Anavem

Group Policy Reference

A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.

What is a Group Policy?

A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.

Admin Tpl · Computer

Task Scheduler: Prevent task run suppression

Prevents disabling task execution. Setting to 1 forces tasks to run. MSPs enable this for critical remediation and monitoring tasks.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Task Scheduler: Prevent browse to UNC paths

Prevents users from browsing UNC paths in the Task Scheduler UI. Setting to 1 disables browsing. MSPs use this to prevent information disclosure.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Shares that can be accessed anonymously

Lists shares accessible via NULL sessions. MSPs keep this empty to prevent anonymous share enumeration and data exposure.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Task Scheduler: Configure task scheduler service startup

Controls the Task Scheduler service startup type. Keep at 2 (Automatic) for normal operation. MSPs monitor this to ensure automatic task execution.

Computer Configuration > Windows Settings > Security Settings > System Services

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Restrict anonymous enumeration of SAM accounts

Prevents anonymous users from enumerating the SAM database. Setting to 1 blocks enumeration. Essential for MSPs preventing account discovery attacks.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Configure SNMP trap destinations

Specifies SNMP trap destinations for event forwarding. Essential for centralized SNMP monitoring in managed networks.

Computer Configuration > Policies > Administrative Templates > Network > SNMP

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Restrict anonymous enumeration of shares

Blocks anonymous enumeration of shares. Setting to 1 requires authentication for share browsing. MSPs use this to prevent discovery of sensitive shares.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Task Scheduler: Deny user tasks

Prevents non-administrators from creating scheduled tasks. Setting to 1 disables user task creation. Critical for MSPs preventing malware persistence via task scheduling.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Task Scheduler: UNC hardened access paths

Restricts task access to UNC paths requiring authentication. Setting to 1 prevents NULL session task execution. MSPs use this to prevent remote malware execution.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

SMB Bandwidth Limiting

Limits SMB throughput as a percentage of bandwidth. Value 20 reserves 80% for other traffic. MSPs use this to prevent ransomware lateral movement.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Task Scheduler: Audit task execution

Enables auditing of scheduled task execution. Setting to 1 logs all task runs. Critical for MSPs detecting malware execution via task scheduler.

Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Restrict anonymous enumeration of SAM accounts

Prevents anonymous users from enumerating the SAM database. Setting to 1 requires authentication. Essential for MSPs blocking user account discovery attacks.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Task Scheduler: Prevent task property page modification

Prevents users from modifying task properties. Setting to 1 disables property edits. MSPs use this to prevent malware from modifying monitoring tasks.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Task Scheduler: Task execution policy (restricted)

Restricts task execution to authorized users only. Setting to 1 enables restrictions. Critical for MSPs preventing unauthorized task launches.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Task Scheduler: Hide property pages

Hides task property pages from non-administrators. Setting to 1 prevents visibility. MSPs use this to hide sensitive task configurations.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Task Scheduler: Cache task run results

Caches task execution results for audit purposes. Setting to 1 enables caching. MSPs use this to detect task execution anomalies.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Task Scheduler: Run only interactive tasks

Restricts tasks to interactive sessions only. Keep at 0 to allow background tasks. MSPs enable this only on high-security kiosk systems.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Restrict anonymous enumeration of SAM accounts and shares

Restricts anonymous SAM and share enumeration. Setting to 2 requires authentication for enumeration. Critical for MSPs blocking reconnaissance attacks.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Restrict anonymous access to shares

Blocks anonymous share enumeration and access. Setting to 1 requires authentication. Essential for MSPs protecting file shares.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Let Everyone permissions apply to anonymous users

Controls whether the Everyone group includes anonymous users. Keep at 0 to deny anonymous access. Critical for preventing NULL session resource access.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Named Pipes that can be accessed anonymously

Lists named pipes accessible via NULL sessions. MSPs keep this empty to prevent WMI and RPC attacks.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Model for local account authentication

Controls guest account remote login. Setting to 1 prevents blank password authentication. Critical for MSPs preventing guest account abuse.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Restrict anonymous access to Named Pipes

Blocks NULL session connections to named pipes. Setting to 1 requires authentication. Critical for MSPs preventing WMIEXEC and admin$ enumeration.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Do not allow anonymous enumeration of computer accounts

Prevents anonymous enumeration of computer accounts. Setting to 1 blocks computer discovery. MSPs use this to prevent reconnaissance.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Page 20 of 23 · 548 policies