Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Network access: Restrict anonymous enumeration of SAM accounts and shares
Restricts anonymous SAM and share enumeration. Setting to 2 requires authentication for enumeration. Critical for MSPs blocking reconnaissance attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Restrict anonymous access to shares
Blocks anonymous share enumeration and access. Setting to 1 requires authentication. Essential for MSPs protecting file shares.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure color scheme
Sets system color scheme company-wide. Enforces accessibility standards and visual consistency.
User Configuration > Policies > Administrative Templates > Desktop > Personalization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Restrict Run dialog access
Disables Run dialog (Win+R). Setting to 1 hides the dialog. Essential for MSPs preventing command execution on locked-down kiosk systems.
User Configuration > Administrative Templates > System
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable Command Prompt
Disables Command Prompt completely. Setting to 2 disables for all users. Critical for MSPs preventing script execution and system administration.
User Configuration > Administrative Templates > System
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Let Everyone permissions apply to anonymous users
Controls if Everyone group includes anonymous users. Keep at 0 to deny anonymous access. Critical for preventing NULL session resource access.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Named Pipes that can be accessed anonymously
Lists named pipes accessible via NULL sessions. MSPs keep empty to prevent WMI and RPC attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Restrict Control Panel access
Restricts Control Panel access to specific applets. Setting to 1 limits available options. MSPs use this to prevent users from changing system settings.
User Configuration > Administrative Templates > Control Panel
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Hide notification area icons
Hides system tray notification area. Setting to 1 simplifies taskbar. MSPs use on kiosk systems to reduce user confusion.
User Configuration > Administrative Templates > Start Menu and Taskbar
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Model for local account authentication
Controls guest account remote login. Setting to 1 prevents blank password authentication. Critical for MSPs preventing guest account abuse.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Restrict anonymous access to Named Pipes
Blocks NULL session connections to named pipes. Setting to 1 requires authentication. Critical for MSPs preventing WMIEXEC and admin$ enumeration.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Do not allow anonymous enumeration of computer accounts
Prevents anonymous enumeration of computer accounts. Setting to 1 blocks computer discovery. MSPs use this to prevent reconnaissance.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Remotely accessible registry paths and sub-paths
Specifies registry subtrees remotely accessible. MSPs restrict to prevent remote registry enumeration attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Shares that can be accessed anonymously
Lists shares accessible via NULL sessions. MSPs keep empty to prevent anonymous data access and discovery.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure DNS client settings
Sets DNS suffix search list for internal domain resolution. Enables seamless access to internal resources.
Computer Configuration > Policies > Administrative Templates > Network > DNS Client
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Remotely accessible registry paths
Specifies registry paths remotely accessible. MSPs restrict to only necessary paths to prevent information disclosure.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Insecure guest logons
Allows insecure guest authentication. Setting to 0 requires secure auth. Critical for MSPs preventing credential relay attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable popup blocker
Enables IE popup blocker to prevent malicious popups. Standard security baseline for MSP-managed client environments.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure SmartScreen for phishing detection
Enables real-time SmartScreen filter for phishing and malware detection. Critical security control for protecting client data and credentials.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Phishing Filter
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Compatibility View for intranet sites
Automatically enables compatibility mode for intranet sites. Required for legacy LOB applications not compatible with modern IE rendering.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Compatibility View
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Restrict file download security warnings
Controls file download validation and warnings. Prevents users from bypassing security checks on downloaded files.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure security zones for trusted sites
Adds sites to trusted security zone with relaxed restrictions. Essential for MSP support of internal LOB applications requiring specific security context.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure proxy server settings
Sets centralized proxy configuration for internet traffic. Enables MSPs to enforce corporate proxy and content filtering policies.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Application Guard for Edge
Enables Application Guard isolated browsing for Microsoft Edge. Protects against malicious websites by isolating them in containers.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
