The Ultimate Microsoft Group Policy Intelligence Platform
Stop guessing what policies do. Start engineering Windows environments with precision.
PolicyForge is an open-source intelligence platform for Microsoft Group Policy, ADMX, MDM CSP, and Intune. It bridges the gap between:
- π Raw ADMX files that are unreadable at scale
- π₯οΈ Group Policy Editor that provides zero context
- βοΈ Intune with its completely different language (CSP)
- π Security baselines that are rigid and undocumented
PolicyForge is not documentation. It is infrastructure for IT decision-making.
π Live Web UI: ms-gpo.vercel.app β Search policies, filter by risk level & category, view MITRE ATT&CK mappings, registry paths, PowerShell commands, and Intune OMA-URIs in one place.
| Feature | Status |
|---|---|
| 80+ policies indexed with context, impact & use cases | β Live |
| MITRE ATT&CK mapping for every security policy | β Live |
| GPO β Intune OMA-URI translations | β Live |
| Registry β PowerShell reference | β Live |
| ADMX auto-parser (batch-generates Markdown) | β Live |
| Policy Diff Tracker (Windows 10 vs 11 vs Server) | β Live |
| PowerShell translation engine (GPO β Intune CSV) | β Live |
| Enterprise hardening template (CIS L2 / STIG) | β Live |
| Gaming optimization template | β Live |
| Kiosk / lockdown template | β Live |
| Red team evasion research (MITRE-mapped) | β Live |
| Microsoft Edge security policies (EDGE-001β013) | β Live |
| Microsoft Office macro security policies (OFFICE-001β005) | β Live |
| Web UI policy search dashboard | β Live β ms-gpo.vercel.app |
| AI policy recommendation engine | π Phase 4 |
β
Phase 1 β Foundation (Complete)
βββ Repository structure
βββ POLICY_SCHEMA.json (standardized schema)
βββ 3 seed policies with full MITRE/CSP/Registry mapping
βββ ADMX parser engine (automation/admx-parser/)
β
Phase 2 β Scale (Complete)
βββ 80+ policies across Windows Security, Privacy, Defender, Edge, Office, Account Policies
βββ GPO β Intune OMA-URI translation mappings
βββ PowerShell translation engine (GPO β Intune CSV export)
βββ Policy Diff Tracker (automation/policy-diff/)
βββ Registry β PowerShell bulk reference
βββ Templates: Enterprise Hardening, Gaming, Kiosk, Red Team
βββ Post-deployment verification scripts
β
Phase 3 β Web UI (Complete)
βββ Next.js search dashboard β https://ms-gpo.vercel.app
βββ Filter by: category (Defender, Edge, Office, Network, Privacy, Security)
βββ Filter by: risk level (Critical, High, Medium, Low)
βββ Real-time search across policies, registry, MITRE, OMA-URI
βββ Policy cards with MITRE ATT&CK tags, risk badges, category labels
π Phase 4 β AI Layer (Q4 2026)
βββ Natural language policy query: "Harden 50 SMB endpoints"
βββ Auto-generate GPO pack from environment description
βββ Policy simulator: "What happens if I enable this?"
βββ Conflict prediction engine
π Phase 5 β SaaS (2027)
βββ PolicyForge Cloud: web dashboard + API
βββ Tenant-aware policy recommendations
βββ Compliance reporter (CIS, DISA STIG, NIST 800-53)
βββ MDE / Defender for Business integration
PolicyForge/
β
βββ π policies/
β βββ windows/security/ # 19 hardening policies (WIN-SECURITY-001β019)
β βββ windows/privacy/ # 3 privacy policies (WIN-PRIVACY-001β003)
β βββ windows/network/ # Network isolation policies
β βββ windows/account-policies/ # 13 account policies (ACC-001β013)
β βββ windows/applocker/ # AppLocker policies
β βββ windows/audit/ # Audit policies
β βββ windows/bitlocker/ # BitLocker policies
β βββ windows/credentials/ # Credential protection policies
β βββ windows/firewall/ # Windows Firewall policies
β βββ windows/smb/ # SMB hardening policies
β βββ windows/update/ # Windows Update policies
β βββ windows/user-rights/ # User Rights Assignment policies
β βββ windows/wdac/ # Windows Defender App Control policies
β βββ defender/ # 10 Defender policies (DEF-001βDEF-010)
β βββ edge/ # 13 Edge browser policies (EDGE-001βEDGE-013)
β βββ office/ # 5 Office macro policies (OFFICE-001βOFFICE-005)
β βββ server/ # Windows Server policies (Phase 3)
β
βββ π templates/
β βββ security-baselines/ # Enterprise baseline (CIS L2 / STIG)
β βββ enterprise-hardening/ # 5-layer hardening + verify.ps1
β βββ gaming-optimization/ # Performance tuning for gaming PCs
β βββ kiosk-mode/ # Full lockdown + assigned access
β βββ redteam-evasion/ # Offensive research (authorized use)
β
βββ π translations/
β βββ gpo-to-intune/ # GPO β OMA-URI mappings + PS engine
β βββ registry-mapping/ # Registry β PowerShell reference
β
βββ π automation/
β βββ admx-parser/ # ADMX β Markdown generator
β βββ policy-diff/ # Windows version diff tracker
β
βββ π dashboards/
β βββ web-ui/ # Phase 3 β Next.js (Live: ms-gpo.vercel.app)
β
βββ README.md
βββ CONTRIBUTING.md
βββ CHANGELOG.md
βββ SECURITY.md
βββ POLICY_SCHEMA.json
βββ LICENSE
| Category | Count | Directory |
|---|---|---|
| Windows Security | 19 | policies/windows/security/ |
| Windows Account Policies | 13 | policies/windows/account-policies/ |
| Microsoft Edge | 13 | policies/edge/ |
| Microsoft Defender | 10 | policies/defender/ |
| Microsoft Office | 5 | policies/office/ |
| Windows Privacy | 3 | policies/windows/privacy/ |
| Windows Firewall, SMB, AppLocker, BitLocker, Audit, Update, User Rights, WDAC, Network, Credentials | 10+ | policies/windows/*/ |
| Total | 80+ |
| Goal | PolicyForge Resource |
|---|---|
| Harden endpoints against ransomware | templates/enterprise-hardening/ + policies/defender/DEF-006 |
| Block macro malware (Emotet/QakBot) | policies/office/OFFICE-001 + policies/office/OFFICE-002 |
| Migrate GPO to Intune | translations/gpo-to-intune/windows-security.md |
| Block LLMNR poisoning attacks | policies/windows/security/WIN-SECURITY-003 |
| Enforce Edge SmartScreen for all users | policies/edge/EDGE-003 |
| Lock down a kiosk / POS terminal | templates/kiosk-mode/ |
| Find policies deprecated in Windows 11 | automation/policy-diff/policy_diff.py |
| Optimize a gaming PC via GPO | templates/gaming-optimization/ |
| Validate hardening post-deployment | templates/enterprise-hardening/verify.ps1 |
| Search & explore all policies visually | ms-gpo.vercel.app |
Visit ms-gpo.vercel.app to search all policies by name, registry path, MITRE technique, or OMA-URI. Filter by category and risk level instantly β no setup required.
# Browse policies by category
ls policies/defender/
ls policies/windows/security/
ls policies/edge/
ls policies/office/
# Every policy file includes: registry path, PowerShell, Intune CSP, MITRE mapping
cat policies/office/OFFICE-002-block-macros-from-internet.md# Batch-generate Markdown from all ADMX files on your Windows machine
python automation/admx-parser/admx_parser.py \
--admx-dir "C:\Windows\PolicyDefinitions" \
--output-dir ./generated-policies# Scan live registry and export Intune OMA-URI CSV
.\translations\gpo-to-intune\translation-engine.ps1 -OutputCsv .\intune-export.csv
# Then import CSV into: Intune > Devices > Configuration > Create > Custom# Run as Administrator after applying enterprise hardening
.\templates\enterprise-hardening\verify.ps1
# Outputs PASS/FAIL/MISSING for 13 critical controlsPolicyForge grows through community intelligence. Every contribution makes the platform more valuable for the global sysadmin community.
Ways to contribute:
- π Add a new policy explanation (copy
policies/_TEMPLATE.md) - π Submit a GPO β Intune mapping we're missing
- π§ͺ Share a real-world deployment config
- π΄ Document an attack path and its defensive fix
- π Translate policies for non-English documentation
See CONTRIBUTING.md for full guidelines, badge rewards, and the contributor leaderboard.
MIT License β see LICENSE for details.
Made with β€οΈ by the PolicyForge community
π Try the Live Web UI Β Β·Β
β Star this repo if it helps you