New Windows 11 23H2 Group Policy Settings List for Download

Let’s get the details of Windows 11 23H2 Group Policy Settings. You can download a spreadsheet that lists of new policy settings delivered for Windows 11 2023 Update.

Microsoft provides comprehensive documentation on Group Policy Settings for Windows 11 23H2, including the definition and use of each policy. Admins can reference these resources to understand and implement the settings effectively.

The Windows 11 23H2 Administrative template files (.admx and .adml) come with a comprehensive list of Group Policy Settings for both computer and user configurations.

To configure Group Policy Settings, You can use the Group Policy Management Console (GPMC) or the Local Group Policy Editor. The GPMC allows for centralized management, while the Local Group Policy Editor is used for configuring individual machines. You must have the Administrator privilege to make any modification.

Patch My PC

Windows 11 offers a comprehensive set of Group Policy Settings, Many Policies are dedicated to enhancing security and compliance. Administrators can enforce password policies, enable BitLocker encryption, configure firewall rules, and control user access to resources to ensure a secure computing environment.

Download Windows 11 23H2 Group Policy Settings Reference Spreadsheet

This spreadsheet lists the policy settings for computer and user configurations included in the ADMX files delivered for Windows 11 2023 October Update (Version 23H2).

Adaptiva
  • To download the Group Policy settings reference spreadsheet for Windows 11 23H2, Click here. You will be redirected to the Download Center details page.
  • On the download page that opens, Validate the Windows version details. Click on the  Download button. Important! Selecting a language below will dynamically change the complete page content to that language.
Download Windows 11 23H2 Group Policy Settings Reference Spreadsheet Fig.1
Download Windows 11 23H2 Group Policy Settings Reference Spreadsheet Fig.1

Group Policy Settings Reference Spreadsheet for Windows 11 2023 Update (23H2)Download Group Policy Settings from Official Microsoft Download Center

New Windows 11 23H2 Group Policy Settings List

Windows 11, like its predecessors, offers a wide range of Group Policy Settings that allow administrators to manage and control various aspects of the operating system and user configurations.

New Windows 11 23H2 Group Policy Settings List for Download Fig.2
New Windows 11 23H2 Group Policy Settings List for Download Fig.2

These settings are particularly valuable in enterprise environments for enforcing security policies, managing user preferences, and ensuring system stability. Here are some key points about Windows 11 Group Policy Settings:

ConfigurationGroup Policy PathGroup Policy Settings NameSettings Descriptions
UserWindows Components\Account NotificationsTurn off account notifications in StartThis Windows 11 23H2 group policy settings allows you to prevent Windows from displaying notifications to Microsoft account (MSA) and local users in Start (user tile). Notifications include getting users to: reauthenticate; backup their device; manage cloud storage quotas as well as manage their Microsoft 365 or XBOX subscription.       
MachineWindows Components\App PrivacyLet Windows apps access presence sensingThis Windows 11 23H2 group policy settings specifies whether Windows apps can access presence sensing.You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name.  
UserWindows Components\Cloud ContentEnable Organizational MessagesOrganizational messages allow Administrators to deliver messages to their end users on selected Windows 11 experiences. Organizational messages are available to Administrators via services like Microsoft Endpoint Manager.By default this policy is disabled.
MachineWindows Components\Delivery OptimizationDisallow downloads from Microsoft Connected Cache servers when the device connects via VPNDisallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default the device is allowed to download from Microsoft Connected Cache when connected via VPN.
MachineWindows Components\Delivery OptimizationVPN KeywordsThis Windows 11 23H2 group policy settings allows you to set one or more keywords used to recognize VPN connections. To add multiple keywords separate them with commas.
MachineSystem\FilesystemDev drive filter attach policyDev drive is a drive optimized for performance considering developer scenarios and by default no file system filters are attached to it. Filters listed in this setting will be allowed to attach even on a dev drive.A reboot is required for this setting to take effect.
MachineWindows Components\Internet ExplorerHide Internet Explorer 11 retirement notificationThis Windows 11 23H2 group policy settings allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default the Notification bar is displayed in Internet Explorer 11.If you enable this policy setting the Notification bar will not be displayed in Internet Explorer 11. If you disable or do not configure this policy setting the Notification bar will be displayed in Internet Explorer 11.
UserWindows Components\Internet ExplorerHide Internet Explorer 11 retirement notificationThis Windows 11 23H2 group policy settings allow you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default the Notification bar is displayed in Internet Explorer 11.If you enable this policy setting the Notification bar will not be displayed in Internet Explorer 11. If you disable or do not configure this policy setting the Notification bar will be displayed in Internet Explorer 11.
MachineNetwork\Lanman ServerRequest traffic compression for all sharesThis Windows 11 23H2 group policy settings controls whether the SMB server requests SMB client to use traffic compression for all SMB shares. 
MachineNetwork\Lanman ServerDisable SMB compressionThis Windows 11 23H2 group policy settings controls whether the SMB server will disable (completely prevent) traffic compression.   
MachineNetwork\Lanman WorkstationUse SMB compression by defaultThis policy controls whether the SMB client uses traffic compression by default. If you enable this policy setting the SMB client will attempt to compress traffic by default when SMB compression is enabled. If you disable or do not configure this policy setting the SMB client will not by default attempt to compress traffic.      
MachineNetwork\Lanman WorkstationDisable SMB compressionThis policy controls whether the SMB client will disable (completely prevent) traffic compression.If you enable this policy setting the SMB client will never compress data irrespective of other policies (such as the ‘Use SMB compression by default’ policy or per-share property).If you disable or do not configure this policy setting the SMB client may compress traffic (depending on a combination of other policies and conditions).      
MachineSystem\LAPSConfigure password backup directoryUse this setting to configure which directory the local admin account password is backed up to.The allowable settings are:0=Disabled (password will not be backed up)1=Backup the password to Azure Active Directory2=Backup the password to Active DirectoryIf not specified this setting will default to 0 (Disabled).
MachineSystem\LAPSPassword SettingsConfigures password parametersPassword complexity: which characters are used when generating a new password  Default: Large letters + small letters + numbers + special charactersPassword length  Minimum: 8 characters  Maximum: 64 characters  Default: 14 charactersPassword age in days  Minimum: 1 day (7 days when backup directory is configured to be Azure AD)  Maximum: 365 days  Default: 30 daysSee https://go.microsoft.com/fwlink/?linkid=2188435 for more information.      
MachineSystem\LAPSName of administrator account to manageThis Windows 11 23H2 group policy settings specifies a custom Administrator account name to manage the password for.   
MachineSystem\LAPSDo not allow password expiration time longer than required by policyIf this setting is enabled or not configured planned password expiration longer than the password age dictated by the “Password Settings” policy is NOT allowed. When such expiration is detected the password is changed immediately and password expiration is set according to policy. 
MachineSystem\LAPSEnable password encryptionWhen you enable this setting the managed password is encrypted before being sent to Active Directory.Enabling this setting has no effect unless 1) the password has been configured to be backed up to Active Directory and 2) the Active Directory domain functional level is at Windows Server 2016 or above.    
MachineSystem\LAPSConfigure authorized password decryptorsThis Windows 11 23H2 group policy settings Configure to control the specific user or group who is authorized to decrypt encrypted passwords. Configuring this setting has no effect unless password encryption has been enabled. If this setting is enabled encrypted passwords will be decryptable by the specified group.
MachineSystem\LAPSConfigure size of encrypted password historyWhen you enable this setting the DSRM administrator account password will be managed and backed up to Active Directory. Enabling this setting has no effect unless the managed device is a domain controller and password encryption is also enabled.    
MachineSystem\LAPSEnable password backup for DSRM accountsWhen you enable this setting the DSRM administrator account password will be managed and backed up to Active Directory. Enabling this setting has no effect unless the managed device is a domain controller and password encryption is also enabled.
MachineSystem\LAPSPost-authentication actionsThis Windows 11 23H2 group policy settings configures post-authentication actions which will be executed after detecting an authentication by the managed account.Grace period: specifies the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions.
MachineSystem\FilesystemEnable dev driveDev drive or developer volume is a volume optimized for performance of developer scenarios. A developer volume allows an administrator to choose file system filters that are attached on the volume.
MachineWindows Components\SearchConfigures search on the taskbarThis Windows 11 23H2 group policy settings configures post-authentication actions which will be executed after detecting an authentication by the managed account. Grace period: specifies the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions.
MachineMS Security GuideConfigure RPC packet level privacy setting for incoming connectionsThis Windows 11 23H2 group policy settings controls whether packet level privacy is enabled for RPC for incoming connections.By default packet level privacy is enabled for RPC for incoming connections.If you enable or do not configure this policy setting packet level privacy is enabled for RPC for incoming connections.
MachineMS Security GuideEnable Certificate PaddingEnabling this setting will cause the WinVerifyTrust function to perform strict Windows Authenticode signature verification for Portable Executable files (PE files). After you opt in PE files will be considered “unsigned” if Windows identifies content in them that does not conform to the Authenticode specification. This may impact some installers. If you are using an installer that is impacted Microsoft recommends using an installer that only extracts content from validated portions of the signed file.
MachineWindows Components\Human PresenceForce Disable Wake When Battery Saver OnThis Windows 11 23H2 group policy settings Determines whether Disable Wake on Approach When Battery Saver On checkbox is forced checked/unchecked by the MDM policy. The user will not be able to change this setting and the checkbox in the UI will be greyed out.
MachineWindows Components\Human PresenceForce Allow Wake When External Display ConnectedDetermines whether Allow Wake on Approach When External Display Connected checkbox is forced checked/unchecked by the MDM policy. The user will not be able to change this setting and the checkbox in the UI will be greyed out.
MachineWindows Components\Human PresenceForce Allow Lock When External Display ConnectedThis Windows 11 23H2 group policy settings Determines whether Allow Lock on Leave When Battery Saver On checkbox is forced checked/unchecked by the MDM policy. The user will not be able to change this setting and the checkbox in the UI will be greyed out.
MachineWindows Components\Human PresenceForce Allow Dim When External Display ConnectedThis Windows 11 23H2 group policy settings Determines whether Allow Adaptive Dimming When Battery Saver On checkbox is forced checked/unchecked by the MDM policy. The user will not be able to change this setting and the checkbox in the UI will be greyed out.
MachineWindows Components\Sync your settingsDo not sync language preferences settings Prevent the “language preferences” group from syncing to and from this PC. This turns off and disables the “languages preferences” group on the “Windows backup” settings page in PC settings.If you enable this policy setting the “language preferences” group will not be synced.Use the option “Allow users to turn language preferences syncing on” so that syncing is turned off by default but not disabled.If you do not set or disable this setting syncing of the “language preferences” group is on by default and configurable by the user.      
MachineStart Menu and TaskbarRemove Personalized Website Recommendations from the Recommended section in the Start MenuThis Windows 11 23H2 group policy settings Remove Personalized Website Recommendations from the Recommended section in the Start Menu
UserStart Menu and TaskbarRemove Personalized Website Recommendations from the Recommended section in the Start MenuThis Windows 11 23H2 group policy settings Remove Personalized Website Recommendations from the Recommended section in the Start Menu
MachineWindows Components\Windows Defender SmartScreen\Enhanced Phishing ProtectionAutomatic Data CollectionThis Windows 11 23H2 group policy settings determine whether Enhanced Phishing Protection can collect additional information-such as content displayed sounds played and application memory-when your users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious.
UserWindows Components\Windows CopilotTurn off Windows CopilotThis Windows 11 23H2 group policy settings allows you to turn off Windows Copilot. If you enable this policy setting users will not be able to use Copilot. The Copilot icon will not appear on the taskbar either.       
If you disable or do not configure this policy setting users will be able to use Copilot when it’s available to them.      
MachineWindows Components\Microsoft Defender Antivirus\ScanScan packed executablesThis Windows 11 23H2 group policy settings allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled.    If you enable or do not configure this setting packed executables will  be scanned.    If you disable this setting packed executables will not be scanned.
MachineWindows Components\Windows Update\Manage end user experienceEnable features introduced via servicing that are off by defaultFeatures introduced via servicing (outside of the annual feature update) are off by default for devices that have their Windows updates managed*.If this policy is configured to “Enabled” then all features available in the latest monthly quality update installed will be on.If this policy is set to “Not Configured” or “Disabled” then features that are shipped via a monthly quality update (servicing) will remain off until the feature update that includes these features is installed. *Windows update managed devices are those that have their Windows updates managed via policy; whether via the cloud using Windows Update for Business or on-premises with Windows Server Update Services (WSUS).      
MachineWindows Components\Windows Update\Manage updates offered from Windows UpdateEnable optional updatesThis Windows 11 23H2 group policy settings enables devices to get optional updates (including gradual feature rollouts (CFRs) – learn more by visiting aka.ms/AllowOptionalContent)When the policy is configured
• If “Automatically receive optional updates (including CFRs)” is selected the device will get the latest optional updates automatically in line with the configured quality update deferrals. This includes optional cumulative updates and gradual feature rollouts (CFRs).
• If “Automatically receive optional updates” is selected the device will only get optional cumulative updates automatically in line with the quality update deferrals.
• If “Users can select which optional updates to receive” is selected users can select which optional updates to get by visiting Settings > Windows Update > Advanced options > Optional updates. Users can also enable the toggle “Get the latest updates as soon as they’re available” to automatically receive optional updates and gradual feature rollouts.      
UserStart Menu and Taskbar\NotificationsTurn on multiple expanded toast notifications in action centerThis Windows 11 23H2 group policy settings turns on multiple expanded toast notifications in action center. If you enable this policy setting the first three notifications of each application will be expanded by default in action center.  
If you disable or do not configure this policy setting only the first notification of each application will be expanded by default in action center.         
Windows 10 only. This will be immediately deprecated for Windows 11.          No reboots or service restarts are required for this policy setting to take effect.      
Table 1 – New Windows 11 23H2 Group Policy Settings List

We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here –HTMD WhatsApp.

Author

About Author – JiteshMicrosoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.