Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Domain Member: Digitally Encrypt Secure Channel Data (When Possible)
Encrypts secure channel data when possible. Should be paired with RequireSignOrSeal.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Domain Member: Disable Machine Account Password Changes
Keep disabled to allow automatic machine account password rotation every 30 days. Enabling this is a security risk.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Domain Member: Digitally Sign Secure Channel Data (When Possible)
Signs secure channel traffic when encryption is not available.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Always Wait for the Network at Startup and Logon
Forces synchronous GP processing at startup and logon. Ensures policies are fully applied before user desktop loads.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Domain Member: Maximum Machine Account Password Age
How often domain-joined computer accounts rotate their passwords. Lower values reduce the window for machine credential attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Configure Offer Remote Assistance
Controls whether designated helpers can offer remote assistance without a user request. Disabling it prevents unsolicited remote control.
Computer Configuration > Administrative Templates > System > Remote Assistance
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Configure Registry Policy Processing: Process Even if Not Changed
Forces GPO registry settings to be reapplied on every refresh even if unchanged. Prevents tampering from persisting through GP refresh.
Computer Configuration > Administrative Templates > System > Group Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Configure Security Policy Processing: Process Even if Not Changed
Forces security settings to be reapplied every GP refresh cycle. Critical for security baseline enforcement.
Computer Configuration > Administrative Templates > System > Group Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Configure Solicited Remote Assistance
Controls whether users can request remote assistance. If enabled, restrict helpers and set a short maximum ticket time.
Computer Configuration > Administrative Templates > System > Remote Assistance
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Configure Windows Firewall: Log Successful Connections (Domain Profile)
Logs successful inbound and outbound connections. Enables detection of C2 beaconing and lateral movement.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Domain Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Allow Remote Shell Access (WinRM)
Controls whether remote PowerShell shells are permitted. Disable if remote management is handled through other means.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Shell
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Certificate Auto-Enrollment
Automates certificate enrollment and renewal for domain members. Enable to ensure all devices have valid machine certificates.
Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment
Supported on Windows 10, Windows 11, Windows Server 2016 and later

WinRM Client: Allow CredSSP Authentication
When disabled, prevents the WinRM client from using CredSSP. CredSSP delegates the user's credentials to the remote system and so risks credential theft.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client
Supported on Windows 10, Windows 11, Windows Server 2016 and later

CA Certificate Template: Restrict Enrollment
Registry path: N/A (CA configuration). Default: varies by template. Recommended: require manager approval on sensitive templates.
CA certificate templates should require manager approval for sensitive templates. This prevents unauthorized certificate issuance (ESC1/ESC4 attacks).
Computer Configuration > Windows Settings > Security Settings > Public Key Policies
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Configure Windows Firewall: Log Dropped Packets (Domain Profile)
Logs all dropped packets to the Windows Firewall log. Essential for network-based threat detection.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Domain Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Windows Firewall Log File Maximum Size (Domain Profile)
Maximum size for the Windows Firewall log file. Increase to retain more connection history.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Domain Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Turn Off Automatic Root Certificates Update
If enabled, prevents contacting Windows Update for root certificate updates. Required for isolated/air-gapped networks.
Computer Configuration > Administrative Templates > System > Internet Communication Management
Supported on Windows 10, Windows 11, Windows Server 2016 and later

System Cryptography: Force Strong Key Protection
Requires user password confirmation before private keys are used. Protects stored cryptographic keys from silent theft.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Windows Firewall: Private Profile: Firewall State
Ensures Windows Firewall is enabled for private network connections.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Private Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Windows Firewall: Public Profile: Firewall State
Ensures Windows Firewall is enabled for public network connections. Critical for laptops on untrusted networks.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Public Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Protected View for All Document Types
Opens potentially risky Office documents in read-only sandboxed mode. Reduces exploit surface for zero-day vulnerabilities in Office.
User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > Protected View
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Disable Office Telemetry Collection
Disables data collection for AI-powered features and usage analytics. Required for GDPR/CCPA compliance and reduces bandwidth for managed clients.
Computer Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Privacy > Connected Experiences
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Windows Firewall: Public Profile: Allow Local Policy Merge
Controls whether local firewall rules can be merged with GPO rules on public networks. Disable to enforce GPO rules only.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Public Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Deny Log On Locally
Explicitly prevents specified accounts from logging on interactively.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later