Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Configure CRL timeout settings
Sets timeout in seconds for CRL retrieval attempts. Balances validation accuracy with network performance.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Revocation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent changing lock screen image
Prevents users from modifying lock screen. Ensures security messages and company information remain visible.
Computer Configuration > Policies > Administrative Templates > Windows Components > Personalization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure printing behavior in Application Guard
Disables printing from Application Guard to prevent document leakage. Balances usability with security requirements.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow file downloads in Application Guard
Controls file download permissions in Application Guard. Disable downloads to prevent malicious file execution on host.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Windows Sandbox audio support
Disables audio input in sandbox environment. Prevents audio recording and reduces complexity in test environments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Sandbox
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Application Guard graphics virtualization
Enables GPU virtualization in Application Guard for improved performance. Requires compatible graphics hardware.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Windows Sandbox video capture
Disables video input in sandbox to prevent camera access in isolated test environments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Sandbox
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable CRL checking for certificate validation
Checks Certificate Revocation Lists to validate revoked certificates. Critical for preventing compromised certificate usage.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Revocation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable certificate auto-renewal
Automatically renews certificates before expiration. Prevents certificate expiration outages in production environments.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable certificate auto-enrollment
Automatically enrolls computers for certificates from enterprise PKI. Simplifies certificate lifecycle management in MSP environments.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure certificate path validation
Enables full validation of certificate chains. Ensures certificate trust chain integrity for all SSL connections.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure default File Explorer folder view
Sets default folder view to Details for all users. Provides consistent and detailed file information display.
User Configuration > Policies > Administrative Templates > Windows Components > File Explorer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure trusted root CA distribution
Distributes trusted root certificates to managed computers. Essential for SSL/TLS verification of internal and partner services.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure OCSP settings for certificate validation
Enables Online Certificate Status Protocol for real-time revocation checking. More efficient than CRL for high-volume environments.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Revocation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable weak SSL/TLS protocols
Disables SSL 2.0, SSL 3.0, and TLS 1.0 to enforce modern TLS versions. Essential security hardening for modern environments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enforce certificate pinning for specific domains
Pins specific certificates to domains to prevent MITM attacks. Protects users from certificate hijacking attacks.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Require strong certificate key length
Sets minimum RSA key length for certificate validation. Modern default of 2048 bits prevents weak certificate acceptance.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Cryptography Settings
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure OCSP responder URL
Specifies custom OCSP responder for certificate status checking. Enables private PKI environments with dedicated OCSP infrastructure.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Revocation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure certificate signature algorithms
Restricts accepted certificate signature algorithms to modern standards. Prevents downgrade attacks to weak algorithms.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Cryptography Settings
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow user certificate installation
Prevents user installation of untrusted certificates. Enforces centralized certificate management in MSP-controlled environments.
User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent users from changing wallpaper
Locks wallpaper to prevent user modifications. Maintains corporate branding and desktop consistency.
User Configuration > Policies > Administrative Templates > Desktop > Desktop
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent theme changes
Locks theme selection preventing user modifications. Enforces consistent visual appearance across organization.
User Configuration > Policies > Administrative Templates > Desktop > Personalization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable desktop cleanup
Disables desktop cleanup wizard to prevent accidental file removal. Protects user files on shared or kiosk devices.
User Configuration > Policies > Administrative Templates > Desktop > Desktop Cleanup Wizard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enforce lock screen image
Sets company lock screen image on all devices. Displays corporate messaging and security information at logon screen.
Computer Configuration > Policies > Administrative Templates > Windows Components > Personalization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
