Windows 11 22H2 To 23H2 Delta
| ADMX file | Scope | Policy path | Policy name | Registry key | Supported on |
|---|---|---|---|---|---|
| admx | User | Windows Components\Account Notifications | Turn off account notifications in Start | HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AccountNotifications!DisableAccountNotifications | At least Windows 10 Version 2004 |
| AppPrivacy.admx | Machine | Windows Components\App Privacy | Let Windows apps access presence sensing | HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessHumanPresence HKLM\Software\Policies\Microsoft\ | At least Windows Server 2016 Windows 10 |
| CloudContent.admx | User | Windows Components\Cloud Content | Enable Organizational Messages | HKCU\Software\Policies\Microsoft\Windows\CloudContent!EnableOrganizationalMessages | At least Windows 11 |
| DeliveryOptimization.admx | Machine | Windows Components\Delivery Optimization | Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN | HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DODisallowCacheServerDownloadsOnVPN | At least Windows 11 Version 22H2 |
| DeliveryOptimization.admx | Machine | Windows Components\Delivery Optimization | VPN Keywords | HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOVpnKeywords | At least Windows 11 Version 22H2 |
| filtermanager.admx | Machine | System\Filesystem | Dev drive filter attach policy | HKLM\System\CurrentControlSet\Policies!FltmgrDevDriveAttachPolicy | At least Windows 11 Version 22H2 |
| inetres.admx | Machine | Windows Components\Internet Explorer | Hide Internet Explorer 11 retirement notification | HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DisableIEAppNotificationPolicy | At least Internet Explorer 11.0 on Windows 10 |
| inetres.admx | User | Windows Components\Internet Explorer | Hide Internet Explorer 11 retirement notification | HKCU\Software\Policies\Microsoft\Internet Explorer\Main!DisableIEAppNotificationPolicy | At least Internet Explorer 11.0 on Windows 10 |
| LanmanServer.admx | Machine | Network\Lanman Server | Request traffic compression for all shares | HKLM\Software\Policies\Microsoft\Windows\LanmanServer!EnableCompressedTraffic | At least Windows Server 2022 Windows 11 |
| LanmanServer.admx | Machine | Network\Lanman Server | Disable SMB compression | HKLM\Software\Policies\Microsoft\Windows\LanmanServer!DisableCompression | At least Windows Server 2022 Windows 11 |
| LanmanWorkstation.admx | Machine | Network\Lanman Workstation | Use SMB compression by default | HKLM\Software\Policies\Microsoft\Windows\LanmanWorkstation!EnableCompressedTraffic | At least Windows Server 2022 Windows 11 |
| LanmanWorkstation.admx | Machine | Network\Lanman Workstation | Disable SMB compression | HKLM\Software\Policies\Microsoft\Windows\LanmanWorkstation!DisableCompression | At least Windows Server 2022 Windows 11 |
| LAPS.admx | Machine | System\LAPS | Configure password backup directory | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS!BackupDirectory | At least Microsoft Windows 10 or later |
| LAPS.admx | Machine | System\LAPS | Password Settings | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS!PasswordComplexity HKLM\SOFTWARE\Microsoft\Wind | At least Microsoft Windows 10 or later |
| LAPS.admx | Machine | System\LAPS | Name of administrator account to manage | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS!AdministratorAccountName | At least Microsoft Windows 10 or later |
| LAPS.admx | Machine | System\LAPS | Do not allow password expiration time longer than required by policy | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS!PwdExpirationProtectionEnabled | At least Microsoft Windows 10 or later |
| LAPS.admx | Machine | System\LAPS | Enable password encryption | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS!ADPasswordEncryptionEnabled | At least Microsoft Windows 10 or later |
| LAPS.admx | Machine | System\LAPS | Configure authorized password decryptors | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS!ADPasswordEncryptionPrincipal | At least Microsoft Windows 10 or later |
| LAPS.admx | Machine | System\LAPS | Configure size of encrypted password history | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS!ADEncryptedPasswordHistorySize | At least Microsoft Windows 10 or later |
| LAPS.admx | Machine | System\LAPS | Enable password backup for DSRM accounts | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS!ADBackupDSRMPassword | At least Microsoft Windows 10 or later |
| LAPS.admx | Machine | System\LAPS | Post-authentication actions | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS!PostAuthenticationResetDelay HKLM\SOFTWARE\Micro | At least Microsoft Windows 10 or later |
| refs.admx | Machine | System\Filesystem | Enable dev drive | HKLM\System\CurrentControlSet\Policies!FsEnableDevDrive; HKLM\System\CurrentControlSet\Policies!FltmgrDevDriveAllow | At least Windows 11 Version 22H2 |
| Search.admx | Machine | Windows Components\Search | Configures search on the taskbar | HKLM\Software\Policies\Microsoft\Windows\Windows Search!SearchOnTaskbarMode | At least Windows 11 |
| SecGuide.admx | Machine | MS Security Guide | Configure RPC packet level privacy setting for incoming connections | HKLM\SYSTEM\CurrentControlSet\Control\Print!RpcAuthnLevelPrivacyEnabled | At least Windows Server 2016 Windows 10 |
| SecGuide.admx | Machine | MS Security Guide | Enable Certificate Padding | HKLM\Software\Microsoft\Cryptography\Wintrust\Config!EnableCertPaddingCheck HKLM\Software\Wow6432Node\Microso | At least Windows Server 2008 R2 or Windows 7 |
| Sensors.admx | Machine | Windows Components\Human Presence | Force Disable Wake When Battery Saver On | HKLM\Software\Policies\Microsoft\HumanPresence!ForceDisableWakeWhenBatterySaverOn; HKLM\Software\Policies\Micro | At least Windows 10 |
| Sensors.admx | Machine | Windows Components\Human Presence | Force Allow Wake When External Display Connected | HKLM\Software\Policies\Microsoft\HumanPresence!ForceAllowWakeWhenExternalDisplayConnected; HKLM\Software\Policie | At least Windows 10 |
| Sensors.admx | Machine | Windows Components\Human Presence | Force Allow Lock When External Display Connected | HKLM\Software\Policies\Microsoft\HumanPresence!ForceAllowLockWhenExternalDisplayConnected; HKLM\Software\Policies | At least Windows 10 |
| Sensors.admx | Machine | Windows Components\Human Presence | Force Allow Dim When External Display Connected | HKLM\Software\Policies\Microsoft\HumanPresence!ForceAllowDimWhenExternalDisplayConnected; HKLM\Software\Policies | At least Windows 10 |
| SettingSync.admx | Machine | Windows Components\Sync your settings | Do not sync language preferences settings | HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableLanguageSettingSync; HKLM\Software\Policies\Microsoft\W | Unknown |
| StartMenu.admx | Machine | Start Menu and Taskbar | Remove Personalized Website Recommendations from the Recommended section in the Start Menu | HKLM\Software\Policies\Microsoft\Windows\Explorer!HideRecommendedPersonalizedSites | At least Windows 11 Version 22H2 |
| StartMenu.admx | User | Start Menu and Taskbar | Remove Personalized Website Recommendations from the Recommended section in the Start Menu | HKCU\Software\Policies\Microsoft\Windows\Explorer!HideRecommendedPersonalizedSites | At least Windows 11 Version 22H2 |
| WebThreatDefense.admx | Machine | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | Automatic Data Collection | HKLM\Software\Policies\Microsoft\Windows\WTDS\Components!CaptureThreatWindow | At least Windows 11 Version 22H2 |
| WindowsCopilot.admx | User | Windows Components\Windows Copilot | Turn off Windows Copilot | HKCU\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot!TurnOffWindowsCopilot | Unknown |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Scan | Scan packed executables | HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisablePackedExeScanning | At least Windows Server 2012 Windows 8 or Windows RT |
| WindowsUpdate.admx | Machine | Windows Components\Windows Update\Manage end user experience | Enable features introduced via servicing that are off by default | HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!AllowTemporaryEnterpriseFeatureControl | At least Windows 11 Version 22H2 |
| WindowsUpdate.admx | Machine | Windows Components\Windows Update\Manage updates offered from Windows Update | Enable optional updates | HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetAllowOptionalContent; HKLM\Software\Policies\Microsoft\ | At least Windows 11 Version 22H2 |
| WPN.admx | User | Start Menu and Taskbar\Notifications | Turn on multiple expanded toast notifications in action center | HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!EnableExpandedToastNotifications | Windows 10 only with at least Windows 10 Version 2004 |
Policy descriptions. Text lost at the cell boundary in the source is marked […].

Turn off account notifications in Start
This policy allows you to prevent Windows from displaying notifications to Microsoft account (MSA) and local users in S[…]ption. If you enable this policy setting Windows will not send account related notifications for local and MSA users to the user tile in Start. If you disable or do not configure this policy setting Windows will send account related notifications for local and MSA users to the user tile in Start. No reboots or service restarts are required for this policy setting to take effect.

Let Windows apps access presence sensing
This policy setting specifies whether Windows apps can access presence sensing. You can specify either a default setting for all […] app setting overrides the default setting. If you choose the "User is in control" option employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device. If you choose the "Force Allow" option Windows apps are allowed to access presence sensing and employees in your organization cannot change it. If you choose the "Force Deny" option Windows apps are not allowed to access presence se[…]o not configure this policy setting employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device. If an app is open when this Group Policy object is applied on a device employees must restart the app or device for the policy changes to be applied to the app.

Enable Organizational Messages
Organizational messages allow Administrators to deliver messages to their end users on selected Windows 11 experiences. Or[…] show content booked by Administrators. Enabling this policy will have no impact on existing MDM policy settings governing delivery of content from Microsoft on Windows experiences.

Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN
Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default the device is allow[…]

VPN Keywords
This policy allows you to set one or more keywords used to recognize VPN connections. To add multiple keywords separate th[…]

Dev drive filter attach policy
Dev drive is a drive optimized for performance considering developer scenarios and by default no file system filters are attache[…]

Hide Internet Explorer 11 retirement notification (Machine and User)
This policy setting allows you to manage whether the notification bar reminder that Internet Explorer is being retired is display[…] or do not configure this policy setting the Notification bar will be displayed in Internet Explorer 11.

Request traffic compression for all shares
This policy controls whether the SMB server requests SMB client to use traffic compression for all SMB shares. If you enable th[…] policy setting the SMB server will not by default request the SMB client to compress traffic. However traffic compression may be requested by other means. See notes below. Note: If this policy is disabled traffic compression may be requested by server-side per-share properties or by the SMB Client. If this is undesired and one wishes to completely disable compression configure the accompanying 'Disable SMB compression' policy instead. Note: Traffic compression can only be used when both the SMB client and SMB server support and enable traffic compression.

Disable SMB compression (Lanman Server)
This policy controls whether the SMB server will disable (completely prevent) traffic compression. If you enable this policy setti[…]ure this policy setting the SMB server may compress traffic (depending on a combination of other policies and conditions).

Use SMB compression by default
This policy controls whether the SMB client uses traffic compression by default. If you enable this policy setting the SMB client […]press traffic. However traffic compression may be requested by other means. See notes below. Note: This policy is combined with per-share and per-file handle properties through which traffic compression may be requested. As well the SMB server must support and enable compression. For example should this policy be disabled (or not configured) the SMB client may still perform compression if an SMB server share has compression requested. If this is undesired and one wishes to completely disable compression configure the accompanying 'Disable SMB compress[…]

Disable SMB compression (Lanman Workstation)
This policy controls whether the SMB client will disable (completely prevent) traffic compression. If you enable this policy settin[…]re this policy setting the SMB client may compress traffic (depending on a combination of other policies and conditions).

Configure password backup directory
Use this setting to configure which directory the local admin account password is backed up to. The allowable settings are: 0=D[…]abled). If this setting is configured to 1 and the managed device is not joined to Azure Active Directory the local administrator password will not be managed. If this setting is configured to 2 and the managed device is not joined to Active Directory the local administrator password will not be managed. If this setting is disabled or not configured the local administrator password is not managed. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.

Password Settings
Configures password parameters. Password complexity: which characters are used when generating a new password. Default: L[…]: 1 day (7 days when backup directory is configured to be Azure AD). Maximum: 365 days. Default: 30 days. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.

Name of administrator account to manage
This policy setting specifies a custom Administrator account name to manage the password for. If this policy setting is enabled […]r account. DO NOT enable this policy setting to manage the built-in administrator account. The built-in administrator account is auto-detected by well-known SID and does not depend on the account name. See https://go.microsoft.com/fwlink/?lin[…]

Do not allow password expiration time longer than required by policy
If this setting is enabled or not configured planned password expiration longer than the password age dictated by the "Passwo[…]ed password expiration time may be longer than required by "Password Settings" policy. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.

Enable password encryption
When you enable this setting the managed password is encrypted before being sent to Active Directory. Enabling this setting h[…]. If this setting is enabled and the domain functional level is at or above Windows Server 2016 the managed account password is encrypted. If this setting is enabled and the domain functional level is less than Windows Server 2016 the managed account password is not backed up to the directory. If this setting is disabled the managed account password is not encrypted. This setting will default to enabled if not configured. See https://go.microsoft.com/fwlink/?li[…]

Configure authorized password decryptors
Configure this setting to control the specific user or group who is authorized to decrypt encrypted passwords. Configuring this […]or not configured encrypted passwords will be decryptable by the Domain Admins group. This setting must be configured with either a SID in string format ("S-1-5-21-2127521184-1604012920-1887927527-35197") or the name of a group or user in "domain\(group or user)" format. The specified user or group must be resolvable by the managed device otherwise passwords will not be backed up. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.

Configure size of encrypted password history
Use this setting to configure how many previous encrypted passwords will be stored in Active Directory. Configuring this settin[…] number of older passwords will be stored in Active Directory. If this setting is disabled or not configured zero older passwords will be stored in Active Directory. This setting has a minimum allowed value of 0 passwords. This setting has a maximum allowed value of 12 passwords. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.

Enable password backup for DSRM accounts
When you enable this setting the DSRM administrator account password will be managed and backed up to Active Directory. E[…]ministrator account on the domain controller will be backed up to Active Directory. If this setting is disabled or not configured the password for the DSRM administrator account on the domain controller will not be backed up to Active Directory. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.

Post-authentication actions
This policy configures post-authentication actions which will be executed after detecting an authentication by the managed ac[…]reater than zero the specified post-authentication actions will be executed upon expiry of the grace period. If this setting is disabled or not configured the specified post-authentication actions will be executed after a default 24 hour grace period. If this setting is equal to zero no post-authentication actions will be executed. Actions: specifies the actions to take upon expiry of the grace period. Reset password: upon expiry of the grace period the managed account password will be reset. Reset the password and logoff the managed account: upon expiry of the grace period the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. (NOTE: after any interactive logon sessions are terminated there may still be other authenticated sessions in use by the managed account. The only robust way to ensure that the previous password is no longer in use is to reboot the device.) Reset the password and reboot: upon expiry of the grace period the managed account password will be reset and the managed device will be immediately rebooted. If this setting is disabled or not configured post-authentication actions will default to "Reset the password and logoff the managed account". Note: the DSRM account on domain controllers cannot be configured for post-authentication actions. This policy has no effect on domain controllers and will be ignored even if configured for a DC. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.

Enable dev drive
Dev drive or developer volume is a volume optimized for performance of developer scenarios. A developer volume allows an a[…]unt as regular volumes. If this setting is not configured the default policy is to enable developer volumes while allowing antivirus filter to attach on a developer volume. Further if not configured a local administrator can choose to not have antivirus filter attached to a developer volume. A reboot is required for this setting to take effect.

Configures search on the taskbar
This policy setting allows you to configure search on the taskbar. If you enable this policy setting and set it to hide search on ta[…]fault. Users cannot change it in Settings. If you enable this policy setting and set it to search icon and label the search icon and label will be displayed on the taskbar by default. Users cannot change it in Settings. If you enable this policy setting and set it to search box the search box will be displayed on the taskbar by default. Users cannot change it in Settings. If you disable or do not configure this policy setting search on taskbar will be configured according to the defaults for your Windows edition. Users will be able to change search on taskbar in Settings.

Configure RPC packet level privacy setting for incoming connections
This policy setting controls whether packet level privacy is enabled for RPC for incoming connections. By default packet level pr[…]

Enable Certificate Padding
Enabling this setting will cause the WinVerifyTrust function to perform strict Windows Authenticode signature verification for […]tion. This may impact some installers. If you are using an installer that is impacted Microsoft recommends using an installer that only extracts content from validated portions of the signed file. Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

Force Disable Wake When Battery Saver On
Determines whether Disable Wake on Approach When Battery Saver On checkbox is forced checked/unchecked by the MDM policy.

Force Allow Wake When External Display Connected
Determines whether Allow Wake on Approach When External Display Connected checkbox is forced checked/unchecked by the MDM policy.

Force Allow Lock When External Display Connected
Determines whether Allow Lock on Leave When Battery Saver On checkbox is forced checked/unchecked by the MDM policy.

Force Allow Dim When External Display Connected
Determines whether Allow Adaptive Dimming When Battery Saver On checkbox is forced checked/unchecked by the MDM policy.

Do not sync language preferences settings
Prevent the "language preferences" group from syncing to and from this PC. This turns off and disables the "languages pre[…]sers to turn language preferences syncing on" so that syncing is turned off by default but not disabled. If you do not set or disable this setting syncing of the "language preferences" group is on by default and configurable by the user.

Remove Personalized Website Recommendations from the Recommended section in the Start Menu (Machine and User)
Remove Personalized Website Recommendations from the Recommended section in the Start Menu.

Automatic Data Collection
This policy setting determines whether Enhanced Phishing Protection can collect additional information-such as content displa[…]es and helps SmartScreen determine whether the website or app is malicious. If you enable this policy setting Enhanced Phishing Protection may automatically collect additional content for security analysis from a suspicious website or app when your users enter their work or school password into that website or app. If you disable this policy setting Enhanced Phishing Protection will not collect additional content for security analysis when your users enter their work or school password into a suspicious site or app. If this policy is not set Enhanced Phishing Protection automatic data collection will honor the end user's settings.

Turn off Windows Copilot
This policy setting allows you to turn off Windows Copilot. If you enable this policy setting users will not be able to use[…]

Scan packed executables
This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning rema[…]

Enable features introduced via servicing that are off by default
Features introduced via servicing (outside of the annual feature update) are off by default for devices that have their Window[…]" or "Disabled" then features that are shipped via a monthly quality update (servicing) will remain off until the feature update that includes these features is installed. *Windows update managed devices are those that have their Windows updates managed via policy; whether via the cloud using Windows Update for Business or on-premises with Windo[…]

Enable optional updates
This policy enables devices to get optional updates (including gradual feature rollouts (CFRs) - learn more by visiting aka.ms/Al[…]cally in line with the configured quality update deferrals. This includes optional cumulative updates and gradual feature rollouts (CFRs). • If "Automatically receive optional updates" is selected the device will only get optional cumulative updates automatically in line with the quality update deferrals. • If "Users can select which optional updates to receive[…] > Windows Update > Advanced options > Optional updates. Users can also enable the toggle "Get the latest updates as soon as they're available" to automatically receive optional updates and gradual feature rollouts.

Turn on multiple expanded toast notifications in action center
This policy setting turns on multiple expanded toast notifications in action center. If you enable this policy setting th[…] application will be expanded by default in action center. Windows 10 only. This will be immediately deprecated for Windows 11. No reboots or service restarts are required for this policy setting to take effect.