With the latest version of Windows 11 officially out, IT admins have a variety of group policy options at their disposal. Here's a look at what they do.

Released officially last week, Windows 11 22H2 offers a number of new features and options, though many aren’t yet available — Microsoft will be “dribbling” out changes throughout the coming year. The much-touted Windows File Explorer tabs, for example, have not yet rolled out, but the items released do include Enhanced Phishing Protection, which is available to consumers as well as businesses. (To take advantage of the new reporting and alerts, you do need a license to the Microsoft 365 security portal, which is included in a Microsoft 365 E5 license, or a Microsoft 365 Business Premium license. The latter is a specific license for companies with fewer than 300 seats.)

Microsoft is being a bit cagey about its plans for pushing out the incremental changes in the months ahead, though it has said they won’t be enabled by default on a business or domain-joined computer. It’s also unclear whether these incremental tweaks can be controlled through registry keys on Windows 11 Home versions.

As Computerworld’s Preston Gralla explained in his Windows 11 22H2 review: “Microsoft says that from now on, Windows will get feature updates like 22H2 once a year, but that in between, individual new features may be released as often as once a month. That will happen in October, when Microsoft will release an update that delivers tabs to File Explorer. The update will be optional and delivered via a phased rollout, and will then be included in the normal monthly security update release in November.”

In addition to tabs in File Explorer, suggested actions — where Windows 11 recommends actions to take in certain applications — are also expected in October. And while Microsoft has sent signals indicating businesses will be able to control these new enhancements, it hasn’t documented exactly how.
One would think there’d be some sort of group policy setting to control these releases, but so far, the group policy templates related to the latest changes offer no clues.

With that background, here are the group policy adjustments we do see that are new in Windows 11 22H2. Many are self-explanatory, others showcase some of the operating system’s new options. They’re listed here in alphabetical order, along with brief explanations of what they do:

controlpanel.admx
- Hide messages when Windows system requirements are not met.

(Clearly, many of us are using this registry entry to go around the hardware mandates in Windows 11. This new setting allows administrators to hide the notification that your hardware won’t run Windows 11.)

desktop.admx
- Hide and disable all items on the desktop.

This removes icons, shortcuts, and other default and user-defined items from the desktop. While this policy is not new, it does offer new options.

desktopappinstaller.admx
- Enable App Installer.
- Enable App Installer Settings.
- Enable App Installer Experimental Features.
- Enable App Installer Local Manifest Files.
- Enable App Installer Hash Override.
- Enable App Installer Default Source.
- Enable App Installer Microsoft Store Source.
- Set App Installer Source Auto Update Interval In Minutes.
- Enable App Installer Additional Sources.
- Enable App Installer Allowed Sources.
- Enable App Installer ms-appinstaller protocol.

These settings control whether users can run the Windows Package Manager.

dnsclient.admx
- Configure Discovery of Designated Resolvers (DDR) protocol.
- Configure NetBIOS settings.

This policy specifies whether the DNS client would use the DDR protocol. The Discovery of Designated Resolvers (DDR) protocol allows Windows to move from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known.

explorer.admx
- Turn off files from Office.com in Quick access view.
This also will prevent File Explorer from requesting recent cloud file metadata and displaying it in the Quick access view.

inetres.admx
- Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects.
- Enable global window list in Internet Explorer mode.
- Reset zoom to default for HTML dialogs in Internet Explorer mode.
- Disable HTML Application.

This enables various browser settings.

kdc.admx
- Configure hash algorithms for certificate logon.

This setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication.

kerberos.admx
- Configure hash algorithms for certificate logon.
- Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon.

These policies control various Kerberos settings.

lanmanserver.admx
- Request traffic compression for all shares.
- Disable SMB compression.

This controls various SMB compression settings.

lanmanworkstation.admx
- Use SMB compression by default.
- Disable SMB compression.

This, too, controls various SMB compression settings.

localsecurityauthority.admx
- Allow Custom SSPs and APs to be loaded into LSASS.
- Configures LSASS to run as a protected process.

This is used to control new settings regarding LSASS protection (Local security secrets).

microsoftedge.admx
- Suppress the display of Edge Deprecation Notification.

This is used to control Edge notifications.

msapolicy.admx
- Only allow device authentication for the Microsoft Account Sign-In Assistant.

This limits authentication techniques.

passport.admx
- Enable ESS with Supported Peripherals.
This Enhanced Sign-in Security isolates Windows Hello biometric (face and fingerprint) template data and matching operations to trusted hardware or specified memory regions.

printing.admx
- Limits print driver installation to Administrators.
- Manage processing of Queue-specific files.
- Manage Print Driver signature validation.
- Manage Print Driver exclusion list.
- Configure RPC listener settings.
- Configure RPC connection settings.
- Configure RPC over TCP port.
- Always send job page count information for IPP printers.
- Configure Redirection Guard.

This allows settings for new printer protections.

search.admx
- Fully disable Search UI.
- Allow search highlights.

This allows settings for search.

sensors.admx
- Force Instant Dim.

This allows admins to tweak dim settings.

settingsync.admx
- Do not sync accessibility settings.

This limits sync of these settings.

startmenu.admx
- Remove Run menu from Start Menu.
- Prevent changes to Taskbar and Start Menu Settings.
- Remove access to the context menus for the taskbar.
- Prevent users from uninstalling applications from Start.
- Remove Recommended section from Start Menu.
- Simplify Quick Settings Layout.
- Disable Editing Quick Settings.
- Remove Quick Settings.

This allows additional adjustments for Start menus.

taskbar.admx
- Remove pinned programs from the Taskbar.
- Hide the TaskView button.

This allows additional adjustments for the Taskbar.

terminalserver.admx
- Do not allow WebAuthn redirection.
- Disable Cloud Clipboard integration for server-to-client data transfer.

This provides adjustments for terminal server settings.

webthreatdefense.admx
- Service Enabled.
- Notify Malicious.
- Notify Password Reuse.
- Notify Unsafe App.
- Device Control.
- Select Device Control Default Enforcement Policy.
- Define Device Control evidence data remote location.
- Control whether or not exclusions are visible to Local Admins.
- Select the channel for Microsoft Defender monthly platform updates.
- Select the channel for Microsoft Defender monthly engine updates.
- Select the channel for Microsoft Defender daily security intelligence updates.
- Configure time interval for service health reports.
- CPU throttling type.
- Disable gradual rollout of Microsoft Defender updates.

These are new adjustments for Enhanced Phishing Protection.

winlogon.admx
- Enable MPR notifications for the system.

This policy controls the configuration under which winlogon sends MPR notifications in the system.

It remains unclear exactly how we will be able to control these new features and whether Windows 11 2022 Home users will be able to control these new incremental changes. Stay tuned. Windows 11 is clearly still a work in progress.
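One way to produce a per-template list like the one above for your own machines is to diff two sets of ADMX files. The following is an added example, not code from the article or from Microsoft: it reports each policy that exists only in the newer set, with the registry key and value it writes. The sample templates, policy names and registry keys in it are constructed.

```python
# Added example: list policies present only in a newer set of ADMX templates.
# The sample templates, policy names and registry keys are constructed.
import xml.etree.ElementTree as ET
from pathlib import Path

def parse_admx(data: bytes) -> dict:
    """Map policy name -> (class, registry key, value name) for one ADMX file."""
    found = {}
    for el in ET.fromstring(data).iter():
        # ADMX elements are namespaced; compare on the local tag name only.
        if el.tag.rsplit("}", 1)[-1] == "policy":
            found[el.get("name")] = (el.get("class"), el.get("key"), el.get("valueName"))
    return found

def load_dir(folder: str) -> dict:
    """Read every *.admx file in a folder, keyed by lower-cased file name."""
    return {p.name.lower(): p.read_bytes() for p in Path(folder).glob("*.admx")}

def new_policies(old: dict, new: dict) -> list:
    """Rows (file, policy, class, key, valueName) that the old set lacks."""
    rows = []
    for fname, data in new.items():
        # A template file missing from the old set contributes all its policies.
        before = parse_admx(old[fname]) if fname in old else {}
        for name, (cls, key, value) in parse_admx(data).items():
            if name not in before:
                rows.append((fname, name, cls, key, value))
    return sorted(rows, key=lambda r: r[:2])

NS = b'xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"'

def sample(*policies: bytes) -> bytes:
    """Wrap constructed <policy> elements in a minimal ADMX document."""
    return (b"<policyDefinitions " + NS + b"><policies>"
            + b"".join(policies) + b"</policies></policyDefinitions>")

EXISTING = b'<policy name="ExistingSetting" class="Machine" key="SOFTWARE\\Policies\\Example" valueName="Existing"/>'
ADDED = b'<policy name="NewSetting" class="Both" key="SOFTWARE\\Policies\\Example" valueName="New"/>'
NEWFILE = b'<policy name="BrandNew" class="User" key="SOFTWARE\\Policies\\Example2"><elements/></policy>'

OLD = {"example.admx": sample(EXISTING)}
NEW = {"example.admx": sample(EXISTING, ADDED), "newfile.admx": sample(NEWFILE)}

if __name__ == "__main__":
    for row in new_policies(OLD, NEW):
        print(row)
```

For real templates, pass the results of `load_dir()` for two PolicyDefinitions folders, one copied from a machine on the older release and one from the newer, instead of `OLD` and `NEW`.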