Windows 11 introduces several new settings for group policies. They give admins more control over device installations by users, allow them to configure DNS over HTTPS (DoH) or enable them to choose different update sources by update type. Some of the settings are also available for Windows 10 21H2.
If you believe the current Group Policy Settings Reference Spreadsheet, then Windows 11 brings a whopping 111 new settings. However, most of them are only the result of the notoriously poor documentation.
For example, all settings for Windows Update are considered new just because Microsoft has reordered them in a new folder structure. In addition, there are those whose names have changed, such as from Allow Telemetry to Allow Diagnostic Data. They also count as new.
If you take a look at the documentation of the security baseline, it shows a clearer picture. The Excel spreadsheet shows 61 new settings. If you remove the duplicates between the computer and the user scopes, then 56 remain.
DoH and device installation
Among those that remain are only two settings that actually apply to new features. The first is Configure DNS over HTTPS (DoH) name resolution, with which you can deactivate, force, or simply allow DNS over HTTPS. This option is missing in Windows 10, but the template for Windows 11 specifies Vista as the minimum OS version supported.
The second major innovation is about device installation. There, thanks to the option Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria, you now get finer control over which devices users are allowed to install.
Different sources depending on the type of update
21H2 brings an interesting new option for Windows Update. Specify source service for specific classes of Windows Updates now allows you to obtain each type of update (quality, feature update, driver, or other) from either WSUS or Windows Update.
Before configuring this setting, you should disable Do not allow update deferral policies to cause scans against Windows Update.
If you use the templates for Windows 11, you can find this setting in the new Legacy Guidelines folder.
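The following PowerShell function is an added example (not from the original article) that audits the registry-backed state of the two update-source policies just described. The registry value names (DisableDualScan, SetPolicyDrivenUpdateSourceFor*Updates, WUServer) are assumed to match those written by the WindowsUpdate.admx template; verify them against your installed ADMX version.

```powershell
# Added example: audit the Windows Update scan-source policy state.
# Assumption: value names correspond to the WindowsUpdate.admx template in use.
function Get-UpdateScanSourceAudit {
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )

    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    # "Do not allow update deferral policies to cause scans against Windows Update"
    # enabled -> DisableDualScan = 1
    $dualScanDisabled = ($props.DisableDualScan -eq 1)

    # "Specify source service for specific classes of Windows Updates" writes one
    # value per update class: 0 = WSUS, 1 = Windows Update, absent = not configured
    $classes = [ordered]@{
        Feature = 'SetPolicyDrivenUpdateSourceForFeatureUpdates'
        Quality = 'SetPolicyDrivenUpdateSourceForQualityUpdates'
        Driver  = 'SetPolicyDrivenUpdateSourceForDriverUpdates'
        Other   = 'SetPolicyDrivenUpdateSourceForOtherUpdates'
    }

    $report = foreach ($class in $classes.Keys) {
        $value  = $props.($classes[$class])
        $source = switch ($value) {
            0       { 'WSUS' }
            1       { 'Windows Update' }
            default { 'Not configured' }
        }
        [pscustomobject]@{ UpdateClass = $class; Source = $source; RawValue = $value }
    }

    $warnings = @()
    # Per-class sources are ignored while dual scan is disabled; flag that combination.
    if ($dualScanDisabled -and ($report | Where-Object RawValue -ne $null)) {
        $warnings += 'DisableDualScan is set: disable "Do not allow update deferral policies to cause scans against Windows Update" before using per-class sources.'
    }
    # A class pointed at WSUS needs an intranet update server (WUServer) to be configured.
    if (-not $props.WUServer -and ($report | Where-Object Source -eq 'WSUS')) {
        $warnings += 'A class is pointed at WSUS but no WSUS server (WUServer) is configured.'
    }

    [pscustomobject]@{
        DualScanDisabled = $dualScanDisabled
        Classes          = $report
        Warnings         = $warnings
    }
}

Get-UpdateScanSourceAudit | Format-List
```

Run it after a `gpupdate /force` on a test client to confirm the policy landed in the expected registry values before rolling it out more widely.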
New policies for printing
In the aftermath of the vulnerabilities known as "PrintNightmare", Microsoft has introduced some restrictions on printers.
Limit print driver installation to Administrators can be used to reactivate Point and Print for standard users after the August update. It is not part of the normal administrative templates, but shipped with the security baseline's SecGuide.admx.
The option of restricting printing to certain devices is also new. With Enable Device Control Printing Restrictions, only printers in the corporate network or approved USB printers are allowed.
This setting is supplemented by a setting called List of approved USB-connected print devices. There, you enter the VID or PID of the allowed USB printers.
Microsoft Defender has eight new settings. Among them is the possibility of excluding certain IP addresses from scans. Turn on script scanning has even made it into the current security baseline as a recommendation.
These two options are also missing from the Windows 10 templates. Since Windows 8 or Windows 10 1709 are mentioned as minimum requirements, they should be applicable there as well.
Windows Sandbox configuration
There are many new Group Policies for the Sandbox. They can be used to control whether audio and video input, network, printers, or a virtual GPU should be available in the VM. Another option determines whether one can exchange data with the sandbox via the clipboard.
As mentioned, these settings are missing in the Windows 10 21H2 templates; the information about the supported versions of Windows isn't provided either. Therefore, these options should only take effect from Windows 11 onwards.
Four new settings help to control Microsoft's data collection. For example, with Limit dump collection, you can restrict memory dumps to kernel mini-dumps and user-mode dumps.
Another setting limits the collection of diagnostic logs. Two additional options are used to regulate interaction with the OneSettings service (logging and downloads).
Disable GUI features
Some of the new settings you can use to remove unnecessary or annoying features from the desktop should be of interest in professional environments. This applies, for example, to animations on the lock screen (Turn off spotlight collection on desktop and Prevent lock screen background motion).
The option to disable widgets also falls into this category. It is missing from the Windows 10 templates and should only apply to the new widgets in Windows 11. However, according to the GPO editor, it should also support the previous OS.
Hiding the "most frequently used" list from the Start menu should also be welcome in many cases.
Windows 10 / 11 21H2 includes a whole new set of group policies. Only two of them control new features; the rest extend the central administration of existing components.
The setting for determining the source for certain update types is appealing. Microsoft Defender and Printing are given more security-related options.
The excitement over these new options is once again marred by Microsoft's sloppy documentation and lack of attention in the last version of Windows 10. At this point, admins will have to install the ADMX templates for Windows 11 and see which of the new settings also work for Windows 10.