Each row in this sheet gives the policy path, the policy name, and the recommended setting for Windows Server 2016/2019 and for Windows 10/Workstation.

Welcome to my template for Windows GPOs. Please get familiar with the Group Policy Editor and AD, and know what you are editing before you use this list.

If you are looking for GPOs under Computer Configuration/Windows Settings/Security Settings/, look at the LGPO chart, because they are the same. If you are working with an AD, I still suggest you check the other settings under that path as well.

This spreadsheet is split up into tabs. This sheet houses the main Computer Configuration GPOs, another holds the GPOs for IE and Edge (there are lots, and I don't know if they will give you points .. ugh, what a pain), and one will be for User Configuration.

If a setting is marked (maybe), consider your scenario and/or the effect on your ability to administer the system easily. You should do this with all GPOs, though.

Notes:
- Always consider your scenario. There could be GPOs that you need to configure that are not here. For example, your scenario could say that users should not be able to change the desktop background; that setting is under User Configuration/Administrative Templates/Control Panel/Personalization.
- If you are locked out of something, it is most likely a GPO (or several) that is stopping you; there have only been a few times I had to go into the registry. More often than not you want to change the GPO so it doesn't revert on restart.
- If you are working in an Active Directory, make a new policy for each GPO you change (with some common sense, though). Make sure to enable and enforce the new policy (left click on it) and either restart (suggested) or run gpupdate /force.
- It might be worth checking User Configuration\Administrative Templates\Windows Components\Microsoft User Experience Virtualization\Applications if you need to disable Microsoft applications like Microsoft Office.

*** Important Note: If you are working with an AD, make sure the Account Lockout and Password Policy are applied across the whole domain ***
*** Important Note 2: For LGPO or GPO changes to take effect, restart (suggested) or run gpupdate /force in cmd ***
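The notes above describe the edit, apply (restart or gpupdate /force) and re-check loop. As an added example that is not part of this sheet, the PowerShell script below audits a sample of the settings listed on this page by reading the registry values the corresponding policies write. The registry paths and value names come from my own knowledge of the policy templates, not from the sheet, and the selection of settings is only a sample; extend the $checks list for the rows you care about.

```powershell
# Added example (not from the sheet): audit a sample of this sheet's GPO settings
# by reading the registry values the policies write. The registry locations are
# assumed from the policy templates; they are not listed on the sheet.
# Run in an elevated PowerShell on the machine being checked.

$checks = @(
    @{ Policy = 'Network/DNS Client: Turn off multicast name resolution = Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Name = 'EnableMulticast'; Expected = 0 },
    @{ Policy = 'Network/Lanman Workstation: Enable insecure guest logons = Disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
       Name = 'AllowInsecureGuestAuth'; Expected = 0 },
    @{ Policy = 'System/Credentials Delegation: Encryption Oracle Remediation = Force Updated Clients'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
       Name = 'AllowEncryptionOracle'; Expected = 0 },
    @{ Policy = 'WinRM Client: Allow Basic authentication = Disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
       Name = 'AllowBasic'; Expected = 0 },
    @{ Policy = 'WinRM Service: Allow unencrypted traffic = Disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
       Name = 'AllowUnencryptedTraffic'; Expected = 0 },
    @{ Policy = 'Windows Remote Shell: Allow Remote Shell Access = Disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'
       Name = 'AllowRemoteShellAccess'; Expected = 0 },
    @{ Policy = 'System/Remote Assistance: Configure Solicited Remote Assistance = Disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Name = 'fAllowToGetHelp'; Expected = 0 },
    @{ Policy = 'Credential User Interface: Do not display the password reveal button = Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredUI'
       Name = 'DisablePasswordReveal'; Expected = 1 },
    @{ Policy = 'AutoPlay Policies: Set the default behavior for AutoRun = Do not execute any autorun commands'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoAutorun'; Expected = 1 },
    @{ Policy = 'MS Security Guide: Apply UAC restrictions to local accounts on network logons = Enabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'LocalAccountTokenFilterPolicy'; Expected = 0 },
    @{ Policy = 'MS Security Guide: Configure SMB v1 server = Disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'SMB1'; Expected = 0 },
    @{ Policy = 'MS Security Guide: WDigest Authentication = Disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name = 'UseLogonCredential'; Expected = 0 },
    @{ Policy = 'MSS: (AutoAdminLogon) Enable Automatic Logon = Disabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'AutoAdminLogon'; Expected = '0' },   # this one is stored as a string value
    @{ Policy = 'MSS: (DisableIPSourceRouting) = Highest protection'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Name = 'DisableIPSourceRouting'; Expected = 2 },
    @{ Policy = 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode = Enabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
       Name = 'SafeDllSearchMode'; Expected = 1 }
)

function Test-GpoSetting {
    param([hashtable]$Check)
    # A missing key or value means the policy has not been written to the registry:
    # either it is Not Configured, or the gpupdate/restart is still pending.
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Name) } else { $null }
    if ($null -eq $actual) { $status = 'NOT CONFIGURED' }
    elseif ("$actual" -eq "$($Check.Expected)") { $status = 'OK' }
    else { $status = 'MISMATCH' }
    [pscustomobject]@{
        Status   = $status
        Expected = $Check.Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Policy   = $Check.Policy
    }
}

$results = foreach ($c in $checks) { Test-GpoSetting -Check $c }
$results | Sort-Object Status | Format-Table -AutoSize -Wrap

# For anything that is not OK: change the GPO (not the registry directly, or it
# reverts on the next policy refresh), then run gpupdate /force or restart and re-run.
```

NOT CONFIGURED only means the policy key is absent; the machine may still be at the secure default for that setting, so treat it as "go and set it explicitly", not as proof of a weakness.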
Administrative Templates

| Policy Path | Policy Name | Windows Server 2016/2019 | Windows 10/Workstation |
|---|---|---|---|
| Control Panel | Allow Online Tips | Disabled (privacy) | Disabled (privacy) |
| Control Panel/Personalization | Prevent enabling lock screen camera | Enabled | Enabled |
| Control Panel/Personalization | Prevent enabling lock screen slide show | Enabled | Enabled |
| Control Panel/Regional and Language Options | Allow users to enable online speech recognition services | Disabled | Disabled (maybe) |
| Control Panel/Regional and Language Options | Allow Input Personalization | | Disabled |
| Network/DNS Client | Turn off multicast name resolution | Enabled | Enabled |
| Network/Fonts | Enable Font Providers | | Disabled |
| Network/Lanman Workstation | Enable insecure guest logons | Disabled | Disabled |
| Network/Link-Layer Topology Discovery | Turn on Mapper I/O (LLTDIO) driver | | Disabled |
| Network/Link-Layer Topology Discovery | Turn on Responder (RSPNDR) driver | | Disabled |
| Network/Microsoft Peer-to-Peer Networking Services | Turn off Microsoft Peer-to-Peer Networking Services | Enabled | Enabled |
| Network/Network Connections | Prohibit installation and configuration of Network Bridge on your DNS domain network | | Enabled (maybe, not really needed for comp imo) |
| Network/Network Connections | Prohibit use of Internet Connection Sharing on your DNS domain network | Enabled | Enabled |
| Network/Network Connections | Require domain users to elevate when setting a network's location | | Enabled |
| Network/Network Provider | Hardened UNC Paths | \\*\SYSVOL = RequireMutualAuthentication=1,RequireIntegrity=1; \\*\NETLOGON = RequireMutualAuthentication=1,RequireIntegrity=1 | \\*\SYSVOL = RequireMutualAuthentication=1,RequireIntegrity=1; \\*\NETLOGON = RequireMutualAuthentication=1,RequireIntegrity=1 |
| Network/Windows Connect Now | Configuration of wireless settings using Windows Connect Now | | Disabled |
| Network/Windows Connect Now | Prohibit access of the Windows Connect Now wizards | | Enabled |
| Network/Windows Connection Manager | Minimize the number of simultaneous connections to the Internet or a Windows Domain | | Enabled |
| Network/Windows Connection Manager | Prohibit connection to non-domain networks when connected to domain authenticated network | | Enabled |
| Network/WLAN Service/WLAN Settings | Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services | | Disabled |
| Start Menu and Taskbar | Turn off notifications network usage | Enabled | Enabled |
| System | Display Shutdown Event Tracker | Enabled | Enabled (big maybe) |
| System/Audit Process Creation | Include command line in process creation events | | Disabled |
| System/Credentials Delegation | Encryption Oracle Remediation | Force Updated Clients | Force Updated Clients |
| System/Credentials Delegation | Remote host allows delegation of non-exportable credentials | Enabled | Enabled |
| System/Credentials Delegation | Restrict delegation of credentials to remote servers | Prefer remote credential guard | Prefer remote credential guard |
| System/Device Guard | Turn On Virtualization Based Security | Enabled; Virtualization Based Protection of Code Integrity = Enabled with UEFI lock; Credential Guard Configuration = Disabled; Select Platform Security Level = Secure Boot; Secure Launch Configuration = Enabled; Require UEFI Memory Attributes Table = False | Enabled; Virtualization Based Protection of Code Integrity = Enabled with UEFI lock; Credential Guard Configuration = Disabled; Select Platform Security Level = Secure Boot; Secure Launch Configuration = Enabled; Require UEFI Memory Attributes Table = False |
| System/Device Installation/Device Installation Restrictions | Prevent installation of devices that match any of these device IDs | | Enabled; Also apply to matching devices that are already installed = True; 1 = PCI\CC_0C0A |
| System/Device Installation/Device Installation Restrictions | Prevent installation of devices using drivers that match these device setup classes | | Enabled; Also apply to matching devices that are already installed = True; 1 = {d48179be-ec20-11d1-b6b8-00c04fa372a7} |
| System/Early Launch Antimalware | Boot-Start Driver Initialization Policy | Good, unknown and bad but critical | Good, unknown and bad but critical |
| System/Group Policy | Configure registry policy processing | Process even if the Group Policy objects have not changed = True; Do not apply during periodic background processing = False | Process even if the Group Policy objects have not changed = True; Do not apply during periodic background processing = False |
| System/Group Policy | Continue experiences on this device | Disabled | Disabled |
| System/Group Policy | Turn off background refresh of Group Policy | Disabled (if you don't want to have to restart for GPs to apply) | Disabled (if you don't want to have to restart for GPs to apply) |
| System/Internet Communication Management/Internet Communication settings | Turn off access to the Store | Enabled | Enabled (maybe) |
| System/Internet Communication Management/Internet Communication settings | Turn off downloading of print drivers over HTTP | Enabled | Enabled |
| System/Internet Communication Management/Internet Communication settings | Turn off handwriting personalization data sharing | Enabled | Enabled |
| System/Internet Communication Management/Internet Communication settings | Turn off handwriting recognition error reporting | Enabled | Enabled |
| System/Internet Communication Management/Internet Communication settings | Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com | Enabled | Enabled |
| System/Internet Communication Management/Internet Communication settings | Turn off Internet download for Web publishing and online ordering wizards | Enabled | Enabled |
| System/Internet Communication Management/Internet Communication settings | Turn off printing over HTTP | Enabled | Enabled |
| System/Internet Communication Management/Internet Communication settings | Turn off Registration if URL connection is referring to Microsoft.com | Enabled | Enabled |
| System/Internet Communication Management/Internet Communication settings | Turn off Search Companion content file updates | Enabled (low risk) | Enabled (low risk) |
| System/Internet Communication Management/Internet Communication settings | Turn off the "Order Prints" picture task | Enabled | Enabled |
| System/Internet Communication Management/Internet Communication settings | Turn off the "Publish to Web" task for files and folders | Enabled | Enabled |
| System/Internet Communication Management/Internet Communication settings | Turn off the Windows Messenger Customer Experience Improvement Program | Enabled (more privacy) | Enabled (more privacy) |
| System/Internet Communication Management/Internet Communication settings | Turn off Windows Error Reporting | Enabled (more privacy) | Enabled (more privacy) |
| System/Kerberos | Support device authentication using certificate | Automatic (if you have a DC) | Automatic (if you have a DC) |
| System/Kernel DMA Protection | Enumeration policy for external devices incompatible with Kernel DMA Protection | Block all | Block all |
| System/Locale Services | Disallow copying of user input methods to the system account for sign-in | Enabled (do not suggest for comp) | Enabled (do not suggest for comp) |
| System/Logon | Block user from showing account details on sign-in | Enabled | Enabled |
| System/Logon | Do not display network selection UI | Enabled | Enabled |
| System/Logon | Do not enumerate connected users on domain-joined computers | Enabled | Enabled |
| System/Logon | Enumerate local users on domain-joined computers | Disabled | Disabled |
| System/Logon | Turn off app notifications on the lock screen | Enabled | Enabled |
| System/Logon | Turn on convenience PIN sign-in | Disabled | Disabled |
| System/Mitigation Options | Untrusted Font Blocking | Block untrusted fonts and log events | Block untrusted fonts and log events |
| System/Power Management/Sleep Settings | Allow network connectivity during connected-standby (on battery) | Disabled | Disabled |
| System/Power Management/Sleep Settings | Allow network connectivity during connected-standby (plugged in) | Disabled | Disabled |
| System/Power Management/Sleep Settings | Allow standby states (S1-S3) when sleeping (on battery) | | Disabled |
| System/Power Management/Sleep Settings | Allow standby states (S1-S3) when sleeping (plugged in) | | Disabled |
| System/Power Management/Sleep Settings | Require a password when a computer wakes (on battery) | Enabled | Enabled |
| System/Power Management/Sleep Settings | Require a password when a computer wakes (plugged in) | Enabled | Enabled |
| System/Remote Assistance | Configure Offer Remote Assistance | Disabled | Disabled |
| System/Remote Assistance | Configure Solicited Remote Assistance | Disabled; Maximum ticket time (value) = [[[delete]]]; Maximum ticket time (units) = [[[delete]]]; Method for sending email invitations = [[[delete]]]; Permit remote control of this computer = [[[delete]]] | Disabled; Maximum ticket time (value) = [[[delete]]]; Maximum ticket time (units) = [[[delete]]]; Method for sending email invitations = [[[delete]]]; Permit remote control of this computer = [[[delete]]] |
| System/Remote Procedure Call | Enable RPC Endpoint Mapper Client Authentication | Enabled [no DC] (maybe) | Enabled (maybe) |
| System/Remote Procedure Call | Restrict Unauthenticated RPC clients | Authenticated [*** NO DC ***] | Authenticated |
| System/Removable Storage Access | All Removable Storage classes: Deny all access | Enabled | Enabled |
| System/Troubleshooting and Diagnostics/Microsoft Support Diagnostic Tool | Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider | Disabled (privacy) | Disabled (privacy) |
| System/Troubleshooting and Diagnostics/Windows Performance PerfTrack | Enable/Disable PerfTrack | Disabled (privacy) | Disabled (privacy) |
| System/User Profiles | Turn off the advertising ID | Enabled (privacy) | Enabled (privacy) |
| System/Windows Time Service/Time Providers | Enable Windows NTP Client | Enabled | Enabled |
| System/Windows Time Service/Time Providers | Enable Windows NTP Server | Disabled [no DC] | Disabled |
| Windows Components/App Package Deployment | Allow a Windows app to share application data between users | Disabled | Disabled |
| Windows Components/App Privacy | Let Windows apps access account information | Force Deny (privacy & maybe) | Force Deny (privacy & maybe) |
| Windows Components/App Privacy | Let Windows apps access call history | Force Deny (privacy & maybe) | Force Deny (privacy & maybe) |
| Windows Components/App Privacy | Let Windows apps access contacts | Force Deny (privacy & maybe) | Force Deny (privacy & maybe) |
| Windows Components/App Privacy | Let Windows apps access email | Force Deny (privacy & maybe) | Force Deny (privacy & maybe) |
| Windows Components/App Privacy | Let Windows apps access location | Force Deny (privacy & maybe) | Force Deny (privacy & maybe) |
| Windows Components/App Privacy | Let Windows apps access messaging | Force Deny (privacy & maybe) | Force Deny (privacy & maybe) |
| Windows Components/App Privacy | Let Windows apps access motion | Force Deny (privacy & maybe) | Force Deny (privacy & maybe) |
| Windows Components/App Privacy | Let Windows apps access the calendar | Force Deny (privacy & maybe) | Force Deny (privacy & maybe) |
| Windows Components/App Privacy | Let Windows apps access the camera | Force Deny (privacy & maybe) | Force Deny (privacy & maybe) |
| Windows Components/App Privacy | Let Windows apps access the microphone | Force Deny (privacy & maybe) | Force Deny (privacy & maybe) |
| Windows Components/App Privacy | Let Windows apps access trusted devices | Force Deny (privacy & maybe) | Force Deny (privacy & maybe) |
| Windows Components/App Privacy | Let Windows apps control radios | Force Deny (privacy & maybe) | Force Deny (privacy & maybe) |
| Windows Components/App Privacy | Let Windows apps sync with devices | Force Deny (privacy & maybe) | Force Deny (privacy & maybe) |
| Windows Components/App Privacy | Let Windows apps make phone calls | Force Deny (privacy & maybe) | Force Deny (privacy & maybe) |
| Windows Components/App Privacy | Let Windows apps access notifications | Force Deny (privacy & maybe) | Force Deny (privacy & maybe) |
| Windows Components/App Privacy | Let Windows apps activate with voice while the system is locked | Force Deny | Force Deny |
| Windows Components/App runtime | Allow Microsoft accounts to be optional | Enabled (maybe) | Enabled (maybe) |
| Windows Components/App runtime | Block launching Windows Store apps with Windows Runtime API access from hosted content | Enabled | Enabled |
| Windows Components/Application Compatibility | Turn off Inventory Collector | Enabled (privacy) | Enabled (privacy) |
| Windows Components/AutoPlay Policies | Disallow Autoplay for non-volume devices | Enabled (maybe) | Enabled (maybe) |
| Windows Components/AutoPlay Policies | Set the default behavior for AutoRun | Do not execute any autorun commands | Do not execute any autorun commands |
| Windows Components/AutoPlay Policies | Turn off Autoplay | All drives | All drives |
| Windows Components/Biometrics/Facial Features | Configure enhanced anti-spoofing | Enabled | Enabled |
| Windows Components/BitLocker Drive Encryption | Disable new DMA devices when this computer is locked | | Enabled |
| Windows Components/BitLocker Drive Encryption/Operating System Drives | Allow enhanced PINs for startup | | Enabled |
| Windows Components/BitLocker Drive Encryption/Removable Data Drives | Deny write access to removable drives not protected by BitLocker | | Enabled; Do not allow write access to devices configured in another organization = False |
| Windows Components/Camera | Allow Use of Camera | Disabled | Disabled (maybe) |
| Windows Components/Cloud Content | Turn off Microsoft consumer experiences | Enabled | Enabled |
| Windows Components/Connect | Require pin for pairing | Enabled | Enabled |
| Windows Components/Credential User Interface | Do not display the password reveal button | Enabled (very low risk) | Enabled (very low risk) |
| Windows Components/Credential User Interface | Enumerate administrator accounts on elevation | Disabled | Disabled |
| Windows Components/Data Collection and Preview Builds | Allow Telemetry | 0 - Security [Enterprise Only] or 1 - Basic (if can't) | 0 - Security [Enterprise Only] or 1 - Basic (if can't) |
| Windows Components/Data Collection and Preview Builds | Disable pre-release features or settings | Disabled | Disabled |
| Windows Components/Data Collection and Preview Builds | Do not show feedback notifications | Enabled | Enabled |
| Windows Components/Data Collection and Preview Builds | Toggle user control over Insider builds | Disabled (maybe) | Disabled (maybe) |
| Windows Components/Event Log Service/Application | Control Event Log behavior when the log file reaches its maximum size | Disabled | Disabled |
| Windows Components/Event Log Service/Application | Specify the maximum log file size (KB) | 32768 | 32768 |
| Windows Components/Event Log Service/Security | Control Event Log behavior when the log file reaches its maximum size | Disabled | Disabled |
| Windows Components/Event Log Service/Security | Specify the maximum log file size (KB) | 196608 | 196608 |
| Windows Components/Event Log Service/Setup | Control Event Log behavior when the log file reaches its maximum size | Disabled | Disabled |
| Windows Components/Event Log Service/Setup | Specify the maximum log file size (KB) | 32768 | 32768 |
| Windows Components/Event Log Service/System | Control Event Log behavior when the log file reaches its maximum size | Disabled | Disabled |
| Windows Components/Event Log Service/System | Specify the maximum log file size (KB) | 32768 | 32768 |
| Windows Components/File Explorer | Configure Windows Defender SmartScreen (or Configure Windows SmartScreen) | Enabled; Pick one of the following settings = Warn and prevent bypass | Enabled; Pick one of the following settings = Warn and prevent bypass |
| Windows Components/File Explorer | Turn off Data Execution Prevention for Explorer | Disabled | Disabled |
| Windows Components/File Explorer | Turn off heap termination on corruption | Disabled | Disabled |
| Windows Components/File Explorer | Turn off shell protocol protected mode | Disabled | Disabled |
| Windows Components/Location and Sensors | Turn off location | Enabled (privacy) | Enabled (privacy) |
| Windows Components/OneDrive | Prevent the usage of OneDrive for file storage | Enabled (maybe) | Enabled (maybe) |
| Windows Components/Microsoft User Experience Virtualization/Windows Apps | Finance | Disabled (maybe & privacy) | Disabled (maybe & privacy) |
| Windows Components/Microsoft User Experience Virtualization/Windows Apps | Games | Disabled (maybe & privacy) | Disabled (maybe & privacy) |
| Windows Components/Microsoft User Experience Virtualization/Windows Apps | Maps | Disabled (maybe & privacy) | Disabled (maybe & privacy) |
| Windows Components/Microsoft User Experience Virtualization/Windows Apps | Music | Disabled (maybe & privacy) | Disabled (maybe & privacy) |
| Windows Components/Microsoft User Experience Virtualization/Windows Apps | News | Disabled (maybe & privacy) | Disabled (maybe & privacy) |
| Windows Components/Microsoft User Experience Virtualization/Windows Apps | Reader | Disabled (maybe & privacy) | Disabled (maybe & privacy) |
| Windows Components/Microsoft User Experience Virtualization/Windows Apps | Sports | Disabled (maybe & privacy) | Disabled (maybe & privacy) |
| Windows Components/Microsoft User Experience Virtualization/Windows Apps | Travel | Disabled (maybe & privacy) | Disabled (maybe & privacy) |
| Windows Components/Microsoft User Experience Virtualization/Windows Apps | Video | Disabled (maybe & privacy) | Disabled (maybe & privacy) |
| Windows Components/Microsoft User Experience Virtualization/Windows Apps | Weather | Disabled (maybe & privacy) | Disabled (maybe & privacy) |
| Windows Components/Remote Desktop Services/Remote Desktop Connection Client | Do not allow passwords to be saved | Enabled (careful if you're in RDP) | Enabled (careful if you're in RDP) |
| Windows Components/Remote Desktop Services/Remote Desktop Connection Client | Restrict Remote Desktop Services users to a single Remote Desktop Services session | Enabled (careful if you're in RDP) (maybe) | Enabled (careful if you're in RDP) (maybe) |
| Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection | Do not allow COM port redirection | Enabled (careful) | Enabled (careful) |
| Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection | Do not allow drive redirection | Enabled (careful if you're in RDP) | Enabled (careful if you're in RDP) |
| Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection | Do not allow LPT port redirection | Enabled (careful) | Enabled (careful) |
| Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection | Do not allow supported Plug and Play device redirection | Enabled | Enabled |
| Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security | Always prompt for password upon connection | Enabled (careful if you're in RDP) | Enabled (careful if you're in RDP) |
| Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security | Do not allow local administrators to customize permissions | Disabled (careful if you're in RDP) | Disabled (careful if you're in RDP) |
| Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security | Require secure RPC communication | Enabled (careful if you're in RDP) | Enabled (careful if you're in RDP) |
| Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security | Require use of specific security layer for remote (RDP) connections | SSL (careful if you're in RDP) | SSL (careful if you're in RDP) |
| Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security | Require user authentication for remote connections by using Network Level Authentication | Enabled (careful if you're in RDP; I suggest you don't do this one if you are RDPing in) | Enabled (careful if you're in RDP; I suggest you don't do this one if you are RDPing in) |
| Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security | Set client connection encryption level | High Level (careful if you're in RDP) | High Level (careful if you're in RDP) |
| Windows Components/Remote Desktop Services/Remote Desktop Session Host/Session Time Limits | Set time limit for active but idle Remote Desktop Services sessions | 300 | 300 |
| Windows Components/Remote Desktop Services/Remote Desktop Session Host/Session Time Limits | Set time limit for active Remote Desktop Services sessions | Enabled (careful if you're in RDP) | Enabled (careful if you're in RDP) |
| Windows Components/Remote Desktop Services/Remote Desktop Session Host/Session Time Limits | Set time limit for disconnected sessions | 60 | 60 |
| Windows Components/Remote Desktop Services/Remote Desktop Session Host/Temporary folders | Do not delete temp folders upon exit | Disabled | Disabled |
| Windows Components/Remote Desktop Services/Remote Desktop Session Host/Temporary folders | Do not use temporary folders per session | Disabled | Disabled |
| Windows Components/RSS Feeds | Prevent downloading of enclosures | Enabled | Enabled |
| Windows Components/Search | Allow Cortana | Disabled | Disabled |
| Windows Components/Search | Allow Cortana above lock screen | Disabled | Disabled |
| Windows Components/Search | Allow indexing of encrypted files | Disabled | Disabled |
| Windows Components/Search | Allow search and Cortana to use location | Disabled (privacy) | Disabled (privacy) |
| Windows Components/Software Protection Platform | Turn off KMS Client Online AVS Validation | Enabled (privacy) (maybe) | Enabled (privacy) (maybe) |
| Windows Components/Store | Disable all apps from Microsoft Store | Enabled (maybe) | Enabled (maybe) |
| Windows Components/Store | Turn off Automatic Download and Install of updates | Disabled | Disabled |
| Windows Components/Store | Turn off the offer to update to the latest version of Windows | Enabled (maybe) | Enabled (maybe) |
| Windows Components/Store | Turn off the Store application | Enabled (maybe) | Enabled (maybe) |
| Windows Components/Windows Defender Antivirus | Configure detection for potentially unwanted applications | Block | Block |
| Windows Components/Windows Defender Antivirus/MAPS | Join Microsoft MAPS | Advanced MAPS (secure) / Disabled (private) | Advanced MAPS (secure) / Disabled (private) |
| Windows Components/Windows Defender Antivirus/MAPS | Send file samples when further analysis is required | Send safe samples | Send safe samples |
| Windows Components/Windows Defender Antivirus/Real-time Protection | Turn on behavior monitoring | Enabled (secure) / Disabled (private) | Enabled (secure) / Disabled (private) |
| Windows Components/Windows Defender Antivirus/Reporting | Configure Watson events | Disabled | Disabled |
| Windows Components/Windows Defender Antivirus/Scan | Scan removable drives | Enabled | Enabled |
| Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction | Configure Attack Surface Reduction rules | Enabled; be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 = 1; b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 1; 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 1; d4f940ab-401b-4efc-aadc-ad5f3c50688a = 1; d3e037e1-3eb8-44c8-a917-57927947596d = 1; 5beb7efe-fd9a-4556-801d-275e5ffc04cc = 1; 3b576869-a4ec-4529-8536-b80a7769e899 = 1; 26190899-1602-49e8-8b27-eb1d0a1ce869 = 1; 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 1; 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 1; 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 = 1 | Enabled; be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 = 1; b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 1; 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 1; d4f940ab-401b-4efc-aadc-ad5f3c50688a = 1; d3e037e1-3eb8-44c8-a917-57927947596d = 1; 5beb7efe-fd9a-4556-801d-275e5ffc04cc = 1; 3b576869-a4ec-4529-8536-b80a7769e899 = 1; 26190899-1602-49e8-8b27-eb1d0a1ce869 = 1; 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 1; 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 1; 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 = 1 |
| Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Network Protection | Prevent users and apps from accessing dangerous websites | Block | Block |
| Windows Components/Windows Defender SmartScreen/Explorer | Configure Windows Defender SmartScreen | Enabled; Pick one of the following settings = Warn and prevent bypass | Enabled; Pick one of the following settings = Warn and prevent bypass |
| Windows Components/Windows Defender SmartScreen/Microsoft Edge | Configure Windows Defender SmartScreen | | Enabled |
| Windows Components/Windows Defender SmartScreen/Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for sites | | Enabled |
| Windows Components/Windows Game Recording and Broadcasting | Enables or disables Windows Game Recording and Broadcasting | | Disabled |
| Windows Components/Windows Ink Workspace | Allow suggested apps in Windows Ink Workspace | Disabled | Disabled |
| Windows Components/Windows Ink Workspace | Allow Windows Ink Workspace | On, but disallow access above lock | On, but disallow access above lock |
| Windows Components/Windows Installer | Allow user control over installs (prohibit user install) | Disabled | Disabled |
| Windows Components/Windows Installer | Always install with elevated privileges | Disabled | Disabled |
| Windows Components/Windows Installer | Prevent Internet Explorer security prompt for Windows Installer scripts | Disabled | Disabled |
| Windows Components/Windows Logon Options | Sign-in and lock last interactive user automatically after a restart (or Sign-in last interactive user automatically after a system-initiated restart) | Disabled | Disabled |
| Windows Components/Windows PowerShell | Turn on PowerShell Script Block Logging | Disabled (some other sources say Enabled in comp; try both); Log script block invocation start / stop events = [[[delete]]] | Disabled (some other sources say Enabled in comp; try both); Log script block invocation start / stop events = [[[delete]]] |
| Windows Components/Windows PowerShell | Turn on PowerShell Transcription | Disabled | Disabled |
| Windows Components/Windows Remote Management (WinRM)/WinRM Client | Allow Basic authentication | Disabled | Disabled |
| Windows Components/Windows Remote Management (WinRM)/WinRM Client | Allow unencrypted traffic | Disabled | Disabled |
| Windows Components/Windows Remote Management (WinRM)/WinRM Client | Disallow Digest authentication | Enabled | Enabled |
| Windows Components/Windows Remote Management (WinRM)/WinRM Service | Allow Basic authentication | Disabled | Disabled |
| Windows Components/Windows Remote Management (WinRM)/WinRM Service | Allow remote server management through WinRM | Disabled | Disabled |
| Windows Components/Windows Remote Management (WinRM)/WinRM Service | Allow unencrypted traffic | Disabled | Disabled |
| Windows Components/Windows Remote Management (WinRM)/WinRM Service | Disallow WinRM from storing RunAs credentials | Enabled | Enabled |
| Windows Components/Windows Remote Shell | Allow Remote Shell Access | Disabled | Disabled |
| Windows Components/Windows Update | Turn off auto-restart for updates during active hours | Enabled | Enabled |
| Windows Components/Windows Update | Turn on recommended updates via Automatic Updates | Enabled | Enabled |
| Windows Components/Windows Update | No auto-restart with logged on users for scheduled automatic updates installations | Enabled | Enabled |
| Windows Components/Windows Update | Configure Automatic Updates | Enabled; Auto download and schedule the install | Enabled; Auto download and schedule the install |
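The "Configure Attack Surface Reduction rules" row above lists eleven rule GUIDs that should all be set to 1 (Block). As an added example that is not part of this sheet, the PowerShell below reads the rule state Defender reports through Get-MpPreference and compares it with that list. The GUIDs are copied from the row; the action encoding (0 = Off, 1 = Block, 2 = Audit) is how Defender reports AttackSurfaceReductionRules_Actions, and this script only reads state, it changes nothing.

```powershell
# Added example (not from the sheet): compare the ASR rules Defender currently
# reports with the eleven rule IDs this sheet sets to 1 (Block).

# Rule IDs copied from the "Configure Attack Surface Reduction rules" row.
$expectedRules = @(
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
    'd3e037e1-3eb8-44c8-a917-57927947596d',
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc',
    '3b576869-a4ec-4529-8536-b80a7769e899',
    '26190899-1602-49e8-8b27-eb1d0a1ce869',
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b',
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
)

# Action codes as Defender reports them in AttackSurfaceReductionRules_Actions.
$actionName = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit' }

function Get-AsrRuleState {
    # Returns a hashtable of lower-case rule id -> action code.
    # Rules pushed by the GPO show up here once the policy has applied.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $null -ne $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    $state = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $state[$ids[$i].ToLower()] = [int]$actions[$i]
    }
    return $state
}

function Compare-AsrRules {
    param([hashtable]$State, [string[]]$Expected)
    foreach ($id in $Expected) {
        $key = $id.ToLower()
        if ($State.ContainsKey($key)) {
            $code   = $State[$key]
            $actual = if ($actionName.ContainsKey($code)) { $actionName[$code] } else { "code $code" }
            $status = if ($code -eq 1) { 'OK' } else { 'MISMATCH' }
        } else {
            $actual = '<not configured>'
            $status = 'MISSING'
        }
        [pscustomobject]@{ Status = $status; Expected = 'Block'; Actual = $actual; RuleId = $key }
    }
}

$current = Get-AsrRuleState
Compare-AsrRules -State $current -Expected $expectedRules | Format-Table -AutoSize

# Informational: rules configured on the box that the sheet does not list.
$extra = $current.Keys | Where-Object { $expectedRules -notcontains $_ }
if ($extra) { "Also configured but not on the sheet: $($extra -join ', ')" }
```

A MISSING result after you have set the GPO usually just means the policy has not refreshed yet; run gpupdate /force (or restart, as the notes suggest) and re-run before assuming the setting was lost.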
LAPS Specific GPOs

| Policy Path | Policy Name | Windows Server 2016/2019 | Windows 10/Workstation |
|---|---|---|---|
| LAPS | Do not allow password expiration time longer than required by policy | Enabled | Enabled |
| LAPS | Enable Local Admin Password Management | Enabled | Enabled |
| LAPS | Password Settings | Enabled; Password Complexity = Large letters + small letters + numbers + special characters; Password Length = 15 or more; Password Age = 30 or fewer | Enabled; Large letters + small letters + numbers + special characters |
MS (Member Server) Security Guide Specific GPOs

https://docs.microsoft.com/en-us/archive/blogs/secguide/security-baseline-final-for-windows-10-v1809-and-windows-server-2019

| Policy Path | Policy Name | Windows Server 2016/2019 | Windows 10/Workstation |
|---|---|---|---|
| MS Security Guide | Apply UAC restrictions to local accounts on network logons | Enabled | Enabled |
| MS Security Guide | Configure SMB v1 client driver | Disable driver (recommended) | Disable driver (recommended) |
| MS Security Guide | Configure SMB v1 server | Disabled | Disabled |
| MS Security Guide | Enable Structured Exception Handling Overwrite Protection (SEHOP) | Enabled | Enabled |
| MS Security Guide | Extended Protection for LDAP Authentication (Domain Controllers only) | Enabled, always (recommended) [DC] | |
| MS Security Guide | NetBT NodeType configuration | P-node (recommended) | P-node (recommended) |
| MS Security Guide | WDigest Authentication (disabling may require KB2871997) | Disabled | Disabled |
212
MSS Specific GPOs
213
https://docs.microsoft.com/en-us/archive/blogs/secguide/the-mss-settings
214
MSS (Legacy)MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)DisabledDisabled
215
MSS (Legacy)MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)Enabled
Highest protection, source routing is completely disabled.
Enabled
Highest protection, source routing is completely disabled.
216
MSS (Legacy)MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)Enabled
Highest protection, source routing is completely disabled.
Enabled
Highest protection, source routing is completely disabled.
217
MSS (Legacy)MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routesDisabledDisabled
218
MSS (Legacy)MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds300000300000
219
MSS (Legacy)MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS serversEnabledEnabled
220
MSS (Legacy)MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (couldlead to DoS)DisabledDisabled
221
MSS (Legacy)MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)EnabledEnabled
222
MSS (Legacy)MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)5 sec or fewer (0)5 sec or fewer (0)
223
MSS (Legacy)MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted33
224
MSS (Legacy)MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted33
225
MSS (Legacy)MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning90% or less90% or less