Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Allow execution of startup scripts with partial GPO scope
Controls whether startup scripts execute if Group Policy cannot be fully applied. Set to 0 to enforce complete policy enforcement.
Computer Configuration > Policies > Administrative Templates > System > Scripts
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure security zones for trusted sites
Adds sites to trusted security zone with relaxed restrictions. Essential for MSP support of internal LOB applications requiring specific security context.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure proxy server settings
Sets centralized proxy configuration for internet traffic. Enables MSPs to enforce corporate proxy and content filtering policies.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure Application Guard for Edge
Enables Application Guard isolated browsing for Microsoft Edge. Protects against malicious websites by isolating them in containers.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Control microphone access in Application Guard
Blocks microphone access from Application Guard. Prevents unauthorized audio recording of sensitive discussions.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Prevent users from changing security zone settings
Locks down security zone configuration preventing user modification. Enforces MSP security policies on client workstations.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable changing proxy settings
Prevents users from modifying proxy configuration. Ensures consistent network traffic routing in MSP environments.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Connection Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure Enterprise Mode site list
Applies enterprise mode to specified sites for legacy application compatibility. Critical for supporting older internal web applications.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Compatibility View
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable managing certificate stores
Prevents users from managing SSL certificates. Protects certificate infrastructure in secured MSP environments.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable IPv6
Disables IPv6 protocol if not needed in legacy environments. Reduces protocol overhead and attack surface on IPv4-only networks.
Computer Configuration > Policies > Administrative Templates > Network > TCP/IP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable mDNS (Multicast DNS)
Disables multicast DNS resolution for simplification and security in managed networks. Reduces protocol complexity.
Computer Configuration > Policies > Administrative Templates > Network > mDNS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure SNMP service binding
Determines RFC 1156 compliance for SNMP agent. Enable for standard SNMP monitoring tool compatibility.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable LLMNR protocol
Disables Link-Local Multicast Name Resolution to prevent name spoofing attacks. Important security hardening for MSP clients.
Computer Configuration > Policies > Administrative Templates > Network > DNS Client
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure intranet zone sites
Defines which sites are treated as intranet for security zone purposes. Enables lower security restrictions for trusted internal resources.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Disable script debugging
Disables script debugging functionality to reduce attack surface. Prevents users from inspecting or modifying active scripts.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure permitted SNMP managers
Specifies IP addresses or hostnames of SNMP management systems allowed to query this device. Restricts SNMP access in MSP monitoring environments.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure SNMP community strings
Sets SNMP community strings for authentication. MSPs should use strong, rotated community strings for security.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure IPv6 transition technologies
Controls IPv6 transition mechanism behavior. Manages coexistence between IPv4 and IPv6 in mixed-mode networks.
Computer Configuration > Policies > Administrative Templates > Network > TCP/IP > IPv6 Transition
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure WPAD settings
Controls Web Proxy Auto-Discovery protocol. Disable to prevent automatic proxy configuration from DHCP/DNS.
Computer Configuration > Policies > Administrative Templates > Network > Web Proxy Auto-Discovery
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure NetBIOS over TCP/IP
Sets NetBIOS mode (enabled, disabled, or DHCP configured). Disable in modern networks; keep for legacy SMB protocols.
Computer Configuration > Policies > Administrative Templates > Network > NetBIOS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure SNMP sysContact and sysLocation
Sets system contact and location information for SNMP queries. Helps identify devices in MSP monitoring dashboards.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Control camera access in Application Guard
Blocks camera access from Application Guard. Prevents unauthorized video capture of sensitive information.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure Application Guard audit logging
Enables detailed logging of Application Guard activities. Critical for compliance and security investigation in MSP environments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Allow Windows Sandbox networking
Enables network access from Sandbox for testing networked applications. Disable for isolated testing scenarios.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Sandbox
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →