Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Control microphone access in Application Guard
Blocks microphone access from Application Guard. Prevents unauthorized audio recording of sensitive discussions.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure Enterprise Mode site list
Applies enterprise mode to specified sites for legacy application compatibility. Critical for supporting older internal web applications.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Compatibility View
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable IPv6
Disables IPv6 protocol if not needed in legacy environments. Reduces protocol overhead and attack surface on IPv4-only networks.
Computer Configuration > Policies > Administrative Templates > Network > TCP/IP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable mDNS (Multicast DNS)
Disables multicast DNS resolution for simplification and security in managed networks. Reduces protocol complexity.
Computer Configuration > Policies > Administrative Templates > Network > mDNS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure SNMP service binding
Determines RFC 1156 compliance for SNMP agent. Enable for standard SNMP monitoring tool compatibility.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable LLMNR protocol
Disables Link-Local Multicast Name Resolution to prevent name spoofing attacks. Important security hardening for MSP clients.
Computer Configuration > Policies > Administrative Templates > Network > DNS Client
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure intranet zone sites
Defines which sites are treated as intranet for security zone purposes. Enables lower security restrictions for trusted internal resources.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure permitted SNMP managers
Specifies IP addresses or hostnames of SNMP management systems allowed to query this device. Restricts SNMP access in MSP monitoring environments.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure SNMP community strings
Sets SNMP community strings for authentication. MSPs should use strong, rotated community strings for security.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure IPv6 transition technologies
Controls IPv6 transition mechanism behavior. Manages coexistence between IPv4 and IPv6 in mixed-mode networks.
Computer Configuration > Policies > Administrative Templates > Network > TCP/IP > IPv6 Transition
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure WPAD settings
Controls Web Proxy Auto-Discovery protocol. Disable to prevent automatic proxy configuration from DHCP/DNS.
Computer Configuration > Policies > Administrative Templates > Network > Web Proxy Auto-Discovery
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure NetBIOS over TCP/IP
Sets NetBIOS mode (enabled, disabled, or DHCP configured). Disable in modern networks; keep for legacy SMB protocols.
Computer Configuration > Policies > Administrative Templates > Network > NetBIOS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure SNMP sysContact and sysLocation
Sets system contact and location information for SNMP queries. Helps identify devices in MSP monitoring dashboards.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Control camera access in Application Guard
Blocks camera access from Application Guard. Prevents unauthorized video capture of sensitive information.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure Application Guard audit logging
Enables detailed logging of Application Guard activities. Critical for compliance and security investigation in MSP environments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Allow Windows Sandbox networking
Enables network access from Sandbox for testing networked applications. Disable for isolated testing scenarios.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Sandbox
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Enable Windows Sandbox
Enables isolated sandbox environment for testing untrusted applications. Valuable for MSPs testing patches and software before deployment.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Sandbox
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure network isolation for Application Guard
Isolates Application Guard network traffic from host network. Prevents untrusted sites from accessing internal resources.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Require secure SNMP authentication
Sends authentication failure traps for invalid SNMP access attempts. Enables security monitoring of SNMP access.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Allow clipboard sharing in Application Guard
Controls clipboard access between Application Guard and host. Limited access reduces data exfiltration risk.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure CRL timeout settings
Sets timeout in seconds for CRL retrieval attempts. Balances validation accuracy with network performance.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Revocation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Prevent changing lock screen image
Prevents users from modifying lock screen. Ensures security messages and company information remain visible.
Computer Configuration > Policies > Administrative Templates > Windows Components > Personalization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure printing behavior in Application Guard
Disables printing from Application Guard to prevent document leakage. Balances usability with security requirements.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Allow file downloads in Application Guard
Controls file download permissions in Application Guard. Disable downloads to prevent malicious file execution on host.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →