Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Restrict installation sources to managed locations
Restricts MSI source files to specified network paths. Prevents installation of unauthorized or malicious packages.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Set cache size on local drive
Controls percentage of disk space used for caching downloaded updates. Higher cache reduces redundant downloads from peer devices.
Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Set minimum peer connection delay
Devices must cache updates for 3 days minimum before sharing. Ensures stability and reduces troubleshooting from pushing untested updates.
Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Limit DO connections to specific network adapter
Restricts peer caching to wired connections only. Preserves mobile data for remote workers and prevents metering penalties.
Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable Microsoft Store completely
Removes Store access and prevents app installation from Store. Common in locked-down corporate environments to prevent unauthorized software.
Computer Configuration > Policies > Administrative Templates > Windows Components > Store
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure Delivery Optimization group ID
Groups devices for peer caching across office locations. Reduces bandwidth costs by allowing local P2P sharing between branch sites.
Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable peer caching over VPN
Blocks P2P sharing over VPN connections. Prevents updates from being uploaded across remote worker connections.
Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable Windows Update telemetry
Disables compatibility and usage data collection during updates. Required for HIPAA and GDPR compliance.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update for Business
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable Store app suggestions and notifications
Removes promotional content and update suggestions from Store. Reduces noise and prevents accidental installs of recommended apps.
Computer Configuration > Policies > Administrative Templates > Windows Components > Store
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable Store app background updates
Prevents Store apps from updating in background. Reduces unexpected bandwidth usage and system resource consumption.
Computer Configuration > Policies > Administrative Templates > Windows Components > Store
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Enable Automatic Updates through Windows Update for Business
Enables automatic update installation. Ensures all endpoints maintain current security patches.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Prevent sideloading of Store apps
Blocks installation of Store apps from external sources. Prevents trojanized app packages from compromising endpoints.
Computer Configuration > Policies > Administrative Templates > Windows Components > App Package Deployment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Set download mode for bandwidth management
Controls whether devices download from peers, Microsoft servers, or both. Setting to 2 (Group Download) reduces WAN bandwidth by caching updates locally.
Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Restrict peer connections to domain networks only
Limits peering to internal network only. Prevents sensitive updates from being downloaded via untrusted internet peers.
Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Restrict app installation to enterprise catalog
Routes Store access to managed business catalog. Enables controlled app distribution with licensing and compliance tracking.
Computer Configuration > Policies > Administrative Templates > Windows Components > Store
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Set expedited security update behavior
Allows emergency security updates to bypass deferral periods. Ensures critical zero-day patches deploy immediately.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update for Business
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Set maximum upload bandwidth as percentage
Limits upload bandwidth for P2P sharing to 20% of connection. Prevents DO from consuming all available bandwidth during business hours.
Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Force updates through Group Policy
Sets Windows Update to auto-download and schedule installation. Value 4 allows admin to choose install time.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Set update service to WSUS
Routes updates through internal WSUS server. Enables patch management control and reduces internet bandwidth consumption.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Set download mode for metered connections
Restricts downloading to Microsoft servers only when on metered networks. Prevents expensive data overages for mobile users.
Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Enable DO telemetry collection for monitoring
Allows Microsoft to collect DO efficiency metrics. Helps MSPs identify bandwidth savings and P2P effectiveness.
Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Set feature update deferral period
Delays major Windows updates by 180 days. Allows testing in lab environments before deploying to production client base.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update for Business
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Set maximum download bandwidth in MB/s
Limits download speed to 50 MB/s to prevent network saturation. Ensures business applications maintain performance during updates.
Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Maximum System Log Size
Sets the maximum size of the System event log.
Computer Configuration > Windows Settings > Security Settings > Event Log
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →