Administrative Templates give you more control over your computer, or over an entire domain of computers if you are a sysadmin working with Active Directory. As you apply more policies you gain more control over each device, making it more secure and less vulnerable to exploits. The Windows 11 22H2 ADMX templates are backward compatible, so they can also be installed on the following operating systems:

- Windows 11 21H2
- Windows 10 (all versions)
- Windows 8 & 8.1
- Windows 7
- Windows Server (all versions)

Installing these administrative templates adds more Group Policies for you to configure. Continue below to download them.

Download and Install Administrative Templates for Windows 11 v22H2

There is no need to uninstall any previous versions of ADMX files that are already installed. Simply downloading and installing the new ADMX file will work. Follow the guide below to download and install Administrative Templates for Windows 11 22H2:

You have now successfully installed the ADMX Templates. Head over to Microsoft’s download center to get more information about the Windows 11 22H2 Administrative Templates or to install them in another language. You may also download the Microsoft Security Compliance Toolkit, which gives security administrators the ability to apply Group Policy Objects via a Domain Controller throughout an enterprise network.

New in Windows 11 22H2 Administrative Templates

A plethora of computer and user configuration options have been added to the Group Policy settings with these templates. The table below lists the new policies which will be added upon installing Windows 11 22H2 ADMX:

| Applicable | Policy Path | Policy Name | Description |
| --- | --- | --- | --- |
| Machine | Desktop | Hide and disable all items on the desktop | Removes icon shortcuts and other default and user-defined items from the desktop including Briefcase, Recycle Bin, Computer, and Network Locations. |
| Machine | MS Security Guide | Configure RPC packet level privacy setting for incoming connections | This policy setting controls whether packet level privacy is enabled for RPC for incoming connections. |
| Machine | Network\DNS Client | Configure Discovery of Designated Resolvers (DDR) protocol | Specifies if the DNS client would use the DDR protocol. |
| Machine | Network\DNS Client | Configure NetBIOS settings | Specifies if the DNS client will perform name resolution over NetBIOS. By default, the DNS client will disable NetBIOS name resolution on public networks for security reasons. |
| Machine | Printers | Always send job page count information for IPP printers | Determines whether to always send page count information for accounting purposes for printers using the Microsoft IPP Class Driver. |
| Machine | Printers | Configure Redirection Guard | Determines whether Redirection Guard is enabled for the print spooler. |
| Machine | Printers | Configure RPC connection settings | Controls which protocol and protocol settings to use for outgoing RPC connections to a remote print spooler. |
| Machine | Printers | Configure RPC listener settings | Controls which protocols incoming RPC connections to the print spooler are allowed to use. |
| Machine | Printers | Configure RPC over TCP port | Controls which port is used for RPC over TCP for incoming connections to the print spooler and outgoing connections to remote print spoolers. |
| Machine | Printers | Limits print driver installation to Administrators | Determines whether users that aren’t Administrators can install print drivers on this computer. |
| Machine | Printers | Manage Print Driver exclusion list | Controls the print driver exclusion list. The exclusion list allows an administrator to curate a list of printer drivers that are not allowed to be installed on the system. |
| Machine | Printers | Manage Print Driver signature validation | Controls the print driver signature validation mechanism. Controls the type of digital signature that is required for a print driver to be considered valid and installed on the system. |
| Machine | Printers | Manage processing of Queue-specific files | Manages how Queue-specific files are processed during printer installation. |
| Machine | Security Settings\Account Policies\Account Lockout Policy | Allow Administrator account lockout | Determines whether the built-in Administrator account is subject to the account lockout policy. |
| Machine | Start Menu and Taskbar | Disable Editing Quick Settings | If you enable this policy the user will be unable to modify Quick Settings. |
| Machine | Start Menu and Taskbar | Hide the TaskView button | Allows you to hide the TaskView button. |
| Machine | Start Menu and Taskbar | Prevent changes to Taskbar and Start Menu Settings | Allows you to prevent changes to Taskbar and Start Menu Settings. |
| Machine | Start Menu and Taskbar | Prevent users from uninstalling applications from Start | If you enable this setting users cannot uninstall apps from Start. |
| Machine | Start Menu and Taskbar | Remove access to the context menus for the taskbar | Allows you to remove access to the context menus for the taskbar. |
| Machine | Start Menu and Taskbar | Remove pinned programs from the Taskbar | Allows you to remove pinned programs from the taskbar. |
| Machine | Start Menu and Taskbar | Remove Recommended section from Start Menu | Allows you to prevent the Start Menu from displaying a list of recommended applications and files. |
| Machine | Start Menu and Taskbar | Remove Run menu from Start Menu | Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. |
| Machine | Start Menu and Taskbar | Simplify Quick Settings Layout | If you enable this policy Quick Settings will be reduced to only having the WiFi, Bluetooth, Accessibility, and VPN buttons; the brightness and volume sliders; and battery indicator and link to the Settings app. |
| Machine | System | Hide messages when Windows system requirements are not met | Controls which messages are shown when Windows is running on a device that does not meet the minimum system requirements for this OS version. |
| Machine | System\KDC | Configure hash algorithms for certificate logon | Controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication. |
| Machine | System\Kerberos | Configure hash algorithms for certificate logon | Controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication. |
| Machine | System\Local Security Authority | Allow Custom SSPs and APs to be loaded into LSASS | Controls the configuration under which LSASS loads custom SSPs and APs. |
| Machine | System\Local Security Authority | Configures LSASS to run as a protected process | Controls the configuration under which LSASS is run. |
| Machine | Windows Components\Desktop App Installer | Enable App Installer | Controls whether the Windows Package Manager can be used by users. |
| Machine | Windows Components\Desktop App Installer | Enable App Installer Additional Sources | Controls additional sources provided by the enterprise IT administrator. |
| Machine | Windows Components\Desktop App Installer | Enable App Installer Allowed Sources | Controls additional sources allowed by the enterprise IT administrator. |
| Machine | Windows Components\Desktop App Installer | Enable App Installer Default Source | Controls the default source included with the Windows Package Manager. |
| Machine | Windows Components\Desktop App Installer | Enable App Installer Experimental Features | Controls whether users can enable experimental features in the Windows Package Manager. |
| Machine | Windows Components\Desktop App Installer | Enable App Installer Hash Override | Controls whether or not the Windows Package Manager can be configured to enable the ability to override the SHA256 security validation in settings. |
| Machine | Windows Components\Desktop App Installer | Enable App Installer Local Manifest Files | Controls whether users can install packages with local manifest files. |
| Machine | Windows Components\Desktop App Installer | Enable App Installer Microsoft Store Source | Controls the Microsoft Store source included with the Windows Package Manager. |
| Machine | Windows Components\Desktop App Installer | Enable App Installer ms-appinstaller protocol | Controls whether users can install packages from a website that is using the ms-appinstaller protocol. |
| Machine | Windows Components\Desktop App Installer | Enable App Installer Settings | Controls whether users can change their settings. |
| Machine | Windows Components\Desktop App Installer | Set App Installer Source Auto Update Interval In Minutes | Controls the auto-update interval for package-based sources. |
| Machine | Windows Components\File Explorer | Turn off files from Office.com in the Quick Access view | Turning off files from Office.com will prevent File Explorer from requesting recent cloud file metadata and displaying it in the Quick Access view. |
| Machine | Windows Components\Human Presence | Force Instant Dim | Determines whether Attention Based Display Dimming is forced on/off by the MDM policy. |
| Machine | Windows Components\Internet Explorer | Disable HTML Application | Specifies if running the HTML Application (HTA file) is blocked or allowed. |
| Machine | Windows Components\Internet Explorer | Enable global window list in Internet Explorer mode | Allows Internet Explorer mode to use the global window list that enables sharing state with other applications. The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. |
| Machine | Windows Components\Internet Explorer | Reset zoom to default for HTML dialogs in Internet Explorer mode | Lets admins reset the zoom to default for HTML dialogs in Internet Explorer mode. |
| Machine | Windows Components\Internet Explorer\Security Features\Add-on Management | Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects | Turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. |
| Machine | Windows Components\Microsoft account | Only allow device authentication for the Microsoft Account Sign-In Assistant | Determines whether to only allow enterprise device authentication for the Microsoft Account Sign-in Assistant service (wlidsvc). |
| Machine | Windows Components\Microsoft Defender Antivirus | Control whether or not exclusions are visible to Local Admins. | Controls whether or not exclusions are visible to Local Admins. |
| Machine | Windows Components\Microsoft Defender Antivirus | Select the channel for Microsoft Defender daily security intelligence updates | Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. |
| Machine | Windows Components\Microsoft Defender Antivirus | Select the channel for Microsoft Defender monthly engine updates | Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. |
| Machine | Windows Components\Microsoft Defender Antivirus | Select the channel for Microsoft Defender monthly platform updates | Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. |
| Machine | Windows Components\Microsoft Defender Antivirus\Device Control | Define Device Control evidence data remote location | Defines evidence file remote location where Device Control service will move evidence data captured. |
| Machine | Windows Components\Microsoft Defender Antivirus\Device Control | Select Device Control Default Enforcement Policy | Default Allow: Choosing this default enforcement will allow any operations to occur on the attached devices if no policy rules are found to match. |
| Machine | Windows Components\Microsoft Defender Antivirus\Features | Device Control | Enable or Disable Defender Device Control on this machine. |
| Machine | Windows Components\Microsoft Defender Antivirus\MpEngine | Disable gradual rollout of Microsoft Defender updates. | Enable this policy to disable the gradual rollout of Defender updates. |
| Machine | Windows Components\Microsoft Defender Antivirus\Reporting | Configure time interval for service health reports | Configures the time interval (in minutes) for the service health reports to be sent from endpoints. |
| Machine | Windows Components\Microsoft Defender Antivirus\Scan | CPU throttling type | Determines whether the maximum percentage of CPU utilization permitted during a scan applies only to scheduled scans or to both scheduled and custom scans. |
| Machine | Windows Components\Microsoft Edge | Suppress the display of Edge Deprecation Notification | Configure Microsoft Edge to suppress the display of the notification that informs users that support of this version of Microsoft Edge ended on March 9th, 2021. |
| Machine | Windows Components\Remote Desktop Services\Remote Desktop Connection Client | Disable Cloud Clipboard integration for server-to-client data transfer | Lets you control whether data transferred from the remote session to the client using clipboard redirection is added to the client-side Cloud Clipboard. |
| Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection | Do not allow WebAuthn redirection | Lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. |
| Machine | Windows Components\Search | Allow search highlights | Disabling this setting turns off search highlights in the start menu search box and in search home. |
| Machine | Windows Components\Search | Fully disable Search UI | If you enable this policy the Search UI will be disabled along with all its entry points such as keyboard shortcuts, touchpad gestures, and type-to-search in the Start menu. |
| Machine | Windows Components\Sync your settings | Do not sync accessibility settings | Prevent the “accessibility” group from syncing to and from this PC. |
| Machine | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | Notify Malicious | Determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they enter their work or school credentials into a flagged website or portal. |
| Machine | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | Notify Password Reuse | Determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they reuse their work or school password. |
| Machine | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | Notify Unsafe App | Determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school credentials in an unsafe app. |
| Machine | Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection | Service Enabled | Determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen is in audit mode or off. |
| Machine | Windows Components\Windows Hello for Business | Enable ESS with Supported Peripherals | Enhanced Sign-in Security isolates Windows Hello biometric (face and fingerprint) template data and matching operations to trusted hardware or specified memory regions, meaning the rest of the operating system cannot access or tamper with them. |
| User | Start Menu and Taskbar | Hide the TaskView button | Allows you to hide the TaskView button. If you enable this policy setting the TaskView button will be hidden and the Settings toggle will be disabled. |
| User | Start Menu and Taskbar | Remove Quick Settings | Removes Quick Settings from the bottom right area on the taskbar. |
| User | Start Menu and Taskbar | Remove Recommended section from Start Menu | Allows you to prevent the Start Menu from displaying a list of recommended applications and files. |
| User | Windows Components\Internet Explorer | Disable HTML Application | Specifies if running the HTML Application (HTA file) is blocked or allowed. |
| User | Windows Components\Internet Explorer | Enable global window list in Internet Explorer mode | Allows Internet Explorer mode to use the global window list that enables sharing state with other applications. The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. |
| User | Windows Components\Internet Explorer | Reset zoom to default for HTML dialogs in Internet Explorer mode | Lets admins reset the zoom to default for HTML dialogs in Internet Explorer mode. |
| User | Windows Components\Internet Explorer\Security Features\Add-on Management | Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects | Turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. |
| User | Windows Components\Microsoft Edge | Suppress the display of Edge Deprecation Notification | Configure Microsoft Edge to suppress the display of the notification that informs users that support of this version of Microsoft Edge ended on March 9th, 2021. |

Policies added after installing Windows 11 22H2 ADMX

To read more about all of the group policies and their paths, you can download the reference spreadsheet here: Download Windows 11 22H2 ADMX reference spreadsheet [754 KB]
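To see what an installed template actually defines, the following added example (not from the original article or from Microsoft) reads ADMX files and lists each policy's scope, display name and the registry key it writes to. `Get-AdmxPolicy` is a hypothetical helper name, and the demo template with its Contoso key is constructed sample input; on a real machine, point `-Path` at `%SystemRoot%\PolicyDefinitions`, the standard local template folder.

```powershell
function Get-AdmxPolicy {
    param(
        [Parameter(Mandatory)] [string] $Path,   # folder holding the *.admx files
        [string] $Culture = 'en-US'              # subfolder holding the matching *.adml string tables
    )
    foreach ($admx in Get-ChildItem -LiteralPath $Path -Filter '*.admx') {
        $doc = New-Object System.Xml.XmlDocument
        $doc.XmlResolver = $null                 # do not resolve external DTDs or entities
        $doc.Load($admx.FullName)
        # Build an id -> text map from the ADML file, if one exists for this culture.
        $strings = @{}
        $adml = Join-Path (Join-Path $Path $Culture) ($admx.BaseName + '.adml')
        if (Test-Path -LiteralPath $adml) {
            $res = New-Object System.Xml.XmlDocument
            $res.XmlResolver = $null
            $res.Load($adml)
            foreach ($s in $res.SelectNodes("//*[local-name()='stringTable']/*[local-name()='string']")) {
                $strings[$s.GetAttribute('id')] = $s.InnerText.Trim()
            }
        }
        foreach ($p in $doc.SelectNodes("//*[local-name()='policies']/*[local-name()='policy']")) {
            # displayName has the form $(string.SomeId); resolve it through the string table.
            $display = $p.GetAttribute('displayName')
            if ($display -match '^\$\(string\.(.+)\)$' -and $strings.ContainsKey($Matches[1])) {
                $display = $strings[$Matches[1]]
            }
            [pscustomobject]@{
                File        = $admx.Name
                Class       = $p.GetAttribute('class')       # Machine, User or Both
                Policy      = $display
                RegistryKey = $p.GetAttribute('key')
                ValueName   = $p.GetAttribute('valueName')   # may be empty when values live in <elements>
            }
        }
    }
}

# Constructed sample template pair (not a Microsoft file) so the function can be tried offline.
$root = Join-Path ([IO.Path]::GetTempPath()) 'AdmxDemo'
New-Item -ItemType Directory -Path (Join-Path $root 'en-US') -Force | Out-Null
@'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="DemoSetting" class="Machine" displayName="$(string.DemoSetting)" key="Software\Policies\Contoso\Demo" valueName="Enabled" />
  </policies>
</policyDefinitions>
'@ | Set-Content -LiteralPath (Join-Path $root 'demo.admx') -Encoding UTF8
@'
<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <resources><stringTable><string id="DemoSetting">Constructed demo policy</string></stringTable></resources>
</policyDefinitionResources>
'@ | Set-Content -LiteralPath (Join-Path $root 'en-US\demo.adml') -Encoding UTF8

Get-AdmxPolicy -Path $root | Format-Table -AutoSize
```

Knowing the registry key behind a policy makes it possible to confirm on an endpoint that a setting configured in Group Policy has actually been applied.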

How to Uninstall Administrative Templates (ADMX)

If you are not comfortable with these templates, or they are causing issues with your work or computer, you can simply uninstall them using these steps:

The ADMX and all installed Group Policies will now be removed from your computer.

Closing Thoughts

As mentioned earlier, each operating system version from Microsoft comes with its own set of Administrative Templates that are built around the features and needs of that particular version. Therefore, we recommend that you install the ADMX specifically designed for your OS version. Moreover, these templates only make your system more secure if they are configured correctly; installing them alone won’t make much of a difference. This is why we suggest that you take a hard look at the table provided above, understand what each of these new policies is for, and configure them accordingly.

Also see:

- Download and Install Administrative Templates (ADMX) For Windows 11 21H2 & 22H2
- Download and Install Administrative (ADMX) Templates for Windows 10 November 2021 (21H2) Update
- Windows 10 22H2 Add-Ons For IT Pros
- Download And Install Administrative (Admx) Templates for Windows 10 Version 2004
- Download Windows 11 22H2 (2022 Update) Security Baseline