Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Name of Administrator Account to Manage (LAPS)
Specifies which local admin account LAPS manages. Pair with renamed Administrator account.
Computer Configuration > Administrative Templates > System > LAPS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prohibit Changes to Display Settings
Prevents users from changing display settings.
User Configuration > Administrative Templates > Control Panel > Display
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Redirect Desktop Folder
Redirects the Desktop folder to a network location for backup and roaming.
User Configuration > Windows Settings > Folder Redirection > Desktop
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Grant User Exclusive Rights to Redirected Folders
Ensures only the user and administrators have access to their redirected folder.
User Configuration > Windows Settings > Folder Redirection > [any folder] > Settings
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Detailed MSI Patch Logging
Logs patch installation details separately. Helps MSPs troubleshoot update failures and compatibility issues.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Let Apps Access the Camera
Controls whether apps can access the camera. A value of 2 (Force Deny) blocks all app camera access.
Computer Configuration > Administrative Templates > Windows Components > App Privacy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Zerologon: Vulnerable Channel Allowlist
Allowlist for devices exempted from Zerologon enforcement. Should be empty in fully patched environments.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure WSUS Server for DO Updates
Mode 3 enables local server caching for enterprises using WSUS. Integrates DO with existing update infrastructure.
Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Windows Firewall: Public Profile: Inbound Connections
Blocks all unsolicited inbound connections on public networks. Critical for endpoint protection on untrusted networks.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Public Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Redirect AppData (Roaming) Folder
Redirects application data for roaming profiles.
User Configuration > Windows Settings > Folder Redirection > AppData (Roaming)
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Domain Controller: Allow Server Operators to Schedule Tasks
When disabled, prevents Server Operators from scheduling tasks on domain controllers; allowing it could enable privilege escalation.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Domain Controller: Refuse Machine Account Password Changes
If enabled, DCs refuse machine account password changes. Keep disabled to allow normal machine account rotation.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Let Apps Access the Microphone
Controls whether apps can access the microphone.
Computer Configuration > Administrative Templates > Windows Components > App Privacy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Group Policy Slow Link Detection Threshold
Link speed below which GP skips certain processing (scripts, folder redirection). Adjust for remote/branch office environments.
Computer Configuration > Administrative Templates > System > Group Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Default: Not configured
Controls whether apps can access account name, picture, and other account info.
Recommended: 2 (Force Deny)
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Zerologon: Full Enforcement Mode (MS-NRPC)
Enforces secure RPC for all Netlogon connections. Mitigates CVE-2020-1472 (Zerologon). Ensure all domain devices are patched before enabling.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Default: Not configured
Prevents apps from reading diagnostic data about other apps.
Recommended: 2 (Force Deny)
Supported on Windows 10, Windows 11, Windows Server 2016 and later
LDAP Server Channel Binding Token Requirements
Requires LDAP channel binding for LDAPS connections. Mitigates NTLM relay to LDAP attacks. Apply after auditing.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
LDAP Server Signing Requirements
Requires LDAP clients to negotiate data signing. Prevents LDAP relay attacks. Set to 2 (Require signing) to enforce.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
WinRM Service: Allow CredSSP Authentication
CredSSP delegation passes full credentials to remote hosts. Disable unless required; prefer Kerberos constrained delegation.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
Supported on Windows 10, Windows 11, Windows Server 2016 and later
User Group Policy Loopback Processing Mode
Applies computer-scope user policies regardless of who logs on. Use Replace mode on kiosks and RDS servers.
Computer Configuration > Administrative Templates > System > Group Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Active Directory: Use DFSR for SYSVOL Replication
N/A (DFSR configuration). Default: Enabled (post-2008 domains). Recommended: DFSR (not legacy FRS). DFSR should replace legacy FRS for SYSVOL replication; FRS is deprecated and unsupported on Server 2022+.
Computer Configuration > Administrative Templates > System > DFS Replication
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always)
Requires all secure channel traffic to be signed or encrypted. Prevents plaintext Netlogon traffic.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Deny Log On Locally
Explicitly prevents specified accounts from logging on interactively.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later