Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Turn Off Routine Remediation
If enabled, prevents Defender from automatically remediating detected threats.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Hypervisor Protected Code Integrity (HVCI)
Enforces kernel code integrity using VBS. Prevents unsigned kernel drivers and code injection.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Require Additional Authentication at Startup
Required to allow BitLocker without a compatible TPM, or to require a PIN in addition to TPM.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Attack Surface Reduction Rules
ASR rules block common attack vectors like Office macros spawning processes, credential theft from LSASS, and ransomware behaviors.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Network Protection
Blocks connections to known malicious IPs and domains via SmartScreen.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Network Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Local Setting Override for Reporting to Microsoft MAPS
Controls whether a local MAPS (cloud protection) preference may override Group Policy; when disabled, local users cannot change cloud protection settings.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Choose Drive Encryption Method and Cipher Strength
Sets the encryption algorithm. XTS-AES 256 is the strongest option for Windows 10/11.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Turn On Virtualization Based Security
Enables VBS which is required for Credential Guard and HVCI. Requires UEFI and compatible hardware.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Select Platform Security Level
Sets the required platform security features for VBS.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Deny Write Access to Removable Drives Not Protected by BitLocker
Requires removable drives to be BitLocker-encrypted before allowing writes.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Credential Guard Configuration
Enables Credential Guard to isolate LSASS credentials in a VBS-protected enclave. Prevents Mimikatz-style credential theft from LSASS memory.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow BitLocker Without a Compatible TPM
If enabled, allows BitLocker with just a password/USB key and no TPM.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Choose How BitLocker-Protected OS Drives Can Be Recovered
Configures recovery options including AD key escrow. Critical for MSP management.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Use of Passwords for Removable Data Drives
Sets password requirements for BitLocker-protected removable drives.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Store BitLocker Recovery Information in Active Directory
Automatically backs up the BitLocker recovery key to Active Directory.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Zerologon: Vulnerable Channel Allowlist
Allowlist for devices exempted from Zerologon enforcement. Should be empty in fully patched environments.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Domain Controller: Allow Server Operators to Schedule Tasks
Keep disabled so that Server Operators cannot schedule tasks on domain controllers, which could otherwise allow privilege escalation.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Domain Controller: Refuse Machine Account Password Changes
If enabled, DCs refuse machine account password changes. Keep disabled to allow normal machine account rotation.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Zerologon: Full Enforcement Mode (MS-NRPC)
Enforces secure RPC for all Netlogon connections. Mitigates CVE-2020-1472 (Zerologon). Ensure all domain devices are patched before enabling.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
LDAP Server Channel Binding Token Requirements
Requires LDAP channel binding for LDAPS connections. Mitigates NTLM relay to LDAPS attacks. Apply after auditing for clients that do not support channel binding.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
LDAP Server Signing Requirements
Requires LDAP clients to negotiate data signing. Prevents LDAP relay attacks. Set the value to 2 (Require signing) to enforce.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Active Directory: Use DFSR for SYSVOL Replication
Registry path: N/A (DFSR configuration). Default: Enabled (post-2008 domains). Recommended: DFSR (not legacy FRS). DFSR should replace legacy FRS for SYSVOL replication. FRS is deprecated and unsupported on Server 2022+.
Computer Configuration > Administrative Templates > System > DFS Replication
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always)
Requires all secure channel traffic to be signed or encrypted. Prevents plaintext Netlogon traffic.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Deny Log On Locally
Explicitly prevents specified accounts from logging on interactively.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
