Anavem

Group Policy Reference

A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.

What is a Group Policy?

A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.

Software · Computer

AppLocker - Windows Installer Rules

Controls which .msi, .msp, .mst files can run.

Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Windows Installer Rules

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Software · Computer

AppLocker - Packaged App Rules

Controls which Windows Store (MSIX/AppX) apps can run.

Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Packaged App Rules

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Require Network Level Authentication for Remote Connections

Requires NLA before establishing a full RDP session. Reduces exposure of the login screen.

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Set Time Limit for Active but Idle Sessions

Disconnects idle RDP sessions after the specified time.

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Require Use of Specific Security Layer for Remote Desktop Connections

Enforces TLS for RDP connections. Prevents downgrade attacks.

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Point and Print Restrictions

Controls whether users get UAC prompts when installing drivers via Point and Print.

Computer Configuration > Administrative Templates > Printers

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

No Auto-Restart with Logged-On Users

Prevents automatic restart while users are logged in.

Computer Configuration > Administrative Templates > Windows Components > Windows Update

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Configure Automatic Updates

Controls how Windows Update downloads and installs updates. Value 4 is the standard managed setting.

Computer Configuration > Administrative Templates > Windows Components > Windows Update

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Set Time Limit for Disconnected Sessions

Terminates disconnected RDP sessions after a set period.

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Do Not Allow Clipboard Redirection

Disables clipboard sharing between RDP client and server.

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Allow Basic Authentication (WinRM Client)

When disabled, prevents the WinRM client from using Basic authentication.

Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Client

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Allow Unencrypted Traffic (WinRM Service)

When disabled, prevents WinRM from sending or receiving unencrypted traffic.

Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Service

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Allow Basic Authentication (WinRM Service)

Basic authentication sends credentials Base64-encoded, which is essentially plaintext. This setting should be disabled.

Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Service

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Do Not Allow Drive Redirection

Prevents local drives from being mapped in RDP sessions. Reduces data exfiltration risk.

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Disallow Digest Authentication

Digest authentication sends credentials in a format that can be cracked offline.

Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Client

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Remove Access to Use All Windows Update Features

Prevents users from accessing Windows Update directly. Forces use of WSUS.

Computer Configuration > Administrative Templates > Windows Components > Windows Update

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Firewall · Computer

Windows Firewall: Private Profile: Firewall State

Ensures Windows Firewall is enabled for private network connections.

Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Private Profile

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Allow Print Spooler to Accept Client Connections

Disabling this mitigates PrintNightmare (CVE-2021-1675) by preventing remote access to the spooler.

Computer Configuration > Administrative Templates > Printers

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Limits Print Driver Installation to Administrators

Prevents non-admins from installing printer drivers. Mitigates PrintNightmare.

Computer Configuration > Administrative Templates > Printers

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Specify Intranet Microsoft Update Service Location

Points clients to an internal WSUS server instead of Windows Update.

Computer Configuration > Administrative Templates > Windows Components > Windows Update

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Deny Log On Locally

Explicitly prevents specified accounts from logging on interactively.

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment

Supported on Windows 10, Windows 11, Windows Server 2016 and later
