
Group Policy Reference

A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.

What is a Group Policy?

A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.

Admin Tpl · Computer

Turn Off App Notifications on the Lock Screen

Prevents toast notifications from appearing on the lock screen.

Computer Configuration > Administrative Templates > System > Logon

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Specify Deadline for Automatic Updates and Restarts

Sets a deadline after which updates are automatically installed and the device restarts.

Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Turn on Module Logging

Logs PowerShell module activity. Generates event 4103. Required for PowerShell auditing.

Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Firewall · Computer

Windows Firewall: Public Profile: Inbound Connections

Default action for inbound connections on public networks.

Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Public Profile

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · User

Prevent Changing Screen Saver

Prevents users from changing screen saver settings.

User Configuration > Administrative Templates > Control Panel > Personalization

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Do Not Allow Web Search

Prevents Windows Search from sending queries to the web.

Computer Configuration > Administrative Templates > Windows Components > Search

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Turn on Script Execution

Controls the PowerShell execution policy. RemoteSigned requires remote scripts to be signed.

Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Turn on PowerShell Transcription

Records all PowerShell input and output to a transcript file.

Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Firewall · Computer

Windows Firewall: Domain Profile: Firewall State

Ensures Windows Firewall is enabled for domain-joined connections.

Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Domain Profile

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Turn Off Picture Password Sign-In

Disables picture password authentication on domain systems.

Computer Configuration > Administrative Templates > System > Logon

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · User

Enable Screen Saver

Enables the screen saver. Required for screen saver timeout policies to apply.

User Configuration > Administrative Templates > Control Panel > Personalization

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Network Access: Restrict Clients Allowed to Make Remote Calls to SAM

Restricts remote SAM enumeration to Administrators only. Prevents tools like BloodHound from enumerating accounts remotely.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Turn on PowerShell Script Block Logging

Logs the full content of all PowerShell script blocks. Generates event 4104. Critical for threat detection.

Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Turn Off Windows PowerShell 2.0

PowerShell 2.0 does not support logging or AMSI. Attackers use it to bypass PS5 security controls. Disable via Windows Features.

Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Firewall · Computer

Windows Firewall: Public Profile: Firewall State

Ensures Windows Firewall is enabled for public network connections.

Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Public Profile

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Block User from Showing Account Details on Sign-In

Prevents users from showing their email address on the sign-in screen.

Computer Configuration > Administrative Templates > System > Logon

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Firewall · Computer

Windows Firewall: Domain Profile: Inbound Connections

Default action for inbound connections not matching any rule.

Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Domain Profile

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Turn Off Windows Startup Sound

Disables the Windows startup sound.

Computer Configuration > Administrative Templates > System > Logon

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Microsoft Network Server: Digitally Sign Communications (Always)

Requires SMB signing on server side. Prevents SMB relay attacks.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin Tpl · Computer

Allow Search and Cortana to Use Location

Prevents Cortana and Search from using location data.

Computer Configuration > Administrative Templates > Windows Components > Search

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Deny Log On Locally

Explicitly prevents specified accounts from logging on interactively.

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Page 6 of 26 · 623 policies