Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Allow Telemetry
Controls how much diagnostic data is sent to Microsoft. 0 requires Windows Enterprise/Education.
Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Password Settings (LAPS)
Sets password complexity for LAPS-managed local admin passwords.
Computer Configuration > Administrative Templates > System > LAPS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Allow Cortana Above Lock Screen
Prevents Cortana from being accessible on the lock screen.
Computer Configuration > Administrative Templates > Windows Components > Search
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Turn Off Location
Disables the Windows location platform.
Computer Configuration > Administrative Templates > Windows Components > Location and Sensors
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Turn Off Advertising ID
Disables the per-user advertising ID used by apps for targeted advertising.
Computer Configuration > Administrative Templates > System > User Profiles
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Turn Off Windows Error Reporting
Prevents crash dumps and error reports from being sent to Microsoft.
Computer Configuration > Administrative Templates > Windows Components > Windows Error Reporting
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Let Apps Access Contacts
Controls whether apps can access the contacts list.
Computer Configuration > Administrative Templates > Windows Components > App Privacy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Do Not Allow Password Expiration Time Longer Than Required by Policy
Prevents extending LAPS password expiration beyond what policy allows.
Computer Configuration > Administrative Templates > System > LAPS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Let Apps Access Location
Controls whether apps can access location data.
Computer Configuration > Administrative Templates > Windows Components > App Privacy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Remote Assistance: Maximum Ticket Time
Limits how long a Remote Assistance invitation remains valid. Minimize to reduce the exposure window.
Computer Configuration > Administrative Templates > System > Remote Assistance
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Enable Local Admin Password Management
Enables LAPS to manage the local Administrator account password. Prevents lateral movement via shared local admin passwords.
Computer Configuration > Administrative Templates > System > LAPS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Password Age (LAPS)
Sets how often LAPS rotates the local admin password.
Computer Configuration > Administrative Templates > System > LAPS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Name of Administrator Account to Manage (LAPS)
Specifies which local admin account LAPS manages. Pair with renamed Administrator account.
Computer Configuration > Administrative Templates > System > LAPS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Enable detailed MSI patch logging
Logs patch installation details separately. Helps MSPs troubleshoot update failures and compatibility issues.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Let Apps Access the Camera
Controls whether apps can access the camera. 2 blocks all app camera access.
Computer Configuration > Administrative Templates > Windows Components > App Privacy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Zerologon: Vulnerable Channel Allowlist
Allowlist for devices exempted from Zerologon enforcement. Should be empty in fully patched environments.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure WSUS server for DO updates
Mode 3 enables local server caching for enterprises using WSUS. Integrates DO with existing update infrastructure.
Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Windows Firewall: Public Profile: Inbound Connections
Blocks all unsolicited inbound connections on public networks. Critical for endpoint protection on untrusted networks.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Public Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Domain Controller: Allow Server Operators to Schedule Tasks
Prevents Server Operators from scheduling tasks, which could allow privilege escalation.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Domain Controller: Refuse Machine Account Password Changes
If enabled, DCs refuse machine account password changes. Keep disabled to allow normal machine account rotation.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Let Apps Access the Microphone
Controls whether apps can access the microphone.
Computer Configuration > Administrative Templates > Windows Components > App Privacy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Group Policy Slow Link Detection Threshold
Link speed below which GP skips certain processing (scripts, folder redirection). Adjust for remote/branch office environments.
Computer Configuration > Administrative Templates > System > Group Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →DefaultNot configured
Controls whether apps can access account name, picture, and other account info.
Recommended2 (Force Deny)
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Deny Log On Locally
Explicitly prevents specified accounts from logging on interactively.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →