List of New Group Policy Settings in Windows Server 2022

Let’s see the details of the New Group Policy Settings in Windows Server 2022. Group Policy administrative templates offer great possibilities for system and end-user experience customizations.

The security baseline package for Windows Server 2022 adds three new settings: an AppLocker update for Microsoft Edge, a new Microsoft Defender Antivirus setting, and a custom setting for printer driver installation restrictions.

You can find the latest server operating system build numbers in the following table. This can be useful for segregating different build versions of Server 2022 devices. More: List of Windows Server 2022 Build Numbers.

| Windows Server Version | Windows Server Build Number | Extended Support End Date | Date of Availability |
|---|---|---|---|
| Windows Server 2022 – 21H2 | 10.0.200348.169 | 14th Oct 2031 | 18th Aug 2021 |

New Group Policy Settings in Windows Server 2022

In enterprise environments with Windows 10 Enterprise or Education edition, settings can be managed via Group Policy. However, new administrative templates in the form of .admx files are required. See Download Windows 10 Administrative Templates for All Versions.

Download Group Policy Settings in Windows Server 2022 – Reference Spreadsheet

The Administrative Templates (ADMX) and Group Policy Settings Reference for Windows Server 2022 are now available in the Microsoft Download Center.

To download the reference spreadsheet for Group Policy Settings in Windows Server 2022, browse to Download Group Policy Settings Reference Spreadsheet for Windows Server 2022.

You’ll be redirected to the Download Center details page. Click the Download button.

This spreadsheet lists the policy settings for computer and user configurations that are included in the Administrative template files delivered with Windows Server 2022 (Aug 21 release). You can configure these policy settings when you edit Group Policy Objects.

Download Group Policy Settings – New Group Policy Settings for Windows Server 2022

Windows Server 2022 Group Policy Settings

The Group Policy Settings in Windows Server 2022 for Computer (Machine) and User configurations are included in the Administrative template for Windows Server 2022, version 21H2 (August 2021 Update).

The following Group Policy Settings were added in Windows Server 2022:

| Location | Policy Path | Policy Setting Name | Description |
|---|---|---|---|
| Machine | Control Panel\Regional and Language Options | Restrict Language Pack and Language Feature Installation | This policy setting restrict all users from installing language packs and language features on demand packages. |
| Machine | MS Security Guide | Limits print driver installation to Administrators | Determines whether users that aren’t Administrator can install print drivers on this computer. By default users that aren’t Administrators can’t install print drivers on this computer. |
| Machine | Network\DNS Client | Configure DNS over HTTPS (DoH) name resolution | Specifies if the DNS client will perform name resolution over DNS over HTTPS (DoH). By default the DNS client will do classic DNS name resolution (over UDP or TCP). This setting can enhance the DNS client to use DoH protocol to resolve domain names. |
| Machine | Printers | Enable Device Control Printing Restrictions | Determines whether Device Control Printing Restrictions are enforced for printing on this computer. By default there are no restrictions to printing based on connection type or printer Make/Model. |
| Machine | Printers | List of Approved USB-connected print devices | This setting is a component of the Device Control Printing Restrictions. To use this setting enable Device Control Printing by enabling the “Enable Device Control Printing Restrictions” setting. |
| Machine | Start Menu and Taskbar | Show or hide “Most used” list from Start menu | If you enable this policy setting you can configure Start menu to show or hide the list of user’s most used apps regardless of user settings. |
| Machine | Start Menu and Taskbar\Notifications | Enables group policy for the WNS FQDN | This policy sets a special WNS FQDN for specific environments. |
| Machine | System\Filesystem\NTFS | Enable NTFS non-paged pool usage | By default NTFS allocates memory from both pageable and non-pageable memory as needed. The benefit of enabling this feature is a reduction in page-faults and stack usage at the cost of additional memory consumption. A reboot is required for this setting to take effect |
| Machine | System\Filesystem\NTFS | NTFS default tier | For NTFS tiered volumes this controls the tier that new allocations go to by default. Client systems default to the Performance tier. Server systems default to the Capacity tier. |
| Machine | System\Filesystem\NTFS | NTFS parallel flush threshold | When flushing modified file data from memory NTFS chooses to use one or more threads based on how many files are currently open. This setting gives control over the open file threshold used to trigger parallel flush. |
| Machine | System\Filesystem\NTFS | NTFS parallel flush worker threads | When flushing modified file data from memory NTFS chooses to use one or more threads based on how many files are currently open. This setting gives control over how many threads will be used. |
| Machine | System\Kerberos | Allow retrieving the cloud kerberos ticket during the logon | This policy setting allows retrieving the cloud kerberos ticket during the logon. |
| Machine | System\Net Logon\DC Locator DNS Records | Use lowercase DNS host names when registering domain controller SRV records | This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records. |
| Machine | System\Security Account Manager | Configure validation of ROCA-vulnerable WHfB keys during authentication | This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the “Return of Coppersmith’s attack” (ROCA) vulnerability. |
| Machine | System\Storage Sense | Allow Storage Sense | Storage Sense can automatically clean some of the user’s files to free up disk space. |
| Machine | System\Storage Sense | Allow Storage Sense Temporary Files cleanup | When Storage Sense runs it can delete the user’s temporary files that are not in use. |
| Machine | System\Storage Sense | Configure Storage Sense cadence | Storage Sense can automatically clean some of the user’s files to free up disk space. |
| Machine | System\Storage Sense | Configure Storage Sense Cloud Content dehydration threshold | When Storage Sense runs it can dehydrate cloud-backed content that hasn’t been opened in a certain amount of days. |
| Machine | System\Storage Sense | Configure Storage Sense Recycle Bin cleanup threshold | When Storage Sense runs it can delete files in the user’s Recycle Bin if they have been there for over a certain amount of days. |
| Machine | System\Storage Sense | Configure Storage Storage Downloads cleanup threshold | When Storage Sense runs it can delete files in the user’s Downloads folder if they haven’t been opened for more than a certain number of days. |
| Machine | Windows Components\App Package Deployment | Archive infrequently used apps | This policy setting controls whether the system can archive infrequently used apps. |
| Machine | Windows Components\App Privacy | Let Windows apps access user movements while running in the background | This policy setting specifies whether Windows apps can access the movement of the user’s head hands motion controllers and other tracked objects while the apps are running in the background. You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. |
| Machine | Windows Components\App Privacy | Let Windows apps activate with voice | This policy setting specifies whether Windows apps can be activated by voice. If you choose the “User is in control” option employees in your organization can decide whether Windows apps can be activated with a voice keyword by using Settings > Privacy on the device. This policy is applied to Windows apps and Cortana. |
| Machine | Windows Components\App Privacy | Let Windows apps activate with voice while the system is locked | This policy setting specifies whether Windows apps can be activated by voice while the system is locked. |
| Machine | Windows Components\App Privacy | Let Windows apps take screenshots of various windows or displays | This policy setting specifies whether Windows apps can take screenshots of various windows or displays. |
| Machine | Windows Components\App Privacy | Let Windows apps turn off the screenshot border | This policy setting specifies whether Windows apps can turn off the screenshot border. You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. |
| Machine | Windows Components\Data Collection and Preview Builds | Disable OneSettings Downloads | This policy setting controls whether Windows can download configuration settings from the OneSettings service. |
| Machine | Windows Components\Data Collection and Preview Builds | Enable OneSettings Auditing | This policy setting controls whether Windows records attempts to download configuration settings from the OneSettings service to the EventLog. |
| Machine | Windows Components\Data Collection and Preview Builds | Limit Diagnostic Log Collection | This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem on the device. Diagnostic logs are only sent when the device has been configured to send optional diagnostic data. |
| Machine | Windows Components\Data Collection and Preview Builds | Limit Dump Collection | This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. Dumps are only sent when the device has been configured to send optional diagnostic data. |
| Machine | Windows Components\Internet Explorer | Allow “Save Target As” in Internet Explorer mode | This policy setting allows admins to enable “Save Target As” context menu in Internet Explorer mode. |
| Machine | Windows Components\Internet Explorer | Disable Internet Explorer 11 as a standalone browser | This policy lets you restrict launching of Internet Explorer as a standalone browser. |
| Machine | Windows Components\Internet Explorer | Enable extended hot keys in Internet Explorer mode | This policy setting lets admins enable extended Microsoft Edge Internet Explorer mode hotkeys such as “Ctrl+S” to have “Save as” functionality. |
| Machine | Windows Components\Microsoft Defender Antivirus | Define the directory path to copy support log files | This policy setting allows you to configure the directory path where the support log files would be copied to. The value of this setting should be a valid directory path. |
| Machine | Windows Components\Microsoft Defender Antivirus\Exclusions | Ip Address Exclusions | Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses. |
| Machine | Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection | This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. | Disabled (Default): If Not Configured or Disabled network protection is not allowed to be configured into block or audit mode on Windows Server. Enabled: If Enabled administrators can control whether Network Protection is allowed to be configured into block or audit mode on Windows Server. Note that this configuration is dependent on the EnableNetworkProtection configuration. If this configuration is false EnableNetworkProtection will be ignored otherwise network protection will start on Windows Server depending on the value of EnableNetworkProtection. |
| Machine | Windows Components\Microsoft Defender Antivirus\Network Inspection System | This setting controls datagram processing for network protection. | Disabled (Default): If Not Configured or Disabled network protection is not allowed to be configured into block or audit mode on Windows Server. Enabled: If Enabled administrators can control whether Network Protection is allowed to be configured into block or audit mode on Windows Server. Note that this configuration is dependent on the EnableNetworkProtection configuration. If this configuration is false EnableNetworkProtection will be ignored otherwise network protection will start on Windows Server depending on the value of EnableNetworkProtection. |
| Machine | Windows Components\Microsoft Defender Antivirus\Real-time Protection | Turn on script scanning | This policy setting allows you to configure script scanning. |
| Machine | Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates | Allows Microsoft Defender Antivirus to update and communicate over a metered connection. | Disabled (Default): Updates and communications are not allowed over metered connections. Enabled: Allow managed devices to update through metered connections. Data charges may apply. |
| Machine | Windows Components\Windows Hello for Business | Use cloud trust for on-premises authentication | |
| Machine | Windows Components\Windows Sandbox | Allow audio input in Windows Sandbox | This policy setting enables or disables audio input to the Sandbox. |
| Machine | Windows Components\Windows Sandbox | Allow clipboard sharing with Windows Sandbox | This policy setting enables or disables clipboard sharing with the sandbox. |
| Machine | Windows Components\Windows Sandbox | Allow networking in Windows Sandbox | This policy setting enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox. |
| Machine | Windows Components\Windows Sandbox | Allow printer sharing with Windows Sandbox | This policy setting enables or disables printer sharing from the host into the Sandbox. |
| Machine | Windows Components\Windows Sandbox | Allow vGPU sharing for Windows Sandbox | This policy setting is to enable or disable the virtualized GPU. |
| Machine | Windows Components\Windows Sandbox | Allow video input in Windows Sandbox | This policy setting enables or disables video input to the Sandbox. If you enable this policy setting video input is enabled in Windows Sandbox. |
| Machine | Windows Components\Windows Update\Windows Update for Business | Disable safeguards for Feature Updates | Enable this setting when Feature Updates should be deployed to devices without blocking on any safeguard holds. Safeguard holds are known compatibility issues that block the upgrade from being deployed to affected devices until the issue is resolved. |
| User | AutoSubscription | Enable auto-subscription | Controls the list of URLs that the user should be auto-subscribed to |
| User | Control Panel\Printers | Enable Device Control Printing Restrictions | Determines whether Device Control Printing Restrictions are enforced for printing on this computer. |
| User | Control Panel\Printers | List of Approved USB-connected print devices | This setting is a component of the Device Control Printing Restrictions. To use this setting enable Device Control Printing by enabling the “Enable Device Control Printing Restrictions” setting. |
| User | Control Panel\Regional and Language Options | Restrict Language Pack and Language Feature Installation | This policy setting restrict the user from installing language packs and language features on demand. This policy does not restrict switching the Windows language if you want to restrict the Windows language use the following policy: “Restricts the UI languages Windows should use for the selected user.” |
| User | Start Menu and Taskbar | Remove the Meet Now icon | This policy setting allows you to remove the Meet Now icon from the system control area. |
| User | Start Menu and Taskbar | Show or hide “Most used” list from Start menu | If you enable this policy setting you can configure Start menu to show or hide the list of user’s most used apps regardless of user settings. Selecting “Show” will force the “Most used” list to be shown and user cannot change to hide it using the Settings app. Selecting “Hide” will force the “Most used” list to be hidden and user cannot change to show it using the Settings app. Selecting “Not Configured” or if you disable or do not configure this policy setting all will allow users to turn on or off the display of “Most used” list using the Settings app. This is default behavior. |
| User | Windows Components\IME | Configure Korean IME version | This policy setting controls the version of Microsoft IME. |
| User | Windows Components\Internet Explorer | Allow “Save Target As” in Internet Explorer mode | This policy setting allows admins to enable “Save Target As” context menu in Internet Explorer mode. |
| User | Windows Components\Internet Explorer | Disable Internet Explorer 11 as a standalone browser | This policy lets you restrict launching of Internet Explorer as a standalone browser. |
| User | Windows Components\Internet Explorer | Enable extended hot keys in Internet Explorer mode | This policy setting lets admins enable extended Microsoft Edge Internet Explorer mode hotkeys such as “Ctrl+S” to have “Save as” functionality |
| User | Windows Components\Windows Hello for Business | Use cloud trust for on-premises authentication | |

List of Windows Server 2022 Group Policy Settings | Windows Server 2022 Group Policy

Author

About Author – Jitesh, Microsoft MVP, has over five years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.
