Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Set automatic reboot timeout after crash
Automatically reboots after critical failure. Reduces downtime for MSP production systems.
Computer Configuration > Administrative Templates > System > Startup and Recovery
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent access to Windows Recovery Environment
Controls access to WinRE for recovery operations. MSPs typically enable for legitimate troubleshooting.
Computer Configuration > Administrative Templates > System > Windows Recovery Environment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Set default disk quota limit
Establishes default 1GB quota per user. Allows MSPs to standardize storage allocation across organizations.
Computer Configuration > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Log event when quota limit exceeded
Logs critical events when quota is exceeded. Allows MSPs to track quota violations.
Computer Configuration > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Log event when quota threshold exceeded
Logs warning events when approaching quota. Enables MSP monitoring of disk usage patterns.
Computer Configuration > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow administrators to exceed quota limits
Exempts administrators from quota limits. Ensures MSP administrators can perform necessary operations.
Computer Configuration > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Let Everyone permissions apply to anonymous users
Controls whether anonymous users inherit Everyone permissions. Keep at 0 to deny anonymous access. Critical for MSPs preventing unauthenticated enumeration.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Deny disk space to users exceeding quota
Prevents writes when user exceeds quota. Strictly enforces storage limits for MSP-managed systems.
Computer Configuration > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
LDAP Signing: Negotiate signing
Enable LDAP clients to negotiate signing with servers. Setting to 1 enables negotiation, 2 requires it. Provides flexibility for gradual deployment across managed environments.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Domain Controller: LDAP server signing requirements
Enforce LDAP signing requirements on domain controllers to prevent man-in-the-middle attacks. Setting to 2 requires signing. Critical for MSPs securing client Active Directory environments from credential interception.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
LDAP client signing requirements
Configure client-side LDAP signing to negotiate signing with LDAP servers. Setting to 1 requires signing when available. Prevents credential theft in hybrid and cloud scenarios MSPs manage.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable changing desktop wallpaper
Prevents users from changing wallpaper. Setting to 1 enforces locked wallpaper. MSPs use for branding kiosk systems.
User Configuration > Administrative Templates > Desktop
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enforce desktop wallpaper
Sets company wallpaper across all managed desktops. Enforces brand consistency and corporate identity in MSP environments.
User Configuration > Policies > Administrative Templates > Desktop > Desktop
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Task Scheduler: Disable task deletion
Prevents non-administrators from deleting scheduled tasks. Setting to 1 disables deletion. MSPs use this to prevent tampering with security tasks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Extended Protection for Authentication: Require channel binding
Enforce Extended Protection for Authentication on LDAP connections. Prevents attackers from stealing LDAP credentials through man-in-the-middle attacks. Critical for MSPs managing sensitive client networks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
LDAP: Maximum concurrent connections
Limits concurrent LDAP connections to domain controllers. Set to 0 for unlimited. MSPs use this to prevent DoS attacks on directory services during client migrations and queries.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
LDAP over SSL/TLS requirement
Enables LDAP over SSL/TLS on domain controllers. Standard port 636 encrypts all LDAP traffic. Essential for MSPs securing directory queries over untrusted networks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Restrict anonymous access to Named Pipes and Shares
Blocks NULL session access to named pipes and shares. Setting to 1 enforces authentication. Critical for MSPs preventing share enumeration attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
LDAP: Enable referral chasing
Controls LDAP referral chasing behavior. Setting to 0 disables automatic referral following. MSPs disable this to prevent information disclosure and credential exposure.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network Access: UNC Hardened Access (domain systems)
Restricts anonymous NULL session access to UNC paths. Setting to 1 requires authentication. Essential for MSPs blocking WMIEXEC and similar attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Insecure guest logons
Allows insecure guest authentication to SMB servers. Setting to 0 requires secure authentication. Critical for MSPs preventing credential relay on legacy networks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Microsoft network server: Digitally sign communications (always)
Requires SMB signing on all connections. Setting to 1 enforces signing. Essential for MSPs preventing man-in-the-middle attacks on SMB shares.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: SMB Encryption
Enforces SMB encryption. Value 3 requires encryption for all connections. Critical for MSPs protecting sensitive data in transit on SMB shares.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: Disable SMBv1
Disables legacy SMBv1 protocol. Setting to 0 completely disables SMBv1. Critical for MSPs eliminating WannaCry/NotPetya attack vectors from client networks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
