Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Set quality update deferral period
Delays security patches by 14 days for early compatibility testing. Balances security against stability in critical infrastructure.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update for Business
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure active hours for updates
Sets when users are actively working (9 AM - 5 PM). Updates install outside these hours to minimize user disruption.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update for Business
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Set restart deadline for feature updates
Forces restart 14 days after update availability if user has ignored notifications. Prevents perpetually unpatched systems.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update for Business
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable automatic restart after updates
Prevents automatic reboot while users are logged in. Allows scheduling restarts during maintenance windows.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable peer updates over metered connections
Prevents update downloads over metered networks. Protects mobile users from unexpected data charges.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update for Business
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure deadline grace period
Provides 2-day grace period after deadline before forced restart. Balances compliance with user scheduling flexibility.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update for Business
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Exclude specific KB articles from installation
Prevents driver updates through Windows Update. Allows MSPs to control driver deployment separately.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Force device tunnel for Always On VPN
Enforces system-level VPN tunnel before user logon. Critical for MSPs requiring zero-trust network access.
Computer Configuration > Administrative Templates > Network > RAS > Connection Manager
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable DNS registration for Always On VPN
Automatically registers VPN connection IP with DNS. Enables proper name resolution for MSP-managed remote clients.
Computer Configuration > Administrative Templates > Network > VPN
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure VPN reconnection behavior on connection loss
Automatically reconnects VPN after connection loss. Ensures continuous secure connectivity for MSP clients.
Computer Configuration > Administrative Templates > Network > VPN
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure VPN encapsulation type
Enforces maximum encryption for IPSec tunnels. Critical for MSP security compliance requirements.
Computer Configuration > Administrative Templates > Network > RAS > IPSec
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Require authentication on VPN connection
Forces user authentication for VPN connections. Strengthens access control in MSP-managed environments.
Computer Configuration > Administrative Templates > Network > VPN
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure trusted networks for Always On VPN
Specifies networks where VPN disconnection is allowed. Allows MSPs to exempt company networks from VPN requirement.
Computer Configuration > Administrative Templates > Network > VPN
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent dial-up connections outside of VPN
Blocks direct dial-up bypassing VPN. Ensures all remote connections use MSP-approved secure channels.
Computer Configuration > Administrative Templates > Network > RAS > Connection Manager
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable split tunneling for Always On VPN
Controls whether non-VPN traffic can bypass tunnel. MSPs typically disable to force all traffic through VPN.
Computer Configuration > Administrative Templates > Network > VPN
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable automatic VPN trigger on untrusted networks
Prevents automatic VPN connection on network changes. Gives MSPs explicit control over when VPN activates.
Computer Configuration > Administrative Templates > Network > VPN
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable VPN reconnect on network change
Reconnects VPN when network topology changes. Maintains continuous security for mobile MSP clients.
Computer Configuration > Administrative Templates > Network > VPN
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure VPN idle disconnect timeout
Automatically disconnects idle VPN sessions after timeout. Reduces security exposure for MSP-managed systems.
Computer Configuration > Administrative Templates > Network > RAS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure NTP server
Specifies NTP server(s) for time synchronization. MSPs should configure reliable, redundant NTP sources.
Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Domain Controller: Refuse machine account password changes
Controls whether domain controllers refuse machine account password changes. Keep at 0 to allow legitimate password rotation. Important for MSPs managing domain security without disrupting trust relationships.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure maximum negative time correction
Limits maximum negative time adjustment to 2 days. Prevents backward time jumps affecting MSP audit trails.
Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Windows NTP Type
Sets NTP client type to use NTP instead of domain controller. Provides more accurate time synchronization for MSP clients.
Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure NTP client maximum poll interval
Sets maximum poll interval to 1024 seconds. Reduces NTP traffic while maintaining time accuracy for MSP systems.
Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure NTP server special poll interval
Sets NTP server polling interval. Ensures consistent time distribution across MSP domain.
Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers
Supported on Windows 10, Windows 11, Windows Server 2016 and later
