- New Group Policy settings in Windows 11 23H2 - Mon, Nov 20 2023
Most of the innovations in Windows 11 23H2 complement existing features with new functionality. Among the few genuine additions are Dev Drive and the integration of Copilot, the latter still pending in the EU. In addition, the improved Windows LAPS now ships with the operating system.
Of the roughly 33 new group policy settings, nine are dedicated to LAPS, two more to Dev Drive, and one to Copilot, which that single setting can turn off.
It is not easy to determine which and how many settings are really new in Windows 11 23H2. This is partly because Microsoft delivers new features continuously, making the reference point for comparison unclear. Furthermore, Microsoft's sloppy documentation complicates this task.
There are currently two documents that are supposed to list the new settings. One is the well-known Group Policy Settings Reference, and the other is a spreadsheet in the Security Baseline documentation ("Windows 11 22H2 to 23H2 Delta.xlsx").
The two disagree on which settings are new. For example, Configure the inclusion of app tabs into ALT-TAB already existed in Windows 10 and only now appears in the Windows 11 reference with a delay. The baseline documentation, however, does not mention it at all.
The settings reference assigns options for managing SMB Compression to 22H2, whereas for the baseline document, they are new with 23H2.
The ADMX templates containing the new settings are not only located on a workstation with Windows 11 23H2 under %systemroot%\PolicyDefinitions but are also available for separate download, as usual. Unlike the operating system, this package includes all available language files.
Overview of the new settings
Most of the new settings in the following list are self-explanatory, while I have supplemented others with annotations. Additionally, I categorize them for better clarity.
- Enable Organizational Messages
Administrators can send messages to selected users using selected applications such as Configuration Manager. By default, this option is disabled.
- Turn on multiple expanded toast notifications in action center
By default, Windows 11 only displays the first toast notification from an application in the Action Center. This setting allows you to increase this number to 3.
- Hide Internet Explorer 11 retirement notification
This setting enables the warning about the retirement of Internet Explorer to be hidden in IE. It exists in both the Computer and User Configuration branches.
The latter two settings have been present in Windows 10 since 22H2 and are also available in Windows 11. Consequently, the administrative templates for Windows 11 are apparently becoming backward-compatible with Windows 10 over time.
- Turn off account-based insights, recent, favorite, and recommended files in File Explorer
This setting prevents File Explorer from retrieving metadata for files from the cloud.
- Let Windows apps access presence sensing
Presence detection is used by Windows for security features, for example, to lock the computer when the user leaves their workstation and unlock it again when they return. With this setting, you can allow or deny access to all apps or assign this right selectively.
Windows LAPS brings the settings of the previously separate (legacy) LAPS into the operating system and supplements them with options for the new features, such as password encryption in Active Directory and post-authentication actions. For a detailed description, see this article.
- Configure password backup directory
- Name of administrator account to manage
- Enable password encryption
- Configure authorized password decryptors
- Configure size of encrypted password history
- Enable password backup for DSRM accounts
- Post-authentication actions
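Because the LAPS policies above decide whether the local administrator password ends up encrypted or in cleartext in Active Directory, it is worth verifying what a client actually received after a Group Policy refresh. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the registry values that the Windows LAPS policies write and turns them into a short posture report. It assumes that the policies land in HKLM:\SOFTWARE\Microsoft\Policies\LAPS, that BackupDirectory uses 0 = disabled, 1 = Entra ID (Azure AD), 2 = Active Directory, that PostAuthenticationActions uses 1 = reset only, 3 = reset and log off, 5 = reset and reboot, and that the built-in defaults used for unset values are the documented ones as of 23H2; verify all of this against LAPS.admx in %systemroot%\PolicyDefinitions.

```powershell
# Added example (not from the 4sysops article or from Microsoft).
# Run in an elevated PowerShell on a Windows 11 23H2 client after "gpupdate /force".
# Assumptions to verify against LAPS.admx:
#  - policies are written to HKLM:\SOFTWARE\Microsoft\Policies\LAPS
#  - BackupDirectory: 0 = disabled, 1 = Entra ID (Azure AD), 2 = Active Directory
#  - PostAuthenticationActions: 1 = reset only, 3 = reset + log off, 5 = reset + reboot
#  - defaults used for unset values are the documented built-in defaults

$LapsPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

function Get-LapsPolicyValue {
    # Returns the policy value, or $Default when Group Policy has not set it
    # (the LAPS client then applies its built-in default).
    param([string]$Name, $Default = $null)
    try   { (Get-ItemProperty -Path $LapsPolicyKey -Name $Name -ErrorAction Stop).$Name }
    catch { $Default }
}

function Get-LapsPostureReport {
    $cfg = [ordered]@{
        BackupDirectory                = [int](Get-LapsPolicyValue 'BackupDirectory' 0)
        AdministratorAccountName       = Get-LapsPolicyValue 'AdministratorAccountName' '<built-in Administrator>'
        ADPasswordEncryptionEnabled    = [int](Get-LapsPolicyValue 'ADPasswordEncryptionEnabled' 1)
        ADPasswordEncryptionPrincipal  = Get-LapsPolicyValue 'ADPasswordEncryptionPrincipal' $null
        ADEncryptedPasswordHistorySize = [int](Get-LapsPolicyValue 'ADEncryptedPasswordHistorySize' 0)
        ADBackupDSRMPassword           = [int](Get-LapsPolicyValue 'ADBackupDSRMPassword' 0)
        PostAuthenticationResetDelay   = [int](Get-LapsPolicyValue 'PostAuthenticationResetDelay' 24)
        PostAuthenticationActions      = [int](Get-LapsPolicyValue 'PostAuthenticationActions' 3)
    }

    $findings = New-Object System.Collections.Generic.List[string]

    switch ($cfg.BackupDirectory) {
        0 { $findings.Add('BackupDirectory is 0 or unset: LAPS is not rotating or backing up any password on this machine.') }
        2 {
            if ($cfg.ADPasswordEncryptionEnabled -eq 0) {
                # Cleartext backup lands in the msLAPS-Password attribute; its ACL is the only protection.
                $findings.Add('AD backup with encryption disabled: the password is stored in cleartext in msLAPS-Password; anyone with read access to that attribute can recover it.')
            } elseif (-not $cfg.ADPasswordEncryptionPrincipal) {
                $findings.Add('Encryption is on but no authorized decryptor is configured: only Domain Admins (the default) can decrypt; configure a dedicated group if the help desk needs access.')
            }
            if ($cfg.ADBackupDSRMPassword -eq 1 -and $cfg.ADPasswordEncryptionEnabled -eq 0) {
                $findings.Add('DSRM password backup is enabled but requires password encryption; no DSRM backup will happen.')
            }
            if ($cfg.ADEncryptedPasswordHistorySize -gt 0 -and $cfg.ADPasswordEncryptionEnabled -eq 0) {
                $findings.Add('An encrypted password history size is set but encryption is off; no history will be kept.')
            }
        }
    }
    if ($cfg.BackupDirectory -ne 0 -and $cfg.PostAuthenticationActions -eq 1) {
        $findings.Add('PostAuthenticationActions = 1: the password is reset after use, but sessions of the managed account stay logged on; 3 (log off) or 5 (reboot) closes that window.')
    }

    [pscustomobject]@{ Settings = [pscustomobject]$cfg; Findings = $findings.ToArray() }
}

# Usage: show the effective policy and any findings.
$report = Get-LapsPostureReport
$report.Settings | Format-List
$report.Findings | ForEach-Object { "WARNING: $_" }
```

The script deliberately treats an unset value as the built-in default rather than as "not configured", because that is how the LAPS client behaves; the interesting combination to catch is backup to AD with encryption switched off, which downgrades the password to a cleartext directory attribute.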
- Enable dev drive
Dev Drive is a ReFS-based drive optimized for developer workloads. This feature can be enabled or blocked via group policy.
- Dev drive filter attach policy
By default, no file system filters are attached to a Dev Drive. This setting lets you specify which filters (for example antivirus minifilters) are allowed to attach.
- Turn off Windows Copilot
- Configure RPC packet level privacy setting for incoming connections
This setting previously existed in the SecGuide.admx template included in the Security Baseline package and has now been incorporated into printing.admx. It forces incoming RPC connections to the Print Spooler to use packet-level privacy (encrypted and integrity-protected), which is the hardened value the Security Baseline recommends.
- Force Disable Wake When Battery Saver On
- Force Allow Wake When External Display Connected
- Force Allow Lock When External Display Connected
- Force Allow Dim When External Display Connected
- Do not sync language preferences settings
Start menu and taskbar
- Remove Personalized Website Recommendations from the Recommended section in the Start Menu
Windows 11 displays personalized website recommendations and suggestions in the Start menu based on the user's browsing history. This setting prevents this behavior. It exists in both the computer and user branches.
- Turn off account notifications in Start
Windows sends messages to users with a Microsoft or local account to secure their device, provide quota for cloud storage, and manage their Microsoft 365 or Xbox subscription. This setting blocks such notifications.
- Configures search on the taskbar
Options to configure the search box on the taskbar (refer to the detailed description for more info).
- Automatic Data Collection
This policy determines whether advanced phishing protection can collect additional information, such as displayed content, played sounds, and the application memory when users enter their password for a work or school account on a suspicious website or application.
- Scan packed executables
This setting, already present in Windows 10, controls whether Defender scans packed executables (executables compressed with runtime packers, including self-extracting archives). By default, they are scanned; disabling this is not advisable, because packing is a common way of obfuscating malware.
- Enable features introduced via servicing that are off by default
While Microsoft continuously delivers new features, it only activates them on managed devices when shipping a new upgrade. This setting allows you to disable this deferral.
- Enable optional updates
Introduced with the August 2023 update, this policy allows you to determine how optional updates are installed and how users can influence this process.
- Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN
The cache servers belong to Delivery Optimization. Their usage can be blocked when an active VPN connection is discovered.
- VPN Keywords
You can use keywords to help Delivery Optimization identify VPN connections. By default, it evaluates the friendly name and description of the network adapter.
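Since Delivery Optimization classifies an adapter as VPN by matching keywords against its friendly name and description, it helps to preview that classification for your own adapters before pushing the two policies. The following PowerShell snippet is an added example, not code from the article or from Microsoft. It assumes that the policies land in HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization as DOVpnKeywords (comma-separated string) and DODisallowCacheServerDownloadsOnVPN (DWORD), that the keyword match is a case-insensitive substring match, and the adapter list at the bottom is constructed sample data (replace it with Get-NetAdapter output on a real machine).

```powershell
# Added example (not from the 4sysops article or from Microsoft).
# Assumptions: policy values live under the DeliveryOptimization policy key below,
# DOVpnKeywords is a comma-separated string, and matching is case-insensitive substring.

$DoPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Get-DoPolicyValue {
    # Returns the policy value, or $Default when the policy is not set.
    param([string]$Name, $Default = $null)
    try   { (Get-ItemProperty -Path $DoPolicyKey -Name $Name -ErrorAction Stop).$Name }
    catch { $Default }
}

function Get-DoVpnKeywords {
    # Keyword list from policy; when unset, fall back to a constructed sample set
    # (the real built-in defaults are not reproduced here).
    $raw = Get-DoPolicyValue 'DOVpnKeywords' 'VPN,Secure,Tunnel'
    $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Test-DoVpnAdapter {
    # Returns the adapters that at least one keyword matches in Name or InterfaceDescription,
    # together with the keyword that matched (-like is case-insensitive in PowerShell).
    param(
        [Parameter(Mandatory)] [object[]] $Adapters,
        [string[]] $Keywords = (Get-DoVpnKeywords)
    )
    foreach ($a in $Adapters) {
        $hit = $Keywords |
            Where-Object { $a.Name -like "*$_*" -or $a.InterfaceDescription -like "*$_*" } |
            Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{
                Adapter        = $a.Name
                Description    = $a.InterfaceDescription
                MatchedKeyword = $hit
            }
        }
    }
}

# Constructed sample adapters; on a real client use:
#   Get-NetAdapter | Select-Object Name, InterfaceDescription
$sampleAdapters = @(
    [pscustomobject]@{ Name = 'Ethernet';   InterfaceDescription = 'Intel(R) Ethernet Connection' }
    [pscustomobject]@{ Name = 'Corp VPN';   InterfaceDescription = 'WAN Miniport (IKEv2)' }
    [pscustomobject]@{ Name = 'Ethernet 2'; InterfaceDescription = 'Acme SecureClient Virtual Adapter' }
)

Test-DoVpnAdapter -Adapters $sampleAdapters | Format-Table -AutoSize

# Whether cache-server downloads are blocked on a detected VPN (1 = blocked; unset = allowed).
"DODisallowCacheServerDownloadsOnVPN = $(Get-DoPolicyValue 'DODisallowCacheServerDownloadsOnVPN' 0)"
```

With the sample data, "Corp VPN" matches on its name and "Ethernet 2" matches on the "Secure" in its description, while the plain Ethernet adapter is left alone; an adapter whose VPN client uses a vendor name without any of the keywords is exactly the case where you would add a keyword via the policy.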
Windows 11 23H2 introduces approximately 30 new settings for group policies. Some of these settings existed in the past, but they had to be installed separately. This applied to LAPS and a policy from SecGuide.admx. However, Windows LAPS now offers several new features, reflected in the group policies.
A genuinely new feature is the inclusion of Dev Drive in the current group policies. Otherwise, the new policies span across various components and functionalities. Settings for Windows Update are always crucial. The two most significant ones were even available before the launch of 23H2.
A substantial share of the new options addresses the user interface, specifically File Explorer, the Start menu, and the taskbar. They allow administrators to switch off unwanted additions and features.