Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
DEP Mode for 32-bit Applications
Applies DEP to 32-bit applications for legacy compatibility. Provides protection even for older applications.
Computer Configuration > Administrative Templates > System > Data Execution Prevention
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow network discovery on public networks
Prevents network discovery on public networks. Reduces attack surface for MSP-managed endpoints on untrusted networks.
Computer Configuration > Administrative Templates > Network > Windows Connection Manager
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Minimize the number of simultaneous connections to the Internet or a Windows Domain
Limits simultaneous connections to prevent bandwidth waste and potential security issues. Helps MSPs enforce efficient network resource utilization.
Computer Configuration > Administrative Templates > Network > Windows Connection Manager
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Block Wi-Fi hotspot 2.0 networks
Disables Hotspot 2.0 network connections. Prevents automatic connection to public hotspots, critical for MSP security policies.
Computer Configuration > Administrative Templates > Network > WlanSvc
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prohibit connection to ad-hoc networks
Blocks creation and connection to ad-hoc wireless networks. Ensures network traffic flows through MSP-approved infrastructure.
Computer Configuration > Administrative Templates > Network > WlanSvc
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow Windows to connect to suggested networks
Disables automatic connection to Wi-Fi Sense networks. Prevents connection to open networks shared by contacts, protecting client security.
Computer Configuration > Administrative Templates > Network > WlanSvc
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable DNS registration for Always On VPN
Automatically registers VPN connection IP with DNS. Enables proper name resolution for MSP-managed remote clients.
Computer Configuration > Administrative Templates > Network > VPN
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure VPN reconnection behavior on connection loss
Automatically reconnects VPN after connection loss. Ensures continuous secure connectivity for MSP clients.
Computer Configuration > Administrative Templates > Network > VPN
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure VPN encapsulation type
Enforces maximum encryption for IPSec tunnels. Critical for MSP security compliance requirements.
Computer Configuration > Administrative Templates > Network > RAS > IPSec
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Require authentication on VPN connection
Forces user authentication for VPN connections. Strengthens access control in MSP-managed environments.
Computer Configuration > Administrative Templates > Network > VPN
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Turn off Windows Portable Devices notification
Prevents notification and auto-installation of portable devices. Reduces security risks from USB and mobile devices in MSP-managed environments.
Computer Configuration > Administrative Templates > System > Device Installation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent use of On-Demand DFS
Disables on-demand DFS connections. Prevents unexpected network reconnections that could bypass MSP network controls.
Computer Configuration > Administrative Templates > Network > DFS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable hibernation
Enables hibernation as a sleep option. Provides power conservation without losing work state for MSP clients.
Computer Configuration > Administrative Templates > System > Power Management > Sleep Settings
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure trusted networks for Always On VPN
Specifies networks where VPN disconnection is allowed. Allows MSPs to exempt company networks from VPN requirement.
Computer Configuration > Administrative Templates > Network > VPN
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent use of Internet Connection Sharing
Disables Internet Connection Sharing. Prevents endpoints from acting as unauthorized network access points.
Computer Configuration > Administrative Templates > Network > Internet Connection Sharing
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent dial-up connections outside of VPN
Blocks direct dial-up bypassing VPN. Ensures all remote connections use MSP-approved secure channels.
Computer Configuration > Administrative Templates > Network > RAS > Connection Manager
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Turn off autoplay for all drives
Disables autoplay on all removable media. Reduces malware infection vector and enforces MSP security posture.
Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Set display timeout on battery power
Reduces display timeout on battery to conserve power. Extends battery life for mobile MSP clients.
Computer Configuration > Administrative Templates > System > Power Management > Video and Display Settings
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable split tunneling for Always On VPN
Controls whether non-VPN traffic can bypass tunnel. MSPs typically disable to force all traffic through VPN.
Computer Configuration > Administrative Templates > Network > VPN
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable automatic VPN trigger on untrusted networks
Prevents automatic VPN connection on network changes. Gives MSPs explicit control over when VPN activates.
Computer Configuration > Administrative Templates > Network > VPN
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable Fast Startup
Disables Fast Startup to ensure clean system state. Important for MSPs performing system maintenance and updates.
Computer Configuration > Administrative Templates > System > Shutdown Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable VPN reconnect on network change
Reconnects VPN when network topology changes. Maintains continuous security for mobile MSP clients.
Computer Configuration > Administrative Templates > Network > VPN
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Turn off hard disk after X minutes
Powers down hard disk after inactivity to save energy. Reduces power consumption in MSP-managed deployments.
Computer Configuration > Administrative Templates > System > Power Management > Hard Disk Settings
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure VPN idle disconnect timeout
Automatically disconnects idle VPN sessions after timeout. Reduces security exposure for MSP-managed systems.
Computer Configuration > Administrative Templates > Network > RAS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
