Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Block execution of potentially unsafe macros
Blocks all macros without notification. Prevents malware execution via Office documents. Critical for MSP-managed environments handling untrusted documents.
User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > Trust Center
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Trusted Locations for Office files
Designates safe locations where Office files execute without security warnings. Reduces helpdesk tickets for legitimate business documents while maintaining security posture.
User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > Trust Center > Trusted Locations
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Office update channel configuration
Sets Office to Semi-Annual Channel for stability. Allows MSPs to control update timing and avoid disruptive auto-updates during business hours.
Computer Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Updates
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable all add-ins except approved list
Prevents unauthorized Office add-ins that could exfiltrate data or inject malware. Essential for compliance in regulated industries.
User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > Trust Center > Add-in Management
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Block external content in Office
Prevents automatic loading of images, videos, and linked content from external sources. Blocks tracking pixels and reduces phishing effectiveness.
User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > External Content
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Windows Installer logging
Logs all MSI activities to %temp%\msi*.log for troubleshooting. Critical for MSPs supporting software deployment issues remotely.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Restrict user control over patches
Prevents users from uninstalling security patches. Maintains security compliance and prevents rollback of critical updates.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
OneDrive Known Folder Move
Automatically migrates Documents, Desktop, and Pictures to OneDrive. Simplifies backup strategy and enables remote work for MSP-managed devices.
Computer Configuration > Policies > Administrative Templates > OneDrive
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Set Safe Mode for repairs and patches
Enables repair and minor update operations without user interaction. Reduces support calls for simple application updates.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Outlook cached exchange mode retention
Controls how many days of mail are cached offline. Reduces mailbox size while maintaining offline access for mobile and remote workers.
User Configuration > Policies > Administrative Templates > Microsoft Outlook 2016 > Outlook Options > Synchronization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Apply transforms during MSI installation
Automatically applies customization transforms to all MSI installations. Ensures consistent configuration across managed deployments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable PowerPoint Show file execution
Blocks automatic execution of .pps and .ppsx files which bypass safety controls. Reduces attack surface for presentation-based malware.
User Configuration > Policies > Administrative Templates > Microsoft PowerPoint 2016 > Security
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Limit user control during installation
Restricts user choices during MSI installation to basic UI only. Prevents users from selecting options that could break deployment standards.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable Outlook external sharing
Forces calendar sharing through SharePoint instead of direct exports. Prevents accidental disclosure of sensitive schedule information.
User Configuration > Policies > Administrative Templates > Microsoft Outlook 2016 > Security
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Hide error dialogs during installation
Suppresses installation dialogs and error messages for silent deployments. Essential for unattended imaging and large-scale rollouts.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Always install with elevated privileges
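Allows standard users to install MSI packages with system privileges. Simplifies software deployment in managed environments without requiring user elevation. Because any MSI a standard user runs is then installed with system privileges, enabling it is equivalent to granting those users administrative rights on the machine.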
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable Windows Installer
Can completely disable MSI execution. Set to 0 for MSP environments to maintain compatibility, or use with care for kiosk-type deployments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Block OLE object execution in Office
Blocks embedded objects (DLLs, executables) in Office documents. Prevents common malware delivery vector used in targeted attacks.
User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > OLE
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Require PIN for Office password reset
Adds second factor to password reset process. Prevents account takeover even if primary credentials are compromised.
User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > Authentication
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Cache entire MSI on local drive
Ensures full MSI source is cached locally for repairs and reinstalls. Prevents need for network access during future operations.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable per-user MSI installations
Forces all MSI installations to be per-machine only. Prevents fragmented software deployments and simplifies license management.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable automatic Store app updates
Requires manual approval for Store app updates. Allows MSPs to control update timing and test compatibility before deployment.
Computer Configuration > Policies > Administrative Templates > Windows Components > Store
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Block non-Store applications
Restricts execution to Store apps only. Enforces security policy for highly restricted environments like kiosks or healthcare facilities.
Computer Configuration > Policies > Windows Components > App Package Deployment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Maximum System Log Size
Sets the maximum size of the System event log.
Computer Configuration > Windows Settings > Security Settings > Event Log
Supported on Windows 10, Windows 11, Windows Server 2016 and later
