Download Windows 11 22H2 Group Policy Settings and ADMX

In this article, I will list all the new Windows 11 22H2 group policy settings and cover the steps to download these settings. Microsoft has released the Group Policy Settings Reference Spreadsheet for Windows 11 2022 Update (22H2) and you can use these policy settings in your setup.

The administrative template files released for Windows 11 22H2 are the files used to expose policy settings when you use the Group Policy Management Console (GPMC) to edit Group Policy Objects (GPOs). The spreadsheet lists all the 80+ Windows 11 22H2 GPO settings for computer and user configurations that are included in the administrative template files (.admx and .adml) delivered with Windows 11, version 22H2.

Microsoft will offer the Windows 11 22H2 update for free to eligible Windows 10 and Windows 11 devices. Eligible here means that devices that meet the Windows 11 minimum requirements will get the Windows 11 22H2 upgrade.

There are different methods to upgrade to Windows 11 22H2 and for enterprises, you can use Configuration Manager or Microsoft Intune to move to version 22H2. Have a look at the detailed guide on how to upgrade to Windows 11 version 22H2 using Configuration Manager.

Download Windows 11 22H2 Group Policy Settings Reference Spreadsheet

Let’s look at the steps to download the group policy settings reference spreadsheet for Windows 11 (22H2). This spreadsheet shows the policy settings for computer and user configurations that come with Windows 11 2022 Update (22H2) and are part of the Administrative template files. You can configure these policy settings when you edit Group Policy Objects.

Use the following steps to download Group Policy settings reference spreadsheet for Windows 11 22H2:


The file named Windows11andWindowsServer2019PolicySettings–22H2.xlsx is included in the download. You will require Microsoft Excel to open this file and view the data. Check out how to download and install Microsoft Office 2021.

Use the Excel program to access the Windows 11 22H2 Group Policy Settings Reference Spreadsheet. Select the Administrative Templates tab and here we can see a list of new Windows 11 22H2 Group Policy Settings.


List of Windows 11 22H2 Group Policy Settings

The table below lists all the new group policy settings that Microsoft released for Windows 11 22H2, giving each GPO name along with its policy path and policy description.

| Windows 11 22H2 Group Policy Settings Name | GPO Policy Path | Group Policy Description |
| --- | --- | --- |
| Hide messages when Windows system requirements are not met | System | This policy controls messages which are shown when Windows is running on a device that does not meet the minimum system requirements for this OS version. If you enable this policy setting, these messages will never appear on desktop or in the Settings app. |
| Hide and disable all items on the desktop | Desktop | Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. |
| Enable App Installer | Windows Components\Desktop App Installer | This policy controls whether the Windows Package Manager can be used by users. If you enable or do not configure this setting, users will be able to use the Windows Package Manager. |
| Enable App Installer Settings | Windows Components\Desktop App Installer | This policy controls whether users can change their settings. If you enable or do not configure this setting, users will be able to change settings for the Windows Package Manager. If you disable this setting, users will not be able to change settings for the Windows Package Manager. |
| Enable App Installer Experimental Features | Windows Components\Desktop App Installer | This policy controls whether users can enable experimental features in the Windows Package Manager. If you enable or do not configure this setting, users will be able to enable experimental features for the Windows Package Manager. |
| Enable App Installer Local Manifest Files | Windows Components\Desktop App Installer | This policy controls whether users can install packages with local manifest files. If you enable or do not configure this setting, users will be able to install packages with local manifests using the Windows Package Manager. |
| Enable App Installer Hash Override | Windows Components\Desktop App Installer | This policy controls whether or not the Windows Package Manager can be configured to enable the ability override the SHA256 security validation in settings. |
| Enable App Installer Default Source | Windows Components\Desktop App Installer | This policy controls the default source included with the Windows Package Manager. |
| Enable App Installer Microsoft Store Source | Windows Components\Desktop App Installer | This policy controls the Microsoft Store source included with the Windows Package Manager. |
| Set App Installer Source Auto Update Interval In Minutes | Windows Components\Desktop App Installer | This policy controls the auto-update interval for package-based sources. |
| Enable App Installer Additional Sources | Windows Components\Desktop App Installer | This policy controls additional sources provided by the enterprise IT administrator. |
| Enable App Installer Allowed Sources | Windows Components\Desktop App Installer | This policy controls additional sources allowed by the enterprise IT administrator. |
| Enable App Installer ms-appinstaller protocol | Windows Components\Desktop App Installer | This policy controls whether users can install packages from a website that is using the ms-appinstaller protocol. |
| Configure Discovery of Designated Resolvers (DDR) protocol | Network\DNS Client | Specifies if the DNS client would use the DDR protocol. |
| Configure NetBIOS settings | Network\DNS Client | Specifies if the DNS client will perform name resolution over NetBIOS. |
| Turn off files from Office.com in Quick access view | Windows Components\File Explorer | Turning off files from Office.com will prevent File Explorer from requesting recent cloud file metadata and displaying it in the Quick access view. |
| Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects | Windows Components\Internet Explorer\Security Features\Add-on Management | This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. |
| Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects | Windows Components\Internet Explorer\Security Features\Add-on Management | This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. |
| Enable global window list in Internet Explorer mode | Windows Components\Internet Explorer | This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications. |
| Enable global window list in Internet Explorer mode | Windows Components\Internet Explorer | This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications. |
| Reset zoom to default for HTML dialogs in Internet Explorer mode | Windows Components\Internet Explorer | This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode. If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page. |
| Reset zoom to default for HTML dialogs in Internet Explorer mode | Windows Components\Internet Explorer | This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode. |
| Disable HTML Application | Windows Components\Internet Explorer | This policy setting specifies if running the HTML Application (HTA file) is blocked or allowed. If you enable this policy setting, running the HTML Application (HTA file) will be blocked. If you disable or do not configure this policy setting, running the HTML Application (HTA file) is allowed. |
| Disable HTML Application | Windows Components\Internet Explorer | This policy setting specifies if running the HTML Application (HTA file) is blocked or allowed. If you enable this policy setting, running the HTML Application (HTA file) will be blocked. If you disable or do not configure this policy setting, running the HTML Application (HTA file) is allowed. |
| Configure hash algorithms for certificate logon | System\KDC | This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication. |
| Configure hash algorithms for certificate logon | System\Kerberos | This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication. |
| Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon | System\Kerberos | This policy setting allows retrieving the Azure AD Kerberos Ticket Granting Ticket during logon. |
| Request traffic compression for all shares | Network\Lanman Server | This policy controls whether the SMB server requests SMB client to use traffic compression for all SMB shares. If you enable this policy setting, the SMB server will by default request the SMB client to compress traffic when SMB compression is enabled. |
| Disable SMB compression | Network\Lanman Server | This policy controls whether the SMB server will disable (completely prevent) traffic compression. |
| Use SMB compression by default | Network\Lanman Workstation | This policy controls whether the SMB client uses traffic compression by default. If you enable this policy setting, the SMB client will attempt to compress traffic by default when SMB compression is enabled. |
| Disable SMB compression | Network\Lanman Workstation | This policy controls whether the SMB client will disable (completely prevent) traffic compression. |
| Allow Custom SSPs and APs to be loaded into LSASS | System\Local Security Authority | This policy controls the configuration under which LSASS loads custom SSPs and APs. If you enable this setting or do not configure it, LSA allows custom SSPs and APs to be loaded. If you disable this setting, LSA does not load custom SSPs and APs. |
| Configures LSASS to run as a protected process | System\Local Security Authority | This policy controls the configuration under which LSASS is run. If you do not configure this policy and there is no current setting in the registry, LSA will run as protected process for clean installed, HVCI capable, client SKUs that are domain or cloud domain joined devices. |
| Suppress the display of Edge Deprecation Notification | Windows Components\Microsoft Edge | You can configure Microsoft Edge to suppress the display of the notification that informs users that support of this version of Microsoft Edge ended on March 9th, 2021. If enabled, the notification will not show. If disabled or not configured, the notification will show every time Edge is launched. |
| Suppress the display of Edge Deprecation Notification | Windows Components\Microsoft Edge | You can configure Microsoft Edge to suppress the display of the notification that informs users that support of this version of Microsoft Edge ended on March 9th, 2021. If enabled, the notification will not show. If disabled or not configured, the notification will show every time Edge is launched. |
| Only allow device authentication for the Microsoft Account Sign-In Assistant | Windows Components\Microsoft account | This setting determines whether to only allow enterprise device authentication for the Microsoft Account Sign-in Assistant service (wlidsvc). By default, this setting is disabled and allows both user and device authentication. When the value is set to 1, only allow device authentication, and block user authentication. |
| Enable ESS with Supported Peripherals | Windows Components\Windows Hello for Business | While this policy is enabled on Windows 11 devices, external biometric authentication with Windows Hello will be blocked. |
| Limits print driver installation to Administrators | Printers | Determines whether users that aren’t Administrators can install print drivers on this computer. By default, users that aren’t Administrators can’t install print drivers on this computer. If you enable this setting or do not configure it, the system will limit installation of print drivers to Administrators of this computer. If you disable this setting, the system won’t limit installation of print drivers to this computer. |
| Manage processing of Queue-specific files | Printers | Manages how Queue-specific files are processed during printer installation. |
| Manage Print Driver signature validation | Printers | This policy setting controls the print driver signature validation mechanism. This policy controls the type of digital signature that is required for a print driver to be considered valid and installed on the system. |
| Manage Print Driver exclusion list | Printers | This policy setting controls the print driver exclusion list. The exclusion list allows an administrator to curate a list of printer drivers that are not allowed to be installed on the system. |
| Configure RPC listener settings | Printers | This policy setting controls which protocols incoming RPC connections to the print spooler are allowed to use. By default, RPC over TCP is enabled and Negotiate is used for the authentication protocol. |
| Configure RPC connection settings | Printers | This policy setting controls which protocol and protocol settings to use for outgoing RPC connections to a remote print spooler. |
| Configure RPC over TCP port | Printers | This policy setting controls which port is used for RPC over TCP for incoming connections to the print spooler and outgoing connections to remote print spoolers. |
| Always send job page count information for IPP printers | Printers | Determines whether to always send page count information for accounting purposes for printers using the Microsoft IPP Class Driver. |
| Configure Redirection Guard | Printers | Determines whether Redirection Guard is enabled for the print spooler. You can enable this setting to configure the Redirection Guard policy being applied to spooler. If you disable or do not configure this policy setting, Redirection Guard will default to being ‘enabled’. |
| Fully disable Search UI | Windows Components\Search | If you enable this policy, the Search UI will be disabled along with all its entry points, such as keyboard shortcuts, touchpad gestures, and type-to-search in the Start menu. The Start menu’s search box and Search Taskbar button will also be hidden. If you disable or don’t configure this policy setting, the user will be able to open the Search UI and its different entry points will be shown. |
| Allow search highlights | Windows Components\Search | Disabling this setting turns off search highlights in the start menu search box and in search home. Enabling or not configuring this setting turns on search highlights in the start menu search box and in search home. |
| Force Instant Dim | Windows Components\Human Presence | Determines whether Attention Based Display Dimming is forced on/off by the MDM policy. The user will not be able to change this setting and the toggle in the UI will be greyed out. |
| Do not sync accessibility settings | Windows Components\Sync your settings | Prevent the “accessibility” group from syncing to and from this PC. This turns off and disables the “accessibility” group on the “Windows backup” settings page in PC settings. |
| Remove Run menu from Start Menu | Start Menu and Taskbar | Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. |
| Prevent changes to Taskbar and Start Menu Settings | Start Menu and Taskbar | This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. If you enable this policy setting, The user will be prevented from opening the Taskbar Properties dialog box. |
| Remove access to the context menus for the taskbar | Start Menu and Taskbar | This policy setting allows you to remove access to the context menus for the taskbar. If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, the clock, and the taskbar buttons. If you disable or do not configure this policy setting, the context menus for the taskbar are available. This policy setting does not prevent users from using other methods to issue the commands that appear on these menus. |
| Prevent users from uninstalling applications from Start | Start Menu and Taskbar | If you enable this setting, users cannot uninstall apps from Start. If you disable this setting or do not configure it, users can access the uninstall command from Start |
| Remove Recommended section from Start Menu | Start Menu and Taskbar | This policy allows you to prevent the Start Menu from displaying a list of recommended applications and files. If you enable this policy setting, the Start Menu will no longer show the section containing a list of recommended files and apps. |
| Remove Recommended section from Start Menu | Start Menu and Taskbar | This policy allows you to prevent the Start Menu from displaying a list of recommended applications and files. If you enable this policy setting, the Start Menu will no longer show the section containing a list of recommended files and apps. |
| Simplify Quick Settings Layout | Start Menu and Taskbar | If you enable this policy, Quick Settings will be reduced to only having the WiFi, Bluetooth, Accessibility, and VPN buttons; the brightness and volume sliders; and battery indicator and link to the Settings app. If you disable or don’t configure this policy setting, the regular Quick Settings layout will appear whenever Quick Settings is invoked. |
| Disable Editing Quick Settings | Start Menu and Taskbar | If you enable this policy, the user will be unable to modify Quick Settings. If you disable or don’t configure this policy setting, the user will be able to edit Quick Settings, such as pinning or unpinning buttons. |
| Remove Quick Settings | Start Menu and Taskbar | This policy setting removes Quick Settings from the bottom-right area on the taskbar. |
| Remove pinned programs from the Taskbar | Start Menu and Taskbar | This policy setting allows you to remove pinned programs from the taskbar. |
| Hide the TaskView button | Start Menu and Taskbar | This policy setting allows you to hide the TaskView button. If you enable this policy setting, the TaskView button will be hidden and the Settings toggle will be disabled. |
| Hide the TaskView button | Start Menu and Taskbar | This policy setting allows you to hide the TaskView button. If you enable this policy setting, the TaskView button will be hidden and the Settings toggle will be disabled. |
| Do not allow WebAuthn redirection | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection | This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, security key, or other). |
| Disable Cloud Clipboard integration for server-to-client data transfer | Windows Components\Remote Desktop Services\Remote Desktop Connection Client | This policy setting lets you control whether data transferred from the remote session to the client using clipboard redirection is added to the client-side Cloud Clipboard. |
| Service Enabled | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen is in audit mode or off. |
| Notify Malicious | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a Microsoft login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a Microsoft login URL with an invalid certificate. |
| Notify Password Reuse | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they reuse their work or school password. |
| Notify Unsafe App | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school passwords in Notepad, Winword, or M365 Office apps like OneNote, Word, Excel, etc. |
| Device Control | Windows Components\Microsoft Defender Antivirus\Features | Enable or Disable Defender Device Control on this machine. Note: You must be enrolled as E3 or E5 in order for Device Control to be enabled. |
| Select Device Control Default Enforcement Policy | Windows Components\Microsoft Defender Antivirus\Device Control | Default Allow: Choosing this default enforcement, will Allow any operations to occur on the attached devices if no policy rules are found to match. |
| Define Device Control evidence data remote location | Windows Components\Microsoft Defender Antivirus\Device Control | Define evidence file remote location, where Device Control service will move evidence data captured. |
| Control whether or not exclusions are visible to Local Admins. | Windows Components\Microsoft Defender Antivirus | This policy setting controls whether or not exclusions are visible to Local Admins. |
| Select the channel for Microsoft Defender monthly platform updates | Windows Components\Microsoft Defender Antivirus | Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. |
| Select the channel for Microsoft Defender monthly engine updates | Windows Components\Microsoft Defender Antivirus | Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. |
| Select the channel for Microsoft Defender daily security intelligence updates | Windows Components\Microsoft Defender Antivirus | Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. |
| Configure time interval for service health reports | Windows Components\Microsoft Defender Antivirus\Reporting | This policy setting configures the time interval (in minutes) for the service health reports to be sent from endpoints. |
| CPU throttling type | Windows Components\Microsoft Defender Antivirus\Scan | This policy setting determines whether the maximum percentage CPU utilization permitted during a scan applies only to scheduled scans, or to both scheduled and custom scans (but not real-time protection). |
| Disable gradual rollout of Microsoft Defender updates. | Windows Components\Microsoft Defender Antivirus\MpEngine | Enable this policy to disable gradual rollout of Defender updates. Current Channel (Broad): Devices set to this channel will be offered updates last during the gradual release cycle. |
| Enable MPR notifications for the system | Windows Components\Windows Logon Options | This policy controls the configuration under which winlogon sends MPR notifications in the system. If you enable this setting or do not configure it, winlogon sends MPR notifications if a credential manager is configured. If you disable this setting, winlogon does not send MPR notifications. |

Download ADMX Templates for Windows 11 22H2

Along with new Windows 11 22H2 GPO settings, the ADMX templates for Windows 11 22H2 are also available for download. To install these new Windows 11 22H2 ADMX templates, refer to my guide on how to download and install Administrative Templates for Windows 11.

Follow the steps below to download Administrative Templates (.admx) for Windows 11 22H2:

  • Launch the browser and browse to the Administrative Templates (.admx) for Windows 11 2022 Update (22H2) link.
  • Click the Download button. In the File Download dialog box, click Save. In the Save As dialog box, browse to the directory on your computer to which you want to save the Administrative Templates (.admx) for Windows 11 September 2022 Update.msi file.
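
Once the templates are on disk, you can confirm which policies a new template set actually adds, and which registry key each one writes to, before copying it over the existing PolicyDefinitions folder. The script below is an added example and not part of the original article or of Microsoft's tooling; the function names Get-AdmxPolicy and Compare-AdmxPolicy are hypothetical, and the two ADMX files it builds in a temp folder are constructed sample data.

```powershell
# Added example: list policies that exist in a newer PolicyDefinitions folder
# but not in an older one, with the registry key each policy writes to.

function Get-AdmxPolicy {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Filter *.admx -File | ForEach-Object {
        $file = $_
        $xml = New-Object System.Xml.XmlDocument
        $xml.Load($file.FullName)   # honours the encoding declared in the file
        # Dot notation matches local element names, so the ADMX default
        # XML namespace does not have to be registered.
        foreach ($policy in $xml.policyDefinitions.policies.policy) {
            [pscustomobject]@{
                File      = $file.Name
                Name      = $policy.GetAttribute('name')
                Class     = $policy.GetAttribute('class')      # Machine, User or Both
                Key       = $policy.GetAttribute('key')
                ValueName = $policy.GetAttribute('valueName')  # empty for element-based policies
            }
        }
    }
}

function Compare-AdmxPolicy {
    param(
        [Parameter(Mandatory)][string]$OldPath,
        [Parameter(Mandatory)][string]$NewPath
    )
    # Index the old set by file, class and policy name.
    $known = @{}
    Get-AdmxPolicy -Path $OldPath | ForEach-Object {
        $known["$($_.File)|$($_.Class)|$($_.Name)"] = $true
    }
    Get-AdmxPolicy -Path $NewPath | Where-Object {
        -not $known.ContainsKey("$($_.File)|$($_.Class)|$($_.Name)")
    }
}

# --- Constructed sample data (not real Windows policies) ---
$template = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <policies>
{0}
  </policies>
</policyDefinitions>
'@
$existing = '    <policy name="ExampleExisting" class="Machine" key="Software\Policies\Example" valueName="Existing" />'
$added    = '    <policy name="ExampleAdded" class="Machine" key="Software\Policies\Example" valueName="Added" />'

$root   = Join-Path ([System.IO.Path]::GetTempPath()) ("admx-demo-" + [guid]::NewGuid())
$oldDir = Join-Path $root 'old'
$newDir = Join-Path $root 'new'
New-Item -ItemType Directory -Path $oldDir, $newDir -Force | Out-Null

Set-Content -LiteralPath (Join-Path $oldDir 'Example.admx') -Encoding UTF8 -Value ($template -f $existing)
Set-Content -LiteralPath (Join-Path $newDir 'Example.admx') -Encoding UTF8 -Value ($template -f "$existing`n$added")

# Only the ExampleAdded policy is reported.
Compare-AdmxPolicy -OldPath $oldDir -NewPath $newDir | Format-Table -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force
```

To run it against real templates, point -OldPath at the PolicyDefinitions folder currently in use (for example %SystemRoot%\PolicyDefinitions) and -NewPath at the PolicyDefinitions folder that the downloaded MSI created.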
