GPO Configurations | Computer configuration


Introduction to Windows Configuration Profiles

Group Policy Objects (GPOs) are a core feature in Windows that allow administrators to centrally manage and configure operating system settings, security policies, and user environments. Through GPOs, IT teams can enforce consistent configurations across all endpoints in a domain, ensuring compliance, security, and ease of administration.

In Endpoint Central, the Windows Configuration Profiles feature simplifies the deployment of these policies by providing a centralized console to manage Administrative Templates and Security Settings. Instead of manually editing settings on each device via the Local Group Policy Editor (gpedit.msc) or Local Security Policy editor (secpol.msc), administrators can create, modify, and deploy Windows Configuration Profiles directly from Endpoint Central, saving time and reducing errors.

Administrative Templates

What are Administrative Templates

Administrative Templates are policy definitions used in Windows Group Policy Management to standardize configurations across devices. In Endpoint Central, they allow administrators to configure OS and application settings without writing custom scripts.

Administrative Templates use ADMX (policy definitions) and ADML (language-specific resources) files to expose settings in the Local Group Policy Editor and map them to registry keys. By leveraging these templates, IT admins can enforce security baselines, improve user productivity, and ensure compliance with organizational standards.

Examples of what you can configure:

  • Restricting access to Control Panel or specific applications
  • Managing Windows Update behavior
  • Configuring network, printer, and desktop settings
  • Controlling Windows Defender and firewall settings
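
The ADMX/ADML-to-registry mapping described above can be made visible with a short parser, which helps when you need to know which registry value to audit for a given policy. This is an added example, not Endpoint Central or Microsoft code; the ADMX and ADML fragments are constructed, and the vendor, policy and key names in them are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed fragments; vendor, policy and key names are hypothetical.
ADMX = r"""<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
 <policies>
  <policy name="DisableFeature" class="Machine" displayName="$(string.DisableFeature)"
          key="Software\Policies\ExampleVendor\ExampleApp" valueName="DisableFeature">
   <enabledValue><decimal value="1"/></enabledValue>
   <disabledValue><decimal value="0"/></disabledValue>
  </policy>
  <policy name="ServerName" class="Both" displayName="$(string.ServerName)"
          key="Software\Policies\ExampleVendor\ExampleApp">
   <elements><text id="ServerNameBox" valueName="Server"/></elements>
  </policy>
 </policies>
</policyDefinitions>"""
ADML = """<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
 <resources><stringTable>
  <string id="DisableFeature">Turn off the example feature</string>
  <string id="ServerName">Example server name</string>
 </stringTable></resources>
</policyDefinitionResources>"""

HIVES = {"Machine": ["HKLM"], "User": ["HKCU"], "Both": ["HKLM", "HKCU"]}


def map_policies(admx_text, adml_text):
    """Return one row per (policy, hive): display name, registry path, value names."""
    strings = {s.get("id"): (s.text or "").strip()
               for s in ET.fromstring(adml_text).iterfind(".//{*}string")}
    rows = []
    for pol in ET.fromstring(admx_text).iterfind(".//{*}policy"):
        # displayName is a $(string.ID) reference into the ADML string table.
        ref = pol.get("displayName", "")
        sid = ref[len("$(string."):-1] if ref.startswith("$(string.") else ref
        # A value name sits on the policy itself or on its input elements.
        names = [pol.get("valueName")] if pol.get("valueName") else []
        names += [e.get("valueName") for e in pol.iterfind("{*}elements/*")
                  if e.get("valueName")]
        enabled = pol.find("{*}enabledValue/{*}decimal")
        for hive in HIVES.get(pol.get("class"), []):
            rows.append({
                "policy": strings.get(sid, pol.get("name")),
                "path": hive + "\\" + pol.get("key"),
                "value_names": names,
                "enabled_data": int(enabled.get("value")) if enabled is not None else None,
            })
    return rows
```

A policy with class "Both" yields one row per hive, and a policy that only takes input through its elements reports no enabled data of its own.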

Security Settings

What are Security Settings

Security Settings are a set of Windows Group Policy configurations that control the security behavior of endpoints. Unlike Administrative Templates, which primarily map to registry keys, Security Settings enforce core OS security policies such as password requirements, account lockout rules, audit logging, and user privilege assignments.

In Endpoint Central, Security Settings allow administrators to centrally configure and deploy these critical security policies without requiring manual access to each device’s Local Security Policy editor (secpol.msc). This ensures consistent security baselines across all managed Windows endpoints.

Security Settings Categories

Security Settings are organized into the following categories:

Account Policies

  • Password Policy — Controls password requirements such as minimum length, complexity, maximum age, and password history.
  • Account Lockout Policy — Defines lockout thresholds, lockout duration, and reset counters to protect against brute-force attacks.
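
To confirm that the Account Policies above actually took effect on an endpoint, the effective policy can be exported with `secedit /export /cfg <file>` and compared against a baseline. The following is an added example, not part of Endpoint Central; the export text is a constructed sample and the baseline thresholds are assumptions chosen for illustration.

```python
import configparser

# Constructed sample of `secedit /export /cfg <file>` output; values are illustrative.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
"""

# Assumed baseline (not from the page): setting -> (lowest, highest) accepted value.
BASELINE = {
    "MinimumPasswordLength": (14, None),
    "PasswordComplexity": (1, 1),
    "PasswordHistorySize": (24, None),
    "LockoutBadCount": (1, 5),        # 0 would mean accounts never lock out
    "ResetLockoutCount": (15, None),  # minutes
}


def parse_system_access(inf_text):
    """Return the numeric [System Access] settings of a secedit export."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep setting names case-sensitive
    parser.read_string(inf_text)
    if not parser.has_section("System Access"):
        return {}
    return {name: int(value) for name, value in parser.items("System Access")
            if value.lstrip("-").isdigit()}


def check_baseline(settings, baseline=BASELINE):
    """Return (setting, actual, reason) for each value outside the baseline."""
    findings = []
    for name, (low, high) in baseline.items():
        actual = settings.get(name)
        if actual is None:
            findings.append((name, None, "not set in export"))
        elif low is not None and actual < low:
            findings.append((name, actual, f"below {low}"))
        elif high is not None and actual > high:
            findings.append((name, actual, f"above {high}"))
    return findings
```

A real export file is written as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `parse_system_access`.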

Local Policies

  • Audit Policy — Configures basic event auditing for logon events, object access, policy changes, privilege use, and more.
  • User Rights Assignment — Controls which users or groups are granted specific privileges, such as “Log on locally”, “Shut down the system”, or “Allow log on through Remote Desktop Services”.
  • Security Options — Configures miscellaneous security behaviors such as interactive logon messages, network access settings, UAC behavior, and SMB signing requirements.

Advanced Audit Policy Configuration

Provides granular control over audit policies, organized into subcategories:

  • Account Logon — Audits credential validation and Kerberos authentication events.
  • Account Management — Audits user, computer, and security group account changes.
  • Detailed Tracking — Audits process creation, termination, and DPAPI activity.
  • DS Access — Audits Active Directory Domain Services access and changes.
  • Logon/Logoff — Audits interactive, network, and remote logon/logoff events.
  • Object Access — Audits access to file system, registry, SAM, and other objects.
  • Policy Change — Audits changes to audit policies, authentication policies, and authorization policies.
  • Privilege Use — Audits the use of sensitive and non-sensitive privileges.
  • System — Audits system integrity, security state changes, and IPsec driver events.

Deploying Windows Configuration Profiles

To create and deploy a Windows Configuration Profile:

  1. Click on Configurations → Windows Configuration Profiles → Create Configuration → Computer Configuration

    Figure: Administrative Templates tab

  2. Select the tab for the policy type you want to configure:
  • Administrative Templates — to configure registry-based OS and application settings
  • Security Settings — to configure security policies such as password rules, account lockout, audit logging, and user rights
  3. Enter a descriptive Name and Description for your configuration.
  4. In the left pane, expand the category nodes to navigate to the desired setting.
  5. In the right pane, you’ll see all the policies under the selected node. Scroll to find the exact policy you want to configure.

    Figure: Adding Administrative Templates Settings

  6. Click on the Setting. A dialog box will open with configuration options depending on the policy type:

    Figure: Configure Administrative Templates Settings

For Administrative Templates:

  • Not Configured / Enabled / Disabled
  • If the policy supports extra input fields (e.g., server name, file path, or numeric value), fill in the required information.

For Security Settings:

  • For toggle-based policies (e.g., Password must meet complexity requirements): Enabled / Disabled
  • For value-based policies (e.g., Minimum password length): Enter the required numeric or text value
  • For audit policies: Select Success, Failure, Success and Failure, or No Auditing
  • For user rights assignment policies: Add or remove users and groups
  7. Configure the setting as per your requirement and click Save or Save & New.
  8. Select all the required settings.
  9. The policies you selected will be listed in the table below. Review and proceed.
  10. Define the Target.
  11. You can also enable notifications to receive emails based on the specified frequency.
  12. Click on the Deploy button to deploy the configuration to all the targets.
  13. To save the configuration as draft, click Save as draft.

Permissions Required

By default, Windows Configuration Profiles (Administrative Templates and Security Settings) are visible to all users with Configuration Write or Full Control access.

To restrict access:

  1. Navigate to Admin → User Administration → Role.
  2. Click Add Role.
  3. Assign Write or Full Control for the Configuration module, then click Restrict Functions.
  4. In the pop-up, uncheck Windows Configuration Profiles.