Windows GPO Reference
A complete reference of Microsoft Windows Group Policy settings: a searchable database of GPO settings with registry paths, supported Windows versions, configuration steps, security implications and concrete use cases. Built for administrators managing Active Directory, Intune and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a Windows configuration setting that defines the behaviour of computers and user accounts. Each policy corresponds to one or more registry values, applies to a specific scope (Computer or User) and ships in an ADMX file (administrative template). This reference indexes Microsoft's ADMX catalogue with detailed explanations, registry mappings and operational guidance not found on the official Microsoft Learn pages.

Configure Local Setting Override for Reporting to Microsoft MAPS
Prevents local users from changing cloud protection settings.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Turn Off Windows Defender Antivirus
If enabled, disables Defender entirely. Should be Disabled unless a third-party AV manages this.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Turn On Real-Time Protection
Ensures real-time scanning is always active.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-Time Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Configure Controlled Folder Access
Ransomware protection: prevents unauthorized apps from modifying protected folders.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Allow BitLocker Without a Compatible TPM
If enabled, allows BitLocker with just a password/USB key and no TPM.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Configure Attack Surface Reduction Rules
ASR rules block common attack vectors like Office macros spawning processes, credential theft from LSASS, and ransomware behaviors.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Turn On Virtualization Based Security
Enables VBS, which is required for Credential Guard and HVCI. Requires UEFI and compatible hardware.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Select Platform Security Level
Sets the required platform security features for VBS.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Enable Network Protection
Blocks connections to known malicious IPs and domains via SmartScreen.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Network Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Turn Off Routine Remediation
If enabled, prevents Defender from automatically remediating detected threats.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Hypervisor Protected Code Integrity (HVCI)
Enforces kernel code integrity using VBS. Prevents unsigned kernel drivers and code injection.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Store BitLocker Recovery Information in Active Directory
Automatically backs up the BitLocker recovery key to Active Directory.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Deny Write Access to Removable Drives Not Protected by BitLocker
Requires removable drives to be BitLocker-encrypted before allowing writes.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Credential Guard Configuration
Enables Credential Guard to protect LSASS credentials in a VBS enclave. Prevents Mimikatz-style attacks.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Configure Use of Passwords for Removable Data Drives
Sets password requirements for BitLocker-protected removable drives.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Choose Drive Encryption Method and Cipher Strength
Sets the encryption algorithm. XTS-AES 256 is the strongest option for Windows 10/11.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Domain Controller: Allow Server Operators to Schedule Tasks
Prevents Server Operators from scheduling tasks, which could allow privilege escalation.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Zerologon: Full Enforcement Mode (MS-NRPC)
Enforces secure RPC for all Netlogon connections. Mitigates CVE-2020-1472 (Zerologon). Ensure all domain devices are patched before enabling.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

LDAP Server Signing Requirements
Requires LDAP clients to negotiate data signing. Prevents LDAP relay attacks. Set to 2 to require.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Domain Member: Digitally Encrypt Secure Channel Data (When Possible)
Encrypts secure channel data when possible. Should be paired with RequireSignOrSeal.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Domain Member: Require Strong Session Key
Requires 128-bit session keys for secure channel data. All modern environments should have this enabled.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always)
Requires all secure channel traffic to be signed or encrypted. Prevents plaintext Netlogon traffic.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

LDAP Server Channel Binding Token Requirements
Requires LDAP channel binding for LDAPS connections. Mitigates NTLM relay to LDAP attacks. Apply after auditing.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →

Minimum Password Length
Minimum number of characters required in a password. NIST recommends 8+, CIS recommends 14+.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →