Windows 11 22H2 gets a slew of new Group Policy changes

With the latest version of Windows 11 officially out, IT admins have a lot of Group Policy options at their disposal. Here’s a look at what they do.

Released officially last week, Windows 11 22H2 offers a variety of new features and options, though many aren’t yet available: Microsoft will be “dribbling” out changes throughout the coming year. The much-touted Windows File Explorer tabs, for example, have not yet rolled out, but the items released do include Enhanced Phishing Protection, which is available to consumers as well as businesses. (To take advantage of the new reporting and alerts, you do need a license to the Microsoft 365 security portal, which is included in a Microsoft 365 E5 license, or a Microsoft 365 Business Premium license. The latter is a special license for companies with fewer than 300 seats.)

Microsoft is being a bit cagey about its plans for pushing out the incremental changes in the months ahead, though it has said they won’t be enabled by default on a business or domain-joined computer. It’s also unclear whether these incremental tweaks can be controlled by registry keys on Windows 11 Home versions.

As Computerworld’s Preston Gralla explained in his Windows 11 22H2 review: “Microsoft says that from now on, Windows will get feature updates like 22H2 once a year, but that in between, individual new features may be released as often as once a month. That will happen in October, when Microsoft will release an update that delivers tabs to File Explorer. The update will be optional and delivered via a phased rollout, and will then be included in the normal monthly security update release in November.”

In addition to tabs in File Explorer, suggested actions (where Windows 11 recommends actions to take in certain applications) are also expected in October. And while Microsoft has sent signals indicating businesses will be able to control these new enhancements, it hasn’t documented exactly how.

One would think there’d be some sort of Group Policy setting to control these releases, but so far, the Group Policy templates related to the latest changes offer no clues.

With that background, here are the Group Policy changes we do see that are new in Windows 11 22H2. Many are self-explanatory; others showcase some of the operating system’s new options. They’re listed here in alphabetical order, along with brief explanations of what they do:

controlpanel.admx
Hide messages when Windows system requirements are not met.

(Clearly, many people are using this registry entry to go around the hardware mandates in Windows 11. This new setting allows administrators to hide the notification that your hardware won’t run Windows 11.)

desktop.admx
Hide and disable all items on the desktop.

This removes icons, shortcuts, and other default and user-defined items from the desktop. While this policy is not new, it does offer new options.

desktopappinstaller.admx 
Enable App Installer.
Enable App Installer Settings.
Enable App Installer Experimental Features.
Enable App Installer Local Manifest Files.
Enable App Installer Hash Override.
Enable App Installer Default Source.
Enable App Installer Microsoft Store Source.
Set App Installer Source Auto Update Interval In Minutes.
Enable App Installer Additional Sources.
Enable App Installer Allowed Sources.
Enable App Installer ms-appinstaller protocol.

These settings control whether users can run the Windows Package Manager.

dnsclient.admx
Configure Discovery of Designated Resolvers (DDR) protocol.
Configure NetBIOS settings.

This policy specifies whether the DNS client would use the DDR protocol. The Discovery of Designated Resolvers (DDR) protocol allows Windows to move from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known.

explorer.admx
Turn off files from Office.com in Quick access view.

This also will prevent File Explorer from requesting recent cloud file metadata and displaying it in the Quick access view.

inetres.admx
Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects.
Enable global window list in Internet Explorer mode.
Reset zoom to default for HTML dialogs in Internet Explorer mode.
Disable HTML Application.

This allows various browser settings.

kdc.admx
Configure hash algorithms for certificate logon.

This setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication.

kerberos.admx
Configure hash algorithms for certificate logon.
Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon.

These policies control various Kerberos settings.

lanmanserver.admx
Request traffic compression for all shares.
Disable SMB compression.

This controls various SMB compression settings.

lanmanworkstation.admx
Use SMB compression by default.
Disable SMB compression.

This, too, controls various SMB compression settings.

localsecurityauthority.admx
Allow Custom SSPs and APs to be loaded into LSASS.
Configures LSASS to run as a protected process.

This is used to control new settings regarding LSASS protection (Local security secrets).

microsoftedge.admx
Suppress the display of Edge Deprecation Notification.

This is used to control Edge notifications.

msapolicy.admx
Only allow device authentication for the Microsoft Account Sign-In Assistant.

This limits authentication methods.

passport.admx
Enable ESS with Supported Peripherals.

This Enhanced Sign-in Security isolates Windows Hello biometric (face and fingerprint) template data and matching operations to trusted hardware or specified memory regions.

printing.admx
Limits print driver installation to Administrators.
Manage processing of Queue-specific files.
Manage Print Driver signature validation.
Manage Print Driver exclusion list.
Configure RPC listener settings.
Configure RPC connection settings.
Configure RPC over TCP port.
Always send job page count information for IPP printers.
Configure Redirection Guard.

This allows settings for new printer protections.

search.admx
Fully disable Search UI.
Allow search highlights.

This allows settings for search.

sensors.admx
Force Instant Dim.

This allows admins to tweak dim settings.

settingsync.admx
Do not sync accessibility settings.

This limits sync of these settings.

startmenu.admx
Remove Run menu from Start Menu.
Prevent changes to Taskbar and Start Menu Settings.
Remove access to the context menus for the taskbar.
Prevent users from uninstalling applications from Start.
Remove Recommended section from Start Menu.
Simplify Quick Settings Layout.
Disable Editing Quick Settings.
Remove Quick Settings.

This allows additional adjustments for Start menus.

taskbar.admx
Remove pinned programs from the Taskbar.
Hide the TaskView button.

This allows additional adjustments for the Taskbar.

terminalserver.admx
Do not allow WebAuthn redirection.
Disable Cloud Clipboard integration for server-to-client data transfer.

This provides adjustments for terminal server settings.

webthreatdefense.admx
Service Enabled.
Notify Malicious.
Notify Password Reuse.
Notify Unsafe App.
Device Control.
Select Device Control Default Enforcement Policy.
Define Device Control evidence data remote location.
Control whether or not exclusions are visible to Local Admins.
Select the channel for Microsoft Defender monthly platform updates.
Select the channel for Microsoft Defender monthly engine updates.
Select the channel for Microsoft Defender daily security intelligence updates.
Configure time interval for service health reports.
CPU throttling type.
Disable gradual rollout of Microsoft Defender updates.

These are new adjustments for Enhanced Phishing Protection.

winlogon.admx
Enable MPR notifications for the system.

This policy controls the configuration under which winlogon sends MPR notifications in the system.

It remains unclear exactly how we can control these new features and whether Windows 11 2022 Home users will be able to control these new incremental changes. Stay tuned. Windows 11 is clearly still a work in progress.
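A per-template list of new settings like the one above can be produced by diffing the policy definitions in an older ADMX file against a newer one. The following is an added example, not code from the original article; the two inline templates, their policy names and their registry paths are constructed placeholders, not real Windows policies.

```python
import xml.etree.ElementTree as ET

# XML namespace used by ADMX policy definition files.
NS = {"pd": "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"}

def _admx(policies):
    """Wrap constructed <policy> elements in a minimal ADMX skeleton."""
    return ('<policyDefinitions xmlns="%s" revision="1.0" schemaVersion="1.0">'
            "<policies>%s</policies></policyDefinitions>" % (NS["pd"], policies))

# Constructed samples: names and registry paths are placeholders.
OLD_ADMX = _admx(
    '<policy name="Example_Existing" class="Machine" '
    'key="Software\\Policies\\Example\\Component" valueName="Existing"/>')
NEW_ADMX = _admx(
    '<policy name="Example_Existing" class="Machine" '
    'key="Software\\Policies\\Example\\Component" valueName="Existing"/>'
    '<policy name="Example_NewBoth" class="Both" '
    'key="Software\\Policies\\Example\\Component" valueName="NewBoth"/>'
    '<policy name="Example_NewList" class="User" '
    'key="Software\\Policies\\Example\\Component\\List"/>')

def load_policies(admx_text):
    """Map (policy name, scope) -> registry location for one ADMX document."""
    found = {}
    root = ET.fromstring(admx_text)
    for pol in root.iterfind("pd:policies/pd:policy", NS):
        cls = pol.get("class", "")
        # class="Both" means the setting exists under Computer and User config.
        scopes = ("Machine", "User") if cls == "Both" else (cls,)
        value = pol.get("valueName")  # absent when child elements hold the values
        location = pol.get("key", "") + ("\\" + value if value else "")
        for scope in scopes:
            found[(pol.get("name"), scope)] = location
    return found

def new_policies(old_text, new_text):
    """Return sorted (name, scope, registry location) added in the newer template."""
    old, new = load_policies(old_text), load_policies(new_text)
    return sorted((name, scope, new[(name, scope)])
                  for (name, scope) in new.keys() - old.keys())

if __name__ == "__main__":
    for name, scope, location in new_policies(OLD_ADMX, NEW_ADMX):
        print(f"{scope:8} {name:18} {location}")
```

To use it on real templates, read the two versions of the same .admx file from disk and pass their contents to `new_policies`; the registry location it reports is where to audit whether a setting has actually been applied.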
