Let’s get the details of Windows 11 23H2 Group Policy Settings. You can download a spreadsheet that lists the new policy settings delivered for the Windows 11 2023 Update.
Microsoft provides comprehensive documentation on Group Policy Settings for Windows 11 23H2, including the definition and use of each policy. Admins can reference these resources to understand and implement the settings effectively.
The Windows 11 23H2 Administrative template files (.admx and .adml) come with a comprehensive list of Group Policy Settings for both computer and user configurations.
To configure Group Policy Settings, you can use the Group Policy Management Console (GPMC) or the Local Group Policy Editor. The GPMC allows for centralized management, while the Local Group Policy Editor is used for configuring individual machines. You must have administrator privileges to make any modification.
Windows 11 offers a comprehensive set of Group Policy Settings, and many of them are dedicated to enhancing security and compliance. Administrators can enforce password policies, enable BitLocker encryption, configure firewall rules, and control user access to resources to ensure a secure computing environment.
Download Windows 11 23H2 Group Policy Settings Reference Spreadsheet
This spreadsheet lists the policy settings for computer and user configurations included in the ADMX files delivered for Windows 11 2023 October Update (Version 23H2).
- To download the Group Policy settings reference spreadsheet for Windows 11 23H2, click here. You will be redirected to the Download Center details page.
- On the download page that opens, validate the Windows version details and click the Download button. Important! Selecting a language below will dynamically change the complete page content to that language.
Group Policy Settings Reference Spreadsheet for Windows 11 2023 Update (23H2) – Download Group Policy Settings from Official Microsoft Download Center
New Windows 11 23H2 Group Policy Settings List
Windows 11, like its predecessors, offers a wide range of Group Policy Settings that allow administrators to manage and control various aspects of the operating system and user configurations.
These settings are particularly valuable in enterprise environments for enforcing security policies, managing user preferences, and ensuring system stability. Here are some key points about Windows 11 Group Policy Settings:
Configuration | Group Policy Path | Group Policy Settings Name | Settings Descriptions |
---|---|---|---|
User | Windows Components\Account Notifications | Turn off account notifications in Start | This Windows 11 23H2 Group Policy setting allows you to prevent Windows from displaying notifications to Microsoft account (MSA) and local users in Start (user tile). Notifications include getting users to: reauthenticate; back up their device; manage cloud storage quotas as well as manage their Microsoft 365 or XBOX subscription. |
Machine | Windows Components\App Privacy | Let Windows apps access presence sensing | This Windows 11 23H2 Group Policy setting specifies whether Windows apps can access presence sensing. You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. |
User | Windows Components\Cloud Content | Enable Organizational Messages | Organizational messages allow Administrators to deliver messages to their end users on selected Windows 11 experiences. Organizational messages are available to Administrators via services like Microsoft Endpoint Manager. By default this policy is disabled. |
Machine | Windows Components\Delivery Optimization | Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN | Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default the device is allowed to download from Microsoft Connected Cache when connected via VPN. |
Machine | Windows Components\Delivery Optimization | VPN Keywords | This Windows 11 23H2 Group Policy setting allows you to set one or more keywords used to recognize VPN connections. To add multiple keywords, separate them with commas. |
Machine | System\Filesystem | Dev drive filter attach policy | Dev drive is a drive optimized for performance considering developer scenarios and by default no file system filters are attached to it. Filters listed in this setting will be allowed to attach even on a dev drive. A reboot is required for this setting to take effect. |
Machine | Windows Components\Internet Explorer | Hide Internet Explorer 11 retirement notification | This Windows 11 23H2 Group Policy setting allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default the Notification bar is displayed in Internet Explorer 11. If you enable this policy setting the Notification bar will not be displayed in Internet Explorer 11. If you disable or do not configure this policy setting the Notification bar will be displayed in Internet Explorer 11. |
User | Windows Components\Internet Explorer | Hide Internet Explorer 11 retirement notification | This Windows 11 23H2 Group Policy setting allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default the Notification bar is displayed in Internet Explorer 11. If you enable this policy setting the Notification bar will not be displayed in Internet Explorer 11. If you disable or do not configure this policy setting the Notification bar will be displayed in Internet Explorer 11. |
Machine | Network\Lanman Server | Request traffic compression for all shares | This Windows 11 23H2 Group Policy setting controls whether the SMB server requests the SMB client to use traffic compression for all SMB shares. |
Machine | Network\Lanman Server | Disable SMB compression | This Windows 11 23H2 Group Policy setting controls whether the SMB server will disable (completely prevent) traffic compression. |
Machine | Network\Lanman Workstation | Use SMB compression by default | This policy controls whether the SMB client uses traffic compression by default. If you enable this policy setting the SMB client will attempt to compress traffic by default when SMB compression is enabled. If you disable or do not configure this policy setting the SMB client will not by default attempt to compress traffic. |
Machine | Network\Lanman Workstation | Disable SMB compression | This policy controls whether the SMB client will disable (completely prevent) traffic compression. If you enable this policy setting the SMB client will never compress data irrespective of other policies (such as the ‘Use SMB compression by default’ policy or per-share property). If you disable or do not configure this policy setting the SMB client may compress traffic (depending on a combination of other policies and conditions). |
Machine | System\LAPS | Configure password backup directory | Use this setting to configure which directory the local admin account password is backed up to. The allowable settings are: 0 = Disabled (password will not be backed up); 1 = Backup the password to Azure Active Directory; 2 = Backup the password to Active Directory. If not specified this setting will default to 0 (Disabled). |
Machine | System\LAPS | Password Settings | Configures password parameters. Password complexity: which characters are used when generating a new password. Default: Large letters + small letters + numbers + special characters. Password length: Minimum: 8 characters; Maximum: 64 characters; Default: 14 characters. Password age in days: Minimum: 1 day (7 days when backup directory is configured to be Azure AD); Maximum: 365 days; Default: 30 days. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information. |
Machine | System\LAPS | Name of administrator account to manage | This Windows 11 23H2 Group Policy setting specifies a custom Administrator account name to manage the password for. |
Machine | System\LAPS | Do not allow password expiration time longer than required by policy | If this setting is enabled or not configured planned password expiration longer than the password age dictated by the “Password Settings” policy is NOT allowed. When such expiration is detected the password is changed immediately and password expiration is set according to policy. |
Machine | System\LAPS | Enable password encryption | When you enable this setting the managed password is encrypted before being sent to Active Directory. Enabling this setting has no effect unless 1) the password has been configured to be backed up to Active Directory and 2) the Active Directory domain functional level is at Windows Server 2016 or above. |
Machine | System\LAPS | Configure authorized password decryptors | This Windows 11 23H2 Group Policy setting controls the specific user or group who is authorized to decrypt encrypted passwords. Configuring this setting has no effect unless password encryption has been enabled. If this setting is enabled encrypted passwords will be decryptable by the specified group. |
Machine | System\LAPS | Configure size of encrypted password history | When you enable this setting the DSRM administrator account password will be managed and backed up to Active Directory. Enabling this setting has no effect unless the managed device is a domain controller and password encryption is also enabled. |
Machine | System\LAPS | Enable password backup for DSRM accounts | When you enable this setting the DSRM administrator account password will be managed and backed up to Active Directory. Enabling this setting has no effect unless the managed device is a domain controller and password encryption is also enabled. |
Machine | System\LAPS | Post-authentication actions | This Windows 11 23H2 Group Policy setting configures post-authentication actions which will be executed after detecting an authentication by the managed account. Grace period: specifies the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. |
Machine | System\Filesystem | Enable dev drive | Dev drive or developer volume is a volume optimized for performance of developer scenarios. A developer volume allows an administrator to choose file system filters that are attached on the volume. |
Machine | Windows Components\Search | Configures search on the taskbar | This Windows 11 23H2 Group Policy setting configures post-authentication actions which will be executed after detecting an authentication by the managed account. Grace period: specifies the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. |
Machine | MS Security Guide | Configure RPC packet level privacy setting for incoming connections | This Windows 11 23H2 Group Policy setting controls whether packet level privacy is enabled for RPC for incoming connections. By default packet level privacy is enabled for RPC for incoming connections. If you enable or do not configure this policy setting packet level privacy is enabled for RPC for incoming connections. |
Machine | MS Security Guide | Enable Certificate Padding | Enabling this setting will cause the WinVerifyTrust function to perform strict Windows Authenticode signature verification for Portable Executable files (PE files). After you opt in PE files will be considered “unsigned” if Windows identifies content in them that does not conform to the Authenticode specification. This may impact some installers. If you are using an installer that is impacted Microsoft recommends using an installer that only extracts content from validated portions of the signed file. |
Machine | Windows Components\Human Presence | Force Disable Wake When Battery Saver On | This Windows 11 23H2 Group Policy setting determines whether the Disable Wake on Approach When Battery Saver On checkbox is forced checked/unchecked by the MDM policy. The user will not be able to change this setting and the checkbox in the UI will be greyed out. |
Machine | Windows Components\Human Presence | Force Allow Wake When External Display Connected | Determines whether Allow Wake on Approach When External Display Connected checkbox is forced checked/unchecked by the MDM policy. The user will not be able to change this setting and the checkbox in the UI will be greyed out. |
Machine | Windows Components\Human Presence | Force Allow Lock When External Display Connected | This Windows 11 23H2 Group Policy setting determines whether the Allow Lock on Leave When Battery Saver On checkbox is forced checked/unchecked by the MDM policy. The user will not be able to change this setting and the checkbox in the UI will be greyed out. |
Machine | Windows Components\Human Presence | Force Allow Dim When External Display Connected | This Windows 11 23H2 Group Policy setting determines whether the Allow Adaptive Dimming When Battery Saver On checkbox is forced checked/unchecked by the MDM policy. The user will not be able to change this setting and the checkbox in the UI will be greyed out. |
Machine | Windows Components\Sync your settings | Do not sync language preferences settings | Prevent the “language preferences” group from syncing to and from this PC. This turns off and disables the “languages preferences” group on the “Windows backup” settings page in PC settings. If you enable this policy setting the “language preferences” group will not be synced. Use the option “Allow users to turn language preferences syncing on” so that syncing is turned off by default but not disabled. If you do not set or disable this setting syncing of the “language preferences” group is on by default and configurable by the user. |
Machine | Start Menu and Taskbar | Remove Personalized Website Recommendations from the Recommended section in the Start Menu | This Windows 11 23H2 Group Policy setting removes Personalized Website Recommendations from the Recommended section in the Start Menu. |
User | Start Menu and Taskbar | Remove Personalized Website Recommendations from the Recommended section in the Start Menu | This Windows 11 23H2 Group Policy setting removes Personalized Website Recommendations from the Recommended section in the Start Menu. |
Machine | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | Automatic Data Collection | This Windows 11 23H2 Group Policy setting determines whether Enhanced Phishing Protection can collect additional information, such as content displayed, sounds played, and application memory, when your users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious. |
User | Windows Components\Windows Copilot | Turn off Windows Copilot | This Windows 11 23H2 Group Policy setting allows you to turn off Windows Copilot. If you enable this policy setting users will not be able to use Copilot. The Copilot icon will not appear on the taskbar either. If you disable or do not configure this policy setting users will be able to use Copilot when it’s available to them. |
Machine | Windows Components\Microsoft Defender Antivirus\Scan | Scan packed executables | This Windows 11 23H2 Group Policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled. If you enable or do not configure this setting packed executables will be scanned. If you disable this setting packed executables will not be scanned. |
Machine | Windows Components\Windows Update\Manage end user experience | Enable features introduced via servicing that are off by default | Features introduced via servicing (outside of the annual feature update) are off by default for devices that have their Windows updates managed*. If this policy is configured to “Enabled” then all features available in the latest monthly quality update installed will be on. If this policy is set to “Not Configured” or “Disabled” then features that are shipped via a monthly quality update (servicing) will remain off until the feature update that includes these features is installed. *Windows update managed devices are those that have their Windows updates managed via policy; whether via the cloud using Windows Update for Business or on-premises with Windows Server Update Services (WSUS). |
Machine | Windows Components\Windows Update\Manage updates offered from Windows Update | Enable optional updates | This Windows 11 23H2 Group Policy setting enables devices to get optional updates (including gradual feature rollouts (CFRs) – learn more by visiting aka.ms/AllowOptionalContent). When the policy is configured: • If “Automatically receive optional updates (including CFRs)” is selected the device will get the latest optional updates automatically in line with the configured quality update deferrals. This includes optional cumulative updates and gradual feature rollouts (CFRs). • If “Automatically receive optional updates” is selected the device will only get optional cumulative updates automatically in line with the quality update deferrals. • If “Users can select which optional updates to receive” is selected users can select which optional updates to get by visiting Settings > Windows Update > Advanced options > Optional updates. Users can also enable the toggle “Get the latest updates as soon as they’re available” to automatically receive optional updates and gradual feature rollouts. |
User | Start Menu and Taskbar\Notifications | Turn on multiple expanded toast notifications in action center | This Windows 11 23H2 Group Policy setting turns on multiple expanded toast notifications in action center. If you enable this policy setting the first three notifications of each application will be expanded by default in action center. If you disable or do not configure this policy setting only the first notification of each application will be expanded by default in action center. Windows 10 only. This will be immediately deprecated for Windows 11. No reboots or service restarts are required for this policy setting to take effect. |
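
The System\LAPS rows in the table above state value ranges and several "has no effect unless" dependencies between settings. The PowerShell function below is an added example, not code from Microsoft or from this article, that checks a planned LAPS configuration against those stated rules before it is put into a GPO; the function name `Test-LapsPlan` and the hashtable key names are assumptions made for this example.

```powershell
# Added example. The keys of $Plan and the name Test-LapsPlan are this script's own
# labels (assumptions), not registry value names or official policy identifiers.
function Test-LapsPlan {
    param(
        [Parameter(Mandatory)] [hashtable] $Plan,
        [switch] $IsDomainController
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Defaults stated in the table: backup 0 (Disabled), length 14, age 30 days.
    $backup = if ($Plan.ContainsKey('BackupDirectory')) { [int]$Plan['BackupDirectory'] } else { 0 }
    $length = if ($Plan.ContainsKey('PasswordLength'))  { [int]$Plan['PasswordLength'] }  else { 14 }
    $age    = if ($Plan.ContainsKey('PasswordAgeDays')) { [int]$Plan['PasswordAgeDays'] } else { 30 }
    $encrypt    = [bool]$Plan['EncryptionEnabled']       # a missing key reads as $false
    $dsrm       = [bool]$Plan['DsrmBackupEnabled']
    $decryptors = [string]$Plan['AuthorizedDecryptors']  # a missing key reads as ''

    if ($backup -notin 0, 1, 2) {
        $findings.Add("Backup directory value $backup is not one of 0, 1, 2.")
    } elseif ($backup -eq 0) {
        $findings.Add('Backup directory is 0 (Disabled): the password will not be backed up.')
    }
    if ($length -lt 8 -or $length -gt 64) {
        $findings.Add("Password length $length is outside the 8 to 64 range.")
    }
    # Minimum age is 7 days when the backup directory is Azure AD (1), otherwise 1 day.
    $minAge = if ($backup -eq 1) { 7 } else { 1 }
    if ($age -lt $minAge -or $age -gt 365) {
        $findings.Add("Password age $age is not between $minAge and 365 days.")
    }
    # The domain functional level requirement (Windows Server 2016 or above) is not checked here.
    if ($encrypt -and $backup -ne 2) {
        $findings.Add('Password encryption has no effect: backup directory is not Active Directory (2).')
    }
    if ($decryptors -and -not $encrypt) {
        $findings.Add('Authorized decryptors have no effect: password encryption is not enabled.')
    }
    if ($dsrm -and -not ($IsDomainController -and $encrypt)) {
        $findings.Add('DSRM backup has no effect: it needs a domain controller with encryption enabled.')
    }
    $findings   # emitted one string per finding; nothing is emitted for a consistent plan
}

# Constructed sample plan: Azure AD backup, a 3-day password age, encryption switched on.
$plan = @{ BackupDirectory = 1; PasswordLength = 20; PasswordAgeDays = 3; EncryptionEnabled = $true }
Test-LapsPlan -Plan $plan | ForEach-Object { "FINDING: $_" }
```

Wrap the call in `@( )` when you need a count, since a consistent plan returns nothing.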
Author
About Author – Jitesh, Microsoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.