Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Choose Drive Encryption Method and Cipher Strength
Sets the encryption algorithm. XTS-AES 256 is the strongest option for Windows 10/11.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Turn On Virtualization Based Security
Enables VBS, which is required for Credential Guard and HVCI. Requires UEFI and compatible hardware.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Select Platform Security Level
Sets the required platform security features for VBS.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Deny Write Access to Removable Drives Not Protected by BitLocker
Requires removable drives to be BitLocker-encrypted before allowing writes.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives
Supported on Windows 10, Windows 11, Windows Server 2016 and later

CD and DVD: Deny Write Access
Prevents burning to CD/DVD drives.
Computer Configuration > Administrative Templates > System > Removable Storage Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Credential Guard Configuration
Enables Credential Guard to protect LSASS credentials in a VBS enclave. Prevents Mimikatz-style attacks.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Prevent Installation of Devices Not Described by Other Policy Settings
Default-deny approach: only allows devices explicitly permitted by other policies.
Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Apply Layered Order of Evaluation for Allow and Prevent Device Installation Policies
Required to allow admins to override device installation restrictions.
Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Allow BitLocker Without a Compatible TPM
If enabled, allows BitLocker with just a password/USB key and no TPM.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Supported on Windows 10, Windows 11, Windows Server 2016 and later

All Removable Storage Classes: Deny All Access
Blocks all removable storage devices including USB drives, CDs, and floppies.
Computer Configuration > Administrative Templates > System > Removable Storage Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later

AppLocker - Executable Rules
Controls which .exe and .com files can run. Default rules allow standard program locations.
Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Always Prompt for Password Upon Connection
Prevents saved credentials from being used to auto-connect via RDP.
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Choose How BitLocker-Protected OS Drives Can Be Recovered
Configures recovery options including AD key escrow. Critical for MSP management.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Configure Use of Passwords for Removable Data Drives
Sets password requirements for BitLocker-protected removable drives.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Allow Installation of Devices that Match Any of These Device IDs
Allow-lists specific hardware IDs. Used with the Deny Unspecified policy.
Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Store BitLocker Recovery Information in Active Directory
Automatically backs up the BitLocker recovery key to Active Directory.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Removable Disks: Deny Write Access
Prevents writing to USB flash drives and removable disks. Stops data exfiltration via USB.
Computer Configuration > Administrative Templates > System > Removable Storage Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later

CD and DVD: Deny Read Access
Prevents reading from CD/DVD drives.
Computer Configuration > Administrative Templates > System > Removable Storage Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Removable Disks: Deny Read Access
Prevents reading from USB flash drives and removable disks.
Computer Configuration > Administrative Templates > System > Removable Storage Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Prevent Installation of Removable Devices
Prevents installation of any removable device. More comprehensive than storage-only blocks.
Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
Supported on Windows 10, Windows 11, Windows Server 2016 and later

AppLocker - Script Rules
Controls which .ps1, .bat, .cmd, .vbs, and .js files can run.
Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Script Rules
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Prevent Installation of Devices Using Drivers that Match These Device Setup Classes
Blocks device classes by GUID. Use the USB storage class GUID to block all USB storage while still allowing HID devices.
Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Turn Off AutoPlay
Disables AutoPlay for all drives including USB. Prevents autorun-based malware.
Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Deny Log On Locally
Explicitly prevents specified accounts from logging on interactively.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
