Windows GPO Reference
A complete reference for Microsoft Windows Group Policy: a searchable database of GPO settings with registry paths, supported Windows versions, configuration steps, security implications and real-world use cases. Designed for administrators managing Active Directory, Intune and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a Windows configuration setting that defines the behavior of computers and user accounts. Each policy maps to one or more registry values, applies to a specific scope (Computer or User) and ships in an ADMX file (administrative template). This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings and operational guidance not found on the official Microsoft Learn pages.
Turn Off Automatic Root Certificates Update
If enabled, prevents contacting Windows Update for root certificate updates. Required for isolated/air-gapped networks.
Computer Configuration > Administrative Templates > System > Internet Communication Management
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Windows Firewall: Log Dropped Packets (Domain Profile)
Logs all dropped packets to the Windows Firewall log. Essential for network-based threat detection.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Domain Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Windows Firewall Log File Maximum Size (Domain Profile)
Maximum size for the Windows Firewall log file. Increase to retain more connection history.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Domain Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Windows Firewall: Public Profile: Firewall State
Ensures Windows Firewall is enabled for public network connections. Critical for laptops on untrusted networks.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Public Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Windows Firewall: Public Profile: Inbound Connections
Blocks all unsolicited inbound connections on public networks. Critical for endpoint protection on untrusted networks.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Public Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Windows Firewall: Public Profile: Allow Local Policy Merge
Controls whether local firewall rules can be merged with GPO rules on public networks. Disable to apply GPO rules only.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Public Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Office update channel configuration
Sets Office to Semi-Annual Channel for stability. Allows MSPs to control update timing and avoid disruptive auto-updates during business hours.
Computer Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Updates
Supported on Windows 10, Windows 11, Windows Server 2016 and later
OneDrive Known Folder Move
Automatically migrates Documents, Desktop, and Pictures to OneDrive. Simplifies backup strategy and enables remote work for MSP-managed devices.
Computer Configuration > Policies > Administrative Templates > OneDrive
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Always install with elevated privileges
Allows standard users to install MSI packages with system privileges. Simplifies software deployment in managed environments without requiring user elevation.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable Office telemetry collection
Disables data collection for AI-powered features and usage analytics. Required for GDPR/CCPA compliance and reduces bandwidth for managed clients.
Computer Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Privacy > Connected Experiences
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Windows Installer logging
Logs all MSI activities to %temp%\msi*.log for troubleshooting. Critical for MSPs supporting software deployment issues remotely.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Restrict installation sources to managed locations
Restricts MSI source files to specified network paths. Prevents installation of unauthorized or malicious packages.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable Windows Installer
Can completely disable MSI execution. Set to 0 for MSP environments to maintain compatibility, or use with care for kiosk-type deployments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Hide error dialogs during installation
Suppresses installation dialogs and error messages for silent deployments. Essential for unattended imaging and large-scale rollouts.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Restrict background service upgrades
Prevents MSI from triggering automatic system restarts. Allows MSPs to schedule restarts during maintenance windows.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable Microsoft Store completely
Removes Store access and prevents app installation from the Store. Common in locked-down corporate environments to prevent unauthorized software.
Computer Configuration > Policies > Administrative Templates > Windows Components > Store
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Restrict user control over patches
Prevents users from uninstalling security patches. Maintains security compliance and prevents rollback of critical updates.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Limit user control during installation
Restricts user choices during MSI installation to basic UI only. Prevents users from selecting options that could break deployment standards.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Apply transforms during MSI installation
Automatically applies customization transforms to all MSI installations. Ensures consistent configuration across managed deployments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable per-user MSI installations
Forces all MSI installations to be per-machine only. Prevents fragmented software deployments and simplifies license management.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Set Safe Mode for repairs and patches
Enables repair and minor update operations without user interaction. Reduces support calls for simple application updates.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Cache entire MSI on local drive
Ensures full MSI source is cached locally for repairs and reinstalls. Prevents the need for network access during future operations.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable detailed MSI patch logging
Logs patch installation details separately. Helps MSPs troubleshoot update failures and compatibility issues.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Minimum Password Length
Minimum number of characters required in a password. NIST recommends 8+, CIS recommends 14+.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
