Windows GPO Reference
A complete reference for Microsoft Windows Group Policy: a searchable database of GPO settings with registry paths, supported Windows versions, configuration steps, security implications and real-world use cases. Designed for administrators managing Active Directory, Intune and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a Windows configuration setting that defines the behavior of computers and user accounts. Each policy maps to one or more registry values, applies to a specific scope (Computer or User) and ships in an ADMX file (administrative template). This reference indexes Microsoft's ADMX catalogue with detailed explanations, registry mappings and operational guidance not found on the official Microsoft Learn pages.
Network access: Insecure guest logons
Allows insecure guest authentication to SMB servers. Setting to 0 requires secure authentication. Critical for MSPs preventing credential relay on legacy networks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Task Scheduler: Prevent browse to UNC paths
Prevents users from browsing UNC paths in the Task Scheduler UI. Setting to 1 disables browsing. MSPs use this to prevent information disclosure.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: SMB Encryption
Enforces SMB encryption. Value 3 requires encryption for all connections. Critical for MSPs protecting sensitive data in transit on SMB shares.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Task Scheduler: Deny user tasks
Prevents non-administrators from creating scheduled tasks. Setting to 1 disables user task creation. Critical for MSPs preventing malware persistence via task scheduling.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Task Scheduler: Hide property pages
Hides task property pages from non-administrators. Setting to 1 prevents visibility. MSPs use this to hide sensitive task configurations.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Task Scheduler: Cache task run results
Caches task execution results for audit purposes. Setting to 1 enables caching. MSPs use this to detect task execution anomalies.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Restrict anonymous access to Named Pipes and Shares
Blocks NULL session access to named pipes and shares. Setting to 1 enforces authentication. Critical for MSPs preventing share enumeration attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Task Scheduler: Task execution policy (restricted)
Restricts task execution to authorized users only. Setting to 1 enables restrictions. Critical for MSPs preventing unauthorized task launches.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Task Scheduler: Audit task execution
Enables auditing of scheduled task execution. Setting to 1 logs all task runs. Critical for MSPs detecting malware execution via Task Scheduler.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Task Scheduler: UNC hardened access paths
Restricts task access to UNC paths requiring authentication. Setting to 1 prevents NULL session task execution. MSPs use this to prevent remote malware execution.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Task Scheduler: Prevent task property page modification
Prevents users from modifying task properties. Setting to 1 disables property edits. MSPs use this to prevent malware from modifying monitoring tasks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Restrict anonymous enumeration of shares
Blocks anonymous enumeration of shares. Setting to 1 requires authentication for share browsing. MSPs use this to prevent discovery of sensitive shares.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Task Scheduler: Disable task deletion
Prevents non-administrators from deleting scheduled tasks. Setting to 1 disables deletion. MSPs use this to prevent tampering with security tasks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Task Scheduler: Configure task scheduler service startup
Controls the Task Scheduler service startup type. Keep at 2 (Automatic) for normal operation. MSPs monitor this to ensure automatic task execution.
Computer Configuration > Windows Settings > Security Settings > System Services
Supported on Windows 10, Windows 11, Windows Server 2016 and later
SMB Bandwidth Limiting
Limits SMB throughput as a percentage of bandwidth. Value 20 reserves 80% for other traffic. MSPs use this to prevent ransomware lateral movement.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Task Scheduler: Prevent task run suppression
Prevents disabling task execution. Setting to 1 forces tasks to run. MSPs enable this for critical remediation and monitoring tasks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Task Scheduler: Run only interactive tasks
Restricts tasks to interactive sessions only. Keep at 0 to allow background tasks. MSPs enable this only on high-security kiosk systems.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Custom User Interface (Shell Replacement)
Replaces the default Windows Explorer shell with a custom application. MSPs use this to lock down kiosk systems or special-purpose devices to single applications.
User Configuration > Administrative Templates > System
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Hide notification area icons
Hides the system tray notification area. Setting to 1 simplifies the taskbar. MSPs use this on kiosk systems to reduce user confusion.
User Configuration > Administrative Templates > Start Menu and Taskbar
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable Command Prompt
Disables Command Prompt completely. Setting to 2 disables it for all users. Critical for MSPs preventing script execution and system administration.
User Configuration > Administrative Templates > System
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Restrict Control Panel access
Restricts Control Panel access to specific applets. Setting to 1 limits available options. MSPs use this to prevent users from changing system settings.
User Configuration > Administrative Templates > Control Panel
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable Task Manager
Disables Task Manager access via Ctrl+Alt+Del. Setting to 1 hides Task Manager. Critical for MSPs preventing users from terminating kiosk applications.
User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable changing desktop wallpaper
Prevents users from changing the wallpaper. Setting to 1 enforces a locked wallpaper. MSPs use this for branding kiosk systems.
User Configuration > Administrative Templates > Desktop
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Hide specific drives in My Computer
Hides specified drives from Windows Explorer. MSPs use this to prevent access to sensitive partitions on kiosk or shared systems.
User Configuration > Administrative Templates > Windows Components > Windows Explorer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
