Windows 11 22H2 gets a host of new Group Policy changes

Officially released last week, Windows 11 22H2 offers a number of new features and options, though many are not yet available: Microsoft will be "dribbling" the changes out over the next year. The much-anticipated File Explorer tabs, for example, haven't rolled out yet, but the released items include enhanced phishing protection, which is available to both consumers and businesses. (To take advantage of the new reports and alerts, you need a Microsoft 365 Security Portal license, which is included in a Microsoft 365 E5 license, or a Microsoft 365 Business Premium license. The latter is a specific license for companies with fewer than 300 seats.)

Microsoft has been somewhat vague about its plans to roll out these incremental changes in the coming months, though it has said they won't be enabled by default on domain-joined or work computers. It's also unclear whether these incremental changes can be controlled via registry keys on Windows 11 Home builds.

As Computerworld's Preston Gralla explained in his review of Windows 11 22H2: "Microsoft says that starting now, Windows will receive feature updates like 22H2 once a year, but in the meantime, individual new features may be released up to once per month." This will happen in October, when Microsoft releases an update that will bring tabs to File Explorer. The update will be optional and delivered via a rollout, and then included in the regular monthly security update release in November.

In addition to tabs in File Explorer, suggested actions, where Windows 11 recommends actions to take in certain apps, are also expected in October. And while Microsoft has signaled that companies will be able to control these new enhancements, it hasn't documented exactly how.

You'd think there would be some kind of Group Policy setting to control these releases, but so far the Group Policy templates tied to the latest changes offer no clues.

With that in mind, here are the Group Policy settings we've seen that are new to Windows 11 22H2. Many are self-explanatory; others introduce some of the new OS options. They are listed here in alphabetical order by template, along with brief explanations of what they do:

controlpanel.admx
Hide messages when Windows system requirements are not met.

(Obviously, many of us use a registry entry to bypass the hardware requirements of Windows 11. This new setting allows administrators to hide the notification that their hardware won't run Windows 11.)

desktop.admx
Hide and disable all desktop items.

This removes icons, shortcuts, and other default and user-defined items from the desktop. Although this policy is not new, it offers new options.

desktopappinstaller.admx
Enable the app installer.
Enable the app installer settings.
Enable the experimental features of the app installer.
Enable the local manifest files of the app installer.
Enable app installer hash override.
Enable the default source for the app installer.
Enable the Microsoft Store source for the app installer.
Set the automatic update interval of the app installer sources in minutes.
Enable additional sources for the app installer.
Enable allowed sources for the app installer.
Enable the ms-appinstaller protocol for the app installer.

These settings control whether and how users can run Windows Package Manager (winget) and which package sources it may use.

dnsclient.admx
Configure the Discovery of Designated Resolvers (DDR) protocol.
Configure the NetBIOS settings.

This policy specifies whether the DNS client will use the DDR protocol. The Discovery of Designated Resolvers (DDR) protocol allows Windows to switch from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known.

explorer.admx
Disable Office.com files in Quick Access view.

This will also prevent File Explorer from requesting recent cloud file metadata and displaying it in the quick access view.

inetres.admx
Disable Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects.
Enable global window list in Internet Explorer mode.
Reset default zoom for HTML dialogs in Internet Explorer mode.
Disable HTML Application.

These control various browser settings for Internet Explorer mode.

kdc.admx
Configure hash algorithms for certificate login.

This setting controls the hash or checksum algorithms used by the Kerberos client when performing certificate authentication.

kerberos.admx
Configure hash algorithms for certificate login.
Allow retrieval of Azure AD Kerberos ticket-granting tickets at login.

These policies control various Kerberos settings.

lanmanserver.admx
Request traffic compression for all shares.
Disable SMB compression.

This controls various SMB compression settings.

lanmanworkstation.admx
Use SMB compression by default.
Disable SMB compression.

This also controls various SMB compression settings.

localsecurityauthority.admx
Allow custom SSPs and APs to be loaded into LSASS.
Configure LSASS to run as a protected process.

These control the new settings for protecting LSASS (the Local Security Authority Subsystem Service), which holds credential material in memory.

microsoftedge.admx
Remove the display of the deprecation notification from Edge.

This is used to control notifications from Edge.

msapolicy.admx
Only allow device authentication for the Microsoft account sign-in assistant.

This limits the authentication methods the sign-in assistant will accept.

passport.admx
Enable ESS (Enhanced Sign-in Security) with compatible devices.

Enhanced Sign-in Security isolates Windows Hello biometric template data (face and fingerprint) and the matching operations to trusted hardware or dedicated, protected memory regions.

print.admx
Limit print driver installation to administrators.
Manage the processing of queue-specific files.
Manage print driver signature validation.
Manage the print driver exclusion list.
Configure the RPC listener settings.
Configure the RPC connection settings.
Configure the RPC over TCP port.
Always send job page count information to IPP printers.
Configure redirect protection.

This allows you to configure the new printer protections.

search.admx
Completely disable the search UI.
Allow search highlights.

These control the search settings.

sensors.admx
Force instant dimming.

This allows administrators to change brightness settings.

settingsync.admx
Don't sync accessibility settings.

This limits the synchronization of these settings across devices.

startmenu.admx
Removes the Run menu from the Start menu.
Prevent changes to taskbar and Start menu settings.
Remove access to taskbar context menus.
Prevent users from uninstalling apps from Start.
Remove the Recommended section from the Start menu.
Simplify the Quick Settings layout.
Disable Quick Settings editing.
Remove Quick Settings.

These provide additional settings for the Start menu and Quick Settings.

taskbar.admx
Remove pinned programs from the taskbar.
Hide the TaskView button.

These provide additional settings for the taskbar.

terminalserver.admx
Do not allow WebAuthn redirection.
Disable Cloud Clipboard integration for server-to-client data transfer.

This provides settings for the terminal server configuration.

webthreatdefense.admx
Service enabled.
Report Malware.
Notify password reuse.
Report insecure app.
Device control.
Select Default Device Control Application Policy.
Set remote location of Device Control evidence data.
Control whether or not exclusions are visible to local administrators.
Select the channel for monthly Microsoft Defender platform updates.
Select the channel for monthly Microsoft Defender Engine updates.
Select the channel for daily Microsoft Defender security information updates.
Configure the time interval for service status reports.
CPU throttling type.
Disable the deployment of Microsoft Defender updates.

These are the new settings for Enhanced Phishing Protection, along with a number of Microsoft Defender update-channel, device control and reporting settings.
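Since the article notes that Microsoft hasn't documented how these features are controlled, an administrator's first question is usually which registry values a given policy actually sets. The following PowerShell audit is an added example, not code from the article or from Microsoft: it reads the documented registry values behind the LSASS protection, Enhanced Phishing Protection and print driver installation policies above, and queries the SMB compression state through the standard SMB cmdlets. The interpretation of each value (which settings are "OK" and which merit review) is this example's assumption; run it elevated.

```powershell
# Added example (not from the article): report the effective state of several
# of the new Windows 11 22H2 hardening policies listed above.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent = not configured
    return $item.$Name
}

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wtds  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'
$print = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

$checks = @(
    # localsecurityauthority.admx: RunAsPPL 1 = protected with UEFI lock,
    # 2 = protected without UEFI lock, 0 or absent = LSASS is not protected
    @{ Policy = 'Configure LSASS to run as a protected process'
       Value  = Get-PolicyValue $lsa 'RunAsPPL'
       Ok     = { param($v) $v -in 1, 2 } },
    # absent means custom SSPs/APs are still allowed, so it is flagged for review
    @{ Policy = 'Allow custom SSPs and APs to be loaded into LSASS'
       Value  = Get-PolicyValue $lsa 'AllowCustomSSPsAPs'
       Ok     = { param($v) $v -eq 0 } },
    # webthreatdefense.admx: Enhanced Phishing Protection
    @{ Policy = 'Enhanced Phishing Protection: service enabled'
       Value  = Get-PolicyValue $wtds 'ServiceEnabled'
       Ok     = { param($v) $v -eq 1 } },
    @{ Policy = 'Enhanced Phishing Protection: notify password reuse'
       Value  = Get-PolicyValue $wtds 'NotifyPasswordReuse'
       Ok     = { param($v) $v -eq 1 } },
    # print.admx
    @{ Policy = 'Limit print driver installation to administrators'
       Value  = Get-PolicyValue $print 'RestrictDriverInstallationToAdministrators'
       Ok     = { param($v) $v -eq 1 } }
)

foreach ($c in $checks) {
    $state   = if ($null -eq $c.Value) { 'not configured' } else { "value=$($c.Value)" }
    $verdict = if (& $c.Ok $c.Value) { 'OK' } else { 'REVIEW' }
    '{0,-7} {1} ({2})' -f $verdict, $c.Policy, $state
}

# lanmanserver.admx / lanmanworkstation.admx: SMB compression state is exposed
# by the SMB cmdlets; these properties are assumed present on 22H2 builds.
Get-SmbServerConfiguration | Select-Object DisableCompression, RequestCompression
Get-SmbClientConfiguration | Select-Object DisableCompression, RequestCompression
```

A REVIEW line means the policy is absent or set to a less protective value, not necessarily that it is misconfigured; compare it against what the domain's GPOs are meant to deliver.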

winlogon.admx
Enable MPR notifications for the system.

This policy controls whether winlogon sends MPR (Multiple Provider Router) notifications to the system.

It's unclear exactly how we'll be able to control these new features and whether Windows 11 2022 Home users will be able to control these new incremental changes. Stay tuned. Clearly, Windows 11 is still a work in progress.

Copyright © 2022 IDG Communications, Inc.