The first feature update for Windows 11, Windows 11 22H2 (also known as the Windows 11 2022 Update), was just released. As with every new version of Windows, this version also comes with its own set of administrative templates.
Administrative Templates give you more control over your computer, or an entire domain of computers if you are a sysadmin connected to an Active Directory. This allows you to gain more control over each device as you apply more policies, making them more secure and less vulnerable to exploits.
The Windows 11 22H2 ADMX are backward compatible, so they can also be installed on the following operating systems:
- Windows 11 21H2
- Windows 10 (all versions)
- Windows 8 & 8.1
- Windows 7
- Windows Server (all versions)
Installing these administrative templates will include more Group Policies for you to configure. Continue below to download them.
Download and Install Administrative Templates for Windows 11 v22H2
There is no need to uninstall any previous version(s) of ADMX files already installed. Simply downloading and installing the new ADMX file will work.
Follow the guide below to download and install Administrative templates for Windows 11 22H2:
- Download the Administrative Templates for Windows 11 v22H2 [Size: 13.5 MB].
  You may also download Microsoft Security Compliance Toolkit that gives security administrators the ability to apply Group Policy Objects via a Domain Controller throughout an enterprise network.
- Execute the downloaded .msi package by double-clicking it.
- The installation wizard will now open. Click Next.
- On the next screen, accept the terms by checking the box and clicking Next.
- Now select the installation location (which can be left as default) and click Next.
- On the confirmation screen, click Install.
- Windows 11 22H2 Administrative Templates will now be installed on your device. Click Finish when done.
You have now successfully installed the ADMX Templates. Head over to Microsoft’s download center to get more information about the Windows 11 22H2 Administrative Templates or install it in another language.
New in Windows 11 22H2 Administrative Templates
A plethora of computer and user configuration options have been added to the Group Policy settings with these templates. The table below lists the new policies that will be added upon installing the Windows 11 22H2 ADMX:
Applicable | Policy Path | Policy Name | Description |
Machine | Desktop | Hide and disable all items on the desktop | Removes icon shortcuts and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. |
Machine | MS Security Guide | Configure RPC packet level privacy setting for incoming connections | This policy setting controls whether packet level privacy is enabled for RPC for incoming connections. |
Machine | Network\DNS Client | Configure Discovery of Designated Resolvers (DDR) protocol | Specifies if the DNS client would use the DDR protocol. |
Machine | Network\DNS Client | Configure NetBIOS settings | Specifies if the DNS client will perform name resolution over NetBIOS. By default, the DNS client will disable NetBIOS name resolution on public networks for security reasons. |
Machine | Printers | Always send job page count information for IPP printers | Determines whether to always send page count information for accounting purposes for printers using the Microsoft IPP Class Driver. |
Machine | Printers | Configure Redirection Guard | Determines whether Redirection Guard is enabled for the print spooler. |
Machine | Printers | Configure RPC connection settings | Controls which protocol and protocol settings to use for outgoing RPC connections to a remote print spooler. |
Machine | Printers | Configure RPC listener settings | Controls which protocols incoming RPC connections to the print spooler are allowed to use. |
Machine | Printers | Configure RPC over TCP port | Controls which port is used for RPC over TCP for incoming connections to the print spooler and outgoing connections to remote print spoolers. |
Machine | Printers | Limits print driver installation to Administrators | Determines whether users that aren’t Administrators can install print drivers on this computer. |
Machine | Printers | Manage Print Driver exclusion list | Controls the print driver exclusion list. The exclusion list allows an administrator to curate a list of printer drivers that are not allowed to be installed on the system. |
Machine | Printers | Manage Print Driver signature validation | Controls the print driver signature validation mechanism. Controls the type of digital signature that is required for a print driver to be considered valid and installed on the system. |
Machine | Printers | Manage processing of Queue-specific files | Manages how Queue-specific files are processed during printer installation. |
Machine | Security Settings\Account Policies\Account Lockout Policy | Allow Administrator account lockout | Determines whether the built-in Administrator account is subject to the account lockout policy. |
Machine | Start Menu and Taskbar | Disable Editing Quick Settings | If you enable this policy, the user will be unable to modify Quick Settings. |
Machine | Start Menu and Taskbar | Hide the TaskView button | Allows you to hide the TaskView button. |
Machine | Start Menu and Taskbar | Prevent changes to Taskbar and Start Menu Settings | Allows you to prevent changes to Taskbar and Start Menu Settings. |
Machine | Start Menu and Taskbar | Prevent users from uninstalling applications from Start | If you enable this setting, users cannot uninstall apps from Start. |
Machine | Start Menu and Taskbar | Remove access to the context menus for the taskbar | Allows you to remove access to the context menus for the taskbar. |
Machine | Start Menu and Taskbar | Remove pinned programs from the Taskbar | Allows you to remove pinned programs from the taskbar. |
Machine | Start Menu and Taskbar | Remove Recommended section from Start Menu | Allows you to prevent the Start Menu from displaying a list of recommended applications and files. |
Machine | Start Menu and Taskbar | Remove Run menu from Start Menu | Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. |
Machine | Start Menu and Taskbar | Simplify Quick Settings Layout | If you enable this policy, Quick Settings will be reduced to only having the WiFi, Bluetooth, Accessibility, and VPN buttons; the brightness and volume sliders; and battery indicator and link to the Settings app. |
Machine | System | Hide messages when Windows system requirements are not met | Controls which messages are shown when Windows is running on a device that does not meet the minimum system requirements for this OS version. |
Machine | System\KDC | Configure hash algorithms for certificate logon | Controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication. |
Machine | System\Kerberos | Configure hash algorithms for certificate logon | Controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication. |
Machine | System\Local Security Authority | Allow Custom SSPs and APs to be loaded into LSASS | Controls the configuration under which LSASS loads custom SSPs and APs. |
Machine | System\Local Security Authority | Configures LSASS to run as a protected process | Controls the configuration under which LSASS is run. |
Machine | Windows Components\Desktop App Installer | Enable App Installer | Controls whether the Windows Package Manager can be used by users. |
Machine | Windows Components\Desktop App Installer | Enable App Installer Additional Sources | Controls additional sources provided by the enterprise IT administrator. |
Machine | Windows Components\Desktop App Installer | Enable App Installer Allowed Sources | Controls additional sources allowed by the enterprise IT administrator. |
Machine | Windows Components\Desktop App Installer | Enable App Installer Default Source | Controls the default source included with the Windows Package Manager. |
Machine | Windows Components\Desktop App Installer | Enable App Installer Experimental Features | Controls whether users can enable experimental features in the Windows Package Manager. |
Machine | Windows Components\Desktop App Installer | Enable App Installer Hash Override | Controls whether or not the Windows Package Manager can be configured to enable the ability to override the SHA256 security validation in settings. |
Machine | Windows Components\Desktop App Installer | Enable App Installer Local Manifest Files | Controls whether users can install packages with local manifest files. |
Machine | Windows Components\Desktop App Installer | Enable App Installer Microsoft Store Source | Controls the Microsoft Store source included with the Windows Package Manager. |
Machine | Windows Components\Desktop App Installer | Enable App Installer ms-appinstaller protocol | Controls whether users can install packages from a website that is using the ms-appinstaller protocol. |
Machine | Windows Components\Desktop App Installer | Enable App Installer Settings | Controls whether users can change their settings. |
Machine | Windows Components\Desktop App Installer | Set App Installer Source Auto Update Interval In Minutes | Controls the auto-update interval for package-based sources. |
Machine | Windows Components\File Explorer | Turn off files from Office.com in the Quick Access view | Turning off files from Office.com will prevent File Explorer from requesting recent cloud file metadata and displaying it in the Quick Access view. |
Machine | Windows Components\Human Presence | Force Instant Dim | Determines whether Attention Based Display Dimming is forced on/off by the MDM policy. |
Machine | Windows Components\Internet Explorer | Disable HTML Application | Specifies if running the HTML Application (HTA file) is blocked or allowed. |
Machine | Windows Components\Internet Explorer | Enable global window list in Internet Explorer mode | Allows Internet Explorer mode to use the global window list that enables sharing state with other applications. The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. |
Machine | Windows Components\Internet Explorer | Reset zoom to default for HTML dialogs in Internet Explorer mode | Lets admins reset the zoom to default for HTML dialogs in Internet Explorer mode. |
Machine | Windows Components\Internet Explorer\Security Features\Add-on Management | Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects | Turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. |
Machine | Windows Components\Microsoft account | Only allow device authentication for the Microsoft Account Sign-In Assistant | Determines whether to only allow enterprise device authentication for the Microsoft Account Sign-in Assistant service (wlidsvc). |
Machine | Windows Components\Microsoft Defender Antivirus | Control whether or not exclusions are visible to Local Admins. | Controls whether or not exclusions are visible to Local Admins. |
Machine | Windows Components\Microsoft Defender Antivirus | Select the channel for Microsoft Defender daily security intelligence updates | Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. |
Machine | Windows Components\Microsoft Defender Antivirus | Select the channel for Microsoft Defender monthly engine updates | Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. |
Machine | Windows Components\Microsoft Defender Antivirus | Select the channel for Microsoft Defender monthly platform updates | Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. |
Machine | Windows Components\Microsoft Defender Antivirus\Device Control | Define Device Control evidence data remote location | Defines evidence file remote location where Device Control service will move evidence data captured. |
Machine | Windows Components\Microsoft Defender Antivirus\Device Control | Select Device Control Default Enforcement Policy | Default Allow: Choosing this default enforcement will allow any operations to occur on the attached devices if no policy rules are found to match. |
Machine | Windows Components\Microsoft Defender Antivirus\Features | Device Control | Enable or Disable Defender Device Control on this machine. |
Machine | Windows Components\Microsoft Defender Antivirus\MpEngine | Disable gradual rollout of Microsoft Defender updates. | Enable this policy to disable the gradual rollout of Defender updates. |
Machine | Windows Components\Microsoft Defender Antivirus\Reporting | Configure time interval for service health reports | Configures the time interval (in minutes) for the service health reports to be sent from endpoints. |
Machine | Windows Components\Microsoft Defender Antivirus\Scan | CPU throttling type | Determines whether the maximum percentage of CPU utilization permitted during a scan applies only to scheduled scans or to both scheduled and custom scans. |
Machine | Windows Components\Microsoft Edge | Suppress the display of Edge Deprecation Notification | Configure Microsoft Edge to suppress the display of the notification that informs users that support of this version of Microsoft Edge ended on March 9th, 2021. |
Machine | Windows Components\Remote Desktop Services\Remote Desktop Connection Client | Disable Cloud Clipboard integration for server-to-client data transfer | Lets you control whether data transferred from the remote session to the client using clipboard redirection is added to the client-side Cloud Clipboard. |
Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection | Do not allow WebAuthn redirection | Lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. |
Machine | Windows Components\Search | Allow search highlights | Disabling this setting turns off search highlights in the start menu search box and in search home. |
Machine | Windows Components\Search | Fully disable Search UI | If you enable this policy, the Search UI will be disabled along with all its entry points, such as keyboard shortcuts, touchpad gestures, and type-to-search in the Start menu. |
Machine | Windows Components\Sync your settings | Do not sync accessibility settings | Prevent the “accessibility” group from syncing to and from this PC. |
Machine | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | Notify Malicious | Determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they enter their work or school credentials into a flagged website or portal. |
Machine | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | Notify Password Reuse | Determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they reuse their work or school password. |
Machine | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | Notify Unsafe App | Determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school credentials in an unsafe app. |
Machine | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | Service Enabled | Determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen is in audit mode or off. |
Machine | Windows Components\Windows Hello for Business | Enable ESS with Supported Peripherals | Enhanced Sign-in Security isolates Windows Hello biometric (face and fingerprint) template data and matching operations to trusted hardware or specified memory regions, meaning the rest of the operating system cannot access or tamper with them. |
User | Start Menu and Taskbar | Hide the TaskView button | Allows you to hide the TaskView button. If you enable this policy setting, the TaskView button will be hidden and the Settings toggle will be disabled. |
User | Start Menu and Taskbar | Remove Quick Settings | Removes Quick Settings from the bottom right area on the taskbar. |
User | Start Menu and Taskbar | Remove Recommended section from Start Menu | Allows you to prevent the Start Menu from displaying a list of recommended applications and files. |
User | Windows Components\Internet Explorer | Disable HTML Application | Specifies if running the HTML Application (HTA file) is blocked or allowed. |
User | Windows Components\Internet Explorer | Enable global window list in Internet Explorer mode | Allows Internet Explorer mode to use the global window list that enables sharing state with other applications. The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. |
User | Windows Components\Internet Explorer | Reset zoom to default for HTML dialogs in Internet Explorer mode | Lets admins reset the zoom to default for HTML dialogs in Internet Explorer mode. |
User | Windows Components\Internet Explorer\Security Features\Add-on Management | Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects | Turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. |
User | Windows Components\Microsoft Edge | Suppress the display of Edge Deprecation Notification | Configure Microsoft Edge to suppress the display of the notification that informs users that support of this version of Microsoft Edge ended on March 9th, 2021. |
To read more about all of the group policies and their paths, you can download the references spreadsheet here:
Download Windows 11 22H2 ADMX reference spreadsheet [754 KB]
How to Uninstall Administrative Templates (ADMX)
If you are not comfortable with these templates, or they are causing issues with your work or computer, you can simply uninstall them using these steps:
- Open the Programs and Features applet by typing in appwiz.cpl in the Run Command box.
- Here, look for the Administrative Templates you want to remove, right-click it, and then click Uninstall.
- When asked for a confirmation, click Yes.
The ADMX and all installed Group Policies will now be removed from your computer.
Closing Thoughts
As mentioned earlier, each operating system version from Microsoft comes with its own set of Administrative Templates that are built around the features and needs of that particular version. Therefore, we recommend that you install the ADMX specifically designed for your OS version.
Moreover, these templates only make your system more secure if configured correctly. Only installing them won’t make much of a difference. This is why we suggest that you take a hard look at the table provided above and understand what each of these new policies is for, and configure them accordingly.
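The difference between an installed template and a configured policy can be checked per ADMX file. The PowerShell below is an added example, not code from the original article or from Microsoft: it reads the registry key and value names that an ADMX file declares and reports whether each one is actually set on the local machine. The function name `Get-AdmxPolicyState` and the embedded ADMX sample (its policy names, keys and value names) are constructed for illustration.

```powershell
# Added example. The ADMX below is a constructed sample; its policy names,
# registry keys and value names are made up and exist in no real template.
$sampleAdmx = @'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
                   revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="Example_MachineToggle" class="Machine"
            key="Software\Policies\ExampleVendor\Constructed" valueName="ExampleToggle">
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
    <policy name="Example_BothWithElement" class="Both"
            key="Software\Policies\ExampleVendor\Constructed">
      <elements>
        <decimal id="Example_Level" valueName="ExampleLevel" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>
'@

function Get-AdmxPolicyState {
    param([Parameter(Mandatory)][xml]$Admx)
    # XPath on local-name() sidesteps the default XML namespace ADMX files use.
    foreach ($policy in $Admx.SelectNodes("//*[local-name()='policy']")) {
        # A policy stores data under its own valueName and/or child <elements>.
        $valueNames = @()
        if ($policy.HasAttribute('valueName')) { $valueNames += $policy.GetAttribute('valueName') }
        foreach ($el in $policy.SelectNodes("*[local-name()='elements']/*[@valueName]")) {
            $valueNames += $el.GetAttribute('valueName')
        }
        # class="Machine" maps to HKLM, "User" to HKCU, "Both" to each hive.
        $hives = switch ($policy.GetAttribute('class')) {
            'Machine' { 'HKLM' }
            'User'    { 'HKCU' }
            'Both'    { 'HKLM', 'HKCU' }
        }
        foreach ($hive in $hives) {
            foreach ($valueName in $valueNames) {
                $path = '{0}:\{1}' -f $hive, $policy.GetAttribute('key')
                # A missing key or value means the policy is "Not Configured".
                $item = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Policy     = $policy.GetAttribute('name')
                    Hive       = $hive
                    Key        = $policy.GetAttribute('key')
                    ValueName  = $valueName
                    Configured = [bool]$item
                    Data       = if ($item) { $item.$valueName } else { $null }
                }
            }
        }
    }
}

# On a machine where nothing is set, every row reports Configured = False.
Get-AdmxPolicyState -Admx $sampleAdmx | Format-Table -AutoSize
```

To run it against an installed template, pass the file's content instead of the sample, for example `Get-AdmxPolicyState -Admx (Get-Content -Raw <path to .admx>)`. Elements that declare their own `key` attribute are reported under the policy-level key in this version.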