Windows GPO Reference
A complete reference of Microsoft Windows Group Policy settings: a searchable database of GPO settings with registry paths, supported Windows versions, configuration steps, security implications and concrete use cases. Designed for administrators managing Active Directory, Intune and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a Windows configuration setting that defines the behaviour of computers and user accounts. Each policy maps to one or more registry values, applies to a specific scope (Computer or User) and ships in an ADMX file (administrative template). This reference indexes Microsoft's ADMX catalogue with detailed explanations, registry mappings and operational guidance not found on the official Microsoft Learn pages.
Configure Enterprise Mode site list
Applies enterprise mode to specified sites for legacy application compatibility. Critical for supporting older internal web applications.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Compatibility View
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Disable script debugging
Disables script debugging functionality to reduce attack surface. Prevents users from inspecting or modifying active scripts.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Restrict file download security warnings
Controls file download validation and warnings. Prevents users from bypassing security checks on downloaded files.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Allow Windows Sandbox networking
Enables network access from Sandbox for testing networked applications. Disable for isolated testing scenarios.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Sandbox
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Disable managing certificate stores
Prevents users from managing SSL certificates. Protects certificate infrastructure in secured MSP environments.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Configure intranet zone sites
Defines which sites are treated as intranet for security zone purposes. Enables lower security restrictions for trusted internal resources.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Configure WPAD settings
Controls Web Proxy Auto-Discovery protocol. Disable to prevent automatic proxy configuration from DHCP/DNS.
Computer Configuration > Policies > Administrative Templates > Network > Web Proxy Auto-Discovery
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Configure permitted SNMP managers
Specifies IP addresses or hostnames of SNMP management systems allowed to query this device. Restricts SNMP access in MSP monitoring environments.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Disable LLMNR protocol
Disables Link-Local Multicast Name Resolution to prevent name spoofing attacks. Important security hardening for MSP clients.
Computer Configuration > Policies > Administrative Templates > Network > DNS Client
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Configure NetBIOS over TCP/IP
Sets NetBIOS mode (enabled, disabled, or DHCP configured). Disable in modern networks; keep for legacy SMB protocols.
Computer Configuration > Policies > Administrative Templates > Network > NetBIOS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Disable mDNS (Multicast DNS)
Disables multicast DNS resolution for simplification and security in managed networks. Reduces protocol complexity.
Computer Configuration > Policies > Administrative Templates > Network > mDNS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Configure SNMP service binding
Determines RFC 1156 compliance for SNMP agent. Enable for standard SNMP monitoring tool compatibility.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Configure SNMP trap destinations
Specifies SNMP trap destinations for event forwarding. Essential for centralized SNMP monitoring in managed networks.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Configure network isolation for Application Guard
Isolates Application Guard network traffic from host network. Prevents untrusted sites from accessing internal resources.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Configure DNS client settings
Sets DNS suffix search list for internal domain resolution. Enables seamless access to internal resources.
Computer Configuration > Policies > Administrative Templates > Network > DNS Client
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Require secure SNMP authentication
Sends authentication failure traps for invalid SNMP access attempts. Enables security monitoring of SNMP access.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Configure SNMP sysContact and sysLocation
Sets system contact and location information for SNMP queries. Helps identify devices in MSP monitoring dashboards.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Configure Application Guard for Edge
Enables Application Guard isolated browsing for Microsoft Edge. Protects against malicious websites by isolating them in containers.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Control camera access in Application Guard
Blocks camera access from Application Guard. Prevents unauthorized video capture of sensitive information.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Allow file downloads in Application Guard
Controls file download permissions in Application Guard. Disable downloads to prevent malicious file execution on host.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Enable certificate auto-enrollment
Automatically enrolls computers for certificates from enterprise PKI. Simplifies certificate lifecycle management in MSP environments.
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Enable Windows Sandbox
Enables isolated sandbox environment for testing untrusted applications. Valuable for MSPs testing patches and software before deployment.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Sandbox
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Control microphone access in Application Guard
Blocks microphone access from Application Guard. Prevents unauthorized audio recording of sensitive discussions.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Enable Application Guard graphics virtualization
Enables GPU virtualization in Application Guard for improved performance. Requires compatible graphics hardware.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
