Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Configure Windows Sandbox audio support
Disables audio input in sandbox environment. Prevents audio recording and reduces complexity in test environments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Sandbox
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Application Guard graphics virtualization
Enables GPU virtualization in Application Guard for improved performance. Requires compatible graphics hardware.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Windows Sandbox video capture
Disables video input in sandbox to prevent camera access in isolated test environments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Sandbox
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable CRL checking for certificate validation
Checks Certificate Revocation Lists (CRLs) so that revoked certificates are rejected during validation. Critical for preventing compromised certificate usage.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Revocation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable certificate auto-renewal
Automatically renews certificates before expiration. Prevents certificate expiration outages in production environments.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable certificate auto-enrollment
Automatically enrolls computers for certificates from enterprise PKI. Simplifies certificate lifecycle management in MSP environments.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure certificate path validation
Enables full validation of certificate chains. Ensures certificate trust chain integrity for all SSL connections.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure trusted root CA distribution
Distributes trusted root certificates to managed computers. Essential for SSL/TLS verification of internal and partner services.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure OCSP settings for certificate validation
Enables Online Certificate Status Protocol for real-time revocation checking. More efficient than CRL for high-volume environments.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Revocation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable weak SSL/TLS protocols
Disables SSL 2.0, SSL 3.0, and TLS 1.0 to enforce modern TLS versions. Essential security hardening for modern environments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enforce certificate pinning for specific domains
Pins specific certificates to domains to prevent MITM attacks. Protects users from certificate hijacking attacks.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Require strong certificate key length
Sets minimum RSA key length for certificate validation. Modern default of 2048 bits prevents weak certificate acceptance.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Cryptography Settings
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure OCSP responder URL
Specifies custom OCSP responder for certificate status checking. Enables private PKI environments with dedicated OCSP infrastructure.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Revocation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure certificate signature algorithms
Restricts accepted certificate signature algorithms to modern standards. Prevents downgrade attacks to weak algorithms.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Cryptography Settings
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enforce lock screen image
Sets company lock screen image on all devices. Displays corporate messaging and security information at logon screen.
Computer Configuration > Policies > Administrative Templates > Windows Components > Personalization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure default font
Sets system-wide default font for consistency. Ensures readability and accessibility standards are met.
Computer Configuration > Policies > Administrative Templates > Windows Components > Display
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable file search indexing in File Explorer
Disables indexing of encrypted files and protected stores. Protects sensitive data privacy in File Explorer searches.
Computer Configuration > Policies > Administrative Templates > Windows Components > Search
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable thumbnail caching
Disables creation of thumbnail cache files. Protects privacy and reduces disk usage by preventing thumbnail generation.
Computer Configuration > Policies > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable Previous Versions tab
Hides Previous Versions tab in file properties. Prevents users from accessing old versions of files for security.
Computer Configuration > Policies > Administrative Templates > System > File Replication Service
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable shortcut resolution for network paths
Prevents automatic resolution of broken shortcuts to network paths. Improves security by blocking silent reconnection attempts.
Computer Configuration > Policies > Administrative Templates > System > Control Panel
Supported on Windows 10, Windows 11, Windows Server 2016 and later
