Microsoft has released the Administrative Templates, also known as ADMX, for Windows 11 21H2 and Windows 11 22H2 (2022 Update). Although this release does not specifically target version 22H2, it can still be applied to it.
As with every new version of Windows, Windows 11 comes with its own set of administrative templates. If you have already upgraded to Windows 11, you can download and install these templates on your PC using the guide given below.
Administrative Templates give you more control over your computer, or over an entire domain of computers if you are a sysadmin working with Active Directory. Each policy you apply gives you finer control over the devices it covers.
These templates are compatible with the following operating systems:
- Windows 11, 10, 8, 8.1, and 7.
- Windows Server 2022, 2019, 2016, 2012, 2012 R2, 2008 R2.
What’s New in Administrative Templates for Windows 11
ADMX Templates are available for download in the following languages:
- cs-CZ Czech – Czech Republic
- da-DK Danish – Denmark
- de-DE German – Germany
- el-GR Greek – Greece
- en-US English – United States
- es-ES Spanish – Spain
- fi-FI Finnish – Finland
- fr-FR French – France
- hu-HU Hungarian – Hungary
- it-IT Italian – Italy
- ja-JP Japanese – Japan
- ko-KR Korean – Korea
- nb-NO Norwegian (Bokmål) – Norway
- nl-NL Dutch – The Netherlands
- pl-PL Polish – Poland
- pt-BR Portuguese – Brazil
- pt-PT Portuguese – Portugal
- ru-RU Russian – Russia
- sv-SE Swedish – Sweden
- tr-TR Turkish – Turkey
- zh-CN Chinese – China
- zh-TW Chinese – Taiwan
However, the News and Interests template is currently available only in English. Microsoft says it will republish the templates once more languages are supported for that template.
The following Group Policy settings are added to the OS with these ADMX templates:
Location | Policy Path | Policy Setting Name |
--- | --- | --- |
Machine | Control Panel\Personalization | Prevent lock screen background motion |
Machine | Control Panel\Regional and Language Options | Restrict Language Pack and Language Feature Installation |
Machine | MS Security Guide | Limits print driver installation to Administrators |
Machine | Network\DNS Client | Configure DNS over HTTPS (DoH) name resolution |
Machine | Printers | Enable Device Control Printing Restrictions |
Machine | Printers | List of Approved USB-connected print devices |
Machine | Start Menu and Taskbar | Show or hide the “Most used” list from the Start menu |
Machine | Start Menu and Taskbar\Notifications | Enables group policy for the WNS FQDN |
Machine | System\Device Installation\Device Installation Restrictions | Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria |
Machine | System\Filesystem\NTFS | Enable NTFS non-paged pool usage |
Machine | System\Filesystem\NTFS | NTFS default tier |
Machine | System\Filesystem\NTFS | NTFS parallel flush threshold |
Machine | System\Filesystem\NTFS | NTFS parallel flush worker threads |
Machine | System\Kerberos | Allow retrieving the cloud Kerberos ticket during the logon |
Machine | System\Net Logon\DC Locator DNS Records | Use lowercase DNS hostnames when registering domain controller SRV records |
Machine | System\Security Account Manager | Configure validation of ROCA-vulnerable WHfB keys during authentication |
Machine | Windows Components\App Package Deployment | Archive infrequently used apps |
Machine | Windows Components\App Package Deployment | Not allow sideloaded apps to auto-update in the background |
Machine | Windows Components\App Package Deployment | Not allow sideloaded apps to auto-update in the background on a metered network |
Machine | Windows Components\App Privacy | Allow Windows apps to take screenshots of various windows or displays |
Machine | Windows Components\App Privacy | Allow Windows apps to turn off the screenshot border |
Machine | Windows Components\Chat | Configure the Chat icon on the taskbar |
Machine | Windows Components\Cloud Content | Turn off cloud consumer account state content |
Machine | Windows Components\Data Collection and Preview Builds | Disable OneSettings Downloads |
Machine | Windows Components\Data Collection and Preview Builds | Enable OneSettings Audit |
Machine | Windows Components\Data Collection and Preview Builds | Limit Diagnostic Log Collection |
Machine | Windows Components\Data Collection and Preview Builds | Limit Dump Collection |
Machine | Windows Components\Human Presence | Force Instant Lock |
Machine | Windows Components\Human Presence | Force Instant Wake |
Machine | Windows Components\Human Presence | Lock Timeout |
Machine | Windows Components\Internet Explorer | Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC. |
Machine | Windows Components\Microsoft Defender Antivirus | Configure scheduled task times randomization window |
Machine | Windows Components\Microsoft Defender Antivirus | Define the directory path to copy support log files |
Machine | Windows Components\Microsoft Defender Antivirus\Device Control | Define device control policy groups |
Machine | Windows Components\Microsoft Defender Antivirus\Device Control | Define device control policy rules |
Machine | Windows Components\Microsoft Defender Antivirus\Exclusions | IP Address Exclusions |
Machine | Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection | This setting controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. |
Machine | Windows Components\Microsoft Defender Antivirus\Network Inspection System | This setting controls datagram processing for network protection. |
Machine | Windows Components\Microsoft Defender Antivirus\Real-time Protection | Turn on script scanning |
Machine | Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates | Allows Microsoft Defender Antivirus to update and communicate over a metered connection. |
Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection | Allow UI Automation redirection |
Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection | Do not allow location redirection |
Machine | Windows Components\Tenant Restrictions | Cloud Policy Details |
Machine | Windows Components\Widgets | Allow widgets |
Machine | Windows Components\Windows Hello for Business | Use cloud trust for on-premises authentication |
Machine | Windows Components\Windows Sandbox | Allow audio input in Windows Sandbox |
Machine | Windows Components\Windows Sandbox | Allow clipboard sharing with Windows Sandbox |
Machine | Windows Components\Windows Sandbox | Allow networking in Windows Sandbox |
Machine | Windows Components\Windows Sandbox | Allow printer sharing with Windows Sandbox |
Machine | Windows Components\Windows Sandbox | Allow vGPU sharing for Windows Sandbox |
Machine | Windows Components\Windows Sandbox | Allow video input in Windows Sandbox |
Machine | Windows Components\Windows Update\Manage updates offered by Windows Server Update Service. | Specify source services for specific classes of Windows Updates |
User | AutoSubscription | Enable auto-subscription |
User | Control Panel\Printers | Enable Device Control Printing Restrictions |
User | Control Panel\Printers | List of Approved USB-connected print devices |
User | Control Panel\Regional and Language Options | Restrict Language Pack and Language Feature Installation |
User | Start Menu and Taskbar | Show or hide the “Most used” list from the Start menu |
User | Windows Components\Cloud Content | Turn off Spotlight collection on Desktop |
User | Windows Components\IME | Configure Korean IME version |
User | Windows Components\Internet Explorer | Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC. |
You can download the complete Group Policy reference from here, or read about the new features here.
Download Administrative Templates for Windows 11 v21H2 & v22H2
There is no need to uninstall any previous version(s) of ADMX files already installed. Simply downloading and installing the new ADMX file will work.
Follow the guide below to download and install Administrative templates for Windows 11:
- Download the Administrative Templates for Windows 11 v21H2 [Size: 13.2 MB].
  You may also download Microsoft Security Compliance Toolkit that gives security administrators the ability to apply Group Policy Objects via a Domain Controller throughout an enterprise network.
- Run the downloaded .msi package by double-clicking it.
- The installation wizard will now open. Click Next.
- On the next screen, accept the terms by checking the box and click Next.
- Now select the installation location (which can be left as default) and click Next.
- On the confirmation screen, click Install.
- Windows 11 Administrative Templates will now be installed on your device. Click Finish when done.
You have now successfully installed the ADMX Templates. Head over to Microsoft’s download center to get more information about the Windows 11 Administrative Templates.
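A check you may want to run around the steps above, as an added example that is not part of the original article: verify the downloaded package's Authenticode signature before running it, then confirm that a few of the settings from the table appear in the installed en-US language files. Both paths are placeholders, and the choice of settings to look for is an assumption.

```powershell
# Added example, not from the article. Both paths are placeholders (assumptions):
$MsiPath    = 'C:\Temp\admx-package.msi'   # the .msi you downloaded
$InstallDir = 'C:\Temp\AdmxInstall'        # install location chosen in the wizard

# 1. Before running the package: require a valid Authenticode signature
#    whose signer is Microsoft, and record the file hash for your change log.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Signature check failed for $MsiPath (status: $($sig.Status))"
}
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"
Write-Host "SHA-256:   $((Get-FileHash -Path $MsiPath -Algorithm SHA256).Hash)"

# 2. After the wizard finishes: look for a few setting names from the table
#    in the en-US .adml language files (display names live in .adml, not .admx).
$expected = @(
    'Configure DNS over HTTPS (DoH) name resolution',
    'Turn on script scanning',
    'Allow networking in Windows Sandbox',
    'Allow clipboard sharing with Windows Sandbox'
)

$adml = Get-ChildItem -Path $InstallDir -Recurse -Filter '*.adml' |
        Where-Object { $_.Directory.Name -eq 'en-US' }
if (-not $adml) { throw "No en-US .adml files found under $InstallDir" }

foreach ($name in $expected) {
    # -SimpleMatch treats the name literally (it contains parentheses);
    # -List stops at the first hit in each file.
    $hit = $adml | Select-String -SimpleMatch -Pattern $name -List |
           Select-Object -First 1
    [pscustomobject]@{
        Setting = $name
        Found   = [bool]$hit
        File    = if ($hit) { Split-Path $hit.Path -Leaf } else { $null }
    }
}
```

A `Found = False` row means the display string was not located under the path you supplied; check the install location before concluding that the setting is missing.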
Closing words
This is the first version of the Administrative Templates designed for Windows 11. However, it is backward-compatible with Windows 7 as well. That said, Windows 11 version 22H2 has only recently been released, and we anticipate a dedicated ADMX package soon.
If you are a regular Windows consumer, installing these ADMX Templates will do you no harm. Rather, if you know what you are doing, they will only help you make your device more secure.