Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
WDigest Authentication
WDigest stores credentials in plaintext in memory. Must be disabled to prevent Mimikatz cleartext credential harvesting.
Computer Configuration > Administrative Templates > MS Security Guide
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prohibit Installation and Configuration of Network Bridge
Prevents users from creating network bridges that could bypass security controls.
Computer Configuration > Administrative Templates > Network > Network Connections
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure NetBIOS Settings
Disabling NetBIOS prevents NetBIOS name poisoning attacks. Set via DHCP option 001 or registry.
Computer Configuration > Administrative Templates > Network > DNS Client
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Do Not Allow Windows Hello for Business PIN
Controls Windows Hello for Business. Enable to deploy phishing-resistant authentication.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Microsoft Network Client: Digitally Sign Communications (Always)
Requires SMB signing on client side. Prevents SMB relay attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Password Manager
Controls the built-in Edge password manager. Disable if using a dedicated password manager.
Computer Configuration > Administrative Templates > Microsoft Edge
Supported on Windows 10, Windows 11, Windows Server 2016 and later
DNS Client: Turn Off Multicast Name Resolution (LLMNR)
Disables LLMNR. Prevents LLMNR poisoning attacks used by Responder.
Computer Configuration > Administrative Templates > Network > DNS Client
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prohibit Use of Internet Connection Sharing on DNS Domain Network
Prevents users from enabling Internet Connection Sharing.
Computer Configuration > Administrative Templates > Network > Network Connections
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Turn Off Windows Location Provider
Disables the Windows location provider.
Computer Configuration > Administrative Templates > Windows Components > Location and Sensors > Windows Location Provider
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Limit the Sync App Download Speed to a Fixed Rate
Limits OneDrive sync bandwidth to prevent saturation of network links.
Computer Configuration > Administrative Templates > OneDrive
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Do Not Show Feedback Notifications
Disables Windows feedback prompts.
Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network Security: Restrict NTLM: Incoming NTLM Traffic
Blocks incoming NTLM authentication requests. Use after auditing to avoid breaking legacy apps.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent Bypassing SmartScreen Prompts for Downloads
Prevents users from bypassing SmartScreen warnings for downloaded files.
Computer Configuration > Administrative Templates > Microsoft Edge
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Block Access to a List of URLs
Blocks access to specified URLs or URL patterns.
Computer Configuration > Administrative Templates > Microsoft Edge
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Microsoft Defender SmartScreen
Enables SmartScreen phishing and malware protection in Edge.
Computer Configuration > Administrative Templates > Microsoft Edge
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Set What Information is Shared in Search
Controls how much information is shared with Microsoft during web searches.
Computer Configuration > Administrative Templates > Windows Components > Search
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent Bypassing SmartScreen Prompts for Sites
Prevents users from clicking through SmartScreen warnings for malicious sites.
Computer Configuration > Administrative Templates > Microsoft Edge
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Control Use of the Autofill Feature for Addresses
Controls whether Edge autofills address information.
Computer Configuration > Administrative Templates > Microsoft Edge
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Silently Sign In Users to the OneDrive Sync App with Windows Credentials
Automatically signs users into OneDrive using their Windows credentials. Enables seamless SSO.
Computer Configuration > Administrative Templates > OneDrive
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow Syncing OneDrive Accounts for Only Specific Organizations
Restricts OneDrive sync to your organization's tenant only. Prevents data exfiltration to personal tenants.
Computer Configuration > Administrative Templates > OneDrive
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Control Use of the Autofill Feature for Credit Cards
Prevents Edge from storing and autofilling credit card information.
Computer Configuration > Administrative Templates > Microsoft Edge
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent Users from Syncing Personal OneDrive Accounts
Prevents users from syncing personal (non-work) OneDrive accounts on corporate devices.
Computer Configuration > Administrative Templates > OneDrive
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable Windows Consumer Features
Disables consumer features such as app suggestions and third-party app recommendations in the Start Menu.
Computer Configuration > Administrative Templates > Windows Components > Cloud Content
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Deny Log On Locally
Explicitly prevents specified accounts from logging on interactively.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
