
Group Policy Reference

A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.

What is a Group Policy?

A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.

Admin Tpl · Computer

Set restart deadline for feature updates

Forces a restart 14 days after an update becomes available if the user has ignored notifications. Prevents perpetually unpatched systems.

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update for Business

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Admin Tpl · Computer

Disable automatic restart after updates

Prevents automatic reboot while users are logged in. Allows scheduling restarts during maintenance windows.

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

Allow UIAccess Applications to Prompt for Elevation without Using Secure Desktop

Controls whether UIAccess applications can bypass secure desktop prompting. Should remain disabled to prevent malware from spoofing elevation prompts.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

Allow Delegating Default Credentials

Prevents credential caching for delegation to remote servers. Disabling blocks credential theft from cached credentials on compromised systems.

Computer Configuration > Administrative Templates > System > Credentials Delegation

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Admin Tpl · Computer

Disable peer updates over metered connections

Prevents update downloads over metered networks. Protects mobile users from unexpected data charges.

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update for Business

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Admin Tpl · Computer

Configure deadline grace period

Provides a 2-day grace period after the deadline before a forced restart. Balances compliance with user scheduling flexibility.

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update for Business

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

Switch to Secure Desktop when Prompting for Elevation

UAC prompts appear on a secure desktop isolated from user applications. Prevents keyloggers and credential harvesting malware from intercepting prompts.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

Allow Delegating Fresh Credentials with NTLM-only Server Authentication

Limits credential delegation to specific servers when NTLM authentication is used. MSPs should configure the allowed servers list for Remote Desktop access.

Computer Configuration > Administrative Templates > System > Credentials Delegation

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

Elevation Prompt for Standard Users

Determines UAC behavior for standard users. Value 0 auto-denies elevation requests without prompting. Prevents users from running elevated tasks without admin approval.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

Behavior of Elevation Prompt for Administrators

Controls elevation behavior: 2 = Prompt for consent on the secure desktop, 5 = Prompt without requiring a password. MSPs should set this to 2 for maximum security.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Admin Tpl · Computer

Exclude specific KB articles from installation

Prevents driver updates through Windows Update. Allows MSPs to control driver deployment separately.

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

Require Administrator Password for Elevation

Specifies whether administrators must enter credentials to elevate. Value 1 enforces a password prompt on the secure desktop. Critical for audit trails.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

Only Elevate Signed Executables

Only allows elevation of digitally signed executables. Prevents unsigned malware from elevating privileges. Essential for MSP security hardening.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

Run All Administrators in Admin Approval Mode

Enables UAC for all administrators. When disabled, removes all UAC protections and elevation prompts. MSPs must keep this enabled for compliance.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

Detect Application Installations and Prompt for Elevation

Shows a UAC prompt on the secure desktop when Windows detects an installer package being executed. Critical for preventing unauthorized software deployment.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

Allow Delegating Saved Credentials

Controls whether saved credentials can be delegated to other machines. Should remain disabled to prevent lateral movement attacks.

Computer Configuration > Administrative Templates > System > Credentials Delegation

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

CredSSP Encryption Oracle Remediation

Prevents exploitation of CVE-2018-0886 by blocking encryption oracle attacks during credential delegation. Should be left at 0 (Vulnerable) only for legacy systems.

Computer Configuration > Administrative Templates > System > Credentials Delegation

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

Virtualize File and Registry Write Failures to Per-User Locations

Redirects legacy application write failures to user-writable locations instead of blocking them. Improves app compatibility while maintaining security.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

Enable Virtualization Based Security

Enables Virtualization Based Security, which isolates sensitive code execution in a hypervisor-protected virtual environment. Prevents kernel attacks from accessing protected system memory.

Computer Configuration > Administrative Templates > System > Device Guard

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

Enable DMA Port Protection

Blocks DMA (Direct Memory Access) attacks from Thunderbolt, USB, and FireWire devices. Prevents hardware-based privilege escalation.

Computer Configuration > Administrative Templates > System > Device Guard

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

Behavior of Elevation Prompt for Standard Users

Controls standard user elevation: 0 = Auto-deny without prompt, 1 = Prompt for credentials. MSPs typically set this to 0 to prevent privilege escalation.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

Require Kerberos Authentication for Credential Delegation

Enforces Kerberos protocol for credential delegation instead of NTLM. Improves security by using modern authentication mechanisms.

Computer Configuration > Administrative Templates > System > Credentials Delegation

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

Restrict Delegation to Remote Servers Only

When enabled, enforces Restricted Admin mode, which prevents credential caching on the remote host. Critical for preventing pass-the-hash and credential theft attacks.

Computer Configuration > Administrative Templates > System > Credentials Delegation

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Security · Computer

Disallow Saving Credentials or .NET Passport Credentials

Prevents Windows Credential Manager from storing passwords. Forces users to enter credentials each time, improving security for multi-user environments.

Computer Configuration > Administrative Templates > System > Credentials Delegation

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Read reference →
Page 12 of 23 · 548 policies