Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
LDAP channel binding token requirements
Enforce LDAP channel binding on domain controllers to prevent LDAP relay attacks. Setting to 2 enforces channel binding requirements. Essential for MSPs protecting against modern authentication attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Turn off System Restore
Disables System Restore to free disk space. MSPs typically use backup solutions instead of System Restore.
Computer Configuration > Administrative Templates > System > System Restore
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Do not display last user name on logon screen
Hides last logged-in username. Reduces information disclosure for MSP security compliance.
Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Set error reporting consent level
Requires explicit user consent for error reporting. Prevents automatic crash data transmission from MSP clients.
Computer Configuration > Administrative Templates > Windows Components > Windows Error Reporting
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Domain Controller: Restrict NTLM: NTLM authentication in this domain
Restricts NTLM usage in the domain at DC level. Setting to 4 denies NTLM and logs attempts. Critical for MSPs enforcing domain-wide Kerberos migration.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable automatic data collection for known issues
Prevents automatic data collection for known problems. Reduces privacy exposure for MSP clients.
Computer Configuration > Administrative Templates > Windows Components > Windows Error Reporting
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure error report upload frequency
Controls how often queued reports are uploaded. MSPs can reduce network impact by decreasing frequency.
Computer Configuration > Administrative Templates > Windows Components > Windows Error Reporting
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent Windows from automatically sending diagnostic data
Disables telemetry data collection. Essential for MSP privacy compliance and reducing data exfiltration.
Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Limit error report archive depth
Limits stored error reports to conserve disk space. Prevents storage exhaustion on MSP-managed systems.
Computer Configuration > Administrative Templates > Windows Components > Windows Error Reporting
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow floppy copy of Recovery Console
Prevents copying Recovery Console to removable media. Protects against unauthorized system recovery attempts.
Computer Configuration > Administrative Templates > System > Recovery Console
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent access to Safe Mode
Blocks access to Safe Mode boot options. Prevents unauthorized troubleshooting on MSP-managed systems.
Computer Configuration > Administrative Templates > System > Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent creation of diagnostic memory dumps
Disables automatic crash dump generation to save disk space. MSPs can enable selectively when debugging.
Computer Configuration > Administrative Templates > System > Startup and Recovery
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable disk quotas
Enables disk quota enforcement on NTFS volumes. Essential for MSPs managing shared storage and preventing runaway disk usage.
Computer Configuration > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Set default disk quota warning level
Triggers warning at 750MB before hitting quota. Gives MSP users time to clean up before quota enforcement.
Computer Configuration > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent System Restore configuration changes
Prevents users from modifying System Restore settings. Ensures MSP-controlled system recovery policies.
Computer Configuration > Administrative Templates > System > System Restore
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow recovery console access
Permits Recovery Console access for authorized administrators. Critical for MSP emergency system recovery.
Computer Configuration > Administrative Templates > System > Recovery Console
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: Restrict NTLM: Incoming NTLM traffic
Restricts incoming NTLM authentication on the computer. Setting to 2 denies NTLM traffic. Critical for MSPs eliminating legacy authentication vectors in client environments.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure crash dump location
Specifies where crash dumps are saved. Allows MSPs to collect dumps for analysis.
Computer Configuration > Administrative Templates > System > Startup and Recovery
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Set automatic reboot timeout after crash
Automatically reboots after critical failure. Reduces downtime for MSP production systems.
Computer Configuration > Administrative Templates > System > Startup and Recovery
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent access to Windows Recovery Environment
Controls access to WinRE for recovery operations. MSPs typically enable for legitimate troubleshooting.
Computer Configuration > Administrative Templates > System > Windows Recovery Environment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Set default disk quota limit
Establishes default 1GB quota per user. Allows MSPs to standardize storage allocation across organizations.
Computer Configuration > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Log event when quota limit exceeded
Logs critical events when quota is exceeded. Allows MSPs to track quota violations.
Computer Configuration > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Logon message banner text
Defines legal notice displayed at logon. Essential for MSP legal compliance and access policies.
Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Log event when quota threshold exceeded
Logs warning events when approaching quota. Enables MSP monitoring of disk usage patterns.
Computer Configuration > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
