Windows GPO Reference
A complete reference for Microsoft Windows Group Policy: a searchable database of GPO settings with registry paths, supported Windows versions, configuration steps, security implications and concrete use cases. Designed for administrators managing Active Directory, Intune and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a Windows configuration setting that defines the behaviour of computers and user accounts. Each policy maps to one or more registry values, applies to a specific scope (Computer or User) and is delivered in an ADMX (administrative template) file. This reference indexes Microsoft's ADMX catalogue with detailed explanations, registry mappings and operational guidance not found on the official Microsoft Learn pages.
Domain Member: Maximum Machine Account Password Age
How often domain-joined computer accounts rotate their passwords. Lower values reduce the window for machine credential attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Registry Policy Processing: Process Even if Not Changed
Forces GPO registry settings to be reapplied on every refresh even if unchanged. Prevents tampering from persisting through a GP refresh.
Computer Configuration > Administrative Templates > System > Group Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Domain Member: Disable Machine Account Password Changes
Keep disabled to allow automatic machine account password rotation every 30 days. Enabling this is a security risk.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Offer Remote Assistance
Prevents helpers from offering remote assistance without a user request. Disabling prevents unsolicited remote control.
Computer Configuration > Administrative Templates > System > Remote Assistance
Supported on Windows 10, Windows 11, Windows Server 2016 and later
User Group Policy Loopback Processing Mode
Applies computer-scope user policies regardless of who logs on. Use Replace mode on kiosks and RDS servers.
Computer Configuration > Administrative Templates > System > Group Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Always Wait for the Network at Startup and Logon
Forces synchronous GP processing at startup and logon. Ensures policies are fully applied before the user desktop loads.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
WinRM Client: Allow CredSSP Authentication
Prevents the WinRM client from using CredSSP. CredSSP exposes credentials to remote systems and risks credential theft.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Solicited Remote Assistance
Controls whether users can request remote assistance. If enabled, restrict helpers and set a short maximum ticket time.
Computer Configuration > Administrative Templates > System > Remote Assistance
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Windows Firewall: Private Profile: Firewall State
Ensures Windows Firewall is enabled for private network connections.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Private Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Remote Assistance: Maximum Ticket Time
Limits how long a Remote Assistance invitation remains valid. Minimize it to reduce the exposure window.
Computer Configuration > Administrative Templates > System > Remote Assistance
Supported on Windows 10, Windows 11, Windows Server 2016 and later
WinRM Service: Allow CredSSP Authentication
CredSSP delegation passes full credentials to remote hosts. Disable unless required; prefer Kerberos constrained delegation.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow Remote Shell Access (WinRM)
Controls whether remote PowerShell shells are permitted. Disable if remote management is handled through other means.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Shell
Supported on Windows 10, Windows 11, Windows Server 2016 and later
CA Certificate Template: Restrict Enrollment
N/A (CA configuration). Default: varies by template. Recommended: require manager approval on sensitive templates.
CA certificate templates should require manager approval for sensitive templates. Prevents unauthorized issuance (ESC1/ESC4 attacks).
Computer Configuration > Windows Settings > Security Settings > Public Key Policies
Supported on Windows 10, Windows 11, Windows Server 2016 and later
System Cryptography: Force Strong Key Protection
Requires user password confirmation before private keys are used. Protects stored cryptographic keys from silent theft.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Windows Firewall: Log Successful Connections (Domain Profile)
Logs successful inbound and outbound connections. Enables detection of C2 beaconing and lateral movement.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Domain Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Certificate Auto-Enrollment
Automates certificate enrollment and renewal for domain members. Enable to ensure all devices have valid machine certificates.
Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Turn Off Automatic Root Certificates Update
If enabled, prevents contacting Windows Update for root certificate updates. Required for isolated/air-gapped networks.
Computer Configuration > Administrative Templates > System > Internet Communication Management
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Windows Firewall: Log Dropped Packets (Domain Profile)
Logs all dropped packets to the Windows Firewall log. Essential for network-based threat detection.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Domain Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Windows Firewall Log File Maximum Size (Domain Profile)
Maximum size for the Windows Firewall log file. Increase it to retain more connection history.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Domain Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Windows Firewall: Public Profile: Firewall State
Ensures Windows Firewall is enabled for public network connections. Critical for laptops on untrusted networks.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Public Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Windows Firewall: Public Profile: Inbound Connections
Blocks all unsolicited inbound connections on public networks. Critical for endpoint protection on untrusted networks.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Public Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Windows Firewall: Public Profile: Allow Local Policy Merge
Controls whether local firewall rules can be merged with GPO rules on public networks. Disable to enforce GPO rules only.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Public Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Block execution of potentially unsafe macros
Blocks all macros without notification. Prevents malware execution via Office documents. Critical for MSP-managed environments handling untrusted documents.
User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > Trust Center
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Minimum Password Length
Minimum number of characters required in a password. NIST recommends 8+, CIS recommends 14+.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later