Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Allow Basic Authentication (WinRM Client)
When set to Disabled, prevents the WinRM client from using Basic authentication.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Client
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow Unencrypted Traffic (WinRM Service)
When set to Disabled, prevents the WinRM service from sending or receiving unencrypted traffic.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Service
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow Basic Authentication (WinRM Service)
Basic authentication sends credentials base64-encoded (effectively plaintext). Should be disabled.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Service
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Do Not Allow Drive Redirection
Prevents local drives from being mapped in RDP sessions. Reduces data exfiltration risk.
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disallow Digest Authentication
Digest authentication sends credentials in a format that can be cracked offline.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Client
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Remove Access to Use All Windows Update Features
Prevents users from accessing Windows Update directly. Forces use of WSUS.
Computer Configuration > Administrative Templates > Windows Components > Windows Update
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow Print Spooler to Accept Client Connections
Disabling this mitigates PrintNightmare (CVE-2021-1675) by preventing remote access to the spooler.
Computer Configuration > Administrative Templates > Printers
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Limits Print Driver Installation to Administrators
Prevents non-admins from installing printer drivers. Mitigates PrintNightmare.
Computer Configuration > Administrative Templates > Printers
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Specify Intranet Microsoft Update Service Location
Points clients to an internal WSUS server instead of Windows Update.
Computer Configuration > Administrative Templates > Windows Components > Windows Update
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Redirection Guard
Protects against printer driver redirection attacks.
Computer Configuration > Administrative Templates > Printers
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Turn On Recommended Updates via Automatic Updates
Includes recommended (non-critical) updates in automatic update downloads.
Computer Configuration > Administrative Templates > Windows Components > Windows Update
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Turn Off App Notifications on the Lock Screen
Prevents toast notifications from appearing on the lock screen.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Specify Deadline for Automatic Updates and Restarts
Sets a deadline after which updates are automatically installed and the device restarts.
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Turn on Module Logging
Logs PowerShell module activity. Generates event 4103. Required for PowerShell auditing.
Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent Changing Screen Saver
Prevents users from changing screen saver settings.
User Configuration > Administrative Templates > Control Panel > Personalization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Do Not Allow Web Search
Prevents Windows Search from sending queries to the web.
Computer Configuration > Administrative Templates > Windows Components > Search
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Turn on Script Execution
Controls the PowerShell execution policy. RemoteSigned requires remote scripts to be signed.
Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Turn on PowerShell Transcription
Records all PowerShell input and output to a transcript file.
Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Turn Off Picture Password Sign-In
Disables picture password authentication on domain systems.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Screen Saver
Enables the screen saver. Required for screen saver timeout policies to apply.
User Configuration > Administrative Templates > Control Panel > Personalization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network Access: Restrict Clients Allowed to Make Remote Calls to SAM
Restricts remote SAM enumeration to Administrators only. Prevents tools like BloodHound from enumerating accounts remotely.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Turn on PowerShell Script Block Logging
Logs the full content of all PowerShell script blocks. Generates event 4104. Critical for threat detection.
Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Turn Off Windows PowerShell 2.0
PowerShell 2.0 does not support logging or AMSI. Attackers use it to bypass PowerShell 5 security controls. Disable it via Windows Features.
Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Maximum System Log Size
Sets the maximum size of the System event log.
Computer Configuration > Windows Settings > Security Settings > Event Log
Supported on Windows 10, Windows 11, Windows Server 2016 and later