Anavem

Group Policy Reference

A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.

What is a Group Policy?

A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.

Admin Tpl · Computer

Network access: Restrict anonymous access to shares

Blocks anonymous share enumeration and access. Setting to 1 requires authentication. Essential for MSPs protecting file shares.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · User

Configure color scheme

Sets system color scheme company-wide. Enforces accessibility standards and visual consistency.

User Configuration > Policies > Administrative Templates > Desktop > Personalization

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · User

Restrict Run dialog access

Disables Run dialog (Win+R). Setting to 1 hides the dialog. Essential for MSPs preventing command execution on locked-down kiosk systems.

User Configuration > Administrative Templates > System

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · User

Disable Command Prompt

Disables Command Prompt completely. Setting to 2 disables for all users. Critical for MSPs preventing script execution and system administration.

User Configuration > Administrative Templates > System

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Let Everyone permissions apply to anonymous users

Controls whether the Everyone group includes anonymous users. Keep at 0 to deny anonymous access. Critical for preventing NULL session resource access.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Named Pipes that can be accessed anonymously

Lists the named pipes accessible via NULL sessions. MSPs keep this empty to prevent WMI and RPC attacks.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · User

Restrict Control Panel access

Restricts Control Panel access to specific applets. Setting to 1 limits available options. MSPs use this to prevent users from changing system settings.

User Configuration > Administrative Templates > Control Panel

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · User

Hide notification area icons

Hides system tray notification area. Setting to 1 simplifies taskbar. MSPs use on kiosk systems to reduce user confusion.

User Configuration > Administrative Templates > Start Menu and Taskbar

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Model for local account authentication

Controls guest account remote login. Setting to 1 prevents blank password authentication. Critical for MSPs preventing guest account abuse.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Restrict anonymous access to Named Pipes

Blocks NULL session connections to named pipes. Setting to 1 requires authentication. Critical for MSPs preventing WMIEXEC and admin$ enumeration.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Do not allow anonymous enumeration of computer accounts

Prevents anonymous enumeration of computer accounts. Setting to 1 blocks computer discovery. MSPs use this to prevent reconnaissance.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Remotely accessible registry paths and sub-paths

Specifies the registry subtrees that are remotely accessible. MSPs restrict these to prevent remote registry enumeration attacks.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Shares that can be accessed anonymously

Lists the shares accessible via NULL sessions. MSPs keep this empty to prevent anonymous data access and discovery.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Preferences · Computer

Disable WebDAV client

Disables WebDAV client functionality to reduce attack surface and prevent unauthorized remote file access. Recommended for high-security MSP environments.

Computer Configuration > Policies > Administrative Templates > Network > WebDAV

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Preferences · Computer

Configure offline files sync bandwidth

Sets bandwidth throttling for offline files synchronization. Prevents network congestion during sync operations in managed client environments.

Computer Configuration > Policies > Administrative Templates > Network > Offline Files

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Scripts · Computer

Run startup scripts in parallel

Enables parallel processing of multiple startup scripts for improved boot performance in complex provisioning scenarios.

Computer Configuration > Policies > Administrative Templates > System > Scripts

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Preferences · Computer

Enable file caching for network files

Controls the size of offline files cache in kilobytes. Allows configuration of local cache capacity for improved offline performance.

Computer Configuration > Policies > Administrative Templates > Network > Offline Files

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Configure DNS client settings

Sets DNS suffix search list for internal domain resolution. Enables seamless access to internal resources.

Computer Configuration > Policies > Administrative Templates > Network > DNS Client

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Remotely accessible registry paths

Specifies the registry paths that are remotely accessible. MSPs restrict these to only the necessary paths to prevent information disclosure.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network access: Insecure guest logons

Allows insecure guest authentication. Setting to 0 requires secure auth. Critical for MSPs preventing credential relay attacks.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later
