Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Use OneDrive Files On-Demand
Enables Files On-Demand so files appear in File Explorer without being downloaded.
Computer Configuration > Administrative Templates > OneDrive
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Tape Drives: Deny All Access
Blocks tape drive access.
Computer Configuration > Administrative Templates > System > Removable Storage Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Maximum Security Log Size
Sets the maximum size of the Security event log. Small logs get overwritten during incidents.
Computer Configuration > Windows Settings > Security Settings > Event Log
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Retention Method for Security Log
Controls what happens when the security log is full. Overwriting destroys forensic evidence.
Computer Configuration > Windows Settings > Security Settings > Event Log
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Maximum Application Log Size
Sets the maximum size of the Application event log.
Computer Configuration > Windows Settings > Security Settings > Event Log
Supported on Windows 10, Windows 11, Windows Server 2016 and later
CD and DVD: Deny Write Access
Prevents burning to CD/DVD drives.
Computer Configuration > Administrative Templates > System > Removable Storage Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
All Removable Storage Classes: Deny All Access
Blocks all removable storage devices including USB drives, CDs, and floppies.
Computer Configuration > Administrative Templates > System > Removable Storage Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Always Prompt for Password Upon Connection
Prevents saved credentials from being used to auto-connect via RDP.
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Removable Disks: Deny Write Access
Prevents writing to USB flash drives and removable disks. Stops data exfiltration via USB.
Computer Configuration > Administrative Templates > System > Removable Storage Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
CD and DVD: Deny Read Access
Prevents reading from CD/DVD drives.
Computer Configuration > Administrative Templates > System > Removable Storage Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Removable Disks: Deny Read Access
Prevents reading from USB flash drives and removable disks.
Computer Configuration > Administrative Templates > System > Removable Storage Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Turn Off AutoPlay
Disables AutoPlay for all drives including USB. Prevents autorun-based malware.
Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Set the Default Behavior for AutoRun
Prevents AutoRun commands from executing when media is inserted.
Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow Remote Server Management Through WinRM
Enables WinRM for remote management. Should be restricted to management subnets via IP filter.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Service
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disallow AutoPlay for Non-Volume Devices
Disables AutoPlay for devices like cameras and phones that are not volume devices.
Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow Users to Connect Remotely Using Remote Desktop Services
Master switch for allowing inbound RDP connections.
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Require Network Level Authentication for Remote Connections
Requires NLA before establishing a full RDP session. Reduces exposure of the login screen.
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Set Time Limit for Active but Idle Sessions
Disconnects idle RDP sessions after the specified time.
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Require Use of Specific Security Layer for Remote Desktop Connections
Enforces TLS for RDP connections. Prevents downgrade attacks.
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Point and Print Restrictions
Controls whether users get UAC prompts when installing drivers via Point and Print.
Computer Configuration > Administrative Templates > Printers
Supported on Windows 10, Windows 11, Windows Server 2016 and later
No Auto-Restart with Logged-On Users
Prevents automatic restart while users are logged in.
Computer Configuration > Administrative Templates > Windows Components > Windows Update
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Automatic Updates
Controls how Windows Update downloads and installs updates. Value 4 is the standard managed setting.
Computer Configuration > Administrative Templates > Windows Components > Windows Update
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Set Time Limit for Disconnected Sessions
Terminates disconnected RDP sessions after a set period.
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Maximum System Log Size
Sets the maximum size of the System event log.
Computer Configuration > Windows Settings > Security Settings > Event Log
Supported on Windows 10, Windows 11, Windows Server 2016 and later
