Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Turn Off Automatic Root Certificates Update
If enabled, prevents contacting Windows Update for root certificate updates. Required for isolated/air-gapped networks.
Computer Configuration > Administrative Templates > System > Internet Communication Management
Supported on Windows 10, Windows 11, Windows Server 2016 and later
System Cryptography: Force Strong Key Protection
Requires user password confirmation before private keys are used. Protects stored cryptographic keys from silent theft.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Windows Firewall: Private Profile: Firewall State
Ensures Windows Firewall is enabled for private network connections.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Private Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Windows Firewall: Public Profile: Firewall State
Ensures Windows Firewall is enabled for public network connections. Critical for laptops on untrusted networks.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Public Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable Office telemetry collection
Disables data collection for AI-powered features and usage analytics. Required for GDPR/CCPA compliance and reduces bandwidth for managed clients.
Computer Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Privacy > Connected Experiences
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Windows Firewall: Public Profile: Allow Local Policy Merge
Controls whether local firewall rules can be merged with GPO rules on public networks. Disable to enforce GPO rules only.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Public Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Office update channel configuration
Sets Office to Semi-Annual Channel for stability. Allows MSPs to control update timing and avoid disruptive auto-updates during business hours.
Computer Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Updates
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Windows Installer logging
Logs all MSI activities to %temp%\msi*.log for troubleshooting. Critical for MSPs supporting software deployment issues remotely.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Restrict user control over patches
Prevents users from uninstalling security patches. Maintains security compliance and prevents rollback of critical updates.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
OneDrive Known Folder Move
Automatically migrates Documents, Desktop, and Pictures to OneDrive. Simplifies backup strategy and enables remote work for MSP-managed devices.
Computer Configuration > Policies > Administrative Templates > OneDrive
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Set Safe Mode for repairs and patches
Enables repair and minor update operations without user interaction. Reduces support calls for simple application updates.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Apply transforms during MSI installation
Automatically applies customization transforms to all MSI installations. Ensures consistent configuration across managed deployments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Limit user control during installation
Restricts user choices during MSI installation to basic UI only. Prevents users from selecting options that could break deployment standards.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Hide error dialogs during installation
Suppresses installation dialogs and error messages for silent deployments. Essential for unattended imaging and large-scale rollouts.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Always install with elevated privileges
Allows standard users to install MSI packages with system privileges. Simplifies software deployment in managed environments without requiring user elevation.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable Windows Installer
Can completely disable MSI execution. Set to 0 for MSP environments to maintain compatibility, or use with care for kiosk-type deployments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Cache entire MSI on local drive
Ensures full MSI source is cached locally for repairs and reinstalls. Prevents need for network access during future operations.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable per-user MSI installations
Forces all MSI installations to be per-machine only. Prevents fragmented software deployments and simplifies license management.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable automatic Store app updates
Requires manual approval for Store app updates. Allows MSPs to control update timing and test compatibility before deployment.
Computer Configuration > Policies > Administrative Templates > Windows Components > Store
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Block non-Store applications
Restricts execution to Store apps only. Enforces security policy for highly restricted environments like kiosks or healthcare facilities.
Computer Configuration > Policies > Windows Components > App Package Deployment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Restrict background service upgrades
Prevents MSI from triggering automatic system restarts. Allows MSPs to schedule restarts during maintenance windows.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Restrict installation sources to managed locations
Restricts MSI source files to specified network paths. Prevents installation of unauthorized or malicious packages.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Set cache size on local drive
Controls percentage of disk space used for caching downloaded updates. Higher cache reduces redundant downloads from peer devices.
Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Deny Log On Locally
Explicitly prevents specified accounts from logging on interactively.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
