Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Remote Assistance: Maximum Ticket Time
Limits how long a Remote Assistance invitation remains valid. Minimize to reduce the exposure window.
Computer Configuration > Administrative Templates > System > Remote Assistance
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Local Admin Password Management
Enables LAPS to manage the local Administrator account password. Prevents lateral movement via shared local admin passwords.
Computer Configuration > Administrative Templates > System > LAPS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Password Age (LAPS)
Sets how often LAPS rotates the local admin password.
Computer Configuration > Administrative Templates > System > LAPS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Remove Access to the Context Menus for the Taskbar
Disables right-clicking on the taskbar.
User Configuration > Administrative Templates > Start Menu and Taskbar
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Name of Administrator Account to Manage (LAPS)
Specifies which local admin account LAPS manages. Pair with a renamed Administrator account.
Computer Configuration > Administrative Templates > System > LAPS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prohibit Changes to Display Settings
Prevents users from changing display settings.
User Configuration > Administrative Templates > Control Panel > Display
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable detailed MSI patch logging
Logs patch installation details separately. Helps MSPs troubleshoot update failures and compatibility issues.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Let Apps Access the Camera
Controls whether apps can access the camera. A value of 2 blocks all app camera access.
Computer Configuration > Administrative Templates > Windows Components > App Privacy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure WSUS server for DO updates
Mode 3 enables local server caching for enterprises using WSUS. Integrates DO with existing update infrastructure.
Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Let Apps Access the Microphone
Controls whether apps can access the microphone.
Computer Configuration > Administrative Templates > Windows Components > App Privacy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Group Policy Slow Link Detection Threshold
Link speed below which GP skips certain processing (scripts, folder redirection). Adjust for remote/branch office environments.
Computer Configuration > Administrative Templates > System > Group Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Default: Not configured
Controls whether apps can access account name, picture, and other account info.
Recommended: 2 (Force Deny)
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Default: Not configured
Prevents apps from reading diagnostic data about other apps.
Recommended: 2 (Force Deny)
Supported on Windows 10, Windows 11, Windows Server 2016 and later
WinRM Service: Allow CredSSP Authentication
CredSSP delegation passes full credentials to remote hosts. Disable unless required; prefer Kerberos constrained delegation.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
Supported on Windows 10, Windows 11, Windows Server 2016 and later
User Group Policy Loopback Processing Mode
Applies computer-scope user policies regardless of who logs on. Use Replace mode on kiosks and RDS servers.
Computer Configuration > Administrative Templates > System > Group Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Always Wait for the Network at Startup and Logon
Forces synchronous GP processing at startup and logon. Ensures policies are fully applied before the user desktop loads.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Offer Remote Assistance
Prevents helpers from offering remote assistance without user request. Disabling prevents unsolicited remote control.
Computer Configuration > Administrative Templates > System > Remote Assistance
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Registry Policy Processing: Process Even if Not Changed
Forces GPO registry settings to be reapplied on every refresh even if unchanged. Prevents tampering from persisting through GP refresh.
Computer Configuration > Administrative Templates > System > Group Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Security Policy Processing: Process Even if Not Changed
Forces security settings to be reapplied every GP refresh cycle. Critical for security baseline enforcement.
Computer Configuration > Administrative Templates > System > Group Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Solicited Remote Assistance
Controls whether users can request remote assistance. If enabled, restrict helpers and set a short maximum ticket time.
Computer Configuration > Administrative Templates > System > Remote Assistance
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow Remote Shell Access (WinRM)
Controls whether remote PowerShell shells are permitted. Disable if remote management is handled through other means.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Shell
Supported on Windows 10, Windows 11, Windows Server 2016 and later
WinRM Client: Allow CredSSP Authentication
Prevents the WinRM client from using CredSSP. CredSSP exposes credentials to remote systems and risks credential theft.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Protected View for all document types
Opens potentially risky Office documents in read-only sandboxed mode. Reduces exploit surface for zero-day vulnerabilities in Office.
User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > Protected View
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Maximum System Log Size
Sets the maximum size of the System event log.
Computer Configuration > Windows Settings > Security Settings > Event Log
Supported on Windows 10, Windows 11, Windows Server 2016 and later
