If you filter the settings in the Group Policy Settings Reference Spreadsheet using the column "New in Windows 11," the table shows that the innovations are concentrated on a few ADMX files.
Of these, 11 settings are for the package manager winget, which was already configurable via group policies in the past. While the required administrative template had to be downloaded separately from GitHub, it is now part of the operating system.
Settings for printing
Another section contains the settings for printing. These are Microsoft's response to several vulnerabilities that became known as "PrintNightmare." An initial workaround was to restrict the installation of printer drivers to admins.
The corresponding setting was not yet included in Windows 11 21H2, so SecGuide.admx from the security baseline was required. With Windows 11 2022, it is now included in Printing.admx, as was already the case with Windows 10 21H2.
Overall, the current Windows release offers the following settings for printing:
- Configure RPC connection
- Configure RPC listener
- Configure RPC packet-level privacy setting for incoming connections
- Configure RPC over TCP port
- Configure Redirection Guard
- Always send job page count information for IPP printers; this policy applies to Internet printing
- Limits print driver installation to administrators
- Manage processing of queue-specific files
- Manage printer driver signature validation
- Manage printer driver exclusion list
A description of most of these settings can be found in my article on the Windows 11 2022 security baseline.
Start menu and Taskbar
An entire group of settings gives admins more control over how far users are allowed to configure these UI components. To accomplish this, the following options were added, most of which are self-explanatory.
Note that the settings in the following list are, contrary to what you might expect, only found in the Computer Configuration branch (unless explicitly noted otherwise).
- Remove Run menu from Start menu
- Prevent changes to Taskbar and Start menu settings
- Remove access to the context menus for the Taskbar
- Prevent users from uninstalling applications from Start
- Remove Recommended section from Start menu; this setting is available both for User and Machine
- Simplify Quick Settings layout
- Disable editing Quick Settings
- Remove Quick Settings: This setting is available only in the User Configuration branch.
- Remove pinned programs from the Taskbar.
- Hide the TaskView button. This setting is available for both User and Machine. It refers to the icon used to switch between virtual desktops and applications.
For additional customization of the user interface, Microsoft introduced the following settings:
- Hide and disable all items on the desktop: This is a radical measure that would probably not be acceptable to most users. It is meant to prevent data files and programs from being placed on the desktop.
- Fully disable Search UI: Although the results of the integrated Windows search are often annoying, you're unlikely to block it completely unless you have an alternative.
- Allow search highlights: This can be used to prevent Bing news from being displayed.
One of the new features in Windows 11 2022 is SmartScreen's advanced phishing protection. It can be configured using the following four settings:
- Notify Malicious
- Notify Password Reuse
- Notify Unsafe App
- Service Enabled
You can find explanations for these settings in my post about the Security Baseline for Windows 11 2022.
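The printing policies listed above and the four Enhanced Phishing Protection settings both end up as registry values under the policy hives, which is what you typically verify on a client after a GPO refresh. The following PowerShell audit is an added example, not code from the article or from Microsoft. The registry locations for RestrictDriverInstallationToAdministrators and RpcAuthnLevelPrivacyEnabled are the ones Microsoft documents for those policies; the WTDS\Components path for the SmartScreen settings and the Printers\RPC and RedirectionguardPolicy values are taken from my reading of the ADMX files and should be treated as assumptions you confirm against the templates on your own system.

```powershell
# Added example (not from the original article): audit the registry values written by
# the printing and Enhanced Phishing Protection policies on the local machine.
# Paths marked "assumed" come from my reading of the ADMX files, not from Microsoft docs.

$checks = @(
    @{ Name     = 'Limit print driver installation to administrators'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
       Value    = 'RestrictDriverInstallationToAdministrators'; Expected = 1 },
    @{ Name     = 'RPC packet-level privacy for incoming connections'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
       Value    = 'RpcAuthnLevelPrivacyEnabled'; Expected = 1 },
    @{ Name     = 'Redirection Guard (assumed path/value from Printing.admx)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
       Value    = 'RedirectionguardPolicy'; Expected = 1 },
    @{ Name     = 'Enhanced Phishing Protection: Service Enabled (assumed path)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'
       Value    = 'ServiceEnabled'; Expected = 1 },
    @{ Name     = 'Enhanced Phishing Protection: Notify Malicious (assumed path)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'
       Value    = 'NotifyMalicious'; Expected = 1 },
    @{ Name     = 'Enhanced Phishing Protection: Notify Password Reuse (assumed path)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'
       Value    = 'NotifyPasswordReuse'; Expected = 1 },
    @{ Name     = 'Enhanced Phishing Protection: Notify Unsafe App (assumed path)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'
       Value    = 'NotifyUnsafeApp'; Expected = 1 }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    # A missing value means the policy is "Not configured"; the OS default then applies,
    # which is not necessarily insecure (driver installation is restricted by default
    # since the 2021 PrintNightmare updates), so report it separately from a mismatch.
    $actual = $null
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    if ($null -ne $item) { $actual = $item.($Check.Value) }

    $state = if ($null -eq $actual) { 'NotConfigured' }
             elseif ($actual -eq $Check.Expected) { 'Compliant' }
             else { 'Mismatch' }

    [pscustomobject]@{
        Setting  = $Check.Name
        Expected = $Check.Expected
        Actual   = $actual
        State    = $state
    }
}

$report = $checks | ForEach-Object { Test-PolicyValue -Check $_ }
$report | Format-Table -AutoSize

# Non-zero exit code if any policy is set to a value other than the hardened one,
# so the script can be used as a compliance check in a scheduled task or RMM job.
if ($report | Where-Object State -eq 'Mismatch') { exit 1 }
```

Run it with `gpupdate /force` beforehand so the policy hive reflects the current GPO, and compare the NotConfigured rows with the baseline you intend to apply: for the RPC privacy and driver-installation settings, an explicit value of 1 is what the security baseline expects, while an absent value only tells you the policy itself has not been delivered.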
The antimalware program integrated into Windows gets new settings for several purposes. Two of them relate to blocking unwanted peripherals in conjunction with the Defender for Endpoint cloud service:
- Select Device Control Default Enforcement Policy: You can now specify whether all devices should be allowed or blocked by default.
- Define Device Control evidence data remote location
For unknown reasons, another new setting for enabling device control is not found in the same folder as other related settings, but is instead found under Features:
- Device Control: Use this setting to activate device control. This requires an M365 E3 or E5 subscription.
Until now, admins could control the download of security intelligence via group policies by specifying multiple sources and their priority.
With Windows 11 comes the option of selecting a channel for obtaining virus signatures and other updates separately for daily and monthly updates. These settings are not found in the Security Intelligence Updates container, as you would expect, but in the root directory of Defender Antivirus:
- Select the channel for Microsoft Defender daily security intelligence updates
- Select the channel for Microsoft Defender monthly platform updates
- Select the channel for Microsoft Defender monthly engine updates
The following channels are available for platform and engine updates:
- Beta Channel: Devices set to this channel will be the first to receive new updates. For use in (manual) test environments and a limited number of devices.
- Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for validation environments.
- Current Channel (Staged): Suggested to apply to a small, representative part of your production population (ca. 10 percent).
- Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to the majority of PCs in the production population.
- Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.
With the following setting, you can override the channel assignment of the above settings:
- Disable gradual rollout of Microsoft Defender updates
Unlike the other three settings, this one is located in the MpEngine container.
Another setting allows you to make sure that the maximum CPU usage you have defined for scans also applies to scans started by a user (and not just to scheduled scans):
- CPU throttling type
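The update channels and the CPU throttling setting described above also have counterparts in the Defender PowerShell module, which is useful for verifying what a device actually received after the GPO applied, or for staging a ring on test machines before the policy exists. The script below is an added example, not the article's code. The Set-MpPreference parameters PlatformUpdatesChannel, EngineUpdatesChannel, DefinitionUpdatesChannel, DisableGradualRelease, ThrottleForScheduledScanOnly and ScanAvgCPULoadFactor are the documented ones; the mapping of group names to rings and the CPU load value are constructed sample data.

```powershell
# Added example (not from the original article): apply and audit Defender update rings.
# The group-to-ring table is a constructed sample; adapt it to your own device groups.
$ringByGroup = @{
    'GRP-Test'       = 'Beta'      # first to receive updates, manual test devices
    'GRP-Validation' = 'Preview'   # earliest in the monthly gradual release
    'GRP-Pilot'      = 'Staged'    # ~10 percent of production
    'GRP-Production' = 'Broad'     # after the gradual release cycle completes
    'GRP-Critical'   = 'Delayed'   # 48-hour delay, critical systems only
}

function Set-DefenderUpdateRing {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Beta', 'Preview', 'Staged', 'Broad', 'Delayed', 'NotConfigured')]
        [string]$Ring,
        # Daily signature updates get their own channel in the policy; in my reading only
        # Staged and Broad apply there, so they are set separately and only on request.
        [ValidateSet('Staged', 'Broad')]
        [string]$SignatureRing,
        # Maps to "CPU throttling type": $false makes the scan CPU limit apply to
        # user-initiated scans as well, not only to scheduled ones.
        [bool]$ThrottleScheduledOnly = $false,
        [ValidateRange(5, 100)]
        [int]$MaxScanCpuPercent = 50   # constructed sample value
    )

    $params = @{
        PlatformUpdatesChannel       = $Ring
        EngineUpdatesChannel         = $Ring
        ThrottleForScheduledScanOnly = $ThrottleScheduledOnly
        ScanAvgCPULoadFactor         = $MaxScanCpuPercent
    }
    if ($SignatureRing) { $params.DefinitionUpdatesChannel = $SignatureRing }

    Set-MpPreference @params
}

function Get-DefenderUpdateRingReport {
    # Reads the effective preferences, whether they came from GPO, Intune or the cmdlet.
    # DisableGradualRelease corresponds to "Disable gradual rollout of Microsoft Defender
    # updates" and overrides the channel selection when set.
    Get-MpPreference |
        Select-Object PlatformUpdatesChannel,
                      EngineUpdatesChannel,
                      DefinitionUpdatesChannel,
                      DisableGradualRelease,
                      ThrottleForScheduledScanOnly,
                      ScanAvgCPULoadFactor
}

# Usage: pick the ring for the device's group, apply it, and show the result.
$deviceGroup = 'GRP-Pilot'   # constructed sample; normally derived from AD/Intune membership
Set-DefenderUpdateRing -Ring $ringByGroup[$deviceGroup] -SignatureRing 'Staged'
Get-DefenderUpdateRingReport | Format-List
```

Note that a GPO-delivered value wins over whatever the cmdlet sets, and that Get-MpPreference does not tell you which source a value came from; if the report shows a ring you did not configure locally, check the Defender Antivirus policy root and the MpEngine container mentioned above for the corresponding settings.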
After discontinuing Internet Explorer as a standalone application, Microsoft has now added a setting that allows you to disable the browser for standalone HTML applications (HTA) as well:
- Disable HTML Application
It exists for both computer and user configurations. With the following policy, you can allow Internet Explorer and Edge to share the application state in IE mode:
- Enable global window list in Internet Explorer mode
Organizations still using the original Edge browser can now suppress the display of the outdated browser warning message (user and machine):
- Suppress the display of Edge Deprecation Notification
Other new settings include DNS over HTTPS, securing the LSASS authentication process, and the gradual deactivation of NetBIOS. I also covered them in the Windows 11 2022 Security Baseline article.
There are also new options (both client- and server-side) to use SMB compression by default or to disable SMB compression completely, as well as two for the terminal services.
While Windows 11 2022 brings relatively few new features overall, it does provide admins with numerous new group policies. Some of these are based on previously separate templates and have now been included in the OS.
On top of that, you get a significant number of new options that primarily increase the security of the system. These concern printing, SmartScreen, and Defender Antivirus.
Many environments will welcome the new options to limit the user's freedom when customizing the Start menu and the taskbar.