
Group Policy Reference

A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.

What is a Group Policy?

A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.

Admin Tpl · Computer

Allow Cortana

Enables or disables Cortana. Disabling reduces cloud data transmission.

Computer Configuration > Administrative Templates > Windows Components > Search

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Do Not Process the Legacy Run List

Prevents programs in the HKCU Run key from launching at logon.

Computer Configuration > Administrative Templates > System > Logon

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · User

Force Specific Screen Saver

Forces a specific screen saver. Use blank for performance.

User Configuration > Administrative Templates > Control Panel > Personalization

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · User

Password Protect the Screen Saver

Requires a password to unlock from the screen saver.

User Configuration > Administrative Templates > Control Panel > Personalization

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · User

Screen Saver Timeout

Time in seconds before the screen saver activates.

User Configuration > Administrative Templates > Control Panel > Personalization

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Configure LSA Protection

Runs LSA as a protected process (PPL). Prevents credential dumping tools like Mimikatz from accessing LSASS memory.

Computer Configuration > Administrative Templates > System > Local Security Authority

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Turn Off Smart Multi-Homed Name Resolution

Disables parallel DNS queries to multiple interfaces. Prevents DNS leakage.

Computer Configuration > Administrative Templates > Network > DNS Client

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

WDigest Authentication

WDigest stores credentials in plaintext in memory. Must be disabled to prevent Mimikatz cleartext credential harvesting.

Computer Configuration > Administrative Templates > MS Security Guide

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Prohibit Installation and Configuration of Network Bridge

Prevents users from creating network bridges that could bypass security controls.

Computer Configuration > Administrative Templates > Network > Network Connections

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Configure NetBIOS Settings

Disabling NetBIOS prevents NetBIOS name poisoning attacks. Set via DHCP option 001 or registry.

Computer Configuration > Administrative Templates > Network > DNS Client

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Do Not Allow Windows Hello for Business PIN

Controls Windows Hello for Business. Enable to deploy phishing-resistant authentication.

Computer Configuration > Administrative Templates > System > Logon

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Microsoft Network Client: Digitally Sign Communications (Always)

Requires SMB signing on the client side. Prevents SMB relay attacks.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Configure Password Manager

Controls the built-in Edge password manager. Disable if using a dedicated password manager.

Computer Configuration > Administrative Templates > Microsoft Edge

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

DNS Client: Turn Off Multicast Name Resolution (LLMNR)

Disables LLMNR. Prevents LLMNR poisoning attacks used by Responder.

Computer Configuration > Administrative Templates > Network > DNS Client

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Prohibit Use of Internet Connection Sharing on DNS Domain Network

Prevents users from enabling Internet Connection Sharing.

Computer Configuration > Administrative Templates > Network > Network Connections

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Turn Off Windows Location Provider

Disables the Windows location provider.

Computer Configuration > Administrative Templates > Windows Components > Location and Sensors > Windows Location Provider

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Limit the Sync App Download Speed to a Fixed Rate

Limits OneDrive sync bandwidth to prevent saturation of network links.

Computer Configuration > Administrative Templates > OneDrive

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Do Not Show Feedback Notifications

Disables Windows feedback prompts.

Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · User

Do Not Keep History of Recently Opened Documents

Prevents Windows from tracking recently opened files.

User Configuration > Administrative Templates > Start Menu and Taskbar

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network Security: Restrict NTLM: Incoming NTLM Traffic

Blocks incoming NTLM authentication requests. Use after auditing to avoid breaking legacy apps.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Maximum System Log Size

Sets the maximum size of the System event log.

Computer Configuration > Windows Settings > Security Settings > Event Log

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Page 3 of 15 · 355 policies