Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Control microphone access in Application Guard
Blocks microphone access from Application Guard. Prevents unauthorized audio recording of sensitive discussions.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Prevent users from changing security zone settings
Locks down security zone configuration preventing user modification. Enforces MSP security policies on client workstations.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable changing proxy settings
Prevents users from modifying proxy configuration. Ensures consistent network traffic routing in MSP environments.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Connection Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure Enterprise Mode site list
Applies enterprise mode to specified sites for legacy application compatibility. Critical for supporting older internal web applications.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Compatibility View
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable managing certificate stores
Prevents users from managing SSL certificates. Protects certificate infrastructure in secured MSP environments.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable IPv6
Disables IPv6 protocol if not needed in legacy environments. Reduces protocol overhead and attack surface on IPv4-only networks.
Computer Configuration > Policies > Administrative Templates > Network > TCP/IP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable mDNS (Multicast DNS)
Disables multicast DNS resolution for simplification and security in managed networks. Reduces protocol complexity.
Computer Configuration > Policies > Administrative Templates > Network > mDNS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure SNMP service binding
Determines RFC 1156 compliance for SNMP agent. Enable for standard SNMP monitoring tool compatibility.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable LLMNR protocol
Disables Link-Local Multicast Name Resolution to prevent name spoofing attacks. Important security hardening for MSP clients.
Computer Configuration > Policies > Administrative Templates > Network > DNS Client
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure intranet zone sites
Defines which sites are treated as intranet for security zone purposes. Enables lower security restrictions for trusted internal resources.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable script debugging
Disables script debugging functionality to reduce attack surface. Prevents users from inspecting or modifying active scripts.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure permitted SNMP managers
Specifies IP addresses or hostnames of SNMP management systems allowed to query this device. Restricts SNMP access in MSP monitoring environments.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure SNMP community strings
Sets SNMP community strings for authentication. MSPs should use strong, rotated community strings for security.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure IPv6 transition technologies
Controls IPv6 transition mechanism behavior. Manages coexistence between IPv4 and IPv6 in mixed-mode networks.
Computer Configuration > Policies > Administrative Templates > Network > TCP/IP > IPv6 Transition
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure WPAD settings
Controls Web Proxy Auto-Discovery protocol. Disable to prevent automatic proxy configuration from DHCP/DNS.
Computer Configuration > Policies > Administrative Templates > Network > Web Proxy Auto-Discovery
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure NetBIOS over TCP/IP
Sets NetBIOS mode (enabled, disabled, or DHCP configured). Disable in modern networks; keep for legacy SMB protocols.
Computer Configuration > Policies > Administrative Templates > Network > NetBIOS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure SNMP sysContact and sysLocation
Sets system contact and location information for SNMP queries. Helps identify devices in MSP monitoring dashboards.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Control camera access in Application Guard
Blocks camera access from Application Guard. Prevents unauthorized video capture of sensitive information.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure Application Guard audit logging
Enables detailed logging of Application Guard activities. Critical for compliance and security investigation in MSP environments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Allow Windows Sandbox networking
Enables network access from Sandbox for testing networked applications. Disable for isolated testing scenarios.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Sandbox
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Enable Windows Sandbox
Enables isolated sandbox environment for testing untrusted applications. Valuable for MSPs testing patches and software before deployment.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Sandbox
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure network isolation for Application Guard
Isolates Application Guard network traffic from host network. Prevents untrusted sites from accessing internal resources.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Require secure SNMP authentication
Sends authentication failure traps for invalid SNMP access attempts. Enables security monitoring of SNMP access.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Allow clipboard sharing in Application Guard
Controls clipboard access between Application Guard and host. Limited access reduces data exfiltration risk.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →