Référence GPO Windows
Une référence complète des stratégies de groupe Microsoft Windows — base de données interrogeable des paramètres GPO avec chemins de registre, versions Windows supportées, étapes de configuration, implications sécurité et cas d'usage concrets. Pensée pour les administrateurs gérant Active Directory, Intune et Windows en autonome.
Qu'est-ce qu'une stratégie de groupe ?
Un objet de stratégie de groupe (GPO) est un paramètre de configuration Windows qui définit le comportement des ordinateurs et des comptes utilisateurs. Chaque stratégie correspond à une ou plusieurs valeurs de registre, s'applique à une portée précise (Ordinateur ou Utilisateur) et est livrée dans un fichier ADMX (modèle administratif). Cette référence indexe le catalogue ADMX de Microsoft avec des explications détaillées, des correspondances de registre et des conseils opérationnels qu'on ne trouve pas sur les pages officielles Microsoft Learn.
Network access: Restrict anonymous access to Named Pipes
Bloque NULL session connections to named pipes. Paramètre to 1 exige authentification. Critical for MSPs preventing WMIEXEC and admin$ enumeration.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Network access: Do not allow anonymous enumeration of computer accounts
Empêche anonymous enumeration of ordinateur comptes. Paramètre to 1 bloque ordinateur discovery. MSPs use this to prevent reconnaissance.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Restrict Run dialog access
Désactive Run dialog (Win+R). Paramètre to 1 hides the dialog. Essential for MSPs preventing command execution on verrouillé-down kiosk systems.
User Configuration > Administrative Templates > System
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Network access: Model for local account authentication
Controls guest compte à distance login. Paramètre to 1 empêche blank mot de passe authentification. Critical for MSPs preventing guest compte abuse.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Network access: Restrict anonymous access to shares
Bloque anonymous share enumeration and accès. Paramètre to 1 exige authentification. Essential for MSPs protecting file shares.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Network access: Named Pipes that can be accessed anonymously
Lists named pipes accessible via NULL sessions. MSPs keep empty to prevent WMI and RPC attaques.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Network access: Remotely accessible registry paths
Specifies registry paths remotely accessible. MSPs restrict to only necessary paths to prevent information disclosure.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Remove Settings from Settings App
Controls which Settings pages utilisateurs can accès. MSPs restrict this to prevent système configuration changes on shared devices.
User Configuration > Administrative Templates > Control Panel > Settings
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Network access: Remotely accessible registry paths and sub-paths
Specifies registry subtrees remotely accessible. MSPs restrict to prevent à distance registry enumeration attaques.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Network access: Restrict anonymous enumeration of SAM accounts
Empêche anonymous utilisateurs from enumerating SAM. Paramètre to 1 exige authentification. Essential for MSPs blocking utilisateur compte discovery attaques.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Network access: Let Everyone permissions apply to anonymous users
Controls if Everyone group includes anonymous utilisateurs. Keep at 0 to deny anonymous accès. Critical for preventing NULL session resource accès.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Network access: Shares that can be accessed anonymously
Lists shares accessible via NULL sessions. MSPs keep empty to prevent anonymous data accès and discovery.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Disable IPv6
Désactive IPv6 protocol if not needed in legacy environments. Reduces protocol overhead and attaque surface on IPv4-only networks.
Computer Configuration > Policies > Administrative Templates > Network > TCP/IP
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Network access: Restrict anonymous enumeration of SAM accounts and shares
Restreint anonymous SAM and share enumeration. Paramètre to 2 exige authentification for enumeration. Critical for MSPs blocking reconnaissance attaques.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Network access: Insecure guest logons
Autorise insecure guest authentification. Paramètre to 0 exige secure auth. Critical for MSPs preventing credential relay attaques.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Configure security zones for trusted sites
Adds sites to trusted security zone with relaxed restrictions. Essential for MSP support of internal LOB applications requiring specific security context.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Configure SNMP community strings
Sets SNMP community strings for authentification. MSPs should use strong, rotated community strings for security.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Configure SmartScreen for phishing detection
Active real-time SmartScreen filter for phishing and malware detection. Critical security control for protecting client data and credentials.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Phishing Filter
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Prevent users from changing security zone settings
Locks down security zone configuration preventing utilisateur modification. Applique MSP security stratégies on client workstations.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Disable changing proxy settings
Empêche utilisateurs from modifying proxy configuration. Ensures consistent réseau traffic routing in MSP environments.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Connection Page
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Enable popup blocker
Active IE popup blocker to prevent malicious popups. Standard security baseline for MSP-managed client environments.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Configure proxy server settings
Sets centralized proxy configuration for internet traffic. Active MSPs to appliquer corporate proxy and content filtering stratégies.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Enable Compatibility View for intranet sites
Automatically active compatibility mode for intranet sites. Requis for legacy LOB applications not compatible with modern IE rendering.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Compatibility View
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Configure IPv6 transition technologies
Controls IPv6 transition mechanism behavior. Manages coexistence between IPv4 and IPv6 in mixed-mode networks.
Computer Configuration > Policies > Administrative Templates > Network > TCP/IP > IPv6 Transition
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →