Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Enable Windows Sandbox
Enables isolated sandbox environment for testing untrusted applications. Valuable for MSPs testing patches and software before deployment.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Sandbox
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure network isolation for Application Guard
Isolates Application Guard network traffic from host network. Prevents untrusted sites from accessing internal resources.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Require secure SNMP authentication
Sends authentication failure traps for invalid SNMP access attempts. Enables security monitoring of SNMP access.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow clipboard sharing in Application Guard
Controls clipboard access between Application Guard and host. Limited access reduces data exfiltration risk.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure CRL timeout settings
Sets timeout in seconds for CRL retrieval attempts. Balances validation accuracy with network performance.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Revocation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent changing lock screen image
Prevents users from modifying lock screen. Ensures security messages and company information remain visible.
Computer Configuration > Policies > Administrative Templates > Windows Components > Personalization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure printing behavior in Application Guard
Disables printing from Application Guard to prevent document leakage. Balances usability with security requirements.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow file downloads in Application Guard
Controls file download permissions in Application Guard. Disable downloads to prevent malicious file execution on host.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Windows Sandbox audio support
Disables audio input in sandbox environment. Prevents audio recording and reduces complexity in test environments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Sandbox
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Application Guard graphics virtualization
Enables GPU virtualization in Application Guard for improved performance. Requires compatible graphics hardware.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Windows Sandbox video capture
Disables video input in sandbox to prevent camera access in isolated test environments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Sandbox
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable CRL checking for certificate validation
Checks Certificate Revocation Lists (CRLs) during validation to detect revoked certificates. Critical for preventing compromised certificate usage.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Revocation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable certificate auto-renewal
Automatically renews certificates before expiration. Prevents certificate expiration outages in production environments.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable certificate auto-enrollment
Automatically enrolls computers for certificates from enterprise PKI. Simplifies certificate lifecycle management in MSP environments.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure certificate path validation
Enables full validation of certificate chains. Ensures certificate trust chain integrity for all SSL connections.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure default File Explorer folder view
Sets default folder view to Details for all users. Provides consistent and detailed file information display.
User Configuration > Policies > Administrative Templates > Windows Components > File Explorer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure trusted root CA distribution
Distributes trusted root certificates to managed computers. Essential for SSL/TLS verification of internal and partner services.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure OCSP settings for certificate validation
Enables Online Certificate Status Protocol for real-time revocation checking. More efficient than CRL for high-volume environments.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Revocation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable weak SSL/TLS protocols
Disables SSL 2.0, SSL 3.0, and TLS 1.0 to enforce modern TLS versions. Essential security hardening for modern environments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enforce certificate pinning for specific domains
Pins specific certificates to domains to prevent MITM attacks. Protects users from certificate hijacking attacks.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Require strong certificate key length
Sets minimum RSA key length for certificate validation. Modern default of 2048 bits prevents weak certificate acceptance.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Cryptography Settings
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure OCSP responder URL
Specifies custom OCSP responder for certificate status checking. Enables private PKI environments with dedicated OCSP infrastructure.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Revocation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure certificate signature algorithms
Restricts accepted certificate signature algorithms to modern standards. Prevents downgrade attacks to weak algorithms.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Cryptography Settings
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow user certificate installation
Prevents user installation of untrusted certificates. Enforces centralized certificate management in MSP-controlled environments.
User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers
Supported on Windows 10, Windows 11, Windows Server 2016 and later
