Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Block OLE object execution in Office
Blocks embedded objects (DLLs, executables) in Office documents. Closes a common malware delivery vector used in targeted attacks.
User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > OLE
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Require PIN for Office password reset
Adds second factor to password reset process. Prevents account takeover even if primary credentials are compromised.
User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > Authentication
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable changing desktop wallpaper
Prevents users from changing wallpaper. Setting to 1 enforces locked wallpaper. MSPs use for branding kiosk systems.
User Configuration > Administrative Templates > Desktop
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enforce desktop wallpaper
Sets company wallpaper across all managed desktops. Enforces brand consistency and corporate identity in MSP environments.
User Configuration > Policies > Administrative Templates > Desktop > Desktop
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Hide specific drives in My Computer
Hides specified drives from Windows Explorer. MSPs use this to prevent access to sensitive partitions on kiosk or shared systems.
User Configuration > Administrative Templates > Windows Components > Windows Explorer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Custom User Interface (Shell Replacement)
Replaces default Windows Explorer shell with custom application. MSPs use this to lock down kiosk systems or special-purpose devices to single applications.
User Configuration > Administrative Templates > System
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Remove context menu items
Removes context menu from desktop. Setting to 1 disables right-click menus. MSPs use this to simplify kiosk user interfaces.
User Configuration > Administrative Templates > Desktop
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Remove Settings from Settings App
Controls which Settings pages users can access. MSPs restrict this to prevent system configuration changes on shared devices.
User Configuration > Administrative Templates > Control Panel > Settings
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable Task Manager
Disables Task Manager access via Ctrl+Alt+Del. Setting to 1 hides Task Manager. Critical for MSPs preventing users from terminating kiosk applications.
User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable lock screen
Disables Windows lock screen. Setting to 1 goes directly to login. MSPs use on kiosk systems to speed up boot.
User Configuration > Administrative Templates > Control Panel > Personalization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure color scheme
Sets system color scheme company-wide. Enforces accessibility standards and visual consistency.
User Configuration > Policies > Administrative Templates > Desktop > Personalization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Restrict Run dialog access
Disables Run dialog (Win+R). Setting to 1 hides the dialog. Essential for MSPs preventing command execution on locked-down kiosk systems.
User Configuration > Administrative Templates > System
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable Command Prompt
Disables Command Prompt completely. Setting to 2 disables for all users. Critical for MSPs preventing script execution and system administration.
User Configuration > Administrative Templates > System
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Restrict Control Panel access
Restricts Control Panel access to specific applets. Setting to 1 limits available options. MSPs use this to prevent users from changing system settings.
User Configuration > Administrative Templates > Control Panel
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Hide notification area icons
Hides system tray notification area. Setting to 1 simplifies taskbar. MSPs use on kiosk systems to reduce user confusion.
User Configuration > Administrative Templates > Start Menu and Taskbar
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Remove redirected folders on policy removal
Controls whether redirected folders remain on network or are removed when folder redirection policy is deleted. Prevents accidental data loss for MSP-managed environments.
User Configuration > Policies > Administrative Templates > System > Folder Redirection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Reconnect at logon
Automatically reconnect mapped network drives at user logon. Critical for MSP clients relying on persistent drive mappings for shared resources and file access.
User Configuration > Policies > Administrative Templates > Windows Components > File Sharing
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Remove Drive letters for removable media
Hides specified drive letters from File Explorer and My Computer. Enhances security by restricting access to removable media in MSP-managed environments.
User Configuration > Policies > Administrative Templates > Windows Components > File Explorer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent access to drives via My Computer
Prevents users from accessing specified drive letters through Windows Explorer. Restricts data access to enforce information governance policies.
User Configuration > Policies > Administrative Templates > Windows Components > File Explorer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prohibit user from manually creating offline files
Prevents users from creating offline file shortcuts manually. Enforces centralized offline file management policies in MSP-controlled environments.
User Configuration > Policies > Administrative Templates > Network > Offline Files
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Run logoff scripts asynchronously
Enables asynchronous execution of logoff scripts to speed up logout process without waiting for completion.
User Configuration > Policies > Administrative Templates > System > Scripts
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable popup blocker
Enables IE popup blocker to prevent malicious popups. Standard security baseline for MSP-managed client environments.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure SmartScreen for phishing detection
Enables real-time SmartScreen filter for phishing and malware detection. Critical security control for protecting client data and credentials.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Phishing Filter
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Run logon scripts visible
Controls visibility of logon script execution window. Keep hidden in production to reduce visual clutter during logon process.
User Configuration > Policies > Administrative Templates > System > Scripts
Supported on Windows 10, Windows 11, Windows Server 2016 and later
