Windows GPO Reference
A complete reference of Microsoft Windows Group Policy settings: a searchable database of GPO settings with registry paths, supported Windows versions, configuration steps, security implications and concrete use cases. Designed for administrators managing Active Directory, Intune and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a Windows configuration setting that defines the behavior of computers and user accounts. Each policy maps to one or more registry values, applies to a specific scope (Computer or User) and is shipped in an ADMX file (administrative template). This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings and operational guidance not found on the official Microsoft Learn pages.
Domain Controller: Refuse Machine Account Password Changes
If enabled, DCs refuse machine account password changes. Keep disabled to allow normal machine account rotation.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Zerologon: Vulnerable Channel Allowlist
Allowlist for devices exempted from Zerologon enforcement. Should be empty in fully patched environments.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Active Directory: Use DFSR for SYSVOL Replication
N/A (DFSR configuration). Default: Enabled (post-2008 domains). Recommended: DFSR (not legacy FRS). DFSR should replace legacy FRS for SYSVOL replication. FRS is deprecated and unsupported on Server 2022+.
Computer Configuration > Administrative Templates > System > DFS Replication
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Domain Member: Digitally Sign Secure Channel Data (When Possible)
Signs secure channel traffic when encryption is not available.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Domain Member: Maximum Machine Account Password Age
How often domain-joined computer accounts rotate their passwords. Lower values reduce the window for machine credential attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Domain Member: Disable Machine Account Password Changes
Keep disabled to allow automatic machine account password rotation every 30 days. Enabling this is a security risk.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Elevation Prompt for Administrators in Admin Approval Mode
Controls UAC elevation prompts for administrators. Value 1 shows a secure desktop prompt. MSPs should enforce this for security visibility on privileged actions.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Switch to Secure Desktop when Prompting for Elevation
UAC prompts appear on a secure desktop isolated from user applications. Prevents keyloggers and credential-harvesting malware from intercepting prompts.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Require Administrator Password for Elevation
Specifies whether administrators must enter credentials to elevate. Value 1 enforces a password prompt on the secure desktop. Critical for audit trails.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Enable Network Protection
Blocks malicious domains and IP addresses at the network level. Prevents connections to command-and-control servers and phishing sites.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Network Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Behavior of Elevation Prompt for Standard Users
Controls standard user elevation: 0 = Auto-deny without prompt, 1 = Prompt for credentials. MSPs typically set this to 0 to prevent privilege escalation.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Detect Application Installations and Prompt for Elevation
Shows a UAC prompt on the secure desktop when Windows detects installer packages being executed. Critical for preventing unauthorized software deployment.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Behavior of Elevation Prompt for Administrators
Controls elevation behavior: 2 = Prompt on secure desktop, 5 = Prompt without requiring a password. MSPs should set this to 2 for maximum security.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Restrict Delegation to Remote Servers Only
When enabled, enforces Restricted Admin mode, which prevents credential caching. Critical for preventing pass-the-hash and credential theft attacks.
Computer Configuration > Administrative Templates > System > Credentials Delegation
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Elevation Prompt for Standard Users
Determines UAC behavior for standard users. Value 0 auto-denies elevation requests without prompting. Prevents users from running elevated tasks without admin approval.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Run All Administrators in Admin Approval Mode
Enables UAC for all administrators. When disabled, removes all UAC protections and elevation prompts. MSPs must keep this enabled for compliance.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Virtualize File and Registry Write Failures to Per-User Locations
Redirects legacy application write failures to user-writable locations instead of blocking them. Improves app compatibility while maintaining security.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Allow UIAccess Applications to Prompt for Elevation without Using Secure Desktop
Controls whether UIAccess applications can bypass secure desktop prompting. Should remain disabled to prevent malware from spoofing elevation prompts.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Only Elevate Signed Executables
Only allows elevation of digitally signed executables. Prevents unsigned malware from elevating privileges. Essential for MSP security hardening.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Allow Delegating Saved Credentials
Controls whether saved credentials can be delegated to other machines. Should remain disabled to prevent lateral movement attacks.
Computer Configuration > Administrative Templates > System > Credentials Delegation
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Require UEFI Firmware Lock
Locks UEFI firmware settings to prevent unauthorized modification. Requires physical access and passwords to change Secure Boot settings.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Enable DMA Port Protection
Blocks DMA (Direct Memory Access) attacks from Thunderbolt, USB, and FireWire devices. Prevents hardware-based privilege escalation.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Block Office Applications from Creating Child Processes
Blocks Office applications (Word, Excel, PowerPoint, Outlook) from spawning child processes. Prevents macro-based malware and script execution.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Allow Delegating Fresh Credentials
Controls whether fresh credentials can be delegated for outbound connections. Disabling this prevents credential caching for multi-hop scenarios.
Computer Configuration > Administrative Templates > System > Credentials Delegation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
