Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Controls outgoing NTLM usage on the computer. Setting to 2 blocks NTLM for remote connections. Essential for MSPs preventing clients from authenticating to NTLM-only systems.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: NTLM SSP Security: Minimum session security
Enforces 128-bit encryption and NTLMv2 session security. Value 537133056 enables both requirements. MSPs use this to prevent downgrade attacks on client authentication.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: LAN Manager authentication level
Sets minimum NTLM authentication level. Level 5 requires NTLMv2/Kerberos. MSPs set this to eliminate LM hash weaknesses and legacy protocol support.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: Allow LocalSystem NULL session fallback
Controls whether LocalSystem can fall back to NULL sessions. Setting to 0 disables fallback. MSPs use this to force authenticated sessions throughout infrastructure.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
RPC Endpoint Mapper: Authentication level for unauthenticated connections
Requires authentication for RPC endpoint mapper queries. Setting to 1 enforces authentication. Critical for MSPs preventing RPC enumeration attacks on client systems.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit: Audit Other Account Logon Events
Audits NTLM-based authentications and other account logon attempts. Setting to 3 logs both success and failure. Essential for MSPs detecting compromised credentials in client environments.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies
Supported on Windows 10, Windows 11, Windows Server 2016 and later
DCOM: Authentication Level
Sets DCOM authentication level to Packet Privacy (6). Requires encryption of all DCOM traffic. Critical for MSPs protecting sensitive RPC/DCOM communications.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable RPC Connection Pooling
Disables RPC connection pooling. Setting to 1 requires new connections per request, reducing session hijacking. MSPs use this to harden RPC security.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network Access: UNC Hardened Access (domain systems)
Restricts anonymous NULL session access to UNC paths. Setting to 1 requires authentication. Essential for MSPs blocking WMIEXEC and similar attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
DCOM: Default Impersonation Level
Sets DCOM impersonation level to Identify (3). Prevents DCOM clients from impersonating callers. MSPs use this to limit privilege escalation via DCOM.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit: Audit Kerberos Authentication Service
Tracks Kerberos authentication events on domain computers. Setting to 3 logs successes and failures. Helps MSPs monitor NTLM deprecation progress.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: Minimum password length
Sets minimum password length to prevent weak NTLM/NTLMv2 hashes. MSPs enforce 14+ characters to mitigate password cracking against hashed credentials.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
RPC: Restrict Unauthenticated RPC clients
Prevents unauthenticated RPC clients from connecting to the computer. Setting to 1 denies NULL sessions. Essential for MSPs blocking anonymous RPC exploitation.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
RPC: Enable RPC over named pipes
Controls RPC over named pipes support. Keep enabled for compatibility but combine with authentication settings. MSPs monitor this for security posture.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Insecure guest logons
Allows insecure guest authentication to SMB servers. Setting to 0 requires secure authentication. Critical for MSPs preventing credential relay on legacy networks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
DCOM: Machine Access Restrictions (Security Descriptor)
Controls DCOM access permissions at machine level. MSPs restrict this to prevent lateral movement via DCOM exploitation on client workstations.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
DCOM: Machine Launch Restrictions (Security Descriptor)
Controls who can launch DCOM applications. Restricting prevents attackers from launching DCOM objects for privilege escalation or persistence.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure RPC connection timeout
Sets RPC connection timeout in milliseconds. Value 30000 forces disconnection after 30 seconds. MSPs use this to prevent resource exhaustion.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Microsoft network server: Digitally sign communications (always)
Requires SMB signing on all connections. Setting to 1 enforces signing. Essential for MSPs preventing man-in-the-middle attacks on SMB shares.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
WMI: Restrict WMI Remote Access
Controls WMI access control behavior. Default (0) respects WMI namespace security. MSPs audit this to ensure WMI is properly restricted on client systems.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
RPC: Restrict Remote RPC Clients
Enforces restrictions on unauthenticated RPC clients connecting remotely. Setting to 1 requires authentication. Critical for MSPs preventing RPC-based lateral movement.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: SMB Encryption
Enforces SMB encryption. Value 3 requires encryption for all connections. Critical for MSPs protecting sensitive data in transit on SMB shares.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: Disable SMBv1
Disables legacy SMBv1 protocol. Setting to 0 completely disables SMBv1. Critical for MSPs eliminating WannaCry/NotPetya attack vectors from client networks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Named Pipes that can be accessed anonymously
Lists named pipes accessible via NULL sessions. MSPs keep this empty to prevent attack tools from enumerating the network.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
