MicrosoftDFR_21 : they're under Security Settings, not under Administrative Templates, so they aren't represented in any ADMX. They will appear in the UI only on Windows machines that support those new settings. They show up in security template files (e.g., GptTmpl.inf) with lines like these:
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorEnhancedAdmin=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\TypeOfAdminApprovalMode=4,2
There's no such thing as "SecEdit.admx." You might be thinking of MS Security Guide (SecGuide.admx/l), which is downloadable with the Security Compliance Toolkit baselines (https://aka.ms/sct), but again, that doesn't cover Security Settings.
AaronMargosis_Tanium,
I can see this in options in GptTmpl.inf
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorEnhancedAdmin=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\TypeOfAdminApprovalMode=4,2
just as you mentioned, how can I change these values? I can’t find them in the Group Policy Management Editor. I updated my central store with the 24H2 policy definitions, but the options still don’t appear under Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options. I want to disable them.
Copying in the policy definition updates affects only those items under Administrative Templates. To see the updated settings under Security Settings, you need to be running Win11 24H2 or WS2025.
Or you can just delete them from the GptTmpl.inf using Notepad.
AaronMargosis_Tanium
thank you for your answers and help
So I am running DC - Win Server 2019, and some devices have W11 24H2, and some are still old 23H2.
I wanted to update security baseline policies on DC for the new 24H2-> I downloaded the policies, updated GPO Central Store with new ADMX templates, and imported new 24H2 Baseline policies GPOs. Now when comparing our previous 23H2 and 24H2 GPO with policy analyzer, there is this difference, that the options that we are talking about here are enabled.
I want to disable them, but the Policy is not appearing in the Group Policy Management Editor on the Domain Controller.
I tried to simply remove it manually using notepad from GptTmpl.inf, but it keeps coming back when some change to GPO is being made.
After your advice, I checked Local Group Policy from a colleague's 24H2 device, that is getting the templates from GPO Central Store, and it is indeed showing the Policy in his Local Group Policy Editor.
Why I cannot see the option on Domain Controller, where I am setting up the GPO?
You saying I need to upgrade my DC to WS2025, in order to see this setting there? Is this behaviour somewhere described on MS docu ?
As a workaround, maybe I can try to open GPMC from W11 24H2 device, and connect to DC, and change the setting like that? Hmm
