Let’s see the details of the New Group Policy Settings in Windows Server 2022. Group Policy administrative templates offer great possibilities for system and end-user experience customizations.
In the security baseline package for Windows Server 2022, three new settings have been added: an AppLocker update for Microsoft Edge, a new Microsoft Defender Antivirus setting, and a custom setting for printer driver installation restrictions.
You can find the latest server operating system build numbers in the following table. This can be useful to segregate different build versions of Server 2022 devices. More: List of Windows Server 2022 Build Numbers.
Windows Server Version | Windows Server Build Number | Extended Support End | Date of Availability |
Windows Server 2022 – 21H2 | 10.0.200348.169 | 14th Oct 2031 | 18th Aug 2021 |
In enterprise environments with Windows 10 Enterprise or Education edition, settings can be managed via Group Policy. However, new administrative templates in the form of .admx files are required. See Download Windows 10 Administrative Templates for All Versions.
- What’s New Group Policy Settings Available in Different Versions of Windows 10
- List of New Group Policy Settings in Windows 10 21H1
- List of Windows 11 Group Policy Settings
Download Group Policy Settings in Windows Server 2022 – Reference Spreadsheet
The Administrative Templates (ADMX) and Group Policy Settings Reference for Windows Server 2022 are now available in the Microsoft Download Center.
To download the reference spreadsheet for Group Policy Settings in Windows Server 2022, browse to Download Group Policy Settings Reference Spreadsheet for Windows Server 2022.
You’ll be redirected to the Download Center details page. Click the Download button.
This spreadsheet lists the policy settings for computer and user configurations that are included in the Administrative template files delivered with Windows Server 2022 (Aug 21 release). You can configure these policy settings when you edit Group Policy Objects.
Windows Server 2022 Group Policy Settings
The Group Policy Settings in Windows Server 2022 for Computer (Machine) and User configurations are included in the Administrative template for Windows Server 2022, version 21H2 (August 2021 Update).
The following Group Policy Settings were added in Windows Server 2022:
Location | Policy Path | Policy Setting Name | Description |
Machine | Control Panel\Regional and Language Options | Restrict Language Pack and Language Feature Installation | This policy setting restricts all users from installing language packs and language features on demand packages. |
Machine | MS Security Guide | Limits print driver installation to Administrators | Determines whether users that aren’t Administrators can install print drivers on this computer. By default users that aren’t Administrators can’t install print drivers on this computer. |
Machine | Network\DNS Client | Configure DNS over HTTPS (DoH) name resolution | Specifies if the DNS client will perform name resolution over DNS over HTTPS (DoH). By default the DNS client will do classic DNS name resolution (over UDP or TCP). This setting can enhance the DNS client to use DoH protocol to resolve domain names. |
Machine | Printers | Enable Device Control Printing Restrictions | Determines whether Device Control Printing Restrictions are enforced for printing on this computer. By default there are no restrictions to printing based on connection type or printer Make/Model. |
Machine | Printers | List of Approved USB-connected print devices | This setting is a component of the Device Control Printing Restrictions. To use this setting enable Device Control Printing by enabling the “Enable Device Control Printing Restrictions” setting. |
Machine | Start Menu and Taskbar | Show or hide “Most used” list from Start menu | If you enable this policy setting you can configure Start menu to show or hide the list of user’s most used apps regardless of user settings. |
Machine | Start Menu and Taskbar\Notifications | Enables group policy for the WNS FQDN | This policy sets a special WNS FQDN for specific environments. |
Machine | System\Filesystem\NTFS | Enable NTFS non-paged pool usage | By default NTFS allocates memory from both pageable and non-pageable memory as needed. The benefit of enabling this feature is a reduction in page-faults and stack usage at the cost of additional memory consumption. A reboot is required for this setting to take effect. |
Machine | System\Filesystem\NTFS | NTFS default tier | For NTFS tiered volumes this controls the tier that new allocations go to by default. Client systems default to the Performance tier. Server systems default to the Capacity tier. |
Machine | System\Filesystem\NTFS | NTFS parallel flush threshold | When flushing modified file data from memory NTFS chooses to use one or more threads based on how many files are currently open. This setting gives control over the open file threshold used to trigger parallel flush. |
Machine | System\Filesystem\NTFS | NTFS parallel flush worker threads | When flushing modified file data from memory NTFS chooses to use one or more threads based on how many files are currently open. This setting gives control over how many threads will be used. |
Machine | System\Kerberos | Allow retrieving the cloud kerberos ticket during the logon | This policy setting allows retrieving the cloud kerberos ticket during the logon. |
Machine | System\Net Logon\DC Locator DNS Records | Use lowercase DNS host names when registering domain controller SRV records | This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records. |
Machine | System\Security Account Manager | Configure validation of ROCA-vulnerable WHfB keys during authentication | This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the “Return of Coppersmith’s attack” (ROCA) vulnerability. |
Machine | System\Storage Sense | Allow Storage Sense | Storage Sense can automatically clean some of the user’s files to free up disk space. |
Machine | System\Storage Sense | Allow Storage Sense Temporary Files cleanup | When Storage Sense runs it can delete the user’s temporary files that are not in use. |
Machine | System\Storage Sense | Configure Storage Sense cadence | Storage Sense can automatically clean some of the user’s files to free up disk space. |
Machine | System\Storage Sense | Configure Storage Sense Cloud Content dehydration threshold | When Storage Sense runs it can dehydrate cloud-backed content that hasn’t been opened in a certain amount of days. |
Machine | System\Storage Sense | Configure Storage Sense Recycle Bin cleanup threshold | When Storage Sense runs it can delete files in the user’s Recycle Bin if they have been there for over a certain amount of days. |
Machine | System\Storage Sense | Configure Storage Storage Downloads cleanup threshold | When Storage Sense runs it can delete files in the user’s Downloads folder if they haven’t been opened for more than a certain number of days. |
Machine | Windows Components\App Package Deployment | Archive infrequently used apps | This policy setting controls whether the system can archive infrequently used apps. |
Machine | Windows Components\App Privacy | Let Windows apps access user movements while running in the background | This policy setting specifies whether Windows apps can access the movement of the user’s head, hands, motion controllers, and other tracked objects while the apps are running in the background. You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. |
Machine | Windows Components\App Privacy | Let Windows apps activate with voice | This policy setting specifies whether Windows apps can be activated by voice. If you choose the “User is in control” option employees in your organization can decide whether Windows apps can be activated with a voice keyword by using Settings > Privacy on the device. This policy is applied to Windows apps and Cortana. |
Machine | Windows Components\App Privacy | Let Windows apps activate with voice while the system is locked | This policy setting specifies whether Windows apps can be activated by voice while the system is locked. |
Machine | Windows Components\App Privacy | Let Windows apps take screenshots of various windows or displays | This policy setting specifies whether Windows apps can take screenshots of various windows or displays. |
Machine | Windows Components\App Privacy | Let Windows apps turn off the screenshot border | This policy setting specifies whether Windows apps can turn off the screenshot border. You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. |
Machine | Windows Components\Data Collection and Preview Builds | Disable OneSettings Downloads | This policy setting controls whether Windows can download configuration settings from the OneSettings service. |
Machine | Windows Components\Data Collection and Preview Builds | Enable OneSettings Auditing | This policy setting controls whether Windows records attempts to download configuration settings from the OneSettings service to the EventLog. |
Machine | Windows Components\Data Collection and Preview Builds | Limit Diagnostic Log Collection | This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem on the device. Diagnostic logs are only sent when the device has been configured to send optional diagnostic data. |
Machine | Windows Components\Data Collection and Preview Builds | Limit Dump Collection | This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. Dumps are only sent when the device has been configured to send optional diagnostic data. |
Machine | Windows Components\Internet Explorer | Allow “Save Target As” in Internet Explorer mode | This policy setting allows admins to enable “Save Target As” context menu in Internet Explorer mode. |
Machine | Windows Components\Internet Explorer | Disable Internet Explorer 11 as a standalone browser | This policy lets you restrict launching of Internet Explorer as a standalone browser. |
Machine | Windows Components\Internet Explorer | Enable extended hot keys in Internet Explorer mode | This policy setting lets admins enable extended Microsoft Edge Internet Explorer mode hotkeys such as “Ctrl+S” to have “Save as” functionality. |
Machine | Windows Components\Microsoft Defender Antivirus | Define the directory path to copy support log files | This policy setting allows you to configure the directory path where the support log files would be copied to. The value of this setting should be a valid directory path. |
Machine | Windows Components\Microsoft Defender Antivirus\Exclusions | Ip Address Exclusions | Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses. |
Machine | Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection | This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. | Disabled (Default): If Not Configured or Disabled network protection is not allowed to be configured into block or audit mode on Windows Server. Enabled: If Enabled administrators can control whether Network Protection is allowed to be configured into block or audit mode on Windows Server. Note that this configuration is dependent on the EnableNetworkProtection configuration. If this configuration is false EnableNetworkProtection will be ignored otherwise network protection will start on Windows Server depending on the value of EnableNetworkProtection. |
Machine | Windows Components\Microsoft Defender Antivirus\Network Inspection System | This setting controls datagram processing for network protection. | Disabled (Default): If Not Configured or Disabled network protection is not allowed to be configured into block or audit mode on Windows Server. Enabled: If Enabled administrators can control whether Network Protection is allowed to be configured into block or audit mode on Windows Server. Note that this configuration is dependent on the EnableNetworkProtection configuration. If this configuration is false EnableNetworkProtection will be ignored otherwise network protection will start on Windows Server depending on the value of EnableNetworkProtection. |
Machine | Windows Components\Microsoft Defender Antivirus\Real-time Protection | Turn on script scanning | This policy setting allows you to configure script scanning. |
Machine | Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates | Allows Microsoft Defender Antivirus to update and communicate over a metered connection. | Disabled (Default): Updates and communications are not allowed over metered connections. Enabled: Allow managed devices to update through metered connections. Data charges may apply. |
Machine | Windows Components\Windows Hello for Business | Use cloud trust for on-premises authentication | |
Machine | Windows Components\Windows Sandbox | Allow audio input in Windows Sandbox | This policy setting enables or disables audio input to the Sandbox. |
Machine | Windows Components\Windows Sandbox | Allow clipboard sharing with Windows Sandbox | This policy setting enables or disables clipboard sharing with the sandbox. |
Machine | Windows Components\Windows Sandbox | Allow networking in Windows Sandbox | This policy setting enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox. |
Machine | Windows Components\Windows Sandbox | Allow printer sharing with Windows Sandbox | This policy setting enables or disables printer sharing from the host into the Sandbox. |
Machine | Windows Components\Windows Sandbox | Allow vGPU sharing for Windows Sandbox | This policy setting is to enable or disable the virtualized GPU. |
Machine | Windows Components\Windows Sandbox | Allow video input in Windows Sandbox | This policy setting enables or disables video input to the Sandbox. If you enable this policy setting video input is enabled in Windows Sandbox. |
Machine | Windows Components\Windows Update\Windows Update for Business | Disable safeguards for Feature Updates | Enable this setting when Feature Updates should be deployed to devices without blocking on any safeguard holds. Safeguard holds are known compatibility issues that block the upgrade from being deployed to affected devices until the issue is resolved. |
User | AutoSubscription | Enable auto-subscription | Controls the list of URLs that the user should be auto-subscribed to |
User | Control Panel\Printers | Enable Device Control Printing Restrictions | Determines whether Device Control Printing Restrictions are enforced for printing on this computer. |
User | Control Panel\Printers | List of Approved USB-connected print devices | This setting is a component of the Device Control Printing Restrictions. To use this setting enable Device Control Printing by enabling the “Enable Device Control Printing Restrictions” setting. |
User | Control Panel\Regional and Language Options | Restrict Language Pack and Language Feature Installation | This policy setting restricts the user from installing language packs and language features on demand. This policy does not restrict switching the Windows language; if you want to restrict the Windows language, use the following policy: “Restricts the UI languages Windows should use for the selected user.” |
User | Start Menu and Taskbar | Remove the Meet Now icon | This policy setting allows you to remove the Meet Now icon from the system control area. |
User | Start Menu and Taskbar | Show or hide “Most used” list from Start menu | If you enable this policy setting you can configure Start menu to show or hide the list of user’s most used apps regardless of user settings. Selecting “Show” will force the “Most used” list to be shown and user cannot change to hide it using the Settings app. Selecting “Hide” will force the “Most used” list to be hidden and user cannot change to show it using the Settings app. Selecting “Not Configured”, or if you disable or do not configure this policy setting, all will allow users to turn on or off the display of “Most used” list using the Settings app. This is default behavior. |
User | Windows Components\IME | Configure Korean IME version | This policy setting controls the version of Microsoft IME. |
User | Windows Components\Internet Explorer | Allow “Save Target As” in Internet Explorer mode | This policy setting allows admins to enable “Save Target As” context menu in Internet Explorer mode. |
User | Windows Components\Internet Explorer | Disable Internet Explorer 11 as a standalone browser | This policy lets you restrict launching of Internet Explorer as a standalone browser. |
User | Windows Components\Internet Explorer | Enable extended hot keys in Internet Explorer mode | This policy setting lets admins enable extended Microsoft Edge Internet Explorer mode hotkeys such as “Ctrl+S” to have “Save as” functionality |
User | Windows Components\Windows Hello for Business | Use cloud trust for on-premises authentication | – |