Windows 11 23H2 introduces a range of new Group Policy settings. These target new features like Dev Drive and extend the management options for existing components. The corresponding ADMX templates are already available for download, as is the setting reference spreadsheet.

Most of the innovations in Windows 11 23H2 complement existing features with new functionalities. Among the few genuine innovations are Dev Drive and the integration of Copilot, which is still pending in the EU. Additionally, the improved LAPS is now shipped with the operating system.

Of the approximately 33 new group policy settings in total, nine are dedicated to LAPS, two to Dev Drive, and one to Copilot. The latter can be deactivated with this setting.

Inconsistent documentation

It is not easy to determine which and how many settings are really new in Windows 11 23H2. This is partly because Microsoft delivers new features continuously, making the reference point for comparison unclear. Furthermore, Microsoft's sloppy documentation complicates this task.

There are currently two documents that should show the new settings. One is the well-known Group Policy Settings Reference, and the other is a spreadsheet in the Security Baseline documentation ("Windows 11 22H2 to 23H2 Delta.xlsx").

The Group Policy Settings Reference assigns many new settings to versions 22H2 V2 and 22H2 V3

The two documents show different settings as new. For example, Configure the inclusion of app tabs into ALT-TAB already existed in Windows 10 and now appears in version 11 with a delay. However, the baseline documentation does not mention it.

The settings reference assigns options for managing SMB Compression to 22H2, whereas for the baseline document, they are new with 23H2.

The documentation of the Security Baseline lists the settings for SMB

The ADMX templates containing the new settings are not only located on a workstation with Windows 11 23H2 under %systemroot%\PolicyDefinitions but are also available for separate download, as usual. Unlike the operating system, this package includes all available language files.
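
Because the two documents disagree, the templates themselves can be compared directly. The following PowerShell is an added example, not code from the original article or from Microsoft: it lists policies that are present in a newer ADMX folder but missing from an older one. The function names, the temporary folders and the ExampleA/ExampleB policies are constructed for illustration.

```powershell
# Added example (not from the article): report policies that exist in a newer
# PolicyDefinitions folder but not in an older one.
function Get-AdmxPolicy {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($file in Get-ChildItem -Path $Path -Filter *.admx) {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($file.FullName)
        # local-name() matches <policy> elements regardless of the XML namespace
        $xpath = "//*[local-name()='policies']/*[local-name()='policy']"
        foreach ($p in $doc.SelectNodes($xpath)) {
            [pscustomobject]@{
                Id        = '{0}:{1}:{2}' -f $file.Name, $p.GetAttribute('class'), $p.GetAttribute('name')
                File      = $file.Name
                Class     = $p.GetAttribute('class')
                Name      = $p.GetAttribute('name')
                Key       = $p.GetAttribute('key')
                ValueName = $p.GetAttribute('valueName')
            }
        }
    }
}

function Compare-AdmxSet {
    param([Parameter(Mandatory)][string]$OldPath, [Parameter(Mandatory)][string]$NewPath)
    # Identify a policy by template file, class (Machine/User/Both) and name
    $known = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    Get-AdmxPolicy -Path $OldPath | ForEach-Object { [void]$known.Add($_.Id) }
    Get-AdmxPolicy -Path $NewPath | Where-Object { -not $known.Contains($_.Id) }
}

# Constructed sample input: two one-file template sets standing in for two releases.
$ns  = 'http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions'
$tpl = '<policyDefinitions xmlns="{0}"><policies>{1}</policies></policyDefinitions>'
$a   = '<policy name="ExampleA" class="Machine" key="Software\Policies\Example" valueName="A" />'
$b   = '<policy name="ExampleB" class="Both" key="Software\Policies\Example" valueName="B" />'
$old = Join-Path ([IO.Path]::GetTempPath()) 'admx-old'
$new = Join-Path ([IO.Path]::GetTempPath()) 'admx-new'
New-Item -ItemType Directory -Path $old, $new -Force | Out-Null
Set-Content -Path (Join-Path $old 'Example.admx') -Value ($tpl -f $ns, $a)
Set-Content -Path (Join-Path $new 'Example.admx') -Value ($tpl -f $ns, ($a + $b))

Compare-AdmxSet -OldPath $old -NewPath $new | Format-Table File, Class, Name, Key, ValueName
```

For a real comparison, pass a saved copy of the previous release's PolicyDefinitions folder as -OldPath and the 23H2 templates as -NewPath.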

Overview of the new settings

Most of the new settings in the following list are self-explanatory, while I have supplemented others with annotations. Additionally, I categorize them for better clarity.


  • Enable Organizational Messages

Administrators can send messages to selected users using selected applications such as Configuration Manager. By default, this option is disabled.

  • Turn on multiple expanded toast notifications in action center

By default, Windows 11 only displays the first toast notification from an application in the Action Center. This setting allows you to increase this number to 3.

  • Hide Internet Explorer 11 retirement notification

This setting hides the warning about the retirement of Internet Explorer in IE. It exists in both the Computer and User Configuration branches.

The latter two settings have been present in Windows 10 since 22H2 and are also available in Windows 11. Consequently, the administrative templates for Windows 11 are likely gradually becoming backward-compatible with Windows 10.

Privacy protection

  • Turn off account-based insights, recent, favorite, and recommended files in File Explorer

This setting prevents File Explorer from retrieving metadata for files from the cloud.

  • Let Windows apps access presence sensing

Presence detection is used by Windows for security features, for example, to lock the computer when the user leaves their workstation and unlock it again when they return. With this setting, you can allow or deny access to all apps or assign this right selectively.

Grant or deny apps access to presence detection


Windows LAPS integrates the previously separately available settings into the operating system and supplements them with options for the new features. For a detailed description, see this article.

  • Configure password backup directory
  • Name of administrator account to manage
  • Enable password encryption
  • Configure authorized password decryptors
  • Configure size of encrypted password history
  • Enable password backup for DSRM accounts
  • Post-authentication actions

Windows LAPS can be managed via a total of nine settings

Dev Drive

  • Enable dev drive

Dev Drive is a ReFS-based drive optimized for developer workloads. This feature can be enabled or blocked via group policy.

  • Dev drive filter attach policy

By default, Dev Drive has no file system filters assigned. This setting allows you to change that.


  • Turn off Windows Copilot

Security Guide

  • Configure RPC packet level privacy setting for incoming connections

This setting previously existed in the SecGuide.admx template, included in the Security Baseline package, and has now been incorporated into the printing.admx.

Energy management

  • Force Disable Wake When Battery Saver On
  • Force Allow Wake When External Display Connected
  • Force Allow Lock When External Display Connected
  • Force Allow Dim When External Display Connected

Language settings

  • Do not sync language preferences settings

Start menu and taskbar

  • Remove Personalized Website Recommendations from the Recommended section in the Start Menu

Windows 11 displays personalized website recommendations and suggestions in the Start menu based on the user's browsing history. This setting prevents this behavior. It exists in both the computer and user branches.

  • Turn off account notifications in Start

Windows sends messages to users with a Microsoft or local account to secure their device, provide quota for cloud storage, and manage their Microsoft 365 or Xbox subscription. This setting blocks such notifications.

  • Configures search on the taskbar

Options to configure the search box on the taskbar (refer to the detailed description for more info).


  • Automatic Data Collection

This policy determines whether advanced phishing protection can collect additional information, such as displayed content, played sounds, and the application memory when users enter their password for a work or school account on a suspicious website or application.

  • Scan packed executables

This setting, already present in Windows 10, can block Defender from scanning self-extracting ZIP and other archive files. By default, these files are examined.

Windows Update

  • Enable features introduced via servicing that are off by default

While Microsoft continuously delivers new features, it only activates them on managed devices when shipping a new upgrade. This setting allows you to disable this deferral.

  • Enable optional updates

Introduced with the August 2023 update, this policy allows you to determine how optional updates are installed and how users can influence this process.

  • Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN

The cache servers belong to Delivery Optimization. Their usage can be blocked when an active VPN connection is discovered.

  • VPN Keywords

You can use keywords to help Delivery Optimization identify VPN connections. By default, it evaluates the friendly name and description of the network adapter.


Windows 11 23H2 introduces approximately 30 new settings for group policies. Some of these settings existed in the past, but they had to be installed separately. This applied to LAPS and a policy from SecGuide.admx. However, Windows LAPS now offers several new features, reflected in the group policies.

A genuinely new feature is the inclusion of Dev Drive in the current group policies. Otherwise, the new policies span various components and functionalities. Settings for Windows Update are always crucial. The two most significant ones were even available before the launch of 23H2.

A substantial influx of new options addresses the user interface, specifically the File Explorer, start menu, and taskbar. This allows users to deactivate undesired additions and functionalities effectively.
