下载 Windows 11 22H2 组策略设置和 ADMX

---

在本文中，我将列出所有新的 Windows 11 22H2 组策略设置并介绍下载这些设置的步骤。 Microsoft 已发布适用于 Windows 11 2022 更新 (22H2) 的组策略设置参考电子表格，你可以在设置中使用这些策略设置。

针对 Windows 11 22H2 发布的 GPO 设置是使用组策略管理控制台 (GPMC) 编辑组策略对象 (GPO) 时用于公开策略设置的文件。该电子表格列出了随 Windows 11 版本 22H2 提供的管理模板文件（.admx 和 .adml）中包含的计算机和用户配置的所有 80 多个 Windows 11 22H2 GPO 设置。

Microsoft 将向符合条件的 Windows 10 和 Windows 11 设备免费提供 Windows 11 22H2 更新。当我说符合资格时，意味着满足 Windows 11 最低要求的设备将获得 Windows 11 22H2 升级。

升级到 Windows 11 22H2 的方法有多种，对于企业来说，可以使用 Configuration Manager 或 Microsoft Intune 升级到版本 22H2。查看有关如何使用配置管理器升级到 Windows 11 版本 22H2 的详细指南。

下载 Windows 11 22H2 组策略设置参考电子表格

让我们看看下载 Windows 11 (22H2) 组策略设置参考电子表格的步骤。此电子表格显示 Windows 11 2022 更新 (22H2) 附带的计算机和用户配置的策略设置，并且是管理模板文件的一部分。您可以在编辑组策略对象时配置这些策略设置。

请按照以下步骤下载适用于 Windows 11 22H2 的组策略设置参考电子表格：

• 在计算机上启动浏览器并浏览到 Windows 11 2022 更新 (22H2) 的组策略设置参考电子表格下载页面。
• 单击下载按钮。在“文件下载”对话框中，单击保存。在另存为对话框中，浏览到计算机上要保存 GPO 电子表格文件的目录。

下载中包含名为 Windows11andWindowsServer2019PolicySettings-22H2.xlsx 的文件。您将需要 Microsoft Excel 打开此文件并查看数据。查看如何下载和安装 Microsoft Office 2021。

使用 Excel 程序访问 Windows 11 22H2 组策略设置参考电子表格。选择管理模板选项卡，在这里我们可以看到新的 Windows 11 22H2 组策略设置列表。

Windows 11 22H2 组策略设置列表

下表列出了 Microsoft 为 Windows 11 22H2 发布的所有新组策略设置。该表还列出了 GPO 名称以及策略路径和策略描述。

Windows 11 22H2 Group Policy Settings NameGPO Policy PathGroup Policy DescriptionHide messages when Windows system requirements are not metSystemThis policy controls messages which are shown when Windows is running on a device that does not meet the minimum system requirements for this OS version.If you enable this policy setting, these messages will never appear on desktop or in the Settings app.Hide and disable all items on the desktopDesktopRemoves icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations.Enable App InstallerWindows Components\Desktop App InstallerThis policy controls whether the Windows Package Manager can be used by users. If you enable or do not configure this setting, users will be able to use the Windows Package Manager.Enable App Installer SettingsWindows Components\Desktop App InstallerThis policy controls whether users can change their settings.If you enable or do not configure this setting, users will be able to change settings for the Windows Package Manager.If you disable this setting, users will not be able to change settings for the Windows Package Manager.Enable App Installer Experimental FeaturesWindows Components\Desktop App InstallerThis policy controls whether users can enable experimental features in the Windows Package Manager.If you enable or do not configure this setting, users will be able to enable experimental features for the Windows Package Manager.Enable App Installer Local Manifest FilesWindows Components\Desktop App InstallerThis policy controls whether users can install packages with local manifest files.If you enable or do not configure this setting, users will be able to install packages with local manifests using the Windows Package Manager.Enable App Installer Hash OverrideWindows Components\Desktop App InstallerThis policy controls whether or not the Windows Package Manager can be configured to enable the ability override the SHA256 security validation in settings.Enable App Installer Default SourceWindows Components\Desktop App InstallerThis policy controls the default source included with the Windows Package Manager.Enable App Installer Microsoft Store SourceWindows Components\Desktop App InstallerThis policy controls the Microsoft Store source included with the Windows Package Manager.Set App Installer Source Auto Update Interval In MinutesWindows Components\Desktop App InstallerThis policy controls the auto-update interval for package-based sources.Enable App Installer Additional SourcesWindows Components\Desktop App InstallerThis policy controls additional sources provided by the enterprise IT administrator.Enable App Installer Allowed SourcesWindows Components\Desktop App InstallerThis policy controls additional sources allowed by the enterprise IT administrator.Enable App Installer ms-appinstaller protocolWindows Components\Desktop App InstallerThis policy controls whether users can install packages from a website that is using the ms-appinstaller protocol.Configure Discovery of Designated Resolvers (DDR) protocolNetwork\DNS ClientSpecifies if the DNS client would use the DDR protocol.Configure NetBIOS settingsNetwork\DNS ClientSpecifies if the DNS client will perform name resolution over NetBIOS.Turn off files from Office.com in Quick access viewWindows Components\File ExplorerTurning off files from Office.com will prevent File Explorer from requesting recent cloud file metadata and displaying it in the Quick access view.Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objectsWindows Components\Internet Explorer\Security Features\Add-on ManagementThis policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects.Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objectsWindows Components\Internet Explorer\Security Features\Add-on ManagementThis policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects.Enable global window list in Internet Explorer modeWindows Components\Internet ExplorerThis setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications.Enable global window list in Internet Explorer modeWindows Components\Internet ExplorerThis setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications.Reset zoom to default for HTML dialogs in Internet Explorer modeWindows Components\Internet ExplorerThis policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode.If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page.Reset zoom to default for HTML dialogs in Internet Explorer modeWindows Components\Internet ExplorerThis policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode.Disable HTML ApplicationWindows Components\Internet ExplorerThis policy setting specifies if running the HTML Application (HTA file) is blocked or allowed. If you enable this policy setting, running the HTML Application (HTA file) will be blocked.If you disable or do not configure this policy setting, running the HTML Application (HTA file) is allowed.Disable HTML ApplicationWindows Components\Internet ExplorerThis policy setting specifies if running the HTML Application (HTA file) is blocked or allowed. If you enable this policy setting, running the HTML Application (HTA file) will be blocked.If you disable or do not configure this policy setting, running the HTML Application (HTA file) is allowed.Configure hash algorithms for certificate logonSystem\KDCThis policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication.Configure hash algorithms for certificate logonSystem\KerberosThis policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication.Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logonSystem\KerberosThis policy setting allows retrieving the Azure AD Kerberos Ticket Granting Ticket during logon.Request traffic compression for all sharesNetwork\Lanman ServerThis policy controls whether the SMB server requests SMB client to use traffic compression for all SMB shares.If you enable this policy setting, the SMB server will by default request the SMB client to compress traffic when SMB compression is enabled.Disable SMB compressionNetwork\Lanman ServerThis policy controls whether the SMB server will disable (completely prevent) traffic compression.Use SMB compression by defaultNetwork\Lanman WorkstationThis policy controls whether the SMB client uses traffic compression by default.If you enable this policy setting, the SMB client will attempt to compress traffic by default when SMB compression is enabled.Disable SMB compressionNetwork\Lanman WorkstationThis policy controls whether the SMB client will disable (completely prevent) traffic compression.Allow Custom SSPs and APs to be loaded into LSASSSystem\Local Security AuthorityThis policy controls the configuration under which LSASS loads custom SSPs and APs.If you enable this setting or do not configure it, LSA allows custom SSPs and APs to be loaded.If you disable this setting, LSA does not load custom SSPs and APs.Configures LSASS to run as a protected processSystem\Local Security AuthorityThis policy controls the configuration under which LSASS is run.If you do not configure this policy and there is no current setting in the registry, LSA will run as protected process for clean installed, HVCI capable, client SKUs that are domain or cloud domain joined devices.Suppress the display of Edge Deprecation NotificationWindows Components\Microsoft EdgeYou can configure Microsoft Edge to suppress the display of the notification that informs users that support of this version of Microsoft Edge ended on March 9th, 2021. If enabled, the notification will not show.If disabled or not configured, the notification will show every time Edge is launched.Suppress the display of Edge Deprecation NotificationWindows Components\Microsoft EdgeYou can configure Microsoft Edge to suppress the display of the notification that informs users that support of this version of Microsoft Edge ended on March 9th, 2021. If enabled, the notification will not show.If disabled or not configured, the notification will show every time Edge is launched.Only allow device authentication for the Microsoft Account Sign-In AssistantWindows Components\Microsoft accountThis setting determines whether to only allow enterprise device authentication for the Microsoft Account Sign-in Assistant service (wlidsvc). By default, this setting is disabled and allows both user and device authentication. When the value is set to 1, only allow device authentication, and block user authentication.Enable ESS with Supported PeripheralsWindows Components\Windows Hello for BusinessWhile this policy is enabled on Windows 11 devices, external biometric authentication with Windows Hello will be blocked.Limits print driver installation to AdministratorsPrintersDetermines whether users that aren’t Administrators can install print drivers on this computer.By default, users that aren’t Administrators can’t install print drivers on this computer.If you enable this setting or do not configure it, the system will limit installation of print drivers to Administrators of this computer.If you disable this setting, the system won’t limit installation of print drivers to this computer.Manage processing of Queue-specific filesPrintersManages how Queue-specific files are processed during printer installation.Manage Print Driver signature validationPrintersThis policy setting controls the print driver signature validation mechanism. This policy controls the type of digital signature that is required for a print driver to be considered valid and installed on the system.Manage Print Driver exclusion listPrintersThis policy setting controls the print driver exclusion list. The exclusion list allows an administrator to curate a list of printer drivers that are not allowed to be installed on the system.Configure RPC listener settingsPrintersThis policy setting controls which protocols incoming RPC connections to the print spooler are allowed to use.By default, RPC over TCP is enabled and Negotiate is used for the authentication protocol.Configure RPC connection settingsPrintersThis policy setting controls which protocol and protocol settings to use for outgoing RPC connections to a remote print spooler.Configure RPC over TCP portPrintersThis policy setting controls which port is used for RPC over TCP for incoming connections to the print spooler and outgoing connections to remote print spoolers.Always send job page count information for IPP printersPrintersDetermines whether to always send page count information for accounting purposes for printers using the Microsoft IPP Class Driver.Configure Redirection GuardPrintersDetermines whether Redirection Guard is enabled for the print spooler.You can enable this setting to configure the Redirection Guard policy being applied to spooler.If you disable or do not configure this policy setting, Redirection Guard will default to being ‘enabled’.Fully disable Search UIWindows Components\SearchIf you enable this policy, the Search UI will be disabled along with all its entry points, such as keyboard shortcuts, touchpad gestures, and type-to-search in the Start menu. The Start menu’s search box and Search Taskbar button will also be hidden.If you disable or don’t configure this policy setting, the user will be able to open the Search UI and its different entry points will be shown.Allow search highlightsWindows Components\SearchDisabling this setting turns off search highlights in the start menu search box and in search home. Enabling or not configuring this setting turns on search highlights in the start menu search box and in search home.Force Instant DimWindows Components\Human PresenceDetermines whether Attention Based Display Dimming is forced on/off by the MDM policy. The user will not be able to change this setting and the toggle in the UI will be greyed out.Do not sync accessibility settingsWindows Components\Sync your settingsPrevent the “accessibility” group from syncing to and from this PC. This turns off and disables the “accessibility” group on the “Windows backup” settings page in PC settings.Remove Run menu from Start MenuStart Menu and TaskbarAllows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager.Prevent changes to Taskbar and Start Menu SettingsStart Menu and TaskbarThis policy setting allows you to prevent changes to Taskbar and Start Menu Settings.If you enable this policy setting, The user will be prevented from opening the Taskbar Properties dialog box.Remove access to the context menus for the taskbarStart Menu and TaskbarThis policy setting allows you to remove access to the context menus for the taskbar.If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, the clock, and the taskbar buttons.If you disable or do not configure this policy setting, the context menus for the taskbar are available.This policy setting does not prevent users from using other methods to issue the commands that appear on these menus.Prevent users from uninstalling applications from StartStart Menu and TaskbarIf you enable this setting, users cannot uninstall apps from Start.If you disable this setting or do not configure it, users can access the uninstall command from StartRemove Recommended section from Start MenuStart Menu and TaskbarThis policy allows you to prevent the Start Menu from displaying a list of recommended applications and files.If you enable this policy setting, the Start Menu will no longer show the section containing a list of recommended files and apps.Remove Recommended section from Start MenuStart Menu and TaskbarThis policy allows you to prevent the Start Menu from displaying a list of recommended applications and files.If you enable this policy setting, the Start Menu will no longer show the section containing a list of recommended files and apps.Simplify Quick Settings LayoutStart Menu and TaskbarIf you enable this policy, Quick Settings will be reduced to only having the WiFi, Bluetooth, Accessibility, and VPN buttons; the brightness and volume sliders; and battery indicator and link to the Settings app.If you disable or don’t configure this policy setting, the regular Quick Settings layout will appear whenever Quick Settings is invoked.Disable Editing Quick SettingsStart Menu and TaskbarIf you enable this policy, the user will be unable to modify Quick Settings.If you disable or don’t configure this policy setting, the user will be able to edit Quick Settings, such as pinning or unpinning buttons.Remove Quick SettingsStart Menu and TaskbarThis policy setting removes Quick Settings from the bottom-right area on the taskbar.Remove pinned programs from the TaskbarStart Menu and TaskbarThis policy setting allows you to remove pinned programs from the taskbar.Hide the TaskView buttonStart Menu and TaskbarThis policy setting allows you to hide the TaskView button. If you enable this policy setting, the TaskView button will be hidden and the Settings toggle will be disabled.Hide the TaskView buttonStart Menu and TaskbarThis policy setting allows you to hide the TaskView button. If you enable this policy setting, the TaskView button will be hidden and the Settings toggle will be disabled.Do not allow WebAuthn redirectionWindows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource RedirectionThis policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, security key, or other).Disable Cloud Clipboard integration for server-to-client data transferWindows Components\Remote Desktop Services\Remote Desktop Connection ClientThis policy setting lets you control whether data transferred from the remote session to the client using clipboard redirection is added to the client-side Cloud Clipboard.Service EnabledWindows Components\Windows Defender SmartScreen\Enhanced Phishing ProtectionThis policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen is in audit mode or off.Notify MaliciousWindows Components\Windows Defender SmartScreen\Enhanced Phishing ProtectionThis policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a Microsoft login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a Microsoft login URL with an invalid certificate.Notify Password ReuseWindows Components\Windows Defender SmartScreen\Enhanced Phishing ProtectionThis policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they reuse their work or school password.Notify Unsafe AppWindows Components\Windows Defender SmartScreen\Enhanced Phishing ProtectionThis policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school passwords in Notepad, Winword, or M365 Office apps like OneNote, Word, Excel, etc.Device ControlWindows Components\Microsoft Defender Antivirus\FeaturesEnable or Disable Defender Device Control on this machine.Note: You must be enrolled as E3 or E5 in order for Device Control to be enabled.Select Device Control Default Enforcement PolicyWindows Components\Microsoft Defender Antivirus\Device ControlDefault Allow: Choosing this default enforcement, will Allow any operations to occur on the attached devices if no policy rules are found to match.Define Device Control evidence data remote locationWindows Components\Microsoft Defender Antivirus\Device ControlDefine evidence file remote location, where Device Control service will move evidence data captured.Control whether or not exclusions are visible to Local Admins.Windows Components\Microsoft Defender AntivirusThis policy setting controls whether or not exclusions are visible to Local Admins.Select the channel for Microsoft Defender monthly platform updatesWindows Components\Microsoft Defender AntivirusEnable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.Select the channel for Microsoft Defender monthly engine updatesWindows Components\Microsoft Defender AntivirusEnable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.Select the channel for Microsoft Defender daily security intelligence updatesWindows Components\Microsoft Defender AntivirusEnable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout.Configure time interval for service health reportsWindows Components\Microsoft Defender Antivirus\ReportingThis policy setting configures the time interval (in minutes) for the service health reports to be sent from endpoints.CPU throttling typeWindows Components\Microsoft Defender Antivirus\ScanThis policy setting determines whether the maximum percentage CPU utilization permitted during a scan applies only to scheduled scans, or to both scheduled and custom scans (but not real-time protection).Disable gradual rollout of Microsoft Defender updates.Windows Components\Microsoft Defender Antivirus\MpEngineEnable this policy to disable gradual rollout of Defender updates.Current Channel (Broad): Devices set to this channel will be offered updates last during the gradual release cycle.Enable MPR notifications for the systemWindows Components\Windows Logon OptionsThis policy controls the configuration under which winlogon sends MPR notifications in the system.If you enable this setting or do not configure it, winlogon sends MPR notifications if a credential manager is configured.If you disable this setting, winlogon does not send MPR notifications.

下载适用于 Windows 11 22H2 的 ADMX 模板

除了新的 Windows 11 22H2 GPO 设置之外，适用于 Windows 11 22H2 的 ADMX 模板也可供下载。要安装这些新的 Windows 11 22H2 ADMX 模板，请参阅我的有关如何下载和安装 Windows 11 管理模板的指南。

请按照以下步骤下载适用于 Windows 11 22H2 的管理模板 (.admx)：

• 启动浏览器并浏览到 Windows 11 2022 更新 (22H2) 的管理模板 (.admx) 链接。
• 单击下载按钮。在“文件下载”对话框中，单击“保存”。在“另存为”对话框中，浏览到计算机上要保存 Windows 11 September 2022 Update.msi 文件的管理模板 (.admx) 的目录。