Windows 10 22H2 Add-Ons For IT Pros

IT professionals can benefit from the Windows 10 22H2 Administrative Templates, Security Baseline, and ADK, all of which can be downloaded from this post.

Microsoft released Windows 10 22H2 just a while ago. This is the only feature update for the Windows 10 operating system this year. As with every Microsoft OS release, this feature update applies to all Windows 10 editions.

Alongside the release of this feature update, Microsoft also publishes advanced tools for IT professionals, which include the following:

Moreover, you can also use the Windows 10 22H2 Enterprise edition, which is targeted at Windows-oriented companies that need to get the most out of their computers.

If you are a sysadmin, you can download all of these add-ons and professional tools for Windows 10 22H2 from this post directly.

Download Windows 10 22H2 (2022 Update) Security Baseline

A Security Baseline is an additional set of security enhancements that can be added to the original security protocols already in place in Windows. This is especially useful for companies and organizations that prefer to take more control of their virtual security.

If you are a system administrator, installing a Security Baseline on a Windows 10 computer adds options to Group Policy so you can control those settings and push them to other devices across the network.

The Windows 10 22H2 Security Baseline has been released as a component of Microsoft Security Compliance Toolkit 1.0. Even so, you can download only the security baseline. Here are the steps to do so:

  1. Open the Microsoft Security Compliance Toolkit page and click Download.

  2. Check the box next to “Windows 10 version 22H2 Security Baseline.zip” and click Next.

  3. Windows 10 22H2 Security Baseline will now download. Since it is only 1.2 MB, it should be downloaded instantly. Once downloaded, extract the content of the zip file to a folder.

  4. Now navigate to the extracted folder and open the Scripts sub-folder. Here you will find 3 PowerShell ISE files.

    Right-click “Baseline-LocalInstall” then click Run with PowerShell from the context menu.


    The scripts will now run automatically. Wait for the PowerShell window to close on its own.

Windows 10 22H2 Security Baseline will be installed successfully.

Let us now see what changes this baseline introduces for Windows 10.

New in Windows 10 22H2 Security Baseline

Improvement to Printers

  • Support for RedirectionGuard is added to the print service.

    RedirectionGuard is a security measure that prevents non-administratively created redirection primitives from being followed within a given process. The setting Configure Redirection Guard is now Enabled by default as part of the baseline.

  • Manage processing of queue-specific files is now Enabled.

    Manage processing of queue-specific files (also called CopyFilesPolicy) was first introduced as a registry key in response to CVE-2021-36958 in September of 2021. This setting allows standard color profile processing using the inbox mscms.dll executable and nothing else.

    The security baseline is to configure this setting to Enabled with the option of “Limit queue-specific files to color profiles.” For Windows 10, version 22H2 this setting is not yet available natively, therefore we have created the setting and added it to the SecGuide.ADMX.

  • Limit print driver installation to Administrators.

    This policy was introduced to the security baselines as part of the SecGuide.ADMX before an inbox policy was available. This policy is now contained within the OS, and the MS Security Guide setting is deprecated.

    However, since both settings write to the same location, the configured values still appear in both locations. The explanatory text in the MS Security Guide is updated to point users to the new location.

  • Configure RPC packet level privacy setting for incoming connections.

    This policy is now added to SecGuide.ADMX as a result of CVE-2021-1678 and is set to Enabled by default as part of the baseline. The work of creating and deploying registry keys is now included in the security baseline until the setting becomes inbox to Windows.

These policies can be found at the following location within the Group Policy editor:

Computer Configuration >> Administrative Templates >> Printers

Credential Theft Protection

Additional Local Security Authority (LSA) protection provides defense by running LSA as a protected process. LSA protection was first introduced in the Windows 8.1 security baseline, as part of the original Pass-the-Hash mitigations. At this time the security baseline will move MS Security Guide\LSA Protection to a value of Enabled.

This policy can be found at the following location within the Group Policy editor:

Computer Configuration >> Administrative Templates >> System >> Local Security Authority

Attack Surface Reduction

A new rule, Block abuse of exploited vulnerable signed drivers, is now included in the operating system baselines as part of the Microsoft Defender Antivirus GPO. This rule applies across both client and server and helps prevent an application from writing a vulnerable signed driver to disk.

This policy can be found at the following location within the Group Policy editor:

Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus

Account Lockout Policies

A new policy, Allow Administrator account lockout, is added to mitigate brute-force authentication attacks. The recommended values for the policies Account lockout duration and Reset account lockout counter after are adjusted to be consistent with the defaults for out-of-the-box Windows installations.

This policy can be found at the following location within the Group Policy editor:

Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policies

Other Security Enhancements

A mismatch between the security baseline documentation and the accompanying Group Policy for Microsoft Defender Antivirus settings has been corrected with this release.

The documentation stated that Turn on behavior monitoring should be set to Enabled, but the actual GPO remained in a Not Configured state.

This policy can be found at the following location within the Group Policy editor:

Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Real-time Protection

You can read more about these improvements in the Windows 11 22H2 Security Baseline Release Notes.
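
To confirm that the settings described in this section are actually in effect on a machine, the following added example (not part of this post or of Microsoft's baseline package) reads back the registry values behind several of them and reports any drift. The registry paths, value names and the ASR rule GUID are assumptions taken from Microsoft's public policy documentation rather than from this post; check them against the ADMX reference spreadsheet before relying on the result.

```powershell
# Added example: read back settings the Windows 10 22H2 baseline is described as enabling.
# Registry paths and value names are assumptions from Microsoft's policy documentation,
# not from this post. Run elevated; RunAsPPL only takes effect after a reboot.
$policyPrinters = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyDefender = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

$checks = @(
    @{ Setting = 'LSA Protection'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RunAsPPL'; Expected = 1 }
    @{ Setting = 'RPC packet level privacy for incoming connections'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
       Name = 'RpcAuthnLevelPrivacyEnabled'; Expected = 1 }
    @{ Setting = 'Manage processing of queue-specific files'
       Path = $policyPrinters
       Name = 'CopyFilesPolicy'; Expected = 1 }   # 1 = limit to color profiles
    @{ Setting = 'Limit print driver installation to Administrators'
       Path = "$policyPrinters\PointAndPrint"
       Name = 'RestrictDriverInstallationToAdministrators'; Expected = 1 }
    @{ Setting = 'ASR: Block abuse of exploited vulnerable signed drivers'
       Path = "$policyDefender\Windows Defender Exploit Guard\ASR\Rules"
       Name = '56a863a9-875e-4185-98a7-b882c64b5ce5'; Expected = 1 }
    @{ Setting = 'Turn on behavior monitoring'
       Path = "$policyDefender\Real-Time Protection"
       Name = 'DisableBehaviorMonitoring'; Expected = 0 }
)

function Test-BaselineSetting {
    param([hashtable]$Check)
    # A missing key or value means the policy was never written (Not Configured).
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = $null
    if ($null -ne $item) { $actual = $item.($Check.Name) }

    # Compare as strings because ASR rule states are stored as REG_SZ, the rest as DWORD.
    if ($null -eq $actual) { $state = 'NotConfigured' }
    elseif ("$actual" -eq "$($Check.Expected)") { $state = 'Compliant' }
    else { $state = 'Drift' }

    [pscustomobject]@{
        Setting  = $Check.Setting
        Expected = $Check.Expected
        Actual   = $actual
        State    = $state
    }
}

$results = $checks | ForEach-Object { Test-BaselineSetting -Check $_ }
$results | Format-Table -AutoSize
```

A `NotConfigured` result for Turn on behavior monitoring is the same documentation-versus-GPO mismatch this section says the release corrects.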

Download Windows 10 22H2 (2022 Update) Administrative Templates (ADMX)

Administrative Templates give you more control over your computer, or an entire domain of computers if you are a sysadmin connected to an Active Directory. This allows you to gain more control over each device as you apply more policies, making them more secure and less vulnerable to exploits.

The Windows 10 22H2 ADMX is backward and forward-compatible, so it can also be installed on the following operating systems:

Installing these administrative templates will include more Group Policies for you to configure. Continue below to download and install it.

  1. Download the Administrative Templates for Windows 10 v22H2 [Size: 13.1 MB]

  2. Execute the downloaded .msi package by double-clicking it.

  3. The installation wizard will now open. Click Next.

  4. On the next screen, accept the terms by checking the box and clicking Next.

  5. Now select the installation location (which can be left as default) and click Next.

  6. On the confirmation screen, click Install.

  7. Windows 10 22H2 Administrative Templates will now be installed on your device. Click Finish when done.


You have now successfully installed the ADMX Templates. Head over to Microsoft’s download center to get more information about the Windows 10 22H2 Administrative Templates or install it in another language.

New in Windows 10 22H2 Administrative Templates

Several computer and user configuration options have been added to the Group Policy settings with these templates. The table below lists the new policies that are added when you install the Windows 10 22H2 ADMX:

| Applicable | Policy Location | Policy Name | Description |
|---|---|---|---|
| Machine | MS Security Guide | Configure RPC packet level privacy setting for incoming connections | Controls whether packet level privacy is enabled for RPC for incoming connections. By default, packet-level privacy is enabled for RPC for incoming connections. |
| Machine | MS Security Guide | Manage processing of Queue-specific files | Manages how Queue-specific files are processed during printer installation. At printer installation time a vendor-supplied installation application can specify a set of files of any type to be associated with a particular print queue. The files are downloaded to each client that connects to the print server. |
| Machine | Printers | Configure Redirection Guard | Determines whether Redirection Guard is enabled for the print spooler. |
| Machine | Start Menu and Taskbar | Show or hide “Most used” list from Start menu | Configure the Start menu to show or hide the list of users’ most used apps regardless of user settings. Selecting “Show” will force the “Most used” list to be shown and the user cannot change to hide it using the Settings app. |
| Machine | Windows Components\Internet Explorer | Enable global window list in Internet Explorer mode | Allows Internet Explorer mode to use the global window list that enables sharing state with other applications. The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. |
| Machine | Windows Components\Internet Explorer | Hide Internet Explorer 11 retirement notification | Allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default, the Notification bar is displayed in Internet Explorer 11. |
| Machine | Windows Components\Microsoft Defender Antivirus | Control whether or not exclusions are visible to Local Admins. | Controls whether or not exclusions are visible to Local Admins. For end users (that are not Local Admins) exclusions are not visible whether or not this setting is enabled. |
| Machine | Windows Components\Search | Allow search highlights | Disabling this setting turns off search highlights in the taskbar search box and in the search home. Enabling or Not Configuring this setting turns on search highlights in the taskbar search box and in the search home. |
| Machine | Windows Components\Tenant Restrictions | Cloud Policy Details | Enables and configures the device-based tenant restrictions feature for Azure Active Directory. |
| User | AutoSubscription | Enable auto-subscription | Controls the list of URLs that the user should be auto-subscribed to |
| User | Start Menu and Taskbar | Show or hide “Most used” list from Start menu | Configure the Start menu to show or hide the list of users’ most used apps regardless of user settings. Selecting “Show” will force the “Most used” list to be shown and the user cannot change to hide it using the Settings app. Selecting “Hide” will force the “Most used” list to be hidden and the user cannot change it to show it using the Settings app. |
| User | Start Menu and Taskbar\Notifications | Turn on multiple expanded toast notifications in action center | Turns on multiple expanded toast notifications in the action center. |
| User | Windows Components\Internet Explorer | Enable global window list in Internet Explorer mode | Allows Internet Explorer mode to use the global window list that enables sharing state with other applications. The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. |
| User | Windows Components\Internet Explorer | Hide Internet Explorer 11 retirement notification | Allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default, the Notification bar is displayed in Internet Explorer 11. |

Policies added after installing Windows 10 22H2 ADMX

To read more about all of the group policies and their paths, you can download the references spreadsheet here:

Download Windows 10 22H2 ADMX reference spreadsheet [735 KB]

How to Uninstall Administrative Templates (ADMX)

If you are not comfortable with these templates, or they are causing issues with your work or computer, you can simply uninstall them using these steps:

  1. Open the Programs and Features applet by typing in appwiz.cpl in the Run Command box.

  2. Here, look for the Administrative Templates you want to remove, right-click it, and then click Uninstall.

  3. When asked for confirmation, click Yes.


The ADMX and all installed Group Policies will now be removed from your computer.

Download Windows 10 22H2 (2022 Update) ADK

Microsoft Windows Assessment and Deployment Kit (ADK) is a collection of tools that you can combine to prepare, assess and launch image-based large-scale Windows deployments. These tools are also used to test the operating system’s quality and performance, as well as the applications running on it.

Windows ADK can be deployed on a broad range of devices, such as desktops, notebooks, Internet of Things (IoT) devices, etc. The toolkit works across platforms, on devices with and without screens.

The tools available in Windows ADK have varied through the years, but currently they include the following:

  • Windows System Image Manager
  • Windows Preinstallation Environment (WinPE)
  • Deployment Image Servicing and Management tool (DISM)

Click on the respective link below to download either Windows ADK or WinPE for Windows 10 22H2:

Download Windows ADK for Windows 10 version 22H2

Download Windows Preinstallation Environment for Windows 10 version 22H2

How to Install Windows ADK

After downloading, you can continue to install it on your PC using these steps:

Note: You will need to uninstall any previous installation of Windows ADK, if already installed, through the Programs and Features applet.

  1. Download Windows ADK for Windows 10 22H2 from the link given above.

  2. Run adksetup.exe to start the installation.

  3. The Windows ADK installation wizard will now launch. Here, select the first option (Install the Windows Assessment and Deployment Kit – Windows 10 to this computer) and then click Next.

  4. Now select either Yes or No for Windows kits privacy and click Next.

  5. Accept the license agreement.

  6. Windows ADK has different tools that you can install. Select the tools you want to install from the wizard and click Install.

  7. Your installation will now begin. When completed, close the wizard.


Closing Words

The administrative tools given in this post will help you, as an IT professional, keep your own and your enterprise’s systems more secure and away from threats.

Each of these components, including the Enterprise edition ISO, plays its role in securing your computer and the environment around you. We hope that you found this article useful and found what you were looking for.

Subhan Zafar is an established IT professional with interests in Windows and Server infrastructure testing and research, and is currently working with Itechtics as a research consultant. He has studied Electrical Engineering and is also certified by Huawei (HCNA & HCNP Routing and Switching).
