Windows GPO Reference
A complete reference for Microsoft Windows Group Policy: a searchable database of GPO settings with registry paths, supported Windows versions, configuration steps, security implications and concrete use cases. Written for administrators managing Active Directory, Intune and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a container of configuration settings that defines the behaviour of computers and user accounts. Each Administrative Template setting maps to one or more registry values under the Policies keys, applies to a specific scope (Computer or User) and is defined in an ADMX file (administrative template). Settings under Windows Settings > Security Settings (account, audit and Security Options policies) are applied by the security configuration engine rather than through ADMX, although most of them still end up as registry values. This reference indexes Microsoft's ADMX catalogue with detailed explanations, registry mappings and operational guidance not found on the official Microsoft Learn pages.
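As an added illustration of the policy-to-registry mapping described above (example code written for this page, not part of the reference database or of Microsoft's tooling), the function below reads an ADMX file and reports the registry key and value names a policy writes. It assumes the default local policy store under C:\Windows\PolicyDefinitions and that the MAPS policy in WindowsDefender.admx is named SpynetReporting, as in the Windows 10/11 ADMX files.

```powershell
# Added example: resolve an Administrative Template policy to the registry
# key/values it writes by parsing the ADMX file it ships in.
# Assumptions: default policy store path; policy name 'SpynetReporting' for "Join Microsoft MAPS".
function Find-AdmxPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$AdmxPath,
        [Parameter(Mandatory)] [string]$PolicyName   # the <policy name="..."> attribute
    )
    [xml]$admx = Get-Content -LiteralPath $AdmxPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($admx.NameTable)
    $ns.AddNamespace('pd', 'http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions')

    $policy = $admx.SelectSingleNode("//pd:policy[@name='$PolicyName']", $ns)
    if (-not $policy) { throw "Policy '$PolicyName' not found in $AdmxPath" }

    # class="Machine" lands under HKLM, class="User" under HKCU, "Both" under either.
    $hive = switch ($policy.class) { 'Machine' { 'HKLM' } 'User' { 'HKCU' } default { 'HKLM/HKCU' } }

    # A policy either writes one valueName directly (enabledValue/disabledValue)
    # or exposes <elements> (enum/decimal/text/list), each with its own valueName.
    $values = @()
    if ($policy.valueName) { $values += $policy.valueName }
    foreach ($el in $policy.SelectNodes('pd:elements/*', $ns)) {
        if ($el.valueName) { $values += $el.valueName }
        elseif ($el.key)   { $values += "<list of values under $($el.key)>" }
    }

    [pscustomobject]@{
        Policy    = $PolicyName
        Class     = $policy.class
        Key       = "$hive\$($policy.key)"
        Values    = $values
        Supported = $policy.supportedOn.ref   # token defined in Windows.admx / the .adml strings
    }
}

# Usage: which registry values does "Join Microsoft MAPS" write?
Find-AdmxPolicy -AdmxPath "$env:SystemRoot\PolicyDefinitions\WindowsDefender.admx" -PolicyName 'SpynetReporting'
```

The same function works against any ADMX in the store (or a central store under SYSVOL), which is how the registry paths in the entries below can be verified against the template actually deployed in your domain.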
Use Advanced Protection Against Ransomware
This is an Attack Surface Reduction (ASR) rule rather than a standalone policy: it is enabled through "Configure Attack Surface Reduction rules" by adding the rule GUID c1db55ab-c21a-4637-bb3f-a12568109d35 with a value of 1 (block), 2 (audit) or 6 (warn). It uses client and cloud heuristics to block files whose behaviour looks like ransomware (suspicious encryption and file-locking patterns), so it depends on cloud-delivered protection (MAPS) being enabled. Roll it out in audit mode first and review Event ID 1122 (audited) and 1121 (blocked) in the Microsoft-Windows-Windows Defender/Operational log before switching to block.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules, one REG_SZ value per rule (name = rule GUID, data = 0/1/2/6), with ExploitGuard_ASR_Rules = 1 in the parent key
Supported on Windows 10, Windows 11, Windows Server 2016 and later
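The staged rollout described above, as an added example (this page's illustration, not Microsoft's or the reference's own tooling): it writes the same registry values the GPO writes, which is useful on a standalone host or to confirm a GPO landed, then reads back what the Defender engine actually enforces and pulls the matching audit events. The rule GUID is Microsoft's documented identifier for this rule; the 24-hour window and the use of the registry rather than Set-MpPreference are this example's choices.

```powershell
# Added example: stage the "Use advanced protection against ransomware" ASR rule
# in audit mode, verify the effective state, and list what it would have blocked.
$RansomwareRule = 'c1db55ab-c21a-4637-bb3f-a12568109d35'   # Microsoft's documented rule ID
$AsrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'

function Set-AsrRuleState {
    param(
        [Parameter(Mandatory)][string]$RuleId,
        [Parameter(Mandatory)][ValidateSet('Off','Block','Audit','Warn')][string]$Mode
    )
    $code = @{ Off = 0; Block = 1; Audit = 2; Warn = 6 }[$Mode]
    New-Item -Path "$AsrKey\Rules" -Force | Out-Null                   # creates parents too
    Set-ItemProperty -Path $AsrKey -Name 'ExploitGuard_ASR_Rules' -Type DWord -Value 1
    Set-ItemProperty -Path "$AsrKey\Rules" -Name $RuleId -Type String -Value $code   # REG_SZ, as the GPO writes it
}

function Get-AsrRuleState {
    # Returns the action Defender reports for the rule: 0 off, 1 block, 2 audit, 6 warn, $null if unset.
    param([Parameter(Mandatory)][string]$RuleId)
    $p = Get-MpPreference
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($p.AttackSurfaceReductionRules_Ids[$i] -ieq $RuleId) {   # GUID case differs between sources
            return $p.AttackSurfaceReductionRules_Actions[$i]
        }
    }
    return $null
}

function Get-AsrEvents {
    param([int]$Hours = 24)
    # 1121 = rule blocked something, 1122 = audit mode, would have blocked
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match $RansomwareRule } |
      Select-Object TimeCreated, Id, Message
}

# The rule relies on cloud heuristics: warn loudly if MAPS is off (0 = disabled, 2 = advanced).
if ((Get-MpPreference).MAPSReporting -eq 0) {
    Write-Warning 'Cloud-delivered protection is off; this ASR rule will be far less effective.'
}
Set-AsrRuleState -RuleId $RansomwareRule -Mode Audit
Get-AsrRuleState -RuleId $RansomwareRule    # expect 2 once Defender has re-read policy
Get-AsrEvents -Hours 24
```

Defender re-reads the Policies keys on its own schedule; run gpupdate /force (or wait for the next policy refresh) before trusting Get-AsrRuleState, and switch the call to -Mode Block only after the audit events have been reviewed for false positives.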
Enable Structured Exception Handling Overwrite Protection (SEHOP)
Validates the exception handler chain before a handler is dispatched, so an SEH record overwritten by a stack buffer overflow (the classic x86 technique) cannot hand control to attacker-chosen code. SEH only exists in 32-bit code; 64-bit processes use table-based unwinding and are unaffected. SEHOP is a system-wide Exploit protection mitigation (on by default on Windows 10/11) and can be audited or switched off per program for legacy 32-bit applications that break under it.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Exploit Guard > Exploit Protection ("Use a common set of exploit protection settings", which references an XML exported with Get-ProcessMitigation)
Registry: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation (0 = SEHOP enabled, 1 = disabled)
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Cloud-Delivered Protection
Policy name "Join Microsoft MAPS". Enables cloud-based protection using Microsoft's security intelligence: 0 = disabled, 1 = basic membership, 2 = advanced membership, which sends the additional metadata needed for real-time verdicts. Advanced is required for Block at First Sight and for the cloud-reliant ASR rules to work fully; pair it with "Send file samples when further analysis is required" and a cloud check timeout that fits your network.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpynetReporting
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Real-Time Protection
Scans files as they are accessed or written and blocks malware immediately. The policy is phrased in the negative, "Turn off real-time protection": Not Configured or Disabled keeps real-time protection on, Enabled switches it off. Set it to Disabled explicitly so that a local administrator cannot turn the engine off from the Windows Security app, and enable tamper protection so malware cannot flip the value either.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring (0 = protection on)
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Controlled Folder Access
Allows only trusted applications to modify files in protected folders (the user's Documents, Pictures, Videos, Music and Desktop by default, plus any folders you add), which stops ransomware from encrypting user data even when it runs. Values: 0 = off, 1 = block, 2 = audit, 3 = block disk modification only, 4 = audit disk modification only. Run in audit mode first and review Event ID 1124 (audited) and 1123 (blocked) in the Microsoft-Windows-Windows Defender/Operational log: in-house tools, backup agents and installers commonly need adding to the allowed applications list.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Scheduled Scan Day
Policy "Specify the day of the week to run a scheduled scan". Value 0 runs the scan every day, 1 = Sunday through 7 = Saturday, and 8 = never. The scan runs at the time set by "Specify the time of day to run a scheduled scan" (2:00 AM by default) and uses the type set by "Specify the scan type" (quick or full). MSPs should pick an off-hours day and stagger large fleets rather than scanning every client at the same hour.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Scan
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan\ScheduleDay
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Address Space Layout Randomization (ASLR)
Randomizes the base addresses of executables, DLLs, heaps and stacks each time a process starts (and of the kernel and HAL at boot), so an exploit cannot rely on fixed addresses for its gadgets or target functions. Images are only randomized if they were linked with /DYNAMICBASE unless Mandatory ASLR is enabled; "Randomize memory allocations (Bottom-up ASLR)" and "High-entropy ASLR" widen the randomization of heaps, stacks and 64-bit address space. An information leak still defeats ASLR, so it complements DEP and CFG rather than replacing them.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Exploit Guard > Exploit Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Control Flow Guard (CFG)
Validates the target of every indirect call or jump against the set of valid function entry points recorded at compile time, so a corrupted function pointer or vtable cannot be redirected to attacker-chosen code. CFG only protects images compiled with /guard:cf; the system setting decides whether that protection is honoured and whether "Strict CFG" rejects non-CFG modules in a CFG process. It does not stop classic return-oriented programming, since return addresses are not checked; hardware-enforced stack protection (below) addresses that.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Exploit Guard > Exploit Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Potentially Unwanted Application (PUA) Protection
Policy "Configure detection for potentially unwanted applications": 0 = off, 1 = block, 2 = audit. Detects adware, bundlers, coin miners and similar grey-area software that is not classified as malware. Start in audit mode and review detections with Get-MpThreatDetection (threat names begin with "PUA:") before moving to block, since some line-of-business tools are flagged.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus (the setting sits at the folder root, not under Real-time Protection)
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\PUAProtection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Tamper Protection
Locks the core Defender settings (real-time protection, cloud-delivered protection, behaviour monitoring, IOAV, security intelligence updates) so that neither malware nor an attacker with local administrator rights can switch them off with Set-MpPreference, the Windows Security app or a registry edit. Tamper protection is not a Group Policy setting: it is enabled from the Windows Security app, through Intune or Configuration Manager tenant attach, or tenant-wide from Microsoft Defender for Endpoint, and while it is on, Group Policy changes to the protected settings are ignored. Check the state with (Get-MpComputerStatus).IsTamperProtected.
Not available in Group Policy (Windows Security app, Intune, Configuration Manager tenant attach, or the Defender for Endpoint tenant setting)
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Definition Update Sources
Policy "Define the order of sources for downloading security intelligence updates". A pipe-separated list drawn from InternalDefinitionUpdateServer (WSUS), MicrosoftUpdateServer, MMPC (direct download from Microsoft's security intelligence servers) and FileShares; the default is InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC. Keep MMPC in the list as the last resort so hosts that lose WSUS or Microsoft Update still get updates, and check currency with (Get-MpComputerStatus).AntivirusSignatureLastUpdated. Stale signatures silently reduce protection, which makes this setting critical.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates (named Signature Updates in older ADMX files)
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates\FallbackOrder
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Exclusions by File Extension
Policy "Extension Exclusions": files with the listed extensions are skipped by real-time and scheduled scans. Every exclusion is a blind spot, and unless the policy that hides exclusions from local users is enabled the list is readable on the host (Get-MpPreference or the registry), so attackers routinely drop payloads with an excluded extension. Prefer path or process exclusions scoped to the specific application, never exclude executable or script extensions (.exe, .dll, .ps1, .js, .vbs, .hta), document each exclusion with an owner and a review date, and audit them with (Get-MpPreference).ExclusionExtension.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Exclusions
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions (one REG_SZ value per extension, name = extension, data = 0)
Supported on Windows 10, Windows 11, Windows Server 2016 and later
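The Defender Antivirus entries above (cloud protection, real-time protection, controlled folder access, scan day, PUA protection, tamper protection, update sources and extension exclusions) can be audited together from the engine's own view rather than from the GPO's registry keys, so a policy that never applied, or that tamper protection is blocking, shows up as drift. The script below is an added example written for this page, not part of the reference or of Microsoft's baselines; the expected values (advanced MAPS, Sunday scans, signatures under three days old, the list of forbidden extensions) are this example's assumptions.

```powershell
# Added example: compare the effective Defender AV configuration with an assumed baseline.
function Test-DefenderBaseline {
    [CmdletBinding()]
    param(
        # Extensions that must never be excluded; assumed list for this example.
        [string[]]$ForbiddenExtensions = @('exe','dll','ps1','js','vbs','hta','scr','bat','cmd')
    )
    $pref   = Get-MpPreference        # what policy/preferences ask for
    $status = Get-MpComputerStatus    # what the engine reports as running

    $checks = @(
        @{ Name='Cloud protection (MAPS) advanced';  Actual=$pref.MAPSReporting;                Ok=($pref.MAPSReporting -eq 2) }
        @{ Name='Real-time protection running';     Actual=$status.RealTimeProtectionEnabled;  Ok=[bool]$status.RealTimeProtectionEnabled }
        @{ Name='Behavior monitoring running';      Actual=$status.BehaviorMonitorEnabled;     Ok=[bool]$status.BehaviorMonitorEnabled }
        @{ Name='PUA protection = block';           Actual=$pref.PUAProtection;                Ok=($pref.PUAProtection -eq 1) }
        @{ Name='Controlled folder access = block'; Actual=$pref.EnableControlledFolderAccess; Ok=($pref.EnableControlledFolderAccess -eq 1) }
        @{ Name='Tamper protection on';             Actual=$status.IsTamperProtected;          Ok=[bool]$status.IsTamperProtected }
        @{ Name='Scan day = Sunday (1)';            Actual=$pref.ScanScheduleDay;              Ok=($pref.ScanScheduleDay -eq 1) }
        @{ Name='MMPC present in fallback order';   Actual=$pref.SignatureFallbackOrder;       Ok=("$($pref.SignatureFallbackOrder)" -match 'MMPC') }
        @{ Name='Signatures younger than 3 days';   Actual=$status.AntivirusSignatureAge;      Ok=($status.AntivirusSignatureAge -lt 3) }
    )

    # Extension exclusions: any executable/script extension in the list is a finding by itself.
    $badExt = @($pref.ExclusionExtension | Where-Object {
        $ForbiddenExtensions -contains (($_ -replace '^\.', '').ToLower())
    })
    $checks += @{ Name='No executable extension exclusions'; Actual=($badExt -join ','); Ok=($badExt.Count -eq 0) }

    foreach ($c in $checks) {
        [pscustomobject]@{ Check = $c.Name; Actual = $c.Actual; Pass = [bool]$c.Ok }
    }
}

# Usage: show only the failures.
Test-DefenderBaseline | Where-Object { -not $_.Pass } | Format-Table -AutoSize
```

Get-MpPreference reflects the merged result of Group Policy, Intune and local Set-MpPreference calls, while Get-MpComputerStatus reports the engine state; a mismatch between the two (policy says real-time protection on, engine says off) is exactly the tampering case the tamper protection entry above is about.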
Enable Data Execution Prevention (DEP)
Marks stack, heap and other data pages as non-executable using the processor's NX/XD bit, so shellcode injected into a data region faults instead of running; attackers must fall back to code reuse (ROP), which is why DEP is always paired with ASLR and CFG. The system-wide mode (OptIn, OptOut, AlwaysOn, AlwaysOff) is a boot setting written with bcdedit /set nx; on 64-bit Windows, 64-bit processes always run with DEP and cannot opt out, while 32-bit processes follow the system mode or a per-program Exploit protection override.
System-wide mode: bcdedit /set {current} nx; per-program: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Exploit Guard > Exploit Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Heap Protection
Exploit protection's "Validate heap integrity" mitigation: the heap manager checks block metadata (headers and free-list links) on allocation and free and terminates the process as soon as corruption is detected, rather than letting a heap overflow turn a corrupted header into an arbitrary write. Heap base randomization itself comes from ASLR (bottom-up randomization), not from this setting. It is on by default system-wide on Windows 10/11.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Exploit Guard > Exploit Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Mandatory ASLR
Exploit protection's "Force randomization for images (Mandatory ASLR)" (ForceRelocateImages): rebases every image at load time even if it was not linked with /DYNAMICBASE, so legacy modules no longer offer fixed gadget addresses. Two caveats: it only yields real randomization when "Randomize memory allocations (Bottom-up ASLR)" is also on, otherwise forced images land at predictable addresses; and images stripped of relocation data cannot be rebased and some old applications crash, so test system-wide enforcement or apply it per program. It is off by default.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Exploit Guard > Exploit Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Force ASLR for Images
The system-wide form of the same ForceRelocateImages mitigation: every loaded EXE and DLL gets a randomized base regardless of how it was linked, giving consistent randomization across all modules in every process. Enable it together with "Randomize memory allocations (Bottom-up ASLR)" and, for 64-bit processes, "High-entropy ASLR", which uses the full 64-bit address range for bottom-up allocations; without bottom-up randomization the forced relocation is not random.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Exploit Guard > Exploit Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Prevent Child Processes from Bypassing Exploit Protection
The per-program "Do not allow child processes" mitigation (DisallowChildProcessCreation): a protected application cannot spawn any child process at all, so an exploit inside it cannot launch cmd.exe, PowerShell or a dropped payload in a process that lacks its mitigations. It is a per-program setting, not system-wide, and it breaks applications that legitimately spawn helpers (browsers, update launchers, print dialogs), so enable the "Audit only" option first and review the resulting events before enforcing.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Exploit Guard > Exploit Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Hardware-Enforced Stack Protection
Exploit protection's "Hardware-enforced Stack Protection" (UserShadowStack): uses Intel CET or AMD Shadow Stack to keep a CPU-maintained copy of return addresses, so a return address corrupted on the normal stack raises a control-protection fault instead of running a ROP chain. It requires an Intel 11th-generation (Tiger Lake) or AMD Zen 3 or newer processor, Windows 10 version 2004 or later or Windows 11, and images compiled with /CETCOMPAT; on unsupported hardware the setting is a silent no-op. Compatibility mode tolerates non-CET modules, strict mode enforces the shadow stack for all of them.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Exploit Guard > Exploit Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
DEP Mode for 32-bit Applications
On 64-bit Windows, 64-bit processes always run with DEP; 32-bit processes follow the system mode: OptIn applies DEP only to Windows binaries and programs that opt in, OptOut applies it to everything except an exception list, AlwaysOn cannot be overridden by any program. Enforce AlwaysOn, or OptOut plus per-program Exploit protection overrides, because 32-bit exploits commonly rely on a process that opted out. The effective mode is reported by (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy (0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut).
System-wide mode: bcdedit /set {current} nx; per-program: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Exploit Guard > Exploit Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
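The Exploit protection mitigations above (DEP, SEHOP, CFG, ASLR and its bottom-up/forced-relocation variants, heap integrity, child process restriction, shadow stacks) are all driven by the same ProcessMitigations module, and the XML it exports is what the "Use a common set of exploit protection settings" policy consumes. The script below is an added example for this page, not code from the reference or from Microsoft: it applies a system-wide baseline, reports the effective state, opts one program into the child-process mitigation in audit mode, exports the policy file and checks the boot-level DEP mode. The export path, the program name AcroRd32.exe and the nested property names on the Get-ProcessMitigation -System output (which follow the section and field names the cmdlet prints) are this example's assumptions.

```powershell
# Added example: apply, verify and export system-wide exploit protection settings.
$ExportPath = 'C:\ProgramData\ExploitProtection\baseline.xml'   # assumed; use a UNC path for a domain GPO

function Get-DepPolicy {
    # Boot-level DEP mode as reported by the OS: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut
    $code = (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }[[int]$code]
}

function Set-DepPolicy {
    param([Parameter(Mandatory)][ValidateSet('OptIn','OptOut','AlwaysOn','AlwaysOff')][string]$Mode)
    # Boot setting: takes effect after a reboot. AlwaysOn cannot be overridden per program.
    & bcdedit.exe /set '{current}' nx $Mode | Out-Null
}

function Set-SystemMitigationBaseline {
    # DEP + SEHOP + CFG + ASLR. ForceRelocateImages only randomizes when BottomUp is also on,
    # so the two are enabled together; HighEntropy widens 64-bit bottom-up allocations.
    Set-ProcessMitigation -System -Enable DEP, SEHOP, CFG, BottomUp, HighEntropy, ForceRelocateImages
}

function Get-SystemMitigationReport {
    # Property names follow the sections printed by Get-ProcessMitigation -System (ON/OFF/NOTSET).
    $m = Get-ProcessMitigation -System
    [pscustomobject]@{
        DEP                 = $m.DEP.Enable
        SEHOP               = $m.SEHOP.Enable
        CFG                 = $m.CFG.Enable
        BottomUpASLR        = $m.ASLR.BottomUp
        HighEntropyASLR     = $m.ASLR.HighEntropy
        ForceRelocateImages = $m.ASLR.ForceRelocateImages
        HeapIntegrity       = $m.Heap.TerminateOnError
        ShadowStack         = $m.UserShadowStack.UserShadowStack   # NOTSET/OFF on CPUs without CET
    }
}

function Protect-ChildProcessCreation {
    # Per-program "Do not allow child processes"; audit first, then enforce.
    param([Parameter(Mandatory)][string]$ProgramName, [switch]$AuditOnly)
    if ($AuditOnly) { Set-ProcessMitigation -Name $ProgramName -Enable AuditChildProcess }
    else            { Set-ProcessMitigation -Name $ProgramName -Enable DisallowChildProcessCreation }
}

function Export-MitigationPolicy {
    # The exported XML is what the GPO "Use a common set of exploit protection settings" points at.
    New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null
    Get-ProcessMitigation -RegistryConfigFilePath $ExportPath
}

# Usage (elevated shell):
Set-SystemMitigationBaseline
Get-SystemMitigationReport
Protect-ChildProcessCreation -ProgramName 'AcroRd32.exe' -AuditOnly   # a PDF reader has no business spawning children
Export-MitigationPolicy
if ((Get-DepPolicy) -ne 'AlwaysOn') { Set-DepPolicy -Mode AlwaysOn }   # reboot required
```

On another host the same XML is applied with Set-ProcessMitigation -PolicyFilePath, which is a quick way to confirm the file the GPO references actually contains the mitigations you expect before deploying it domain-wide.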
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Controls whether this computer may use NTLM to authenticate to remote servers: Allow all (0), Audit all (1) or Deny all (2). Deny all blocks outgoing NTLM everywhere except servers listed in "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication". Deploy Audit all first and mine the NTLM Operational log (Applications and Services Logs > Microsoft > Windows > NTLM > Operational, Event ID 8001) for the targets that still receive NTLM (NAS devices, printers, non-domain hosts, anything addressed by IP rather than name, which always falls back to NTLM), then move to Deny. Essential for MSPs to keep clients from authenticating to NTLM-only hosts and to blunt NTLM relay attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Registry: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic (0/1/2); exceptions in ClientAllowedNTLMServers (REG_MULTI_SZ)
Supported on Windows 10, Windows 11, Windows Server 2016 and later
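The audit-then-deny rollout described above, as an added example written for this page (not the reference's or Microsoft's code): it writes the registry values the Security Option writes on a single host, harvests the servers that still receive NTLM from the NTLM Operational log, stores them in the exception list and then switches to Deny all. The 14-day window, the "Target server:" pattern used to pull the host name out of the 8001 event text, and the *.legacy.corp filter are this example's assumptions; in a domain the same values are set through the GPO rather than directly.

```powershell
# Added example: staged outgoing-NTLM restriction on one host.
$Msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Set-OutgoingNtlm {
    param([Parameter(Mandatory)][ValidateSet('Allow','Audit','Deny')][string]$Mode)
    $code = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]    # same values the Security Option writes
    Set-ItemProperty -Path $Msv -Name 'RestrictSendingNTLMTraffic' -Type DWord -Value $code
}

function Get-NtlmTargets {
    # Distinct servers this host authenticated to with NTLM while in Audit mode (Event ID 8001).
    param([int]$Days = 14)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        # Assumption: the event text carries the target as "Target server: <name>".
        if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] }
    } | Sort-Object -Unique
}

function Set-NtlmServerExceptions {
    # "Add remote server exceptions for NTLM authentication": names may use a leading wildcard.
    param([string[]]$Servers)
    Set-ItemProperty -Path $Msv -Name 'ClientAllowedNTLMServers' -Type MultiString -Value $Servers
}

# Phase 1: audit without breaking anything.
Set-OutgoingNtlm -Mode Audit

# Phase 2 (after the audit window): review what still uses NTLM.
$targets = Get-NtlmTargets -Days 14
$targets | ForEach-Object { Write-Host "NTLM still used for: $_" }

# Phase 3: allow only the hosts that genuinely cannot do Kerberos, deny the rest.
$exceptions = @($targets | Where-Object { $_ -like '*.legacy.corp' })   # assumed legacy zone
Set-NtlmServerExceptions -Servers $exceptions
Set-OutgoingNtlm -Mode Deny
```

Hosts that appear in the audit only by IP address are the usual surprise: Kerberos needs a name to build an SPN, so fixing the client to use the FQDN removes the NTLM dependency without needing an exception.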
Do not display last user name on logon screen
Security Option "Interactive logon: Don't display last signed-in" (called "Do not display last user name" in older builds). Hides the previously signed-in account on the lock and logon screens, so a walk-up attacker or a photograph of the screen does not yield a valid username to spray. Low cost, mild usability impact (users retype their name); a standard item in CIS and STIG baselines and in MSP compliance checks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName = 1
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Remove Run menu from Start menu
A User Configuration policy. Removes Run from the Start menu and disables Win+R and Task Manager's "Run new task". It is a cosmetic control: it does not stop cmd.exe, PowerShell or any other executable started through File Explorer, a shortcut or a document macro, so it limits casual users but not an attacker. Pair it with AppLocker or Windows Defender Application Control if the goal is to restrict which tools can run.
User Configuration > Administrative Templates > Start Menu and Taskbar
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = 1
Supported on Windows 10, Windows 11, Windows Server 2016 and later
RPC: Restrict Unauthenticated RPC Clients
Administrative Template "Restrict Unauthenticated RPC clients", under System > Remote Procedure Call rather than Security Options. Controls how the RPC runtime treats anonymous remote clients: None (0) accepts them, Authenticated (1) requires authentication but keeps the built-in exemptions Windows components need, Authenticated without exceptions (2) rejects every anonymous call and is known to break RPC-dependent services such as printing and some management agents. Authenticated is the default on supported versions, so the value of setting it explicitly is preventing it from being weakened; pair it with "RPC Endpoint Mapper Client Authentication" and host firewall rules on the RPC ports to limit RPC-based lateral movement.
Computer Configuration > Administrative Templates > System > Remote Procedure Call
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClients (0/1/2)
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Display logon message banner
Two Security Options, "Interactive logon: Message title for users attempting to log on" and "Interactive logon: Message text for users attempting to log on". The banner is shown after Ctrl+Alt+Del and must be acknowledged before credentials can be entered. It has no technical protective effect; its purpose is the legal notice and consent-to-monitoring language that CIS and STIG baselines and many MSP contracts require, so the text should be short and reviewed by legal. Both values must be set for the banner to appear.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption (title) and LegalNoticeText (text)
Supported on Windows 10, Windows 11, Windows Server 2016 and later
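The four logon-surface settings above (last signed-in name, Run menu, unauthenticated RPC clients, logon banner) can be audited and, on a standalone host, remediated from one script. This is an added example for this page, not the reference's tooling: it writes the same registry values the policies write, the banner text is a placeholder, and because the Run restriction is a User Configuration policy it lives under HKCU and is checked for the current user only.

```powershell
# Added example: audit (and optionally fix) the logon hardening settings on a standalone host.
$SystemPolicy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$RpcPolicy      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # per-user policy

$Expected = @(
    @{ Path = $SystemPolicy;   Name = 'DontDisplayLastUserName'; Value = 1; Type = 'DWord' }
    @{ Path = $SystemPolicy;   Name = 'LegalNoticeCaption'; Value = 'Authorised use only'; Type = 'String' }   # placeholder text
    @{ Path = $SystemPolicy;   Name = 'LegalNoticeText';
       Value = 'This system is monitored. Disconnect now if you are not authorised.'; Type = 'String' }        # placeholder text
    @{ Path = $RpcPolicy;      Name = 'RestrictRemoteClients'; Value = 1; Type = 'DWord' }   # Authenticated (1), not 2: 2 breaks services
    @{ Path = $ExplorerPolicy; Name = 'NoRun'; Value = 1; Type = 'DWord' }
)

function Get-PolicyValue {
    # $null when the key or value is absent, which means "Not Configured".
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-LogonHardening {
    param([switch]$Remediate)
    foreach ($e in $Expected) {
        $actual = Get-PolicyValue -Path $e.Path -Name $e.Name
        $ok = ($null -ne $actual) -and ("$actual" -eq "$($e.Value)")
        if (-not $ok -and $Remediate) {
            New-Item -Path $e.Path -Force | Out-Null                    # creates the key if missing
            Set-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -Type $e.Type
            $actual = $e.Value; $ok = $true
        }
        [pscustomobject]@{ Setting = $e.Name; Key = $e.Path; Actual = $actual; Expected = $e.Value; Pass = $ok }
    }
}

# Usage: report first, remediate from an elevated shell once the values are agreed.
Test-LogonHardening | Format-Table -AutoSize
# Test-LogonHardening -Remediate
```

On a domain-joined host these values are owned by Group Policy and are rewritten at the next refresh, so the remediation branch is only meaningful for standalone machines; the audit branch is useful everywhere, because a missing value means the GPO never applied rather than that the setting is safe.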
