Exploring the New Group Policy Settings in Windows 11 23H2

Windows 11 23H2 introduces a range of new Group Policy settings. These target new features like Dev Drive and extend the management options for existing components. The corresponding ADMX templates are already available for download, as is the setting reference spreadsheet.

Most of the changes in Windows 11 23H2 extend existing features with new functionality. The few genuine innovations are Dev Drive and the integration of Copilot, which is still pending in the EU. In addition, the improved LAPS (Windows LAPS) now ships with the operating system.

Nine of the roughly 33 new group policy settings are dedicated to LAPS, two more to Dev Drive, and one to Copilot. The latter can be deactivated with a single setting.

Inconsistent documentation

Figuring out the new settings in Windows 11 23H2 is not trivial. Because Microsoft continually rolls out new features through monthly updates, there is no clean baseline to compare against. Microsoft's less than clear documentation adds to the confusion.

So far, there are two reference documents that should provide information on the new settings. One is a familiar resource known as Group Policy Settings Reference. The other reference is an Excel spreadsheet found in the Security Baseline documentation, titled “Windows 11 22H2 to 23H2 Delta.xlsx”.

The two references disagree on which settings are new. For instance, the setting Configure the inclusion of app tabs into ALT-TAB has been present in Windows 10 for some time and is only now, with a delay, appearing in Windows 11. However, the baseline documentation does not list it at all.

Conversely, the settings reference assigns the options for managing SMB Compression to 22H2, whereas the baseline document lists them as new in 23H2.

The ADMX templates containing the new settings are found on a Windows 11 23H2 workstation under %systemroot%\PolicyDefinitions, but as usual they are also available as a separate download. The download package has the advantage of including all available language files, whereas the operating system only contains those for the installed languages.

Overview of the new settings

Most of the new settings in the following list are self-explanatory; I have added annotations to the others and grouped them into categories for better clarity.

Notifications

  • Enable Organizational Messages

Administrators can send messages to selected users through management tools such as Configuration Manager. By default, this option is disabled.

  • Turn on multiple expanded toast notifications in action center

By default, Windows 11 shows only the first toast notification from an application expanded in the Action Center. This setting raises that number to three.

  • Hide Internet Explorer 11 retirement notification

This setting enables the warning about the retirement of Internet Explorer to be hidden in IE. It exists in both the Computer and User Configuration branches.

The first two of these settings have already existed in Windows 10 since version 22H2 and work the same way in Windows 11. It therefore seems that the administrative templates for Windows 11 are gradually being made backward compatible with Windows 10.

Protecting User Privacy

  • Deactivate account-based insights and recent, favorite, and recommended files in File Explorer

This setting prevents File Explorer from retrieving account-based file metadata (recent, favorite, and recommended files) from the cloud.

  • Let Windows apps access presence sensing

Windows uses presence detection for security features, for example to lock the computer when the user leaves the workstation and to unlock it again when they return. With this setting, you can allow or deny access to this sensor for all apps or grant it selectively to individual apps.

Grant or deny apps access to presence detection

LAPS

Windows LAPS builds the formerly separate Legacy LAPS settings into the operating system and extends them with policies for the new capabilities (Entra ID backup, password encryption, history, DSRM accounts, and post-authentication actions). A comprehensive explanation can be found in this article.

  • Configure password backup directory
  • Name of administrator account to manage
  • Enable password encryption
  • Configure authorized password decryptors
  • Configure size of encrypted password history
  • Enable password backup for DSRM accounts
  • Post-authentication actions
  • Password Settings
  • Do not allow password expiration time longer than required by policy
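As an added example (not code from the original article), the following PowerShell function performs a read-only audit of the Windows LAPS policy that is effective on a client. Windows LAPS reads its policy from HKLM\SOFTWARE\Microsoft\Policies\LAPS, and the value names used below (BackupDirectory, ADPasswordEncryptionEnabled, ADPasswordEncryptionPrincipal, and so on) are the documented registry names of the policies listed above. The defaults substituted for absent values (built-in Administrator, length 14, age 30 days, encryption on) follow the Windows LAPS documentation and are assumptions of this script, not something the article states. The function name and its findings are my own.

```powershell
# Added example: audit the effective Windows LAPS policy on the local machine.
# Registry value names are the documented Windows LAPS policy values; the
# defaults applied when a value is absent are those documented for Windows LAPS
# (assumed here, verify against the current docs before relying on them).
function Get-LapsPolicyAudit {
    [CmdletBinding()]
    param(
        # Override this to audit a copied/exported key instead of the live one.
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not (Test-Path -Path $PolicyPath)) {
        $findings.Add('Windows LAPS policy key is missing: LAPS is not managing any account.')
        return [pscustomobject]@{ PolicyPath = $PolicyPath; Configured = $false; Findings = $findings }
    }

    $props = Get-ItemProperty -Path $PolicyPath

    # Return the policy value, or the documented default when it is not set.
    function Get-Val([string]$Name, $Default) {
        $v = $props.PSObject.Properties[$Name]
        if ($null -ne $v) { return $v.Value } else { return $Default }
    }

    $backupDir  = Get-Val 'BackupDirectory' 0                # 0 disabled, 1 Entra ID, 2 Windows Server AD
    $account    = Get-Val 'AdministratorAccountName' ''      # '' = built-in Administrator (RID 500)
    $encrypt    = Get-Val 'ADPasswordEncryptionEnabled' 1
    $decryptors = Get-Val 'ADPasswordEncryptionPrincipal' '' # '' = Domain Admins only
    $history    = Get-Val 'ADEncryptedPasswordHistorySize' 0
    $dsrm       = Get-Val 'ADBackupDSRMPassword' 0
    $length     = Get-Val 'PasswordLength' 14
    $complexity = Get-Val 'PasswordComplexity' 4
    $ageDays    = Get-Val 'PasswordAgeDays' 30
    $postAuth   = Get-Val 'PostAuthenticationActions' 3      # 1 reset, 3 reset+logoff, 5 reset+reboot
    $expProtect = Get-Val 'PasswordExpirationProtectionEnabled' 1

    switch ($backupDir) {
        0 { $findings.Add('BackupDirectory = 0: password backup is disabled, LAPS is inactive.') }
        2 {
            if ($encrypt -ne 1) {
                $findings.Add('Backup to AD without encryption: the password lands in clear text in msLAPS-Password.')
            } elseif ([string]::IsNullOrWhiteSpace($decryptors)) {
                $findings.Add('Encryption enabled but no authorized decryptor configured: only Domain Admins can decrypt.')
            }
            if ($history -lt 1) {
                $findings.Add('Encrypted password history is 0: after restoring a DC from backup the stored password may no longer match.')
            }
            if ($dsrm -eq 1 -and $encrypt -ne 1) {
                $findings.Add('ADBackupDSRMPassword requires password encryption and is ignored without it.')
            }
        }
    }

    if ([string]::IsNullOrWhiteSpace($account)) {
        $findings.Add('No AdministratorAccountName set: LAPS manages the built-in Administrator (RID 500).')
    }
    if ($length -lt 14)    { $findings.Add("PasswordLength $length is below the default of 14.") }
    if ($complexity -lt 4) { $findings.Add("PasswordComplexity $complexity does not use the full character set (4).") }
    if ($ageDays -gt 30)   { $findings.Add("PasswordAgeDays $ageDays exceeds the default rotation of 30 days.") }
    if (($postAuth -band 2) -eq 0 -and ($postAuth -band 4) -eq 0) {
        $findings.Add('PostAuthenticationActions only resets the password: sessions of the managed account survive a rotation.')
    }
    if ($expProtect -ne 1) {
        $findings.Add('PasswordExpirationProtectionEnabled is off: the expiration time can be pushed beyond the policy.')
    }

    [pscustomobject]@{
        PolicyPath      = $PolicyPath
        Configured      = $true
        BackupDirectory = $backupDir
        ManagedAccount  = if ($account) { $account } else { 'Administrator (RID 500)' }
        Findings        = $findings
    }
}

# Usage: run in an elevated session on a 23H2 client that has received the policy.
Get-LapsPolicyAudit | Format-List
```

Run it after a gpupdate on a test client; an empty Findings list means the backup target, encryption, decryptor, and rotation settings match the defaults the script assumes, while each finding names the registry value to correct in the corresponding policy above.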

Dev Drive

  • Enable Dev Drive
  • Dev Drive filter attach policy

Dev Drive is a ReFS-based volume optimized for developer workloads. The first setting enables or blocks the feature via group policy.

By default, no file system filter drivers (other than the Defender antivirus filter) attach to a Dev Drive. The second setting lets you specify which filters are allowed to attach.

Copilot

  • Turn off Windows Copilot

This setting, located in the User Configuration branch under Windows Components > Windows Copilot, prevents users from launching Windows Copilot and removes its button from the taskbar.

Security Guide

This setting previously existed only in the SecGuide.admx template included in the Security Baseline package and has now been incorporated into Printing.admx, which ships with the operating system.

Energy management

  • Force Disable Wake When Battery Saver On
  • Force Allow Wake When External Display Connected
  • Force Allow Lock When External Display Connected
  • Force Allow Dim When External Display Connected

Language settings

  • Do not sync language preferences settings

Start menu and taskbar

  • Remove Personalized Website Recommendations from the Recommended section in the Start Menu

Windows 11 displays personalized website recommendations and suggestions in the Start menu based on the user’s browsing history. This setting prevents this behavior. It exists in both the computer and user branches.

  • Turn off account notifications in Start

Windows shows users with a Microsoft or local account notifications prompting them to secure their device, buy additional cloud storage, or manage their Microsoft 365 or Xbox subscription. This setting blocks such notifications.

  • Configures search on the taskbar

Options to configure the search box on the taskbar (refer to the detailed description for more info).

Defender

  • Automatic Data Collection

This policy determines whether advanced phishing protection can collect additional information, such as displayed content, played sounds, and the application memory when users enter their password for a work or school account on a suspicious website or application.

  • Scan packed executables

This setting, already present in Windows 10, can stop Defender from scanning packed executables such as self-extracting archives. By default, these files are scanned, and disabling the scan removes a detection opportunity for packers that are commonly used to obfuscate malware.

Windows Update

  • Enable features introduced via servicing that are off by default

Although Microsoft continuously delivers new features through monthly updates, it activates them on managed devices only when the next feature upgrade ships. This setting lets you switch off that deferral so the features are turned on as soon as they arrive.

  • Enable optional updates

Introduced with the August 2023 update, this policy allows you to determine how optional updates are installed and how users can influence this process.

  • Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN

These cache servers belong to Delivery Optimization. With this setting, their use can be blocked whenever an active VPN connection is detected, so that update traffic does not traverse the tunnel.

  • VPN Keywords

You can use keywords to help Delivery Optimization identify VPN connections. By default, the friendly name and the description of the network adapter are checked for them.
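To make the keyword mechanism of the two Delivery Optimization settings tangible, here is an added PowerShell example that is not part of the original article. It reproduces the check locally: every active adapter's friendly name and description are matched against the keyword list, and the result is combined with the VPN block policy. Assumptions of this script: the registry path under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization and the value names DOVpnKeywords and DODisallowCacheServerDownloadsOnVPN mirror the MDM policy names, the keyword list is comma or semicolon separated, and the built-in keyword is "VPN". The function name and the sample adapters are constructed for illustration.

```powershell
# Added example: show which adapters Delivery Optimization would classify as VPN.
# Assumptions (not from the article): policy path and value names mirror the
# MDM policy names; keyword list separated by ',' or ';'; built-in keyword 'VPN'.
function Test-DoVpnDetection {
    [CmdletBinding()]
    param(
        # Adapters to evaluate; defaults to the machine's adapters that are up.
        [object[]]$Adapters = (Get-NetAdapter | Where-Object Status -eq 'Up'),
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    )

    $keywords   = @('VPN')   # assumed built-in keyword
    $blockOnVpn = $false

    if (Test-Path -Path $PolicyPath) {
        $pol = Get-ItemProperty -Path $PolicyPath
        if ($pol.PSObject.Properties['DOVpnKeywords']) {
            # Policy keywords extend, not replace, the built-in list (assumption).
            $keywords += ($pol.DOVpnKeywords -split '[,;]' |
                          ForEach-Object { $_.Trim() } |
                          Where-Object { $_ })
        }
        if ($pol.PSObject.Properties['DODisallowCacheServerDownloadsOnVPN']) {
            $blockOnVpn = ($pol.DODisallowCacheServerDownloadsOnVPN -eq 1)
        }
    }

    # -like is case-insensitive; the first matching keyword per adapter wins.
    $hits = foreach ($a in $Adapters) {
        foreach ($kw in $keywords) {
            if ($a.Name -like "*$kw*" -or $a.InterfaceDescription -like "*$kw*") {
                [pscustomobject]@{ Adapter = $a.Name; Description = $a.InterfaceDescription; Keyword = $kw }
                break
            }
        }
    }

    [pscustomobject]@{
        Keywords            = $keywords
        VpnDetected         = [bool]$hits
        MatchingAdapters    = @($hits)
        CacheServersBlocked = ($blockOnVpn -and [bool]$hits)
    }
}

# Constructed sample adapters (no real hardware) to exercise the logic offline;
# the second one would be classified as VPN because of its description.
$sampleAdapters = @(
    [pscustomobject]@{ Name = 'Ethernet';   InterfaceDescription = 'Intel(R) Ethernet Connection I219-LM' }
    [pscustomobject]@{ Name = 'Ethernet 2'; InterfaceDescription = 'Fortinet SSL VPN Virtual Ethernet Adapter' }
)
Test-DoVpnDetection -Adapters $sampleAdapters | Format-List

# On a real client, omit -Adapters to evaluate the live adapters.
```

If a VPN client names its adapter without any of the keywords, VpnDetected stays false and cache-server downloads continue through the tunnel; that is exactly the case the VPN Keywords policy is meant to fix by adding the vendor's adapter name.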

Summary

Windows 11 23H2 introduces around 30 new group policy settings. Some of them existed before but had to be installed separately; this applies to LAPS and to a policy from SecGuide.admx. Windows LAPS additionally brings a range of new features, which are reflected in the corresponding group policies.

