not configure this policy setting, running the HTML Application (HTA file) is allowed. |
Configure hash algorithms for certificate logon | System\KDC | This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication. |
Configure hash algorithms for certificate logon | System\Kerberos | This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication. |
Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon | System\Kerberos | This policy setting allows retrieving the Azure AD Kerberos Ticket Granting Ticket during logon. |
Request traffic compression for all shares | Network\Lanman Server | This policy controls whether the SMB server requests SMB client to use traffic compression for all SMB shares. If you enable this policy setting, the SMB server will by default request the SMB client to compress traffic when SMB compression is enabled. |
Disable SMB compression | Network\Lanman Server | This policy controls whether the SMB server will disable (completely prevent) traffic compression. |
Use SMB compression by default | Network\Lanman Workstation | This policy controls whether the SMB client uses traffic compression by default. If you enable this policy setting, the SMB client will attempt to compress traffic by default when SMB compression is enabled. |
Disable SMB compression | Network\Lanman Workstation | This policy controls whether the SMB client will disable (completely prevent) traffic compression. |
Allow Custom SSPs and APs to be loaded into LSASS | System\Local Security Authority | This policy controls the configuration under which LSASS loads custom SSPs and APs. If you enable this setting or do not configure it, LSA allows custom SSPs and APs to be loaded. If you disable this setting, LSA does not load custom SSPs and APs. |
Configures LSASS to run as a protected process | System\Local Security Authority | This policy controls the configuration under which LSASS is run. If you do not configure this policy and there is no current setting in the registry, LSA will run as protected process for clean installed, HVCI capable, client SKUs that are domain or cloud domain joined devices. |
Suppress the display of Edge Deprecation Notification | Windows Components\Microsoft Edge | You can configure Microsoft Edge to suppress the display of the notification that informs users that support of this version of Microsoft Edge ended on March 9th, 2021. If enabled, the notification will not show. If disabled or not configured, the notification will show every time Edge is launched. |
Suppress the display of Edge Deprecation Notification | Windows Components\Microsoft Edge | You can configure Microsoft Edge to suppress the display of the notification that informs users that support of this version of Microsoft Edge ended on March 9th, 2021. If enabled, the notification will not show. If disabled or not configured, the notification will show every time Edge is launched. |
Only allow device authentication for the Microsoft Account Sign-In Assistant | Windows Components\Microsoft account | This setting determines whether to only allow enterprise device authentication for the Microsoft Account Sign-in Assistant service (wlidsvc). By default, this setting is disabled and allows both user and device authentication. When the value is set to 1, only allow device authentication, and block user authentication. |
Enable ESS with Supported Peripherals | Windows Components\Windows Hello for Business | While this policy is enabled on Windows 11 devices, external biometric authentication with Windows Hello will be blocked. |
Limits print driver installation to Administrators | Printers | Determines whether users that aren’t Administrators can install print drivers on this computer. By default, users that aren’t Administrators can’t install print drivers on this computer. If you enable this setting or do not configure it, the system will limit installation of print drivers to Administrators of this computer. If you disable this setting, the system won’t limit installation of print drivers to this computer. |
Manage processing of Queue-specific files | Printers | Manages how Queue-specific files are processed during printer installation. |
Manage Print Driver signature validation | Printers | This policy setting controls the print driver signature validation mechanism. This policy controls the type of digital signature that is required for a print driver to be considered valid and installed on the system. |
Manage Print Driver exclusion list | Printers | This policy setting controls the print driver exclusion list. The exclusion list allows an administrator to curate a list of printer drivers that are not allowed to be installed on the system. |
Configure RPC listener settings | Printers | This policy setting controls which protocols incoming RPC connections to the print spooler are allowed to use. By default, RPC over TCP is enabled and Negotiate is used for the authentication protocol. |
Configure RPC connection settings | Printers | This policy setting controls which protocol and protocol settings to use for outgoing RPC connections to a remote print spooler. |
Configure RPC over TCP port | Printers | This policy setting controls which port is used for RPC over TCP for incoming connections to the print spooler and outgoing connections to remote print spoolers. |
Always send job page count information for IPP printers | Printers | Determines whether to always send page count information for accounting purposes for printers using the Microsoft IPP Class Driver. |
Configure Redirection Guard | Printers | Determines whether Redirection Guard is enabled for the print spooler. You can enable this setting to configure the Redirection Guard policy being applied to spooler. If you disable or do not configure this policy setting, Redirection Guard will default to being ‘enabled’. |
Fully disable Search UI | Windows Components\Search | If you enable this policy, the Search UI will be disabled along with all its entry points, such as keyboard shortcuts, touchpad gestures, and type-to-search in the Start menu. The Start menu’s search box and Search Taskbar button will also be hidden. If you disable or don’t configure this policy setting, the user will be able to open the Search UI and its different entry points will be shown. |
Allow search highlights | Windows Components\Search | Disabling this setting turns off search highlights in the start menu search box and in search home. Enabling or not configuring this setting turns on search highlights in the start menu search box and in search home. |
Force Instant Dim | Windows Components\Human Presence | Determines whether Attention Based Display Dimming is forced on/off by the MDM policy. The user will not be able to change this setting and the toggle in the UI will be greyed out. |
Do not sync accessibility settings | Windows Components\Sync your settings | Prevent the “accessibility” group from syncing to and from this PC. This turns off and disables the “accessibility” group on the “Windows backup” settings page in PC settings. |
Remove Run menu from Start Menu | Start Menu and Taskbar | Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. |
Prevent changes to Taskbar and Start Menu Settings | Start Menu and Taskbar | This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. If you enable this policy setting, the user will be prevented from opening the Taskbar Properties dialog box. |
Remove access to the context menus for the taskbar | Start Menu and Taskbar | This policy setting allows you to remove access to the context menus for the taskbar. If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, the clock, and the taskbar buttons. If you disable or do not configure this policy setting, the context menus for the taskbar are available. This policy setting does not prevent users from using other methods to issue the commands that appear on these menus. |
Prevent users from uninstalling applications from Start | Start Menu and Taskbar | If you enable this setting, users cannot uninstall apps from Start. If you disable this setting or do not configure it, users can access the uninstall command from Start. |
Remove Recommended section from Start Menu | Start Menu and Taskbar | This policy allows you to prevent the Start Menu from displaying a list of recommended applications and files. If you enable this policy setting, the Start Menu will no longer show the section containing a list of recommended files and apps. |
Remove Recommended section from Start Menu | Start Menu and Taskbar | This policy allows you to prevent the Start Menu from displaying a list of recommended applications and files. If you enable this policy setting, the Start Menu will no longer show the section containing a list of recommended files and apps. |
Simplify Quick Settings Layout | Start Menu and Taskbar | If you enable this policy, Quick Settings will be reduced to only having the WiFi, Bluetooth, Accessibility, and VPN buttons; the brightness and volume sliders; and battery indicator and link to the Settings app. If you disable or don’t configure this policy setting, the regular Quick Settings layout will appear whenever Quick Settings is invoked. |
Disable Editing Quick Settings | Start Menu and Taskbar | If you enable this policy, the user will be unable to modify Quick Settings. If you disable or don’t configure this policy setting, the user will be able to edit Quick Settings, such as pinning or unpinning buttons. |
Remove Quick Settings | Start Menu and Taskbar | This policy setting removes Quick Settings from the bottom-right area on the taskbar. |
Remove pinned programs from the Taskbar | Start Menu and Taskbar | This policy setting allows you to remove pinned programs from the taskbar. |
Hide the TaskView button | Start Menu and Taskbar | This policy setting allows you to hide the TaskView button. If you enable this policy setting, the TaskView button will be hidden and the Settings toggle will be disabled. |
Hide the TaskView button | Start Menu and Taskbar | This policy setting allows you to hide the TaskView button. If you enable this policy setting, the TaskView button will be hidden and the Settings toggle will be disabled. |
Do not allow WebAuthn redirection | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection | This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, security key, or other). |
Disable Cloud Clipboard integration for server-to-client data transfer | Windows Components\Remote Desktop Services\Remote Desktop Connection Client | This policy setting lets you control whether data transferred from the remote session to the client using clipboard redirection is added to the client-side Cloud Clipboard. |
Service Enabled | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen is in audit mode or off. |
Notify Malicious | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a Microsoft login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a Microsoft login URL with an invalid certificate. |
Notify Password Reuse | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they reuse their work or school password. |
Notify Unsafe App | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school passwords in Notepad, Winword, or M365 Office apps like OneNote, Word, Excel, etc. |
Device Control | Windows Components\Microsoft Defender Antivirus\Features | Enable or Disable Defender Device Control on this machine. Note: You must be enrolled as E3 or E5 in order for Device Control to be enabled. |
Select Device Control Default Enforcement Policy | Windows Components\Microsoft Defender Antivirus\Device Control | Default Allow: Choosing this default enforcement will Allow any operations to occur on the attached devices if no policy rules are found to match. |
Define Device Control evidence data remote location | Windows Components\Microsoft Defender Antivirus\Device Control | Define evidence file remote location, where Device Control service will move evidence data captured. |
Control whether or not exclusions are visible to Local Admins. | Windows Components\Microsoft Defender Antivirus | This policy setting controls whether or not exclusions are visible to Local Admins. |
Select the channel for Microsoft Defender monthly platform updates | Windows Components\Microsoft Defender Antivirus | Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. |
Select the channel for Microsoft Defender monthly engine updates | Windows Components\Microsoft Defender Antivirus | Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. |
Select the channel for Microsoft Defender daily security intelligence updates | Windows Components\Microsoft Defender Antivirus | Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. |
Configure time interval for service health reports | Windows Components\Microsoft Defender Antivirus\Reporting | This policy setting configures the time interval (in minutes) for the service health reports to be sent from endpoints. |
CPU throttling type | Windows Components\Microsoft Defender Antivirus\Scan | This policy setting determines whether the maximum percentage CPU utilization permitted during a scan applies only to scheduled scans, or to both scheduled and custom scans (but not real-time protection). |
Disable gradual rollout of Microsoft Defender updates. | Windows Components\Microsoft Defender Antivirus\MpEngine | Enable this policy to disable gradual rollout of Defender updates. Current Channel (Broad): Devices set to this channel will be offered updates last during the gradual release cycle. |
Enable MPR notifications for the system | Windows Components\Windows Logon Options | This policy controls the configuration under which winlogon sends MPR notifications in the system. If you enable this setting or do not configure it, winlogon sends MPR notifications if a credential manager is configured. If you disable this setting, winlogon does not send MPR notifications. |
Download ADMX Templates for Windows 11 22H2
Along with new Windows 11 22H2 GPO settings, the ADMX templates for Windows 11 22H2 are also available for download. To install these new Windows 11 22H2 ADMX templates, refer to my guide on how to download and install Administrative Templates for Windows 11.
Follow the steps below to download Administrative Templates (.admx) for Windows 11 22H2:
- Launch the browser and browse to the Administrative Templates (.admx) for Windows 11 2022 Update (22H2) link.
- Click the Download button. In the File Download dialog box, click Save. In the Save As dialog box, browse to the directory on your computer to which you want to save the Administrative Templates (.admx) for Windows 11 September 2022 Update.msi file.
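Once the templates are extracted, the list of new settings can also be derived from the .admx and .adml files themselves by comparing two template sets. The script below is an added example, not from this article or from Microsoft: it parses each policy's scope, display name and registry key and reports what the newer set adds. The embedded XML is constructed sample data, and its policy names and registry keys are placeholders.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample data: policy names and registry keys are placeholders,
# not the values shipped in the real Windows 11 22H2 templates.
NS = 'xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"'
OLD_ADMX = rf"""<policyDefinitions {NS}><policies>
  <policy name="ExampleHideDesktop" class="User" displayName="$(string.HideDesktop)"
          key="Software\Policies\Example\Desktop" valueName="NoDesktop"/>
</policies></policyDefinitions>"""
NEW_ADMX = rf"""<policyDefinitions {NS}><policies>
  <policy name="ExampleHideDesktop" class="User" displayName="$(string.HideDesktop)"
          key="Software\Policies\Example\Desktop" valueName="NoDesktop"/>
  <policy name="ExampleDisableHta" class="Both" displayName="$(string.DisableHta)"
          key="Software\Policies\Example\Hta" valueName="DisableHTMLApplication"/>
  <policy name="ExampleLsaProtected" class="Machine" displayName="$(string.LsaProtected)"
          key="Software\Policies\Example\Lsa" valueName="RunAsProtected"/>
</policies></policyDefinitions>"""
ADML = f"""<policyDefinitionResources {NS}><resources><stringTable>
  <string id="HideDesktop">Hide and disable all items on the desktop</string>
  <string id="DisableHta">Disable HTML Application</string>
  <string id="LsaProtected">Configures LSASS to run as a protected process</string>
</stringTable></resources></policyDefinitionResources>"""

def _local(tag):
    """Drop the XML namespace so the element name can be compared directly."""
    return tag.rsplit("}", 1)[-1]

def _strings(adml):
    """Map string id -> text from an .adml language resource file."""
    return {e.get("id"): (e.text or "").strip()
            for e in ET.fromstring(adml).iter() if _local(e.tag) == "string"}

def load_policies(admx, adml, source):
    """Return {(source, policy name, scope): details} for one .admx/.adml pair."""
    strings, found = _strings(adml), {}
    for e in ET.fromstring(admx).iter():
        if _local(e.tag) != "policy":
            continue
        ref = e.get("displayName", "")
        # displayName is a "$(string.ID)" reference into the .adml string table.
        display = strings.get(ref[9:-1], ref) if ref.startswith("$(string.") else ref
        # class="Both" means the policy exists for both Machine and User scope.
        scopes = ("Machine", "User") if e.get("class") == "Both" else (e.get("class"),)
        for scope in scopes:
            found[(source, e.get("name"), scope)] = {
                "display": display, "key": e.get("key"), "value": e.get("valueName")}
    return found

def load_dir(policy_dir, lang="en-US"):
    """Load every .admx in a PolicyDefinitions folder with its <lang> .adml."""
    found = {}
    for admx in Path(policy_dir).glob("*.admx"):
        adml = admx.parent / lang / (admx.stem + ".adml")
        if adml.exists():  # skip templates without a resource file for this language
            found.update(load_policies(admx.read_bytes(), adml.read_bytes(), admx.name))
    return found

def new_policies(old, new):
    """Keys present in the newer template set but not in the older one."""
    return sorted(set(new) - set(old))

def demo():
    old = load_policies(OLD_ADMX, ADML, "sample.admx")
    new = load_policies(NEW_ADMX, ADML, "sample.admx")
    return [(k[2], new[k]["display"], new[k]["key"]) for k in new_policies(old, new)]

if __name__ == "__main__":
    for scope, display, key in demo():
        print(f"{scope:8} {display}  [{key}]")
```

To compare real template sets, pass two PolicyDefinitions folders to `load_dir` (for example, a copy taken before installing the 22H2 templates and the folder after) and feed both results to `new_policies`.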