So, Windows 10 22H2 is finally out. And it includes…well…um…just what exactly?
First, remember that this fall brings two 22H2 releases: one for Windows 11, one for Windows 10. While Windows 11 22H2 has a lot of changes (such as File Explorer tabs, which just rolled out), Windows 10 22H2 is, in the words of Microsoft, a much more “scoped” release “focused on quality improvements to the overall Windows experience in existing feature areas such as quality, productivity, and security.”
I went in search of what’s included in the latest feature release for Windows 10, starting with a look into changes such as group policy.
There are only a handful of new group policies in Windows 10 22H2, ranging from adjustments in the browser to protections for printing and remote desktop sessions to local administrator lockout settings.
Here are the details:
- ADMX policy: Disable HTML Application. Scope: Machine. Path: Windows Components\Internet Explorer
This setting specifies whether running the HTML Application (HTA file) is blocked or allowed. If you enable this policy, running the HTML Application (HTA file) will be blocked. If you disable or do not configure it, running the HTML Application (HTA file) is allowed.
- ADMX policy: Disable HTML Application. Scope: User. Path: Windows Components\Internet Explorer
This setting specifies whether running the HTML Application (HTA file) is blocked or allowed. If you enable this policy, running the HTML Application (HTA file) will be blocked. If you disable or do not configure it, running the HTML Application (HTA file) is allowed.
- ADMX policy: Configure Redirection Guard. Scope: Machine. Path: Printers
This determines whether Redirection Guard is enabled for the print spooler. You can enable this setting to configure the Redirection Guard policy so it’s applied to the spooler. If you disable or do not configure it, Redirection Guard will default to being enabled. If you enable this setting you can select one of the following options:
  1. Enabled: Redirection Guard will prevent any file redirections from being followed.
  2. Disabled: Redirection Guard will not be enabled and file redirections may be used within the spooler process.
  3. Audit: Redirection Guard will log events as though it were enabled, but will not actually prevent file redirections from being used within the spooler.
- ADMX policy: Do not allow WebAuthn redirection. Scope: Machine. Path: Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection
This policy lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, a security key, or other). By default, Remote Desktop allows redirection of WebAuthn requests. If you enable this policy setting, users can't use their local authenticator inside the Remote Desktop session. If you disable or do not configure this policy setting, users can use local authenticators inside the Remote Desktop session.
- ADMX policy: Control whether or not exclusions are visible to Local Admins. Scope: Machine. Path: Windows Components\Microsoft Defender Antivirus
This setting controls whether exclusions are visible to Local Admins. For end users (who are not Local Admins), exclusions are not visible whether or not this setting is enabled. Disabled (default): If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security app or via PowerShell. Enabled: If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app or via PowerShell.
Note: Applying this setting will not remove exclusions; it will only prevent them from being visible to Local Admins. This is reflected in Get-MpPreference.
Even the new recommended settings in the Windows 10 22H2 security baseline are not unique to Windows 10 22H2. One of the recommended settings includes changes to the administrator account. As noted in the baseline, “a new policy Allow Administrator account lockout, located under Security Settings\Account Policies\Account Lockout Policy is added to mitigate brute-force authentication attacks.” Note: any version of Windows that has the October security updates installed will have this change. (Microsoft has even added this setting to Windows releases going back to Windows 7 through its extended security update program.)
The main thing the 22H2 release brings is an extension to the life cycle for Windows 10. Windows 10 22H2 Home and Pro editions will receive 18 months of servicing, while Enterprise and Education editions will get 30 months.
Currently 22H2 is available for Windows 10 seekers, those that go to Windows update and click on “check for updates.” If you’re on Windows 10 20H2 or newer, it will be a fast update. But if you’re running an earlier version of Windows 10, it will take longer — if that’s the case, here’s what I recommend.
First, check to see whether your video card drivers and firmware are up to date. Whether you use Windows 10 or 11, these releases go smoother with updated drivers and software. Next, use the Windows 10 ISO download page to leapfrog your way to 22H2 once it’s deemed fully supported for all computers. Check the “Update now” link for what you need.
If you want to control when the 22H2 release gets installed on your system, there are several tools to help. You can use InControl from GRC to select the exact feature release you want. Alternatively, you can use the registry keys I’ve posted here to select the exact version of Windows 10 to install.
If you’ve deployed these registry keys, keep in mind that the IT settings for Windows Software Update Services and Intune will override your deferrals. Conversely, if you as the IT admin don’t approve the Windows 10 22H2 enablement package in your patching tool, your systems won’t be offered the update.
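As an added example (not the author’s posted keys, and not Microsoft’s code), the script below pins a Windows 10 PC to a chosen feature release and reports whether a WSUS-style policy is present that would take precedence over the pin. It assumes the documented Windows Update policy values ProductVersion, TargetReleaseVersion and TargetReleaseVersionInfo under the WindowsUpdate policy key, and the WUServer/UseWUServer values for a managed update server; compare these with the keys the author links before deploying, and run it elevated since it writes to HKLM.

```powershell
# Added example: pin the feature release and check whether a managed update
# server (WSUS/Intune-style policy) would override the pin. Requires admin rights.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'   # assumed policy key
$VersionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-CurrentFeatureRelease {
    # DisplayVersion (e.g. 21H2) exists from 20H2 onward; older builds only carry ReleaseId (e.g. 2004).
    $v = Get-ItemProperty -Path $VersionKey
    if ($v.DisplayVersion) { return $v.DisplayVersion }
    return $v.ReleaseId
}

function Set-TargetFeatureRelease {
    param(
        # Accepts the new naming (22H2) or the older four-digit naming (2004).
        [Parameter(Mandatory)][ValidatePattern('^\d{2}H[12]$|^\d{4}$')][string]$Release
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # The three values together tell Windows Update to stay on the named release.
    New-ItemProperty -Path $PolicyKey -Name ProductVersion -Value 'Windows 10' -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name TargetReleaseVersion -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name TargetReleaseVersionInfo -Value $Release -PropertyType String -Force | Out-Null
}

function Get-FeatureReleasePin {
    $p  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction SilentlyContinue
    $pinned = $null
    if ($p.TargetReleaseVersion -eq 1) { $pinned = $p.TargetReleaseVersionInfo }
    # When a managed update server is configured, its approvals decide what is offered,
    # so the local pin is informational only.
    $managed = [bool]($au.UseWUServer -eq 1 -and $p.WUServer)
    [pscustomobject]@{
        CurrentRelease = Get-CurrentFeatureRelease
        PinnedRelease  = $pinned
        ManagedServer  = $managed
        UpdateServer   = $p.WUServer
    }
}

Set-TargetFeatureRelease -Release '22H2'
Get-FeatureReleasePin
```

Remove the three pin values (or set TargetReleaseVersion to 0) once you are ready to let the machine move on to the next release.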
Bottom line: Windows 10 22H2 has few changes and should be a minor feature upgrade that causes few issues. I will probably be approving it for release sooner rather than later.