Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a set of configuration settings in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is defined in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Domain Member: Require Strong Session Key
Requires 128-bit session keys for secure channel data. All modern environments should have this enabled.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Domain Member: Digitally Encrypt Secure Channel Data (When Possible)
Encrypts secure channel data when possible. Should be paired with RequireSignOrSeal.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Domain Member: Disable Machine Account Password Changes
Keep disabled to allow automatic machine account password rotation every 30 days. Enabling this is a security risk.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Domain Member: Digitally Sign Secure Channel Data (When Possible)
Signs secure channel traffic when encryption is not available.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Domain Member: Maximum Machine Account Password Age
How often domain-joined computer accounts rotate their passwords. Lower values reduce the window for machine credential attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Elevation Prompt for Administrators in Admin Approval Mode
Controls UAC elevation prompts for administrators. Value 1 prompts for credentials on the secure desktop. MSPs should enforce this for security visibility on privileged actions.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Allow UIAccess Applications to Prompt for Elevation without Using Secure Desktop
Controls whether UIAccess applications can bypass secure desktop prompting. Should remain disabled to prevent malware from spoofing elevation prompts.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Allow Delegating Default Credentials
Controls whether a user's default (logon) credentials can be delegated to remote servers. Keeping this disabled prevents those credentials from being stolen when the remote system is compromised.
Computer Configuration > Administrative Templates > System > Credentials Delegation
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Switch to Secure Desktop when Prompting for Elevation
UAC prompts appear on a secure desktop isolated from user applications. Prevents keyloggers and credential harvesting malware from intercepting prompts.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Allow Delegating Fresh Credentials with NTLM-only Server Authentication
Limits credential delegation to specific servers when NTLM authentication is used. MSPs should configure the allowed server list for Remote Desktop access.
Computer Configuration > Administrative Templates > System > Credentials Delegation
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Elevation Prompt for Standard Users
Determines UAC behavior for standard users. Value 0 auto-denies elevation requests without prompting. Prevents users from running elevated tasks without admin approval.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Behavior of Elevation Prompt for Administrators
Controls elevation behavior: 2 = prompt for consent on the secure desktop, 5 = prompt for consent without requiring a password (the default). MSPs should set this to 2 for maximum security.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Require Administrator Password for Elevation
Specifies whether administrators must enter credentials to elevate. Value 1 enforces password prompt on secure desktop. Critical for audit trails.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Only Elevate Signed Executables
Only allows elevation of executables that carry a valid digital signature. Prevents unsigned malware from elevating privileges, but also blocks unsigned legitimate installers, so test line-of-business applications before enforcing it. Essential for MSP security hardening.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Run All Administrators in Admin Approval Mode
Enables UAC for all administrators. Disabling it removes all UAC protections and elevation prompts. MSPs must keep this enabled for compliance.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Detect Application Installations and Prompt for Elevation
Shows UAC prompt on secure desktop when Windows detects installer packages being executed. Critical for preventing unauthorized software deployment.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Allow Delegating Saved Credentials
Controls whether saved credentials can be delegated to other machines. Should remain disabled to prevent lateral movement attacks.
Computer Configuration > Administrative Templates > System > Credentials Delegation
Supported on Windows 10, Windows 11, Windows Server 2016 and later

CredSSP Encryption Oracle Remediation
Prevents CVE-2018-0886 exploitation by blocking encryption oracle attacks during credential delegation. Should remain at 0 (Vulnerable) only for legacy systems.
Computer Configuration > Administrative Templates > System > Credentials Delegation
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Virtualize File and Registry Write Failures to Per-User Locations
Redirects legacy application write failures to user-writable locations instead of blocking them. Improves app compatibility while maintaining security.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Enable Virtualization Based Security
Enables Virtualization Based Security, which uses the hypervisor to isolate security-critical code and data from the normal kernel. Protects that isolated memory even when the kernel itself is compromised.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Enable DMA Port Protection
Blocks DMA (Direct Memory Access) attacks from Thunderbolt, USB, and FireWire devices. Prevents hardware-based privilege escalation.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Behavior of Elevation Prompt for Standard Users
Controls standard user elevation: 0=Auto-deny without prompt, 1=Prompt for credentials. MSPs typically set to 0 to prevent privilege escalation.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Require Kerberos Authentication for Credential Delegation
Enforces Kerberos protocol for credential delegation instead of NTLM. Improves security by using modern authentication mechanisms.
Computer Configuration > Administrative Templates > System > Credentials Delegation
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Restrict Delegation to Remote Servers Only
When enabled, enforces Restricted Admin mode so the user's credentials are never sent to or cached on the remote host. Critical for preventing pass-the-hash and credential theft attacks.
Computer Configuration > Administrative Templates > System > Credentials Delegation
Supported on Windows 10, Windows 11, Windows Server 2016 and later