Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a container of policy settings that defines how computers and user accounts behave. Each setting applies to a specific scope (Computer Configuration or User Configuration). Administrative Template settings are defined in ADMX (Administrative Template) files and map to one or more registry values under the Policies keys; Security Settings (such as the Security Options entries below) are applied by the security configuration engine and land in the registry or the local security database. This reference indexes Microsoft's ADMX catalog and the core security settings with detailed explanations, registry mappings, and operational guidance that goes beyond the official Microsoft Learn pages.
Block Abuse of Exploited Vulnerable Drivers
Attack Surface Reduction rule "Block abuse of exploited vulnerable signed drivers". Blocks the loading of drivers on Microsoft's vulnerable driver blocklist, which attackers use in bring-your-own-vulnerable-driver (BYOVD) attacks to run code in the kernel and disable security tooling. Like every ASR rule it can be deployed in Audit mode first; a vulnerable driver that is already loaded is not unloaded by the rule, so reboot after enabling it in Block mode.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →
Heap Protection
Exploit Protection mitigation "Validate heap integrity". Terminates the process as soon as heap corruption is detected, for example when a heap-based buffer overflow has overwritten block metadata, instead of letting the corrupted state be used for a write-what-where. Randomization of heap base addresses is provided by ASLR (Bottom-up ASLR and High-entropy ASLR), not by this setting.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Exploit Protection > Use a common set of exploit protection settings
Supported on Windows 10 version 1709 and later, Windows 11, Windows Server 2019 and later
Read reference →
Block Execution of Potentially Obfuscated Scripts
Attack Surface Reduction rule that blocks scripts (JavaScript, VBScript, PowerShell) whose structure looks obfuscated, such as heavy string concatenation, encoding, or layered escaping used to hide a payload from signature-based detection. Legitimately minified or packed scripts can trigger it, so deploy in Audit mode first and review the events before switching to Block.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →
Enable Real-Time Protection
Enables real-time scanning of files as they are accessed or modified. Provides immediate detection and blocking of malware.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →
Enable Behavior Monitoring
Monitors suspicious behavioral patterns even if malware signatures are unknown. Detects zero-day and advanced threats.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →
Potentially Unwanted Application (PUA) Protection
Detects and blocks potentially unwanted applications such as adware, spyware, bundlers and cryptominers. The policy "Configure detection for potentially unwanted applications" takes 0 (off), 1 (block) or 2 (audit only: detections are logged but not blocked).
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →
Configure Scheduled Scan Day
Specifies the day of the week for the scheduled scan. Values: 0 = every day, 1 = Sunday through 7 = Saturday, 8 = never. MSPs should pick an off-hours day and pair it with the scheduled scan time so full scans do not compete with business workloads.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Scan
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →
Specify the Type of Scans to Run
Configures scan type: 1=Quick scan, 2=Full scan. MSPs should set to 2 for complete system protection, or 1 for faster scans.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Scan
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →
Configure Definition Update Sources
Specifies the order of sources Defender tries for security intelligence (signature) updates. Valid sources are InternalDefinitionUpdateServer (WSUS), MicrosoftUpdateServer, MMPC (the Microsoft Malware Protection Center direct download) and FileShares, separated by "|". Keep MicrosoftUpdateServer and MMPC in the list so that endpoints still update when the internal server is unreachable. Critical for maintaining protection.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Signature Updates
Supported on Windows 10, Windows 11, Windows Server 2016 and later
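The Defender entries above can be applied and verified from PowerShell with the Defender cmdlets; the script below is an added example and is not part of this reference. It assumes it runs elevated on a machine with the Defender module, that the two ASR rule GUIDs are Microsoft's published IDs for the rules listed above (verify them against the current ASR rule list), and that any setting managed by Group Policy will be re-applied at the next policy refresh, overriding local changes.

```powershell
# Added example (not from this reference): enforce and verify the Defender
# settings above with the Defender cmdlets. Assumptions: run as Administrator,
# Defender module present, ASR GUIDs are Microsoft's published rule IDs (verify
# against the current ASR rule list). ASR actions: 0 Off, 1 Block, 2 Audit, 6 Warn.

$AsrRules = [ordered]@{
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
}

# Desired state; Set-MpPreference accepts the enum names, Get-MpPreference reports numbers.
$Baseline = @{
    DisableRealtimeMonitoring = $false
    DisableBehaviorMonitoring = $false
    PUAProtection             = 'Enabled'      # Disabled(0) / Enabled(1) / AuditMode(2)
    ScanScheduleDay           = 'Sunday'       # Everyday(0), Sunday(1) .. Saturday(7), Never(8)
    ScanParameters            = 'FullScan'     # QuickScan(1) / FullScan(2)
    SignatureFallbackOrder    = 'MicrosoftUpdateServer|MMPC'
}

function Set-DefenderBaseline {
    param(
        # Start ASR rules in Audit (2); move to Block (1) after reviewing events.
        [ValidateSet(1, 2)] [int] $AsrAction = 2
    )
    foreach ($id in $AsrRules.Keys) {
        # Add-MpPreference merges into the existing rule list instead of replacing it.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $AsrAction
    }
    Set-MpPreference @Baseline
}

function Test-DefenderBaseline {
    param([int] $ExpectedAsrAction = 2)
    $p = Get-MpPreference
    $expected = [ordered]@{
        RealtimeMonitoring     = @($true, (-not $p.DisableRealtimeMonitoring))
        BehaviorMonitoring     = @($true, (-not $p.DisableBehaviorMonitoring))
        PUAProtection          = @(1, [int]$p.PUAProtection)
        ScanScheduleDay        = @(1, [int]$p.ScanScheduleDay)
        ScanParameters         = @(2, [int]$p.ScanParameters)
        SignatureFallbackOrder = @($Baseline.SignatureFallbackOrder, [string]$p.SignatureFallbackOrder)
    }
    # Ids and Actions are parallel arrays; a rule absent from Ids is effectively Off (0).
    $ids = @($p.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    foreach ($id in $AsrRules.Keys) {
        $i = [array]::IndexOf($ids, $id.ToLower())
        $actual = if ($i -ge 0) { [int]$p.AttackSurfaceReductionRules_Actions[$i] } else { 0 }
        $expected["ASR: $($AsrRules[$id])"] = @($ExpectedAsrAction, $actual)
    }
    foreach ($name in $expected.Keys) {
        $e, $a = $expected[$name]
        [pscustomobject]@{ Setting = $name; Expected = $e; Actual = $a; Ok = ($e -eq $a) }
    }
}

function Get-AsrEvents {
    # 1121 = rule blocked (Block mode), 1122 = rule would have blocked (Audit mode).
    param([int] $Days = 7)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } | Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Usage: audit first, review the events, then enforce.
# Set-DefenderBaseline -AsrAction 2
# Test-DefenderBaseline -ExpectedAsrAction 2 | Format-Table -AutoSize
# Get-AsrEvents | Format-Table -AutoSize
# Set-DefenderBaseline -AsrAction 1
```

If Tamper Protection is on, Set-MpPreference will refuse to change the protected settings (real-time and behavior monitoring among them); that is expected, and the Test-DefenderBaseline output still shows whether the effective state matches.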
Read reference →
Mandatory ASLR
Exploit Protection mitigation "Force randomization for images (Mandatory ASLR)". Rebases executables and DLLs at load time even when they were not linked with /DYNAMICBASE, so modules that opted out of ASLR no longer load at a fixed, predictable address. Enable "Randomize memory allocations (Bottom-up ASLR)" alongside it: without bottom-up randomization the forced relocation lands at a predictable address and adds little entropy. Some legacy applications that assume a fixed image base crash under it, so test per application before forcing it system-wide.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Exploit Protection > Use a common set of exploit protection settings
Supported on Windows 10 version 1709 and later, Windows 11, Windows Server 2019 and later
Read reference →
Enable Controlled Folder Access
Blocks untrusted applications from writing to protected folders (Documents, Pictures, Desktop and the other default folders, plus any you add), so ransomware cannot encrypt user files there. Values: 0 = off, 1 = block, 2 = audit. Deploy in Audit mode first and add line-of-business applications that legitimately write to those folders to the allowed-applications list, otherwise users see blocked saves.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →
Enable Structured Exception Handling Overwrite Protection (SEHOP)
Exploit Protection mitigation "Validate exception chains (SEHOP)". Before dispatching an exception, walks the thread's SEH handler chain and confirms it terminates in the system's final handler; a chain corrupted by a stack-based overflow fails the check and the process is terminated instead of executing the attacker's handler. Only 32-bit (x86) processes keep SEH chains on the stack, so this mitigation has no effect on 64-bit processes.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Exploit Protection > Use a common set of exploit protection settings
Supported on Windows 10 version 1709 and later, Windows 11, Windows Server 2019 and later
Read reference →
Enable Control Flow Guard (CFG)
Exploit Protection setting for Control Flow Guard. CFG checks the target of every indirect call or jump against a bitmap of valid function entry points generated by the compiler, so an overwritten function pointer or vtable entry cannot divert execution to an arbitrary address. CFG is a compile-time feature: the system setting enforces it for images built with /guard:cf and cannot add it to binaries that were not. It does not check return addresses, so return-oriented programming (ROP) chains are not stopped by CFG alone; pair it with DEP, ASLR and, on supported hardware, hardware-enforced stack protection.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Exploit Protection > Use a common set of exploit protection settings
Supported on Windows 10 version 1709 and later, Windows 11, Windows Server 2019 and later
Read reference →
Enable Force ASLR for Images
The same mitigation as Mandatory ASLR above ("Force randomization for images"), exposed in the Exploit Protection XML as ForceRelocateImages. It forces relocation of every image, including DLLs that were not linked with /DYNAMICBASE, so every loaded module gets a randomized base. Combine it with Bottom-up ASLR and High-entropy ASLR for meaningful entropy, and use the per-program override for applications that break.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Exploit Protection > Use a common set of exploit protection settings
Supported on Windows 10 version 1709 and later, Windows 11, Windows Server 2019 and later
Read reference →
Configure Exclusions by File Extension
Specifies file extensions Defender will not scan. Each exclusion is a blind spot an attacker can target (a payload dropped with an excluded extension bypasses real-time scanning), and the exclusion list has historically been readable by non-admin users, so treat it as public. MSPs should keep the list minimal, never exclude executable or script extensions, prefer process or path exclusions scoped to the application, and document the owner and reason for every entry.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Exclusions
Supported on Windows 10, Windows 11, Windows Server 2016 and later
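To see what the exclusion policies above actually leave unscanned on a machine, the following added example (not part of this reference) enumerates the policy-set exclusions straight from the registry and the effective set from Get-MpPreference, and flags the risky ones. It assumes it runs as Administrator (recent builds hide exclusions from non-admin callers of Get-MpPreference); the risk heuristics are the author's, not Microsoft's.

```powershell
# Added example (not from this reference): enumerate Defender exclusions set by
# policy and the effective set, and flag the ones that weaken scanning most.
# Assumptions: run as Administrator; the risk heuristics are the author's.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
# Extensions that carry or load code: excluding one lets a payload with that
# extension bypass real-time scanning entirely.
$CodeExtensions = 'exe', 'dll', 'sys', 'scr', 'com', 'pif', 'ps1', 'psm1', 'vbs', 'vbe', 'js', 'jse',
                  'wsf', 'hta', 'bat', 'cmd', 'msi', 'lnk', 'jar', 'docm', 'xlsm'
# Patterns for paths that are user-writable or cover far more than one application.
$BroadPaths = '^[A-Z]:\\?$', '^[A-Z]:\\Users\\', '\\Temp\\?', '^[A-Z]:\\ProgramData\\?$',
              '^[A-Z]:\\Windows\\?$', '^\\\\'

function Get-PolicyExclusions {
    param([ValidateSet('Extensions', 'Paths', 'Processes')] [string] $Kind)
    $key = Join-Path $PolicyRoot $Kind
    if (-not (Test-Path $key)) { return @() }
    # Policy exclusions are stored as value NAMES (the data is "0"), not as value data.
    (Get-Item $key).GetValueNames() | Where-Object { $_ }
}

function Test-Exclusion {
    param([string] $Kind, [string] $Value, [string] $Source)
    $reasons = @()
    switch ($Kind) {
        'Extensions' {
            if ($CodeExtensions -contains $Value.TrimStart('.').ToLower()) { $reasons += 'executable or script extension' }
        }
        'Paths' {
            foreach ($rx in $BroadPaths) { if ($Value -imatch $rx) { $reasons += "broad or user-writable path ($rx)" } }
            if ($Value -match '\*') { $reasons += 'wildcard path' }
        }
        'Processes' {
            # A bare image name trusts any process of that name, wherever it runs from.
            if ($Value -notmatch '^[A-Z]:\\') { $reasons += 'process matched by name only' }
        }
    }
    [pscustomobject]@{
        Kind = $Kind; Exclusion = $Value; Source = $Source
        Risk = if ($reasons) { $reasons -join '; ' } else { 'review' }
    }
}

function Get-DefenderExclusionReport {
    # The effective set also includes exclusions added locally or by Intune/MDM.
    $pref = Get-MpPreference
    $rows = @(
        foreach ($kind in 'Extensions', 'Paths', 'Processes') {
            foreach ($v in Get-PolicyExclusions -Kind $kind) { Test-Exclusion $kind $v 'GPO' }
        }
        foreach ($v in ($pref.ExclusionExtension | Where-Object { $_ })) { Test-Exclusion 'Extensions' $v 'Effective' }
        foreach ($v in ($pref.ExclusionPath      | Where-Object { $_ })) { Test-Exclusion 'Paths'      $v 'Effective' }
        foreach ($v in ($pref.ExclusionProcess   | Where-Object { $_ })) { Test-Exclusion 'Processes'  $v 'Effective' }
    )
    $rows | Sort-Object Kind, Exclusion
}

# Usage:
# Get-DefenderExclusionReport | Where-Object Risk -ne 'review' | Format-Table -AutoSize
```

Entries tagged GPO that do not appear in the Effective set indicate the policy has not applied yet (check gpresult); Effective entries with no GPO counterpart were added locally or by another management channel and deserve the same documentation.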
Read reference →
Address Space Layout Randomization (ASLR)
System-wide ASLR settings in Exploit Protection: "Randomize memory allocations (Bottom-up ASLR)" randomizes the base of bottom-up allocations such as heaps, stacks and VirtualAlloc regions, and "High-entropy ASLR" widens that randomization for 64-bit processes. Images linked with /DYNAMICBASE are randomized on load regardless; Mandatory ASLR covers the ones that were not. The effect is that an exploit cannot hard-code the address of a gadget, stack or heap buffer and must first obtain an information leak.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Exploit Protection > Use a common set of exploit protection settings
Supported on Windows 10 version 1709 and later, Windows 11, Windows Server 2019 and later
Read reference →
Enable Data Execution Prevention (DEP)
Exploit Protection mitigation "Data Execution Prevention (DEP)". Marks stack, heap and other data pages non-executable using the processor's NX bit, so shellcode written into a data buffer faults instead of running; an attacker must then fall back to ROP or a memory-permission change, which the other mitigations target. The OS-level DEP policy (OptIn, OptOut, AlwaysOn, AlwaysOff) is a boot setting managed with bcdedit /set nx, not Group Policy; the Exploit Protection setting controls DEP for processes the boot policy leaves optional. 64-bit processes always run with DEP.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Exploit Protection > Use a common set of exploit protection settings
Supported on Windows 10 version 1709 and later, Windows 11, Windows Server 2019 and later
Read reference →
Prevent Child Processes from Bypassing Exploit Protection
Exploit Protection mitigation "Do not allow child processes" (DisallowChildProcessCreation). Prevents the protected program from creating any child process, which closes the common post-exploitation step where a compromised document viewer or browser content process launches cmd.exe, PowerShell or a downloaded payload. It is a per-program setting rather than a system default, because most applications legitimately spawn children; apply it to sandboxed or single-purpose processes and use the audit variant first.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Exploit Protection > Use a common set of exploit protection settings
Supported on Windows 10 version 1709 and later, Windows 11, Windows Server 2019 and later
Read reference →
DEP Mode for 32-bit Applications
Exploit Protection sub-option "Enable ATL thunk emulation" (EmulateAtlThunks) under DEP. Older 32-bit applications built with early ATL versions generate small thunks in data memory that DEP would otherwise block; this option emulates those thunks so DEP can stay enabled for the application instead of being turned off for it. It applies only to 32-bit (x86) processes: 64-bit processes always run with DEP and cannot opt out.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Exploit Protection > Use a common set of exploit protection settings
Supported on Windows 10 version 1709 and later, Windows 11, Windows Server 2019 and later
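The Exploit Protection entries above (Mandatory ASLR, SEHOP, CFG, ASLR, DEP, heap integrity, child-process control) are all set through the same mechanism: system defaults plus per-program overrides, exported to the XML that the "Use a common set of exploit protection settings" policy points to. The script below is an added example, not part of this reference, showing how to audit, set, and export them with the ProcessMitigations module. It assumes it runs as Administrator on Windows 10 1709+ or Server 2019+; "legacy32.exe" and the share path in the usage notes are placeholders, not names from this page.

```powershell
# Added example (not from this reference): audit and set Exploit Protection
# system defaults, write a per-program override, export the XML that the GPO
# "Use a common set of exploit protection settings" consumes, and read the
# boot-time DEP policy. Assumptions: run as Administrator on Windows 10 1709+ /
# Server 2019+ (ProcessMitigations module); 'legacy32.exe' is a placeholder name.

function Get-SystemMitigationSummary {
    # Each flag reports ON, OFF or NOTSET (NOTSET = the OS default applies).
    $m = Get-ProcessMitigation -System
    [pscustomobject]@{
        DEP               = $m.DEP.Enable
        ATLThunkEmulation = $m.DEP.EmulateAtlThunks       # "DEP Mode for 32-bit Applications"
        SEHOP             = $m.SEHOP.Enable
        MandatoryASLR     = $m.ASLR.ForceRelocateImages   # "Force randomization for images"
        BottomUpASLR      = $m.ASLR.BottomUp
        HighEntropyASLR   = $m.ASLR.HighEntropy
        CFG               = $m.CFG.Enable
        HeapIntegrity     = $m.Heap.TerminateOnError      # "Validate heap integrity"
    }
}

function Set-ExploitProtectionBaseline {
    param(
        # Mandatory ASLR is opt-in here: it breaks some legacy apps, so test per program first.
        [switch] $MandatoryAslr,
        [string] $LegacyApp = 'legacy32.exe'   # placeholder image name
    )
    $enable = @('DEP', 'EmulateAtlThunks', 'SEHOP', 'BottomUp', 'HighEntropy', 'CFG', 'TerminateOnError')
    if ($MandatoryAslr) { $enable += 'ForceRelocateImages' }
    Set-ProcessMitigation -System -Enable $enable

    # Per-program entry (stored under Image File Execution Options for that image name):
    # force relocation for a non-/DYNAMICBASE x86 app and forbid it from spawning children.
    Set-ProcessMitigation -Name $LegacyApp -Enable ForceRelocateImages, BottomUp, DisallowChildProcessCreation
}

function Export-ExploitProtectionConfig {
    param([string] $Path = (Join-Path $env:TEMP 'ExploitProtection.xml'))
    # Writes the system defaults plus every per-program entry in the format the GPO consumes.
    Get-ProcessMitigation -RegistryConfigFilePath $Path
    Get-Item $Path
}

function Get-BootDepPolicy {
    # DEP policy is a BCD setting (OptIn, OptOut, AlwaysOn, AlwaysOff), not a GPO value.
    $nx = bcdedit /enum '{current}' 2>$null | Select-String -Pattern '^\s*nx\s+(\S+)' | Select-Object -First 1
    if ($nx) { $nx.Matches[0].Groups[1].Value } else { 'OptIn (default; no explicit nx entry)' }
}

# Usage:
# Get-SystemMitigationSummary
# Set-ExploitProtectionBaseline             # add -MandatoryAslr once applications are tested
# Export-ExploitProtectionConfig            # copy the XML to a share, then set the GPO
#   "Use a common set of exploit protection settings" to its UNC path, e.g.
#   \\contoso.example\netlogon\ExploitProtection.xml (placeholder)
# Get-ProcessMitigation -Name legacy32.exe  # confirm the per-program entry on a client
# Get-BootDepPolicy
```

Roll the XML out with the system defaults in their audit forms where one exists (the module exposes Audit* variants for the per-program mitigations) and read the Security-Mitigations event log before switching to enforcement; a mitigation that crashes a line-of-business application will be disabled by the help desk faster than it was deployed.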
Read reference →
Network security: Do not store LAN Manager hash on next password change
Stops Windows from storing the LM hash of a password (NoLMHash = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). LM hashes are trivially cracked (the password is split into two 7-character halves, uppercased and DES-encrypted), so a stored LM hash hands anyone who dumps the SAM or NTDS.dit the cleartext password. The setting only affects future password changes: LM hashes already stored remain until each account's password is changed, so force a rotation after enabling it. Enabled by default since Windows Vista and Server 2008, but verify it on domains upgraded from older versions. Essential for MSPs eliminating weak authentication material.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →
Remove Run menu from Start menu
Hides the Run command from the Start menu and disables the Win+R dialog (NoRun = 1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer). It is a usability restriction for kiosk and shared desktops, not a security boundary: a user can still launch programs from Explorer, a command prompt or a file association, so pair it with AppLocker or WDAC when the goal is to stop execution rather than hide a menu.
User Configuration > Administrative Templates > Start Menu and Taskbar
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →
Do not display last user name on logon screen
Security Option "Interactive logon: Don't display last signed-in" (DontDisplayLastUserName = 1 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System). Blanks the user name on the logon screen so someone with physical access to a shared or lab machine cannot learn which account last used it; users then type both user name and password. Reduces information disclosure for MSP security compliance.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →
Domain Controller: Restrict NTLM: NTLM authentication in this domain
Applied on domain controllers, restricts NTLM pass-through authentication for the whole domain. The options are Disable (no restriction), Deny for domain accounts to domain servers, Deny for domain accounts, Deny for domain servers, and Deny all; exceptions go in "Add server exceptions in this domain". It does not log by itself: enable the companion "Domain Controller: Restrict NTLM: Audit NTLM authentication in this domain" first, review the Microsoft-Windows-NTLM/Operational log on the DCs for the applications still using NTLM, and only then move to a Deny option. Critical for MSPs enforcing domain-wide Kerberos migration.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →
Network security: Restrict NTLM: Incoming NTLM traffic
Restricts inbound NTLM authentication to this computer (RestrictReceivingNTLMTraffic under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0). Values: 0 = allow all, 1 = deny all domain accounts, 2 = deny all accounts. Before denying, set "Network security: Restrict NTLM: Audit Incoming NTLM Traffic" and watch for event 8002 in Microsoft-Windows-NTLM/Operational, because file shares, SQL Server logins and non-domain-joined devices commonly fall back to NTLM. Critical for MSPs eliminating legacy authentication vectors (NTLM relay, pass-the-hash) in client environments.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
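The Security Options entries above share one workflow: confirm the registry value each one maps to, turn on the audit counterpart, and read the NTLM Operational log before moving to a Deny setting. The script below is an added example, not part of this reference, that audits those values on the local machine and summarizes recent NTLM use. It assumes it runs as Administrator, that the expected values encode this page's recommendations, and that RestrictNTLMInDomain is only meaningful on a domain controller (it is reported, not graded).

```powershell
# Added example (not from this reference): audit the authentication-hardening
# settings above and summarize NTLM use from the NTLM Operational log before
# enforcing any Deny option. Assumptions: run as Administrator; expected values
# follow this page's recommendations; RestrictNTLMInDomain is DC-only (report only).

$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv   = "$Lsa\MSV1_0"
$Logon = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Expl  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# A missing value means the Windows default applies and is reported as $null.
$Checks = @(
    @{ Name = 'Do not store LM hash';          Key = $Lsa;   Value = 'NoLMHash';                     Expected = 1 }
    @{ Name = 'Do not display last user name'; Key = $Logon; Value = 'DontDisplayLastUserName';      Expected = 1 }
    @{ Name = 'Remove Run from Start menu';    Key = $Expl;  Value = 'NoRun';                        Expected = 1 }
    @{ Name = 'Audit incoming NTLM';           Key = $Msv;   Value = 'AuditReceivingNTLMTraffic';    Expected = 2 }  # 2 = all accounts
    @{ Name = 'Restrict incoming NTLM';        Key = $Msv;   Value = 'RestrictReceivingNTLMTraffic'; Expected = 2 }  # 2 = deny all accounts
    @{ Name = 'Restrict NTLM in domain (DC)';  Key = $Msv;   Value = 'RestrictNTLMInDomain';         Expected = $null }
)

function Test-AuthHardening {
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path $c.Key) {
            $actual = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        }
        [pscustomobject]@{
            Setting  = $c.Name
            Value    = "$($c.Key)\$($c.Value)"
            Expected = $c.Expected
            Actual   = $actual
            Ok       = if ($null -eq $c.Expected) { 'report only' } else { $actual -eq $c.Expected }
        }
    }
}

function Get-NtlmUsageSummary {
    param([int] $Days = 7)
    # Events appear only once the audit policies are on. Ids in this log: 8001 outgoing
    # NTLM from this client, 8002 incoming NTLM accepted by this server, 8003/8004
    # domain-level audit and block events logged on domain controllers.
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{
            EventId = [int]$_.Name
            Count   = $_.Count
            Sample  = ($_.Group[0].Message -split "`n")[0]
        }
    }
}

# Usage:
# Test-AuthHardening | Format-Table -AutoSize
# Get-NtlmUsageSummary -Days 14 | Format-Table -AutoSize
```

A non-empty 8002 count after a full business cycle (including month-end jobs and backups) is the list of systems that will break when RestrictReceivingNTLMTraffic moves to 2; fix or exempt each source, then flip the value and keep the audit policy on to catch new NTLM clients.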
Read reference →
