Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Disallow Saving Credentials or .NET Passport Credentials
Prevents Windows Credential Manager from storing passwords. Forces users to enter credentials each time, improving security for multi-user environments.
Computer Configuration > Administrative Templates > System > Credentials Delegation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow Delegating Fresh Credentials
Controls whether fresh credentials can be delegated for outbound connections. Disabling prevents credential caching for multi-hop scenarios.
Computer Configuration > Administrative Templates > System > Credentials Delegation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Require UEFI Firmware Lock
Locks UEFI firmware settings to prevent unauthorized modification. Requires physical access and passwords to change security boot settings.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Restrict Credential Delegation to Domain Controllers Only
Limits credentials delegation to domain-joined servers with Kerberos support. Prevents credential delegation to non-domain machines.
Computer Configuration > Administrative Templates > System > Credentials Delegation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Code Integrity - UEFI Lock
Locks Code Integrity policy in UEFI to prevent tampering. Requires physical access to disable, providing tamper-proof protection.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Require Platform Security Level
Requires specific platform security features for VBS. Value 1 requires IOMMU, 2 requires DMA protection. Critical for advanced security.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Delegation of Non-Exported Credentials
Allows delegation of credentials protected by Data Protection API. Enables secure credential delegation without exposing plain-text credentials.
Computer Configuration > Administrative Templates > System > Credentials Delegation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Turn On Secure Launch
Enables Secure Boot to verify firmware and boot drivers. Prevents bootkit malware from loading before Windows kernel.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Block Office Applications from Creating Child Processes
Blocks Office applications (Word, Excel, PowerPoint, Outlook) from spawning child processes. Prevents macro-based malware and script execution.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Block Process Creations Originating from PSExec and WMI Commands
Blocks creation of processes via PSExec and WMI. Prevents lateral movement attacks and unauthorized remote administration.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable System Guard Secure Launch
Enables System Guard which protects system integrity from the moment hardware boots. Adds additional hypervisor-based protection layer.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Block Office Applications from Creating Executable Content
Blocks Office macros from creating or launching executables. Prevents macro-based malware from writing and executing files.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Use Advanced Protection Against Ransomware
Enables ransomware-specific protections including behavior monitoring. Detects suspicious encryption activities and file-locking patterns.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Block Credential Stealing from Windows Local Security Authority Process
Prevents processes from reading the memory of LSASS, the process that holds cached credentials. Blocks credential-dumping tools such as Mimikatz.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow Automatic Sample Submission
Automatically sends suspicious files to Microsoft for analysis. Enables faster detection and protection against emerging threats.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Tamper Protection
Prevents malware from disabling Windows Defender. Once tamper protection is enabled, malware cannot turn off the security protections it covers.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Tamper Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Cloud-Delivered Protection
Enables cloud-based malware protection using Microsoft security intelligence. Value 2 (Advanced) provides real-time threat intelligence from Microsoft's global network.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Network Protection
Blocks malicious domains and IP addresses at the network level. Prevents connections to command-and-control servers and phishing sites.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Network Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Block Executable Content from Email and Webmail
Blocks execution of potentially dangerous file types when extracted from email or webmail. Prevents malware distribution via email attachments.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Block Win32 API Calls from Office Macros
Blocks Office macros from calling dangerous Win32 APIs. Prevents advanced malware techniques that use API calls to bypass security.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Hardware-Enforced Stack Protection
Enables Control-flow Enforcement Technology (CET) for hardware-based stack protection. Prevents stack-based ROP attacks on processors that support CET shadow stacks.
Computer Configuration > Administrative Templates > System > Exploit Guard > Exploit Guard > Exploit protection settings
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Block JavaScript and VBScript from Launching Downloaded Executables
Prevents scripts from executing downloaded files. Blocks fileless malware and script-based trojans that download and execute payloads.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Block Untrusted and Unsigned Processes that Run from USB
Prevents unsigned executables from running when loaded from USB devices. Blocks malware spread via USB media and removable storage.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Block Persistence Through WMI Event Subscription
Prevents malware from establishing persistence using WMI event subscriptions. Blocks a technique malware uses to survive reboots.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Supported on Windows 10, Windows 11, Windows Server 2016 and later
