Microsoft released Windows 10 22H2 just a while ago. This is the only feature update for the Windows 10 operating system this year. As with every Microsoft OS release, this feature update applies to all Windows 10 editions.
Alongside the release of this feature update, Microsoft also publishes advanced tools for IT professionals, which include the following:
- Security Baseline
- Administrative Templates
- Windows Assessment and Deployment Kit (ADK)
Moreover, you can also use Windows 10 22H2 Enterprise edition which is targeted at Windows-oriented companies that need to get the most out of their computers.
If you are a sysadmin, you can download all of these add-ons and professional tools for Windows 10 22H2 from this post directly.
Download Windows 10 22H2 (2022 Update) Security Baseline
A Security Baseline is an additional set of security enhancements that can be added to the original security protocols already in place in Windows. This is especially useful for companies and organizations that prefer to take more control of their virtual security.
If you are a system administrator, installing a Security Baseline on a Windows 10 computer will add additional options to the Group Policy so you can control and push those settings to other devices on the entire network.
The Windows 10 22H2 Security Baseline has been released as a component of Microsoft Security Compliance Toolkit 1.0. Even so, you can download only the security baseline. Here are the steps to do so:
- Open the Microsoft Security Compliance Toolkit page and click Download.
- Check the box next to “Windows 10 version 22H2 Security Baseline.zip” and click Next.
- Windows 10 22H2 Security Baseline will now download. Since it is only 1.2 MB, it should be downloaded instantly. Once downloaded, extract the content of the zip file to a folder.
- Now navigate to the extracted folder and open the Scripts sub-folder. Here you will find 3 PowerShell ISE files. Right-click “Baseline-LocalInstall” then click Run with PowerShell from the context menu.
- The scripts will now run automatically. Wait for the PowerShell window to close on its own.
Windows 10 22H2 Security Baseline will be installed successfully.
Let us now see what changes this baseline introduces for Windows 10.
New in Windows 10 22H2 Security Baseline
Improvement to Printers
- Support for RedirectionGuard is added to the print service.
  RedirectionGuard is a security measure that prevents non-administratively created redirection primitives from being followed within a given process. The setting Configure Redirection Guard is now Enabled by default as part of the baseline.
- Manage processing of queue-specific files is now Enabled.
  Manage processing of queue-specific files (also called CopyFilesPolicy) was first introduced as a registry key in response to CVE-2021-36958 in September of 2021. This setting allows standard color profile processing using the inbox mscms.dll executable and nothing else.
  The security baseline is to configure this setting to Enabled with the option of “Limit queue-specific files to color profiles.” For Windows 10, version 22H2 this setting is not yet available natively, so Microsoft has created the setting and added it to SecGuide.ADMX.
- Limit print driver installation to Administrators.
  This policy was introduced to the security baselines as part of the SecGuide.ADMX before an inbox policy was available. This policy is now contained within the OS, and the MS Security Guide setting is deprecated.
  However, since both settings write to the same location, the configured values still appear in both locations. The explanatory text in the MS Security Guide is updated to point users to the new location.
- Configure RPC packet level privacy setting for incoming connections.
  This policy is now added to SecGuide.ADMX as a result of CVE-2021-1678 and is set to Enabled by default as part of the baseline. The work of creating and deploying registry keys is now included in the security baseline until the setting becomes inbox to Windows.
These policies can be found at the following location within the Group Policy editor:
Computer Configuration >> Administrative Templates >> Printers
Credential Theft Protection
Additional Local Security Authority (LSA) protection provides defense by running LSA as a protected process. LSA protection was first introduced in the Windows 8.1 security baseline, as part of the original Pass-the-Hash mitigations. At this time the security baseline will move MS Security Guide\LSA Protection to a value of Enabled.
This policy can be found at the following location within the Group Policy editor:
Computer Configuration >> Administrative Templates >> System >> Local Security Authority
Attack Surface Reduction
A new rule, Block abuse of exploited vulnerable signed drivers, is now included in the operating system baselines as part of the Microsoft Defender Antivirus GPO. This rule applies across both client and server and helps prevent an application from writing a vulnerable signed driver to disk.
This policy can be found at the following location within the Group Policy editor:
Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus
Account Lockout Policies
A new policy Allow Administrator account lockout is added to mitigate brute-force authentication attacks. The recommended values for the policies Account lockout duration and Reset account lockout counter after are adjusted to be consistent with the defaults for out-of-the-box Windows installations.
This policy can be found at the following location within the Group Policy editor:
Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policies
Other Security Enhancements
A mismatch between the security baseline documentation and the accompanying Group Policy for Microsoft Defender Antivirus settings has been corrected with this release.
The documentation stated that Turn on behavior monitoring should be set to Enabled, but the actual GPO remained in a Not Configured state.
This policy can be found at the following location within the Group Policy editor:
Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Real-time Protection
You can read more about these improvements in the Windows 11 22H2 Security Baseline Release Notes.
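To confirm that the settings described in this section actually landed after running Baseline-LocalInstall, the registry values behind them can be read back. The script below is an added example, not part of the baseline package or of Microsoft's scripts; the registry paths and value names come from Microsoft's documentation for each policy rather than from this article, so check them against the spreadsheet shipped with the baseline.

```powershell
# Added example: read back the registry values behind the baseline settings above.
# Paths and value names are from Microsoft's policy documentation, not this article.
$printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$defender = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$checks = @(
    @{ Setting = 'Configure Redirection Guard'
       Path = $printers; Name = 'RedirectionguardPolicy'; Expected = 1 }
    @{ Setting = 'Manage processing of queue-specific files'
       Path = $printers; Name = 'CopyFilesPolicy'; Expected = 1 }
    @{ Setting = 'Limit print driver installation to Administrators'
       Path = "$printers\PointAndPrint"
       Name = 'RestrictDriverInstallationToAdministrators'; Expected = 1 }
    @{ Setting = 'Configure RPC packet level privacy setting for incoming connections'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
       Name = 'RpcAuthnLevelPrivacyEnabled'; Expected = 1 }
    @{ Setting = 'LSA Protection'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RunAsPPL'; Expected = 1 }
    # ASR rules are stored as <rule GUID> = "1" (Block); this GUID identifies the
    # "Block abuse of exploited vulnerable signed drivers" rule.
    @{ Setting = 'Block abuse of exploited vulnerable signed drivers'
       Path = "$defender\Windows Defender Exploit Guard\ASR\Rules"
       Name = '56a863a9-875e-4185-98a7-b882c64b5ce5'; Expected = 1 }
    # This is a "Disable..." value, so Enabled in the GPO corresponds to 0 here.
    @{ Setting = 'Turn on behavior monitoring'
       Path = "$defender\Real-Time Protection"
       Name = 'DisableBehaviorMonitoring'; Expected = 0 }
)

$results = foreach ($c in $checks) {
    # A missing key or value means the policy was never written on this machine.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { $null }
    [pscustomobject]@{
        Setting   = $c.Setting
        Expected  = $c.Expected
        Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
        # Compare as strings: ASR rule states are REG_SZ, the rest are REG_DWORD.
        Compliant = ($null -ne $actual) -and ("$actual" -eq "$($c.Expected)")
    }
}

$results | Format-Table -AutoSize -Wrap
$failed = @($results | Where-Object { -not $_.Compliant }).Count
Write-Output "$failed of $($results.Count) checked settings differ from the baseline."
```

A value reported as `<not set>` usually means the baseline GPO was not applied to this machine, or that the policy refresh has not yet run.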
Download Windows 10 22H2 (2022 Update) Administrative Templates (ADMX)
Administrative Templates give you more control over your computer, or an entire domain of computers if you are a sysadmin connected to an Active Directory. This allows you to gain more control over each device as you apply more policies, making them more secure and less vulnerable to exploits.
The Windows 10 22H2 ADMX is backward and forward-compatible, so it can also be installed on the following operating systems:
- Windows 11 (all versions)
- Windows 10 (all versions)
- Windows 8 & 8.1
- Windows 7
- Windows Server (2019, 2016, 2012 R2, 2012, 2008)
Installing these administrative templates will add more Group Policies for you to configure. Continue below to download and install them.
- Download the Administrative Templates for Windows 10 v22H2 [Size: 13.1 MB]
- Execute the downloaded .msi package by double-clicking it.
- The installation wizard will now open. Click Next.
- On the next screen, accept the terms by checking the box and clicking Next.
- Now select the installation location (which can be left as default) and click Next.
- On the confirmation screen, click Install.
- Windows 10 22H2 Administrative Templates will now be installed on your device. Click Finish when done.
You have now successfully installed the ADMX Templates. Head over to Microsoft’s download center to get more information about the Windows 10 22H2 Administrative Templates or install it in another language.
New in Windows 10 22H2 Administrative Templates
Several computer and user configuration options have been added to the Group Policy settings with these templates. The table below lists the new policies that will be added upon installing the Windows 10 22H2 ADMX:
Applies to | Policy Location | Policy Name | Description |
--- | --- | --- | --- |
Machine | MS Security Guide | Configure RPC packet level privacy setting for incoming connections | Controls whether packet level privacy is enabled for RPC for incoming connections. By default, packet-level privacy is enabled for RPC for incoming connections. |
Machine | MS Security Guide | Manage processing of Queue-specific files | Manages how Queue-specific files are processed during printer installation. At printer installation time a vendor-supplied installation application can specify a set of files of any type to be associated with a particular print queue. The files are downloaded to each client that connects to the print server. |
Machine | Printers | Configure Redirection Guard | Determines whether Redirection Guard is enabled for the print spooler. |
Machine | Start Menu and Taskbar | Show or hide “Most used” list from Start menu | Configure the Start menu to show or hide the list of users’ most used apps regardless of user settings. Selecting “Show” will force the “Most used” list to be shown and the user cannot change to hide it using the Settings app. |
Machine | Windows Components\Internet Explorer | Enable global window list in Internet Explorer mode | Allows Internet Explorer mode to use the global window list that enables sharing state with other applications. The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. |
Machine | Windows Components\Internet Explorer | Hide Internet Explorer 11 retirement notification | Allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default, the Notification bar is displayed in Internet Explorer 11. |
Machine | Windows Components\Microsoft Defender Antivirus | Control whether or not exclusions are visible to Local Admins. | Controls whether or not exclusions are visible to Local Admins. For end users (that are not Local Admins) exclusions are not visible whether or not this setting is enabled. |
Machine | Windows Components\Search | Allow search highlights | Disabling this setting turns off search highlights in the taskbar search box and in the search home. Enabling or Not Configuring this setting turns on search highlights in the taskbar search box and in the search home. |
Machine | Windows Components\Tenant Restrictions | Cloud Policy Details | Enables and configures the device-based tenant restrictions feature for Azure Active Directory. |
User | AutoSubscription | Enable auto-subscription | Controls the list of URLs that the user should be auto-subscribed to |
User | Start Menu and Taskbar | Show or hide “Most used” list from Start menu | Configure the Start menu to show or hide the list of users’ most used apps regardless of user settings. Selecting “Show” will force the “Most used” list to be shown and the user cannot change to hide it using the Settings app. Selecting “Hide” will force the “Most used” list to be hidden and the user cannot change it to show it using the Settings app. |
User | Start Menu and Taskbar\Notifications | Turn on multiple expanded toast notifications in action center | Turns on multiple expanded toast notifications in the action center. |
User | Windows Components\Internet Explorer | Enable global window list in Internet Explorer mode | Allows Internet Explorer mode to use the global window list that enables sharing state with other applications. The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. |
User | Windows Components\Internet Explorer | Hide Internet Explorer 11 retirement notification | Allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default, the Notification bar is displayed in Internet Explorer 11. |
To read more about all of the group policies and their paths, you can download the references spreadsheet here:
Download Windows 10 22H2 ADMX reference spreadsheet [735 KB]
How to Uninstall Administrative Templates (ADMX)
If you are not comfortable with these templates, or they are causing issues with your work or computer, you can simply uninstall them using these steps:
- Open the Programs and Features applet by typing in appwiz.cpl in the Run Command box.
- Here, look for the Administrative Templates you want to remove, right-click it, and then click Uninstall.
- When asked for confirmation, click Yes.
The ADMX and all installed Group Policies will now be removed from your computer.
Download Windows 10 22H2 (2022 Update) ADK
Microsoft Windows Assessment and Deployment Kit (ADK) is a collection of tools that you can combine to prepare, assess and launch image-based large-scale Windows deployments. These tools are also used to test the operating system’s quality and performance, as well as the applications running on it.
Windows ADK can be deployed on a broad range of devices, such as desktops, notebooks, Internet of Things (IoT) devices, etc. This toolkit works across platforms that work with devices with and without screens.
The tools available in Windows ADK have varied through the years, but currently they include the following:
- Windows System Image Manager
- Windows Preinstallation Environment (WinPE)
- Deployment Image Servicing and Management tool (DISM)
Click on the respective link below to download either Windows ADK or WinPE for Windows 10 22H2:
Download Windows ADK for Windows 10 version 22H2
Download Windows Preinstallation Environment for Windows 10 version 22H2
How to Install Windows ADK
After downloading, you can continue to install it on your PC using these steps:
Note: You will need to uninstall any previous installation of Windows ADK, if already installed, through the Programs and Features applet.
- Download Windows ADK for Windows 10 22H2 from the link given above.
- Run adksetup.exe to start the installation.
- The Windows ADK installation wizard will now launch. Here, select the first option (Install the Windows Assessment and Deployment Kit – Windows 10 to this computer) and then click Next.
- Now select either Yes or No for Windows kits privacy and click Next.
- Accept the license agreement.
- Windows ADK has different tools that you can install. Select the tools you want to install from the wizard and click Install.
- Your installation will now begin. When completed, close the wizard.
Closing Words
The administrative tools given in this post will help IT professionals keep their own and their enterprise’s systems more secure and away from threats.
Each of these components, including the Enterprise edition ISO, plays its role in securing your computer and the environment around you. We hope that you found this article useful and found what you were looking for.