Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Block Persistence Through WMI Event Subscription
Prevents malware from establishing persistence using WMI Event Subscriptions. Blocks malware from surviving reboots.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Block Abuse of Exploited Vulnerable Drivers
Prevents execution of vulnerable drivers that can be exploited for privilege escalation. Blocks vulnerable driver abuse attacks.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Heap Protection
Implements heap randomization and protection mechanisms. Prevents heap-based buffer overflow attacks from modifying heap metadata.
Computer Configuration > Administrative Templates > System > Exploit Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Block Execution of Potentially Obfuscated Scripts
Detects and blocks obfuscated PowerShell and VBScript payloads. Prevents script-based malware that attempts to hide its true intent.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Real-Time Protection
Enables real-time scanning of files as they are accessed or modified. Provides immediate detection and blocking of malware.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Behavior Monitoring
Monitors suspicious behavioral patterns even if malware signatures are unknown. Detects zero-day and advanced threats.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Potentially Unwanted Application (PUA) Protection
Detects and removes potentially unwanted applications like adware and spyware. Protects the system from unwanted software.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Scheduled Scan Day
Specifies the day for scheduled full scans (0=Sunday). MSPs should set this to an off-hours day.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Scan
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Specify the Type of Scans to Run
Configures the scan type: 1=Quick scan, 2=Full scan. MSPs should set this to 2 for complete system protection, or 1 for faster scans.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Scan
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Definition Update Sources
Specifies the order of sources for signature updates. The order should prioritize MMPC and MOMAAS for reliable updates. Critical for maintaining protection.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Signature Updates
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Mandatory ASLR
Forces ASLR on all processes, even those not compiled with ASLR support. Increases randomization coverage across the system.
Computer Configuration > Administrative Templates > System > Exploit Guard > Exploit Guard > Exploit protection settings
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Controlled Folder Access
Protects important folders from unauthorized modification by malware. Blocks ransomware from encrypting user documents and files.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Structured Exception Handling Overwrite Protection (SEHOP)
Validates exception handlers during runtime. Prevents SEH-based buffer overflow exploits from hijacking exception handling.
Computer Configuration > Administrative Templates > System > Exploit Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable WPA2-Personal encryption for wireless networks
Enforces minimum WPA2 encryption for wireless connections. Critical security requirement for MSP compliance standards.
Computer Configuration > Administrative Templates > Network > 802.11 Wireless Networking
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Control Flow Guard (CFG)
Enables CFG which validates indirect code jumps. Prevents ROP (Return-Oriented Programming) attacks that use code gadgets.
Computer Configuration > Administrative Templates > System > Exploit Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Force ASLR for Images
Applies ASLR to all images and DLLs system-wide. Ensures consistent address randomization across all loaded modules.
Computer Configuration > Administrative Templates > System > Exploit Guard > Exploit Guard > Exploit protection settings
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Exclusions by File Extension
Specifies file extensions to exclude from scanning. MSPs should configure these sparingly to avoid security gaps. Document all exclusions.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Exclusions
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Address Space Layout Randomization (ASLR)
Randomizes memory addresses of system components at boot. Makes it difficult for exploits to predict memory locations and execute code.
Computer Configuration > Administrative Templates > System > Exploit Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Data Execution Prevention (DEP)
Enables DEP which marks memory regions as non-executable. Prevents code injection attacks from executing arbitrary code in data regions.
Computer Configuration > Administrative Templates > System > Data Execution Prevention
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prohibit connection to non-domain networks
Prevents users from connecting to non-domain networks when a domain network is available. Critical for MSP clients requiring network segmentation and preventing unauthorized network access.
Computer Configuration > Administrative Templates > Network > Windows Connection Manager
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Wireless network adapters shall not have roaming between access points
Controls wireless roaming behavior. Helps MSPs maintain stable connections and prevent association with unmanaged networks.
Computer Configuration > Administrative Templates > Network > WlanSvc
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prohibit access to properties of a user
Prevents users from modifying wireless network properties. Ensures MSP-managed wireless profiles remain unchanged by end users.
Computer Configuration > Administrative Templates > Network > Windows Connection Manager
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Force device tunnel for Always On VPN
Enforces system-level VPN tunnel before user logon. Critical for MSPs requiring zero-trust network access.
Computer Configuration > Administrative Templates > Network > RAS > Connection Manager
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent Child Processes from Bypassing Exploit Protection
Forces child processes to inherit parent process exploit protections. Prevents malware from disabling protections in spawned processes.
Computer Configuration > Administrative Templates > System > Exploit Guard > Exploit Guard > Exploit protection settings
Supported on Windows 10, Windows 11, Windows Server 2016 and later
