New Windows 11 23H2 Group Policy Settings

Microsoft recently published the newest version of Windows 11, Windows 11 version 23H2. It brings new features and functional improvements, and with them a new set of Group Policies that an individual user or a domain administrator can use to control how the system behaves.

Along with the new OS version, Microsoft also published its Security Baseline for it, which adds a further layer of security through additional manageable Group Policies. Microsoft documents the new Group Policies in detail, but with frequent updates and changes to the OS it is hard to keep track of what is new.

This is why I have compiled this list of Group Policy settings included in the new Windows 11 23H2, using which you would know what new settings can now be managed via the Group Policy Editor and the Group Policy Management Console.

Added Group Policy settings in Windows 11 23H2

Windows 11 23H2 includes a number of new features, including Copilot, Dev Drive, and Windows Local Administrator Password Solution (LAPS). Each of these features brings its own Group Policies for better control and manageability.

Including these, Windows 11 23H2 adds a total of 33 new Group Policies, with LAPS the largest single group. The rest apply to Copilot, Dev Drive, SMB compression, Windows Update, energy and presence management, the Start menu and taskbar, and other components of Windows.

You can get detailed information on the Group Policies included in the Windows 11 23H2 Security Baseline and in the Group Policy settings reference spreadsheet for Windows 11 23H2, but the two sources do not list the same set of policies as new.

Here, I have compiled the new Group Policy settings in Windows 11 23H2 with their details, including location, and what each is for.

| Scope | Path | Group Policy name | Description |
|---|---|---|---|
| User | Windows Components\Account Notifications | Turn off account notifications in Start | Prevents Windows from displaying notifications to Microsoft account (MSA) and local users in Start (user tile). |
| Machine | Windows Components\App Privacy | Let Windows apps access presence sensing | Specifies whether Windows apps can access presence sensing. You can set a default for all apps or a per-app setting by specifying a Package Family Name. |
| User | Windows Components\Cloud Content | Enable Organizational Messages | Organizational messages let administrators deliver messages to their end users on selected Windows 11 experiences. They are available to administrators through services like Microsoft Endpoint Manager. |
| Machine | Windows Components\Delivery Optimization | Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN | Prevents the device from downloading from Microsoft Connected Cache servers while it is connected via VPN. |
| Machine | Windows Components\Delivery Optimization | VPN Keywords | Sets one or more keywords used to recognize VPN connections. |
| Machine | System\Filesystem | Dev drive filter attach policy | A Dev Drive is a volume optimized for performance in developer scenarios, and by default no file system filters are attached to it. Filters listed in this setting are allowed to attach even on a Dev Drive. |
| Machine | Windows Components\Internet Explorer | Hide Internet Explorer 11 retirement notification | Controls whether the notification bar reminder that Internet Explorer is being retired is displayed. |
| User | Windows Components\Internet Explorer | Hide Internet Explorer 11 retirement notification | Controls whether the notification bar reminder that Internet Explorer is being retired is displayed. |
| Machine | Network\Lanman Server | Request traffic compression for all shares | Controls whether the SMB server asks the SMB client to use traffic compression for all SMB shares. |
| Machine | Network\Lanman Server | Disable SMB compression | Controls whether the SMB server disables (completely prevents) traffic compression. |
| Machine | Network\Lanman Workstation | Use SMB compression by default | Controls whether the SMB client uses traffic compression by default. If you enable this setting, the SMB client attempts to compress traffic by default whenever SMB compression is enabled. |
| Machine | Network\Lanman Workstation | Disable SMB compression | Controls whether the SMB client disables (completely prevents) traffic compression. |
| Machine | System\LAPS | Configure password backup directory | Configures which directory the local administrator account password is backed up to. |
| Machine | System\LAPS | Password Settings | Configures password parameters: password complexity and password age in days. |
| Machine | System\LAPS | Name of administrator account to manage | Specifies a custom administrator account name whose password LAPS manages. |
| Machine | System\LAPS | Do not allow password expiration time longer than required by policy | When you enable this setting, a planned password expiration longer than the password age dictated by the Password Settings policy is not allowed. When such an expiration is detected, the password is changed immediately and its expiration is set according to policy. |
| Machine | System\LAPS | Enable password encryption | When you enable this setting, the managed password is encrypted before being sent to Active Directory. Enabling it has no effect unless 1) the password has been configured to be backed up to Active Directory and 2) the Active Directory domain functional level is Windows Server 2016 or above. |
| Machine | System\LAPS | Configure authorized password decryptors | Specifies the user or group authorized to decrypt encrypted passwords. Configuring this setting has no effect unless password encryption has been enabled. |
| Machine | System\LAPS | Configure size of encrypted password history | Configures how many previous encrypted passwords are kept in Active Directory. Configuring this setting has no effect unless password encryption has been enabled. |
| Machine | System\LAPS | Enable password backup for DSRM accounts | When you enable this setting, the DSRM administrator account password is managed and backed up to Active Directory. |
| Machine | System\LAPS | Post-authentication actions | Configures the post-authentication actions that are executed after an authentication by the managed account is detected. |
| Machine | System\Filesystem | Enable dev drive | A Dev Drive, or developer volume, is a volume optimized for performance in developer scenarios. A developer volume lets an administrator choose which file system filters are attached to the volume. |
| Machine | Windows Components\Search | Configures search on the taskbar | Configures how search appears on the taskbar: hidden, search icon only, search icon and label, or search box. |
| Machine | MS Security Guide | Configure RPC packet level privacy setting for incoming connections | Controls whether packet-level privacy is enabled for RPC for incoming connections. |
| Machine | MS Security Guide | Enable Certificate Padding | Enabling this setting makes the WinVerifyTrust function perform strict Windows Authenticode signature verification for Portable Executable (PE) files. After you opt in, PE files are treated as unsigned if Windows finds content in them that does not conform to the Authenticode specification. |
| Machine | Windows Components\Human Presence | Force Disable Wake When Battery Saver On | Determines whether the "Disable Wake on Approach When Battery Saver On" checkbox is forced checked or unchecked by the MDM policy. |
| Machine | Windows Components\Human Presence | Force Allow Wake When External Display Connected | Determines whether the "Allow Wake on Approach When External Display Connected" checkbox is forced checked or unchecked by the MDM policy. |
| Machine | Windows Components\Human Presence | Force Allow Lock When External Display Connected | Determines whether the "Allow Lock on Leave When External Display Connected" checkbox is forced checked or unchecked by the MDM policy. |
| Machine | Windows Components\Human Presence | Force Allow Dim When External Display Connected | Determines whether the "Allow Adaptive Dimming When External Display Connected" checkbox is forced checked or unchecked by the MDM policy. |
| Machine | Windows Components\Sync your settings | Do not sync language preferences settings | Prevents the "language preferences" group from syncing to and from this PC. This turns off and disables the "language preferences" group on the "Windows backup" settings page in PC settings. |
| Machine | Start Menu and Taskbar | Remove Personalized Website Recommendations from the Recommended section in the Start Menu | Removes personalized website recommendations from the Recommended section of the Start menu. |
| User | Start Menu and Taskbar | Remove Personalized Website Recommendations from the Recommended section in the Start Menu | Removes personalized website recommendations from the Recommended section of the Start menu. |
| Machine | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | Automatic Data Collection | Determines whether Enhanced Phishing Protection can collect additional information (such as content displayed, sounds played, and application memory) when your users enter their work or school password into a suspicious website or app. |
| User | Windows Components\Windows Copilot | Turn off Windows Copilot | Turns off Windows Copilot. If you enable this setting, users cannot use Copilot and the Copilot icon does not appear on the taskbar. |
| Machine | Windows Components\Microsoft Defender Antivirus\Scan | Scan packed executables | Configures scanning for packed executables. It is recommended that this type of scanning remain enabled. If you enable or do not configure this setting, packed executables are scanned; if you disable it, they are not. |
| Machine | Windows Components\Windows Update\Manage end user experience | Enable features introduced via servicing that are off by default | Features introduced via servicing (outside of the annual feature update) are off by default for devices whose Windows updates are managed. If this policy is set to Enabled, all features available in the latest installed monthly quality update are turned on. |
| Machine | Windows Components\Windows Update\Manage updates offered from Windows Update | Enable optional updates | Enables devices to get optional updates, including gradual feature rollouts (CFRs). When the policy is configured: "Automatically receive optional updates (including CFRs)" gets the latest optional cumulative updates and CFRs automatically, in line with the configured quality update deferrals; "Automatically receive optional updates" gets only optional cumulative updates automatically, in line with the quality update deferrals; "Users can select which optional updates to receive" lets users choose under Settings > Windows Update > Advanced options > Optional updates, and users can also enable the toggle "Get the latest updates as soon as they're available" to receive optional updates and CFRs automatically. |
| User | Start Menu and Taskbar\Notifications | Turn on multiple expanded toast notifications in action center | Turns on multiple expanded toast notifications in the action center. If you enable this setting, the first three notifications of each application are expanded by default in the action center. |

New Group Policies in Windows 11 23H2 and their details
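The table tells you what each policy does, but not whether a given 23H2 device actually has the security-relevant ones applied. The following PowerShell audit is an added example (not code from the original article and not Microsoft's): it reads the policy-backed registry values that Group Policy writes for the Windows LAPS, MS Security Guide, SMB compression and Windows Copilot settings listed above, and reports which are Not Configured, match a hardened value, or deviate from it. The registry key and value names are the documented policy locations for those components; the `Expected` values are this editor's hardening recommendations (an assumption), and the SMB and Copilot rows are report-only because whether to allow them is a deployment decision rather than a fixed security answer.

```powershell
# Added audit script for the 23H2 policies in the table above (not from the article or Microsoft).
# Run in an elevated PowerShell session on a Windows 11 23H2 device after 'gpupdate /force'.
# Registry locations: Windows LAPS policy key, MS Security Guide (Security Baseline) keys,
# LanmanServer/LanmanWorkstation policy keys and the Windows Copilot user policy key.
# 'Expected' values are the editor's hardening recommendations (assumption); $null = report only.

$Laps = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

$Checks = @(
    # Windows LAPS. BackupDirectory: 0 = disabled, 1 = Azure AD (Entra ID), 2 = Active Directory.
    @{ Policy = 'LAPS: Configure password backup directory';                         Key = $Laps; Name = 'BackupDirectory';                     Expected = 2 },
    @{ Policy = 'LAPS: Enable password encryption';                                  Key = $Laps; Name = 'ADPasswordEncryptionEnabled';         Expected = 1 },
    @{ Policy = 'LAPS: Do not allow password expiration time longer than required'; Key = $Laps; Name = 'PasswordExpirationProtectionEnabled'; Expected = 1 },
    @{ Policy = 'LAPS: Configure authorized password decryptors';                    Key = $Laps; Name = 'ADPasswordEncryptionPrincipal';       Expected = $null },
    @{ Policy = 'LAPS: Post-authentication actions';                                 Key = $Laps; Name = 'PostAuthenticationActions';          Expected = $null },
    # MS Security Guide items from the Security Baseline.
    @{ Policy = 'Configure RPC packet level privacy setting for incoming connections'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print';                          Name = 'RpcAuthnLevelPrivacyEnabled'; Expected = 1 },
    @{ Policy = 'Enable Certificate Padding';                                          Key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config';             Name = 'EnableCertPaddingCheck';      Expected = 1 },
    @{ Policy = 'Enable Certificate Padding (WOW64)';                                  Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'; Name = 'EnableCertPaddingCheck';      Expected = 1 },
    # SMB compression: report only.
    @{ Policy = 'SMB server: Disable SMB compression'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer';      Name = 'DisableCompression'; Expected = $null },
    @{ Policy = 'SMB client: Disable SMB compression'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'; Name = 'DisableCompression'; Expected = $null },
    # User-scope policy; HKCU reflects the user running the script. Report only.
    @{ Policy = 'Turn off Windows Copilot';            Key = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot';    Name = 'TurnOffWindowsCopilot'; Expected = $null }
)

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # A missing key or value means Group Policy wrote nothing, i.e. the policy is Not Configured.
    try {
        return (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

function Test-PolicyCheck {
    param([hashtable]$Check)
    $actual = Get-PolicyValue -Key $Check.Key -Name $Check.Name
    # String comparison tolerates a value stored as REG_SZ "1" as well as REG_DWORD 1.
    $state = if ($null -eq $actual) { 'NotConfigured' }
             elseif ($null -eq $Check.Expected) { 'Configured' }
             elseif ([string]$actual -eq [string]$Check.Expected) { 'Compliant' }
             else { 'Deviates' }
    [pscustomobject]@{
        Policy   = $Check.Policy
        Value    = $Check.Name
        Actual   = $actual
        Expected = $Check.Expected
        State    = $state
    }
}

$results = foreach ($c in $Checks) { Test-PolicyCheck -Check $c }
$results | Format-Table -Property Policy, Value, Actual, Expected, State -AutoSize

# Dependency checks taken from the LAPS descriptions in the table: encryption only works when
# the password is backed up to Active Directory, and decryptors only matter when encryption is on.
$lapsValues = @{}
foreach ($r in ($results | Where-Object { $_.Policy -like 'LAPS:*' })) { $lapsValues[$r.Value] = $r.Actual }
if ($lapsValues['ADPasswordEncryptionEnabled'] -eq 1 -and $lapsValues['BackupDirectory'] -ne 2) {
    Write-Warning 'LAPS password encryption is enabled but BackupDirectory is not Active Directory (2); encryption has no effect.'
}
if ($lapsValues['ADPasswordEncryptionPrincipal'] -and $lapsValues['ADPasswordEncryptionEnabled'] -ne 1) {
    Write-Warning 'Authorized password decryptors are configured but password encryption is not enabled; the setting has no effect.'
}

# Findings that need attention: a hardening expectation exists and is not met.
$results | Where-Object { $null -ne $_.Expected -and $_.State -ne 'Compliant' }
```

Run `gpupdate /force` first so the registry reflects the current GPOs; a `NotConfigured` result means the policy has not been delivered to this device by Group Policy (it could still be set through an MDM CSP, which this script does not check). The LAPS encryption warning is the practical consequence of the caveat in the table: enabling "Enable password encryption" without "Configure password backup directory" set to Active Directory, or on a domain below the Windows Server 2016 functional level, silently leaves the password stored in clear text.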

Ending words

This post lists the new Windows 11 23H2 Group Policies that become available as soon as you install or upgrade to this OS version. You can get additional Group Policies for enhancing security by applying the Security Baseline.

You can use these Group Policies to better manage what to allow and what to block on your computer. If you are a sysadmin, then you can use the Group Policy Management Console to control the Windows 11 23H2 systems within your domain and enhance the overall security of your network.

Subhan Zafar is an established IT professional with interests in Windows and Server infrastructure testing and research, and is currently working with Itechtics as a research consultant. He has studied Electrical Engineering and is also certified by Huawei (HCNA & HCNP Routing and Switching).
