Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
RPC: Restrict Remote RPC Clients
Enforces restrictions on unauthenticated RPC clients connecting remotely. Setting to 1 requires authentication. Critical for MSPs preventing RPC-based lateral movement.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Network security: SMB Encryption
Enforces SMB encryption. Value 3 requires encryption for all connections. Critical for MSPs protecting sensitive data in transit on SMB shares.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Network security: Disable SMBv1
Disables legacy SMBv1 protocol. Setting to 0 completely disables SMBv1. Critical for MSPs eliminating WannaCry/NotPetya attack vectors from client networks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Network access: Named Pipes that can be accessed anonymously
Lists named pipes accessible via NULL sessions. MSPs keep this empty to prevent attack tools from enumerating the network.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Task Scheduler: Prevent task run suppression
Prevents disabling task execution. Setting to 1 forces tasks to run. MSPs enable this for critical remediation and monitoring tasks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Task Scheduler: Prevent browse to UNC paths
Prevents users from browsing UNC paths in task scheduler UI. Setting to 1 disables browsing. MSPs use this to prevent information disclosure.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Network access: Shares that can be accessed anonymously
Lists shares accessible via NULL sessions. MSPs keep this empty to prevent anonymous share enumeration and data exposure.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Task Scheduler: Configure task scheduler service startup
Controls Task Scheduler service startup type. Keep at 2 (Automatic) for normal operation. MSPs monitor this to ensure automatic task execution.
Computer Configuration > Windows Settings > Security Settings > System Services
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Hide specific drives in My Computer
Hides specified drives from Windows Explorer. MSPs use this to prevent access to sensitive partitions on kiosk or shared systems.
User Configuration > Administrative Templates > Windows Components > Windows Explorer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Network access: Restrict anonymous enumeration of SAM accounts
Prevents anonymous users from enumerating SAM database. Setting to 1 blocks enumeration. Essential for MSPs preventing account discovery attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure SNMP trap destinations
Specifies SNMP trap destinations for event forwarding. Essential for centralized SNMP monitoring in managed networks.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Network access: Restrict anonymous enumeration of shares
Blocks anonymous enumeration of shares. Setting to 1 requires authentication for share browsing. MSPs use this to prevent discovery of sensitive shares.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Task Scheduler: Deny user tasks
Prevents non-administrators from creating scheduled tasks. Setting to 1 disables user task creation. Critical for MSPs preventing malware persistence via task scheduling.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Task Scheduler: UNC hardened access paths
Restricts task access to UNC paths requiring authentication. Setting to 1 prevents NULL session task execution. MSPs use this to prevent remote malware execution.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →SMB Bandwidth Limiting
Limits SMB throughput as percentage of bandwidth. Value 20 reserves 80% for other traffic. MSPs use this to prevent ransomware lateral movement.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Task Scheduler: Audit task execution
Enables auditing of scheduled task execution. Setting to 1 logs all task runs. Critical for MSPs detecting malware execution via task scheduler.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Network access: Restrict anonymous enumeration of SAM accounts
Prevents anonymous users from enumerating SAM. Setting to 1 requires authentication. Essential for MSPs blocking user account discovery attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Task Scheduler: Prevent task property page modification
Prevents users from modifying task properties. Setting to 1 disables property edits. MSPs use this to prevent malware from modifying monitoring tasks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Task Scheduler: Task execution policy (restricted)
Restricts task execution to authorized users only. Setting to 1 enables restrictions. Critical for MSPs preventing unauthorized task launches.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Task Scheduler: Hide property pages
Hides task property pages from non-administrators. Setting to 1 prevents visibility. MSPs use this to hide sensitive task configurations.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Task Scheduler: Cache task run results
Caches task execution results for audit purposes. Setting to 1 enables caching. MSPs use this to detect task execution anomalies.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Custom User Interface (Shell Replacement)
Replaces default Windows Explorer shell with custom application. MSPs use this to lock down kiosk systems or special-purpose devices to single applications.
User Configuration > Administrative Templates > System
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Remove context menu items
Removes context menu from desktop. Setting to 1 disables right-click menus. MSPs use this to simplify kiosk user interfaces.
User Configuration > Administrative Templates > Desktop
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Remove Settings from Settings App
Controls which Settings pages users can access. MSPs restrict this to prevent system configuration changes on shared devices.
User Configuration > Administrative Templates > Control Panel > Settings
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →