Microsoft recently published the newest version of Windows 11, Windows 11 version 2023 (23H2). It includes new features, functional improvements, and new sets of Group Policies that an individual or a domain administrator can use to control how the system behaves.
Along with the new OS version, Microsoft also published its Security Baseline, which adds a further layer of security through additional manageable Group Policies. Microsoft also provides detailed guidelines on the new Group Policies, but with the inconsistent updates and changes to the OS, they are hard to keep track of.
This is why I have compiled this list of the Group Policy settings included in the new Windows 11 23H2, so that you know which new settings can now be managed via the Group Policy Editor and the Group Policy Management Console.
Added Group Policy settings in Windows 11 23H2
Windows 11 23H2 includes a plethora of new features, including Copilot, Dev Drive, and the Local Administrator Password Solution (LAPS). With these features come their Group Policies, for better control and manageability.
In total, Windows 11 23H2 includes 33 new Group Policies, the majority of them dedicated to LAPS. The other policies apply to Copilot, Dev Drive, energy management, the Start menu, the taskbar, and other components of Windows.
You can get detailed information on the Group Policies included in the Windows 11 23H2 Security Baseline and through the Group Policy settings reference spreadsheet for Windows 11 23H2, but the two sources list different policies as new.
Here, I have compiled the new Group Policy settings in Windows 11 23H2 with their details, including their location and what each one is for.
| Scope | Path | Group Policy Name | Description |
|---|---|---|---|
| User | Windows Components\Account Notifications | Turn off account notifications in Start | This group policy allows you to prevent Windows from displaying notifications to Microsoft account (MSA) and local users in Start (user tile). |
| Machine | Windows Components\App Privacy | Let Windows apps access presence sensing | This group policy specifies whether Windows apps can access presence sensing. You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. |
| User | Windows Components\Cloud Content | Enable Organizational Messages | Organizational messages allow administrators to deliver messages to their end users on selected Windows 11 experiences. Organizational messages are available to administrators via services like Microsoft Endpoint Manager. |
| Machine | Windows Components\Delivery Optimization | Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN | Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. |
| Machine | Windows Components\Delivery Optimization | VPN Keywords | This group policy allows you to set one or more keywords used to recognize VPN connections. |
| Machine | System\Filesystem | Dev drive filter attach policy | Dev drive is a drive optimized for performance in developer scenarios, and by default no file system filters are attached to it. Filters listed in this setting will be allowed to attach even on a dev drive. |
| Machine | Windows Components\Internet Explorer | Hide Internet Explorer 11 retirement notification | This group policy allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. |
| User | Windows Components\Internet Explorer | Hide Internet Explorer 11 retirement notification | This group policy allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. |
| Machine | Network\Lanman Server | Request traffic compression for all shares | This group policy controls whether the SMB server requests the SMB client to use traffic compression for all SMB shares. |
| Machine | Network\Lanman Server | Disable SMB compression | This group policy controls whether the SMB server will disable (completely prevent) traffic compression. |
| Machine | Network\Lanman Workstation | Use SMB compression by default | This policy controls whether the SMB client uses traffic compression by default. If you enable this policy setting, the SMB client will attempt to compress traffic by default when SMB compression is enabled. |
| Machine | Network\Lanman Workstation | Disable SMB compression | This policy controls whether the SMB client will disable (completely prevent) traffic compression. |
| Machine | System\LAPS | Configure password backup directory | Use this setting to configure which directory the local admin account password is backed up to. |
| Machine | System\LAPS | Password Settings | Configures password parameters, including the password age in days. |
| Machine | System\LAPS | Name of administrator account to manage | This group policy specifies a custom Administrator account name to manage the password for. |
| Machine | System\LAPS | Do not allow password expiration time longer than required by policy | When you enable this setting, the managed password is encrypted before being sent to Active Directory. Enabling this setting has no effect unless 1) the password has been configured to be backed up to Active Directory and 2) the Active Directory domain functional level is at Windows Server 2016 or above. |
| Machine | System\LAPS | Enable password encryption | When you enable this setting, the managed password is encrypted before being sent to Active Directory. Enabling this setting has no effect unless 1) the password has been configured to be backed up to Active Directory and 2) the Active Directory domain functional level is at Windows Server 2016 or above. |
| Machine | System\LAPS | Configure authorized password decryptors | This group policy controls the specific user or group who is authorized to decrypt encrypted passwords. Configuring this setting has no effect unless password encryption has been enabled. |
| Machine | System\LAPS | Configure size of encrypted password history | When you enable this setting, the DSRM administrator account password will be managed and backed up to Active Directory. |
| Machine | System\LAPS | Enable password backup for DSRM accounts | When you enable this setting, the DSRM administrator account password will be managed and backed up to Active Directory. |
| Machine | System\LAPS | Post-authentication actions | Dev drive or developer volume is a volume optimized for the performance of developer scenarios. A developer volume allows an administrator to choose file system filters that are attached on the volume. |
| Machine | System\Filesystem | Enable dev drive | Dev drive or developer volume is a volume optimized for the performance of developer scenarios. A developer volume allows an administrator to choose file system filters that are attached to the volume. |
| Machine | Windows Components\Search | Configures search on the taskbar | This group policy configures post-authentication actions which will be executed after detecting an authentication by the managed account. |
| Machine | MS Security Guide | Configure RPC packet level privacy setting for incoming connections | This group policy controls whether packet-level privacy is enabled for RPC for incoming connections. |
| Machine | MS Security Guide | Enable Certificate Padding | Enabling this setting will cause the WinVerifyTrust function to perform strict Windows Authenticode signature verification for Portable Executable files (PE files). After you opt in, PE files will be considered “unsigned” if Windows identifies content in them that does not conform to the Authenticode specification. |
| Machine | Windows Components\Human Presence | Force Disable Wake When Battery Saver On | This group policy determines whether the Disable Wake on Approach When Battery Saver On checkbox is forced checked/unchecked by the MDM policy. |
| Machine | Windows Components\Human Presence | Force Allow Wake When External Display Connected | Determines whether the Allow Wake on Approach When External Display Connected checkbox is forced checked/unchecked by the MDM policy. |
| Machine | Windows Components\Human Presence | Force Allow Lock When External Display Connected | This Windows group policy determines whether the Allow Lock on Leave When Battery Saver On checkbox is forced checked/unchecked by the MDM policy. |
| Machine | Windows Components\Human Presence | Force Allow Dim When External Display Connected | This group policy determines whether the Allow Adaptive Dimming When Battery Saver On checkbox is forced checked/unchecked by the MDM policy. |
| Machine | Windows Components\Sync your settings | Do not sync language preferences settings | Prevent the “language preferences” group from syncing to and from this PC. This turns off and disables the “language preferences” group on the “Windows backup” settings page in PC settings. |
| Machine | Start Menu and Taskbar | Remove Personalized Website Recommendations from the Recommended section in the Start Menu | This group policy removes Personalized Website Recommendations from the Recommended section in the Start Menu. |
| User | Start Menu and Taskbar | Remove Personalized Website Recommendations from the Recommended section in the Start Menu | This group policy removes Personalized Website Recommendations from the Recommended section in the Start Menu. |
| Machine | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | Automatic Data Collection | This group policy determines whether Enhanced Phishing Protection can collect additional information (such as content displayed, sounds played, and application memory) when your users enter their work or school password into a suspicious website or app. |
| User | Windows Components\Windows Copilot | Turn off Windows Copilot | This Windows 11 23H2 group policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled. If you enable or do not configure this setting, packed executables will be scanned. If you disable this setting, packed executables will not be scanned. |
| Machine | Windows Components\Microsoft Defender Antivirus\Scan | Scan packed executables | This group policy allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled. |
| Machine | Windows Components\Windows Update\Manage end user experience | Enable features introduced via servicing that are off by default | Features introduced via servicing (outside of the annual feature update) are off by default for devices that have their Windows updates managed. If this policy is configured to “Enabled”, then all features available in the latest monthly quality update installed will be on. |
| Machine | Windows Components\Windows Update\Manage updates offered from Windows Update | Enable optional updates | This group policy enables devices to get optional updates (including gradual feature rollouts (CFRs)). When the policy is configured: if “Automatically receive optional updates (including CFRs)” is selected, the device will get the latest optional updates automatically, in line with the configured quality update deferrals; this includes optional cumulative updates and gradual feature rollouts (CFRs). If “Automatically receive optional updates” is selected, the device will only get optional cumulative updates automatically, in line with the quality update deferrals. If “Users can select which optional updates to receive” is selected, users can select which optional updates to get by visiting Settings > Windows Update > Advanced options > Optional updates. Users can also enable the toggle “Get the latest updates as soon as they’re available” to automatically receive optional updates and gradual feature rollouts. |
| User | Start Menu and Taskbar\Notifications | Turn on multiple expanded toast notifications in action center | This group policy turns on multiple expanded toast notifications in the action center. If you enable this policy setting, the first three notifications of each application will be expanded by default in the action center. |
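As an added example (not code from the original post), the following PowerShell reads the registry-backed state of several of the security-relevant rows above (the LAPS backup, encryption, decryptor and history settings, the two MS Security Guide settings, Defender packed-executable scanning, and the user-scoped Copilot switch) and reports whether each is configured and whether the configured value is the stronger choice. It assumes the registry keys and value names that the corresponding ADMX templates write, and it reads the SMB compression state from the `DisableCompression` properties of `Get-SmbServerConfiguration` and `Get-SmbClientConfiguration` rather than from the policy keys.

```powershell
# Added example, not from the original post: report the local, registry-backed state of
# several of the Windows 11 23H2 policies listed above.
# Assumption: key and value names are those the matching ADMX templates (LAPS, Microsoft
# Defender Antivirus, Windows Copilot, MS Security Guide) write; run elevated for HKLM reads.

$Checks = @(
    @{ Policy = 'LAPS: Configure password backup directory'
       Key    = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'; Name = 'BackupDirectory'
       Good   = { param($v) $v -in 1, 2 }
       Note   = '2 = Active Directory, 1 = Azure AD, 0 or absent = no backup' }
    @{ Policy = 'LAPS: Enable password encryption'
       Key    = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'; Name = 'ADPasswordEncryptionEnabled'
       Good   = { param($v) $v -eq 1 }
       Note   = 'Only effective with AD backup and a 2016+ domain functional level' }
    @{ Policy = 'LAPS: Configure authorized password decryptors'
       Key    = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'; Name = 'ADPasswordEncryptionPrincipal'
       Good   = { param($v) -not [string]::IsNullOrWhiteSpace($v) }
       Note   = 'User or group allowed to decrypt; no effect unless encryption is enabled' }
    @{ Policy = 'LAPS: Configure size of encrypted password history'
       Key    = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'; Name = 'ADEncryptedPasswordHistorySize'
       Good   = { param($v) $v -ge 1 }
       Note   = 'Number of earlier encrypted passwords kept in AD' }
    @{ Policy = 'MS Security Guide: Enable Certificate Padding'
       Key    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config'; Name = 'EnableCertPaddingCheck'
       Good   = { param($v) $v -eq 1 }
       Note   = 'Strict Authenticode verification of PE files' }
    @{ Policy = 'MS Security Guide: RPC packet level privacy (incoming)'
       Key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'; Name = 'RpcAuthnLevelPrivacyEnabled'
       Good   = { param($v) $v -eq 1 }
       Note   = 'Requires packet privacy on incoming RPC connections' }
    @{ Policy = 'Defender Antivirus: Scan packed executables'
       Key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'; Name = 'DisablePackedExeScanning'
       Good   = { param($v) $v -eq 0 }
       Note   = 'Policy is stored as a Disable flag; 0 keeps scanning on' }
    @{ Policy = 'Windows Copilot: Turn off Windows Copilot (current user)'
       Key    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot'; Name = 'TurnOffWindowsCopilot'
       Good   = { param($v) $v -eq 1 }
       Note   = 'User-scoped policy, read from HKCU' }
)

function Get-PolicyRegistryValue {
    param([string]$Key, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is "Not configured".
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-Win11PolicyState {
    foreach ($c in $Checks) {
        $value = Get-PolicyRegistryValue -Key $c.Key -Name $c.Name
        if ($null -eq $value) { $state = 'Not configured' }
        elseif (& $c.Good $value) { $state = 'OK' }
        else { $state = 'Weak' }
        [pscustomobject]@{ Policy = $c.Policy; Value = $value; State = $state; Note = $c.Note }
    }

    # SMB compression is simplest to read from the effective SMB configuration; the
    # DisableCompression flags correspond to the two "Disable SMB compression" rows above.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    $srvState = if ($srv.DisableCompression) { 'Disabled' } else { 'Allowed' }
    $cliState = if ($cli.DisableCompression) { 'Disabled' } else { 'Allowed' }
    [pscustomobject]@{ Policy = 'Lanman Server: Disable SMB compression'
                       Value = $srv.DisableCompression; State = $srvState; Note = 'Effective server setting' }
    [pscustomobject]@{ Policy = 'Lanman Workstation: Disable SMB compression'
                       Value = $cli.DisableCompression; State = $cliState; Note = 'Effective client setting' }
}

Test-Win11PolicyState | Format-Table -AutoSize -Wrap
```

A row reported as "Not configured" is not necessarily wrong: for the Defender and Certificate Padding rows the absence of the value means the component keeps its default, whereas for the LAPS rows it means no password is being backed up at all, which is the case worth chasing first.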
This post lists the new Windows 11 23H2 Group Policies that are installed as soon as you install or upgrade to this OS version. You can get additional Group Policies for enhancing security by using the Security Baseline.
You can use these Group Policies to better manage what to allow and what to block on your computer. If you are a sysadmin, you can use the Group Policy Management Console to control the Windows 11 23H2 systems within your domain and enhance the overall security of your network.
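As an added example (not code from the original post), this PowerShell builds or updates a domain GPO that carries several of the settings listed on this page (the LAPS backup, encryption, decryptor, history, age and expiration-protection settings, the two MS Security Guide settings, and Defender packed-executable scanning), links it to an OU, and then aligns the LAPS Active Directory permissions with the "Configure authorized password decryptors" policy so that the principal allowed to decrypt is also the only one delegated to read the password attribute. It assumes the RSAT GroupPolicy cmdlets and the LAPS module are installed, that the LAPS schema extension has already been applied, and that the GPO name, OU distinguished name and group name are placeholders for your environment; the registry paths are the ones the corresponding ADMX templates write.

```powershell
# Added example, not from the original post: create a domain GPO with several 23H2
# settings from this page, link it, and match the LAPS AD delegation to the decryptor policy.
# Assumptions: RSAT GroupPolicy and the LAPS module are installed, Update-LapsADSchema has
# already been run, and the three names below are placeholders.
Import-Module GroupPolicy
Import-Module LAPS

$GpoName        = 'Win11-23H2-Hardening'              # placeholder
$TargetOu       = 'OU=Workstations,DC=example,DC=com' # placeholder
$LapsDecryptors = 'EXAMPLE\LAPS-Password-Readers'     # placeholder group

$LapsKey  = 'HKLM\SOFTWARE\Microsoft\Policies\LAPS'
$Settings = @(
    # LAPS rows: back up to AD (2), encrypt, keep 12 history entries, rotate every 30 days,
    # and do not let the expiry be pushed past what the policy requires.
    @{ Key = $LapsKey; ValueName = 'BackupDirectory';                     Type = 'DWord';  Value = 2 }
    @{ Key = $LapsKey; ValueName = 'ADPasswordEncryptionEnabled';         Type = 'DWord';  Value = 1 }
    @{ Key = $LapsKey; ValueName = 'ADPasswordEncryptionPrincipal';       Type = 'String'; Value = $LapsDecryptors }
    @{ Key = $LapsKey; ValueName = 'ADEncryptedPasswordHistorySize';      Type = 'DWord';  Value = 12 }
    @{ Key = $LapsKey; ValueName = 'PasswordAgeDays';                     Type = 'DWord';  Value = 30 }
    @{ Key = $LapsKey; ValueName = 'PasswordExpirationProtectionEnabled'; Type = 'DWord';  Value = 1 }
    # MS Security Guide rows from the Security Baseline (both 64- and 32-bit Wintrust keys)
    @{ Key = 'HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config';             ValueName = 'EnableCertPaddingCheck';     Type = 'DWord'; Value = 1 }
    @{ Key = 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'; ValueName = 'EnableCertPaddingCheck';     Type = 'DWord'; Value = 1 }
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Print';                      ValueName = 'RpcAuthnLevelPrivacyEnabled'; Type = 'DWord'; Value = 1 }
    # Defender: keep packed-executable scanning on (the policy is stored as a Disable flag)
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'; ValueName = 'DisablePackedExeScanning'; Type = 'DWord'; Value = 0 }
)

function New-Win11HardeningGpo {
    param([string]$Name, [string]$Target, [hashtable[]]$Values)

    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'Windows 11 23H2 security settings' }

    foreach ($s in $Values) {
        Set-GPRegistryValue -Name $Name -Key $s.Key -ValueName $s.ValueName `
                            -Type $s.Type -Value $s.Value | Out-Null
    }

    # Link only if the OU does not already carry this GPO.
    $linked = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object DisplayName -eq $Name
    if (-not $linked) { New-GPLink -Name $Name -Target $Target -LinkEnabled Yes | Out-Null }
    return $gpo
}

function Set-LapsOuPermissions {
    param([string]$Target, [string]$Decryptors)
    # Computers in the OU must be able to write their own LAPS attributes ...
    Set-LapsADComputerSelfPermission -Identity $Target | Out-Null
    # ... and only the decryptor group should be delegated to read them back, so the
    # read ACL and the ADPasswordEncryptionPrincipal policy name the same principal.
    Set-LapsADReadPasswordPermission -Identity $Target -AllowedPrincipals $Decryptors | Out-Null
    # Return the extended rights on the OU so the delegation can be reviewed.
    return Find-LapsADExtendedRights -Identity $Target
}

$gpo = New-Win11HardeningGpo -Name $GpoName -Target $TargetOu -Values $Settings
Get-GPRegistryValue -Name $GpoName -Key $LapsKey | Format-Table ValueName, Type, Value -AutoSize
Set-LapsOuPermissions -Target $TargetOu -Decryptors $LapsDecryptors | Format-Table -AutoSize
```

The final `Find-LapsADExtendedRights` listing is the check worth keeping in a change record: anyone it reports beyond the intended group (and the built-in administrative groups that hold the right by default) can read the encrypted blob, even though only the configured decryptor principal can turn it back into a password.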