Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a container of configuration settings that Windows applies to computers and user accounts. Most settings are Administrative Template policies: each is defined in an ADMX file, is scoped to Computer Configuration or User Configuration, and writes one or more registry values under the Policies keys in HKLM or HKCU. Security Settings (account policies, user rights assignments, Security Options, firewall rules) are applied by their own client-side extensions rather than by ADMX templates, although many of them also map to registry values. This reference indexes both kinds, with registry mappings and the operational guidance (defaults, recommended values, audit steps) that the official Microsoft Learn pages leave out.
Default: Not configured
Prevents apps from reading diagnostic data about other apps.
Recommended: 2 (Force Deny)
Supported on Windows 10, Windows 11, Windows Server 2016 and later
LDAP Server Channel Binding Token Requirements
Requires a channel binding token on LDAP binds made over TLS (LDAPS and StartTLS), so NTLM authentication captured on one connection cannot be relayed onto another. Mitigates NTLM relay to LDAPS; cleartext LDAP is covered by the signing requirement instead. Registry value LdapEnforceChannelBinding under Services\NTDS\Parameters: 0 = Never, 1 = When supported, 2 = Always. Set to 2 only after auditing for clients that cannot supply a CBT.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
LDAP Server Signing Requirements
Requires LDAP clients to negotiate signing on SASL binds and rejects simple binds over cleartext LDAP. Blocks NTLM relay to unsigned LDAP connections. Registry value LDAPServerIntegrity under Services\NTDS\Parameters: 1 = None (default), 2 = Require signing. Set to 2 after auditing for clients that still bind unsigned.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
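The audit step both LDAP entries above call for, as an added example that is not part of the reference: it reads the two NTDS registry values on a domain controller and summarises the Directory Service events that identify clients still binding unsigned (2889) or failing channel binding validation (3039). The regular expressions assume the event message wording of current Windows Server builds.

```powershell
# Added example, not from the reference: audit a domain controller before
# raising LDAP signing and channel binding enforcement. Run on each DC as admin.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$cfg  = Get-ItemProperty -Path $ntds
[pscustomobject]@{
    # 1 = None (default), 2 = Require signing
    LDAPServerIntegrity       = $cfg.LDAPServerIntegrity
    # 0 = Never, 1 = When supported, 2 = Always
    LdapEnforceChannelBinding = $cfg.LdapEnforceChannelBinding
} | Format-List

# Per-client events need the LDAP Interface Events diagnostic level raised to 2
# (without it the DC only logs the daily 2887 summary count).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
    -Name '16 LDAP Interface Events' -Value 2

# 2889: a client bound with SASL without signing, or did a simple bind over cleartext LDAP.
# 3039: a client bound over TLS and failed channel binding token validation.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889, 3039
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# Assumption: the message text contains "Client IP address:" and
# "Identity the client attempted to authenticate as:" as in current builds.
$events | ForEach-Object {
    $ip = if ($_.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { '?' }
    $id = if ($_.Message -match 'authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
    [pscustomobject]@{ EventId = $_.Id; Client = $ip; Identity = $id }
} |
    Group-Object -Property EventId, Client, Identity |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name |
    Format-Table -AutoSize
```

Run it for at least one full cycle of scheduled jobs (a week is a sensible minimum) on every domain controller, fix or replace the clients that appear, and only then set LDAPServerIntegrity to 2 and LdapEnforceChannelBinding to 2. Leaving the diagnostic level at 2 afterwards keeps the per-client events flowing for ongoing detection.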
WinRM Service: Allow CredSSP Authentication
When enabled, the WinRM service accepts CredSSP, which makes the client hand its full plaintext credentials to this host, where they sit in LSASS for the life of the session. Disable unless a specific double-hop requirement exists; prefer Kerberos constrained delegation (including resource-based constrained delegation) for double-hop scenarios.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
Supported on Windows 10, Windows 11, Windows Server 2016 and later
User Group Policy Loopback Processing Mode
Applies the User Configuration settings of the GPOs linked to the computer's OU regardless of which user logs on. Replace mode ignores the user's own GPOs; Merge mode applies them first and lets the computer-linked user settings win on conflict. Use Replace mode on kiosks and RDS session hosts.
Computer Configuration > Administrative Templates > System > Group Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Active Directory: Use DFSR for SYSVOL Replication
Registry: N/A (DFSR configuration, not a Group Policy setting)
Default: DFSR in domains created at the Windows Server 2008 domain functional level or later; domains upgraded from older levels stay on FRS until migrated
Recommended: DFSR (not legacy FRS)
DFSR should replace legacy FRS for SYSVOL replication. FRS is deprecated and not supported on current Windows Server releases, so newer domain controllers cannot be promoted into a domain that still uses it. Check the migration state with dfsrmig /getglobalstate and migrate with dfsrmig.exe on the PDC emulator.
Computer Configuration > Administrative Templates > System > DFS Replication
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always)
Requires every Netlogon secure channel exchange to be signed or encrypted; the domain member refuses to set up a channel with a domain controller that cannot do so. Prevents cleartext Netlogon traffic. Registry value RequireSignOrSeal under Services\Netlogon\Parameters.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Domain Member: Require Strong Session Key
Requires a 128-bit session key for secure channel data (RequireStrongKey). All modern environments should have this enabled; every supported domain controller version negotiates strong keys.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Domain Member: Digitally Encrypt Secure Channel Data (When Possible)
Encrypts secure channel data whenever the domain controller supports it (SealSecureChannel). Keep it enabled alongside RequireSignOrSeal; once the 'Always' setting is enabled, Windows treats this one as enabled as well.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Domain Member: Disable Machine Account Password Changes
Keep Disabled so the computer rotates its machine account password on the interval set by Maximum Machine Account Password Age (30 days by default). Enabling it freezes the password, so a stolen machine credential (for example, one recovered from an offline disk image) remains valid indefinitely.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Domain Member: Digitally Sign Secure Channel Data (When Possible)
Signs secure channel traffic whenever the domain controller supports it and the data is not already encrypted (SignSecureChannel). As with encryption, it is implied once the 'Always' setting is enabled.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Always Wait for the Network at Startup and Logon
Forces synchronous (foreground) Group Policy processing at startup and logon, so policies are fully applied before the desktop loads. Extensions that only run in foreground processing (folder redirection, software installation, logon scripts) then take effect on the first logon instead of the next one; the cost is a longer logon.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Domain Member: Maximum Machine Account Password Age
Sets how often domain-joined computers change their machine account password (default 30 days; MaximumPasswordAge under Services\Netlogon\Parameters). Lower values shorten the window in which a captured machine credential stays valid. Only effective while Disable Machine Account Password Changes is left Disabled.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
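An added check, not from the reference, that reads the six Domain Member values above from the Netlogon parameters key on a domain member, compares them with the hardened settings, and confirms the secure channel still works and the password is actually rotating. Get-ADComputer needs the RSAT ActiveDirectory module.

```powershell
# Added example, not from the reference: compare the Netlogon secure channel
# settings on this domain member with the hardened values from the entries above.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$cfg  = Get-ItemProperty -Path $path

# value name -> hardened value (policy name in the comment)
$expected = [ordered]@{
    RequireSignOrSeal     = 1    # Digitally encrypt or sign secure channel data (always): Enabled
    SealSecureChannel     = 1    # Digitally encrypt secure channel data (when possible): Enabled
    SignSecureChannel     = 1    # Digitally sign secure channel data (when possible): Enabled
    RequireStrongKey      = 1    # Require strong session key: Enabled
    DisablePasswordChange = 0    # Disable machine account password changes: Disabled
    MaximumPasswordAge    = 30   # Maximum machine account password age: 30 days
}

$report = foreach ($name in $expected.Keys) {
    $actual = $cfg.$name
    # A missing value means the OS default applies; report it so it can be set explicitly.
    $status = if ($null -eq $actual) { 'not set (OS default)' }
              elseif ($actual -eq $expected[$name]) { 'OK' }
              else { 'MISMATCH' }
    [pscustomobject]@{ Setting = $name; Actual = $actual; Expected = $expected[$name]; Status = $status }
}
$report | Format-Table -AutoSize

# Confirm the channel is usable and see when the machine password last rotated;
# a PasswordLastSet older than MaximumPasswordAge means rotation is not happening.
Test-ComputerSecureChannel -Verbose
$me = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet   # RSAT ActiveDirectory module
"Machine account password last set: $($me.PasswordLastSet)"
if ((Get-Date) - $me.PasswordLastSet -gt [TimeSpan]::FromDays($expected.MaximumPasswordAge)) {
    Write-Warning 'Machine account password is older than the configured maximum age.'
}
```

A machine whose PasswordLastSet is months old but still reports 'not set' for DisablePasswordChange is worth a closer look: the value can also be set by imaging tools and VDI gold images, which is exactly the case the Disable Machine Account Password Changes entry warns about.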
Configure Offer Remote Assistance
Controls whether members of the configured helper list can offer Remote Assistance to this computer without the user asking for it. Disable to prevent unsolicited remote control; if it must be enabled, restrict the helper list to a dedicated group and allow 'view only' unless full control is genuinely required.
Computer Configuration > Administrative Templates > System > Remote Assistance
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Registry Policy Processing: Process Even if Not Changed
Forces the Registry client-side extension to reapply GPO registry settings on every refresh even when no GPO has changed. Without it the extension skips unchanged GPOs, so a value tampered with locally survives until the GPO is next edited (gpupdate /force reapplies regardless).
Computer Configuration > Administrative Templates > System > Group Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Security Policy Processing: Process Even if Not Changed
Forces the Security Settings client-side extension to reapply on every refresh cycle. The extension already reapplies on its own 16-hour timer, so this closes the gap down to the normal 90-minute refresh interval. Critical for security baseline enforcement.
Computer Configuration > Administrative Templates > System > Group Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
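An added example, not from the reference, that checks both 'process even if not changed' settings above on a client. It reads the NoGPOListChanges value under each extension's GUID subkey of the Group Policy policies key (the registry location these two policies write to; 0 means process even if unchanged) and then pulls the extension start and finish events from the Group Policy operational log to confirm the extensions actually ran on the last refresh.

```powershell
# Added example, not from the reference: verify that the Registry and Security
# client-side extensions (CSEs) are set to re-apply on every background refresh.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
$cses = [ordered]@{
    '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' = 'Registry policy processing'
    '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}' = 'Security policy processing'
}

$rows = foreach ($guid in $cses.Keys) {
    $key   = Join-Path -Path $base -ChildPath $guid
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CSE                    = $cses[$guid]
        NoGPOListChanges       = $props.NoGPOListChanges      # 0 = process even if not changed
        NoBackgroundPolicy     = $props.NoBackgroundPolicy    # 1 would stop background refresh entirely
        ProcessEvenIfUnchanged = ($props.NoGPOListChanges -eq 0)
    }
}
$rows | Format-Table -AutoSize

# Evidence that the extensions ran: the Group Policy operational log records
# 4016 (starting <CSE> extension processing) and 5016 (completed, with duration).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Id        = 4016, 5016
    StartTime = (Get-Date).AddHours(-2)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Registry|Security' } |
    Select-Object -Property TimeCreated, Id, Message |
    Format-Table -Wrap
```

If ProcessEvenIfUnchanged is false and a 5016 event for the extension is missing from the last refresh, the extension skipped processing because no GPO version changed; that is the window in which a locally edited value persists. Note that `gpupdate /force` does not prove the setting, because a forced refresh reapplies everything regardless.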
Configure Solicited Remote Assistance
Controls whether users can request Remote Assistance. If enabled, restrict helpers, prefer 'view only', and set a short maximum ticket time so invitations expire quickly; Disabled removes the attack surface entirely.
Computer Configuration > Administrative Templates > System > Remote Assistance
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Windows Firewall: Log Successful Connections (Domain Profile)
Logs allowed inbound and outbound connections in the Domain profile to pfirewall.log (%systemroot%\system32\LogFiles\Firewall\ by default). Outbound allow entries are what you need to spot C2 beaconing and lateral movement. Allowed-connection logging is high volume: raise the log size limit (maximum 32767 KB) and forward the file to your SIEM.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Domain Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow Remote Shell Access (WinRM)
Controls whether the WinRM service accepts Windows Remote Shell (winrs) sessions. Disable if remote management is handled through other means. PowerShell remoting is governed separately by its session configurations (Enable-PSRemoting / Disable-PSRemoting), so test before relying on this setting to block it.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Shell
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Certificate Auto-Enrollment
Automates certificate enrollment and renewal for domain members. Enable it (with 'Renew expired certificates, update pending certificates, and remove revoked certificates' and 'Update certificates that use certificate templates') so every device holds a valid machine certificate. Only templates whose ACL grants the computer Autoenroll are issued, so review those ACLs as part of enabling this.
Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
WinRM Client: Allow CredSSP Authentication
Controls whether the WinRM client may authenticate with CredSSP. Disable it: CredSSP sends the user's full credentials to the remote system, so a compromised target can harvest them. Use Kerberos (the default) and solve double-hop with constrained delegation instead.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client
Supported on Windows 10, Windows 11, Windows Server 2016 and later
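An added example, not from the reference, covering both WinRM CredSSP entries: it reports the effective CredSSP state of the service and client from the WSMan: drive, the policy values the two GPO settings write, and any client-side delegation allow-list left behind by Enable-WSManCredSSP. The host names in the delegation comment are hypothetical, and the CredentialsDelegation key is an assumption about where Enable-WSManCredSSP records its allow-list.

```powershell
# Added example, not from the reference: check CredSSP on both sides of WinRM.
Import-Module Microsoft.WSMan.Management -ErrorAction Stop

# Effective state (policy wins over local configuration).
[pscustomobject]@{
    ServiceCredSSP  = (Get-Item -Path WSMan:\localhost\Service\Auth\CredSSP).Value   # want 'false'
    ClientCredSSP   = (Get-Item -Path WSMan:\localhost\Client\Auth\CredSSP).Value    # want 'false'
    ServiceKerberos = (Get-Item -Path WSMan:\localhost\Service\Auth\Kerberos).Value  # want 'true'
    ServiceBasic    = (Get-Item -Path WSMan:\localhost\Service\Auth\Basic).Value     # want 'false'
} | Format-List

# Policy values written by the two GPO settings (0 = Disabled, 1 = Enabled).
foreach ($side in 'Service', 'Client') {
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\$side"
    $val = (Get-ItemProperty -Path $key -Name AllowCredSSP -ErrorAction SilentlyContinue).AllowCredSSP
    "$side policy AllowCredSSP = $(if ($null -eq $val) { 'not configured' } else { $val })"
}

# Assumption: Enable-WSManCredSSP -Role Client stores its target list under
# CredentialsDelegation\AllowFreshCredentials; a populated list means someone
# enabled client-side delegation by hand.
$deleg = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
Get-ItemProperty -Path $deleg -ErrorAction SilentlyContinue |
    Select-Object -Property * -ExcludeProperty PS* | Format-List

# Turn it off locally where policy has not already done so.
Disable-WSManCredSSP -Role Server
Disable-WSManCredSSP -Role Client

# Double-hop without CredSSP: resource-based constrained delegation, letting the
# remoting target act on behalf of callers to the second hop. Hypothetical hosts.
# Set-ADComputer -Identity FILESRV -PrincipalsAllowedToDelegateToAccount (Get-ADComputer JUMPHOST)
```

With CredSSP disabled, a command like `Invoke-Command -ComputerName JUMPHOST { Get-ChildItem \\FILESRV\share }` fails with access denied until the delegation line is applied; that failure is the expected state, not something to 'fix' by re-enabling CredSSP.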
CA Certificate Template: Restrict Enrollment
Registry: N/A (CA and template configuration, not a Group Policy setting)
Default: Varies by template
Recommended: Require CA certificate manager approval on sensitive templates
Templates that let the enrollee supply the subject name and carry a logon EKU (Client Authentication, Smart Card Logon, Any Purpose) should require manager approval or an authorized signature; that combination is the ESC1 misconfiguration. Also review template ACLs so only intended principals hold Enroll and Write permissions (ESC4). Configured in certtmpl.msc on the CA, not through Group Policy.
Computer Configuration > Windows Settings > Security Settings > Public Key Policies
Supported on Windows 10, Windows 11, Windows Server 2016 and later
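An added example, not from the reference, for the template entry above: it enumerates every certificate template object in the Configuration naming context and flags the ESC1 combination (enrollee-supplied subject, a logon-capable EKU, no manager approval and no required signatures). The flag bit values are the documented msPKI attribute constants; the ActiveDirectory RSAT module is assumed.

```powershell
# Added example, not from the reference: find templates that need manager approval.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # bit in msPKI-Enrollment-Flag: CA manager approval
$logonEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '2.5.29.37.0'               # Any Purpose
)

$templates = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'pKIExtendedKeyUsage', 'msPKI-RA-Signature'

$findings = foreach ($t in $templates) {
    $nameFlag   = [int]$t.'msPKI-Certificate-Name-Flag'
    $enrollFlag = [int]$t.'msPKI-Enrollment-Flag'
    $ekus       = @($t.pKIExtendedKeyUsage)
    $supplies   = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $approval   = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    # An empty EKU list means "all purposes", which also allows logon.
    $logon      = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $logonEkus -contains $_ }).Count -gt 0)
    $raSigs     = [int]$t.'msPKI-RA-Signature'
    [pscustomobject]@{
        Template        = $t.Name
        EnrolleeSubject = $supplies
        LogonEKU        = $logon
        ManagerApproval = $approval
        AuthorizedSigs  = $raSigs
        ESC1Candidate   = $supplies -and $logon -and -not $approval -and ($raSigs -eq 0)
    }
}
$findings | Sort-Object -Property ESC1Candidate -Descending | Format-Table -AutoSize

# Remediation for a flagged template: set the pend-all-requests bit so every
# request waits for CA manager approval (same as the checkbox in certtmpl.msc).
foreach ($f in $findings | Where-Object ESC1Candidate) {
    $obj = $templates | Where-Object Name -eq $f.Template
    $new = ([int]$obj.'msPKI-Enrollment-Flag') -bor $CT_FLAG_PEND_ALL_REQUESTS
    Write-Host "Would set msPKI-Enrollment-Flag=$new on $($obj.Name)"
    # Set-ADObject -Identity $obj.DistinguishedName -Replace @{ 'msPKI-Enrollment-Flag' = $new }
}
```

A flagged template is only exploitable by principals that hold Enroll on it and only if it is published on a CA, so cross-check each candidate against the template's security descriptor (`Get-Acl "AD:$($obj.DistinguishedName)"`) and the CA's certificateTemplates list before deciding whether approval or an ACL change is the right fix.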
Configure Windows Firewall: Log Dropped Packets (Domain Profile)
Logs every packet the Domain profile firewall drops to pfirewall.log. Essential for detecting port scans and blocked lateral-movement attempts at the host; pair it with a log size limit large enough to survive a scan and forward the file to your SIEM.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Domain Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
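An added example, not from the reference, covering both Domain profile logging entries: it enables allowed and dropped logging with a larger log, parses pfirewall.log in its W3C format, and runs two simple detections over it. The sample log lines are constructed for the example and are used only when the real log file is absent.

```powershell
# Added example, not from the reference: enable Domain profile logging, then
# parse pfirewall.log for beaconing and inbound lateral-movement attempts.
Set-NetFirewallProfile -Profile Domain -LogAllowed True -LogBlocked True `
    -LogMaxSizeKilobytes 32767 `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
# Constructed sample in the real file's W3C layout, used when no log exists yet.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 09:00:01 ALLOW TCP 10.0.0.15 203.0.113.9 50101 443 0 - 0 0 0 - - - SEND
2024-05-01 09:01:01 ALLOW TCP 10.0.0.15 203.0.113.9 50102 443 0 - 0 0 0 - - - SEND
2024-05-01 09:02:01 ALLOW TCP 10.0.0.15 203.0.113.9 50103 443 0 - 0 0 0 - - - SEND
2024-05-01 09:02:30 DROP TCP 10.0.0.77 10.0.0.15 44444 445 52 S 1 0 8192 - - - RECEIVE
2024-05-01 09:02:31 ALLOW TCP 10.0.0.77 10.0.0.15 44445 5985 0 - 0 0 0 - - - RECEIVE
'@
$lines = if (Test-Path $log) { Get-Content $log } else { $sample -split "`r?`n" }

# Column names come from the last #Fields: header, so the parser survives layout changes.
$header = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -Last 1
$fields = ($header -replace '^#Fields:\s*', '') -split '\s+'
$rows = $lines | Where-Object { $_ -and -not $_.StartsWith('#') } | ForEach-Object {
    $parts = $_ -split '\s+'
    $obj = [ordered]@{}
    for ($i = 0; $i -lt $fields.Count -and $i -lt $parts.Count; $i++) { $obj[$fields[$i]] = $parts[$i] }
    [pscustomobject]$obj
}

# (a) Beaconing: repeated outbound ALLOWs to the same destination from fresh source ports.
"Outbound destinations contacted three or more times:"
$rows | Where-Object { $_.action -eq 'ALLOW' -and $_.path -eq 'SEND' } |
    Group-Object -Property 'dst-ip', 'dst-port' |
    Where-Object { $_.Count -ge 3 } |
    Select-Object -Property Count, Name | Format-Table -AutoSize

# (b) Inbound hits on lateral-movement ports, whether the firewall allowed or dropped them.
$lateral = '135', '445', '3389', '5985', '5986'
"Inbound traffic to SMB/RDP/WinRM/RPC ports:"
$rows | Where-Object { $_.path -eq 'RECEIVE' -and $lateral -contains $_.'dst-port' } |
    Select-Object -Property date, time, action, 'src-ip', 'dst-port' | Format-Table -AutoSize
```

On the constructed sample the first query reports 203.0.113.9:443 three times at one-minute spacing and the second lists the dropped SMB probe followed by an allowed WinRM connection from the same source, which is the pattern a scan-then-move sequence leaves. On a real host, feed the parsed rows to the SIEM rather than reviewing them locally, and keep the log size at the maximum because allowed-connection logging on a busy server rolls over in hours.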
Deny Log On Locally
Explicitly prevents the listed accounts and groups from logging on interactively at the console (SeDenyInteractiveLogonRight); a Deny entry overrides any Allow. Typical entries are Guests, service accounts and, on servers, the Local account built-in group (S-1-5-113), so that a compromised local or service credential cannot be used at a console. Remote Desktop logon is governed by its own separate deny right.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later