diff --git a/roles/grafana/templates/grafana.ini.j2 b/roles/grafana/templates/grafana.ini.j2
index e0103243ade4cefb0b9f4675e24e64258b16f6b0..2afddce5feea335188a82603d5de289fd0fcec08 100644
--- a/roles/grafana/templates/grafana.ini.j2
+++ b/roles/grafana/templates/grafana.ini.j2
@@ -222,6 +222,12 @@ admin_user = admin
 # used for signing
 secret_key = {{ vault_grafana_secret_key }}
 
+# current key provider used for envelope encryption, default to static value specified by secret_key
+;encryption_provider = secretKey
+
+# list of configured key providers, space separated (Enterprise only): e.g., awskms.v1 azurekv.v1
+;available_encryption_providers =
+
 # disable gravatar profile images
 ;disable_gravatar = false
 
@@ -243,7 +249,6 @@ cookie_samesite = strict
 # Set to true if you want to enable http strict transport security (HSTS) response header.
 # This is only sent when HTTPS is enabled in this configuration.
 # HSTS tells browsers that the site should only be accessed using HTTPS.
-# The default version will change to true in the next minor release, 6.3.
 strict_transport_security = true
 
 # Sets how long a browser should cache HSTS. Only applied if strict_transport_security is enabled.
@@ -507,6 +512,7 @@ role_attribute_strict = true
 ;tls_client_cert =
 ;tls_client_key =
 ;tls_client_ca =
+;use_pkce = false
 {% endif %}
 
 #################################### Basic Auth ##########################
@@ -719,7 +725,7 @@ mode = syslog
 enabled = true
 
 # Comma-separated list of organization IDs for which to disable unified alerting. Only supported if unified alerting is enabled.
-;disabled_orgs = 
+;disabled_orgs =
 
 # Specify the frequency of polling for admin config changes.
 # The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
@@ -940,14 +946,16 @@ enabled = false
 ;disable_sanitize_html = false
 
 [plugins]
-enable_alpha = true
+;enable_alpha = false
 ;app_tls_skip_verify_insecure = false
 # Enter a comma-separated list of plugin identifiers to identify plugins to load even if they are unsigned. Plugins with modified signatures are never loaded.
 ;allow_loading_unsigned_plugins =
-# Enable or disable installing plugins directly from within Grafana.
+# Enable or disable installing / uninstalling / updating plugins directly from within Grafana.
 ;plugin_admin_enabled = false
 ;plugin_admin_external_manage_enabled = false
 ;plugin_catalog_url = https://grafana.com/grafana/plugins/
+# Enter a comma-separated list of plugin identifiers to hide in the plugin catalog.
+;plugin_catalog_hidden_plugins =
 
 #################################### Grafana Live ##########################################
 [live]
@@ -1013,12 +1021,14 @@ enable_alpha = true
 # Mode 'reusable' will have one browser instance and will create a new incognito page on each request.
 ;rendering_mode =
 
-# When rendering_mode = clustered you can instruct how many browsers or incognito pages can execute concurrently. Default is 'browser'
+# When rendering_mode = clustered, you can instruct how many browsers or incognito pages can execute concurrently. Default is 'browser'
 # and will cluster using browser instances.
 # Mode 'context' will cluster using incognito pages.
 ;rendering_clustering_mode =
-# When rendering_mode = clustered you can define maximum number of browser instances/incognito pages that can execute concurrently..
+# When rendering_mode = clustered, you can define the maximum number of browser instances/incognito pages that can execute concurrently. Default is '5'.
 ;rendering_clustering_max_concurrency =
+# When rendering_mode = clustered, you can specify the duration a rendering request can take before it will time out. Default is `30` seconds.
+;rendering_clustering_timeout =
 
 # Limit the maximum viewport width, height and device scale factor that can be requested.
 ;rendering_viewport_max_width =
@@ -1061,3 +1071,16 @@ enable_alpha = true
 [expressions]
 # Enable or disable the expressions functionality.
 ;enabled = true
+
+[geomap]
+# Set the JSON configuration for the default basemap
+;default_baselayer_config = `{
+;  "type": "xyz",
+;  "config": {
+;    "attribution": "Open street map",
+;    "url": "https://tile.openstreetmap.org/{z}/{x}/{y}.png"
+;  }
+;}`
+
+# Enable or disable loading other base map layers
+;enable_custom_baselayers = true