Référence GPO Windows
Une référence complète des stratégies de groupe Microsoft Windows — base de données interrogeable des paramètres GPO avec chemins de registre, versions Windows supportées, étapes de configuration, implications sécurité et cas d'usage concrets. Pensée pour les administrateurs gérant Active Directory, Intune et Windows en autonome.
Qu'est-ce qu'une stratégie de groupe ?
Un objet de stratégie de groupe (GPO) est un paramètre de configuration Windows qui définit le comportement des ordinateurs et des comptes utilisateurs. Chaque stratégie correspond à une ou plusieurs valeurs de registre, s'applique à une portée précise (Ordinateur ou Utilisateur) et est livrée dans un fichier ADMX (modèle administratif). Cette référence indexe le catalogue ADMX de Microsoft avec des explications détaillées, des correspondances de registre et des conseils opérationnels qu'on ne trouve pas sur les pages officielles Microsoft Learn.
Protected View for all document types
Opens potentially risky Office documents in read-only sandboxed mode. Reduces exploit surface for zero-day vulnerabilities in Office.
User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > Protected View
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Disable all add-ins except approved list
Empêche unauthorized Office add-ins that could exfiltrate data or inject malware. Essential for compliance in regulated industries.
User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > Trust Center > Add-in Management
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Office update channel configuration
Sets Office to Semi-Annual Channel for stability. Autorise MSPs to control update timing and avoid disruptive auto-updates during business heures.
Computer Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Updates
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Block external content in Office
Empêche automatic loading of images, videos, and linked content from external sources. Bloque tracking pixels and reduces phishing effectiveness.
User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > External Content
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →OneDrive Known Folder Move
Automatically migrates Documents, Desktop, and Pictures to OneDrive. Simplifies backup strategy and active à distance work for MSP-managed devices.
Computer Configuration > Policies > Administrative Templates > OneDrive
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Always install with elevated privileges
Autorise standard utilisateurs to install MSI packages with système privileges. Simplifies software deployment in managed environments without requiring utilisateur elevation.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Disable Office telemetry collection
Désactive data collection for AI-powered features and usage analytics. Requis for GDPR/CCPA compliance and reduces bandwidth for managed clients.
Computer Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Privacy > Connected Experiences
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Enable Windows Installer logging
Logs all MSI activities to %temp%\msi*.log for troubleshooting. Critical for MSPs supporting software deployment issues remotely.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Restrict installation sources to managed locations
Restreint MSI source files to specified réseau paths. Empêche installation of unauthorized or malicious packages.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Disable Windows Installer
Can completely disable MSI execution. Set to 0 for MSP environments to maintain compatibility, or use with care for kiosk-type deployments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Hide error dialogs during installation
Suppresses installation dialogs and error messages for silent deployments. Essential for unattended imaging and large-scale rollouts.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Require PIN for Office password reset
Adds second factor to mot de passe reset process. Empêche compte takeover even if primary credentials are compromised.
User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > Authentication
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Restrict background service upgrades
Empêche MSI from triggering automatic système restarts. Autorise MSPs to schedule restarts during maintenance windows.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Outlook cached exchange mode retention
Controls how many jours of mail are cached offline. Reduces mailbox size while maintaining offline accès for mobile and à distance workers.
User Configuration > Policies > Administrative Templates > Microsoft Outlook 2016 > Outlook Options > Synchronization
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Disable Microsoft Store completely
Removes Store accès and empêche app installation from Store. Common in verrouillé-down corporate environments to prevent unauthorized software.
Computer Configuration > Policies > Administrative Templates > Windows Components > Store
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Block OLE object execution in Office
Bloque embedded objects (DLLs, executables) in Office documents. Empêche common malware delivery vector used in targeted attaques.
User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > OLE
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Restrict user control over patches
Empêche utilisateurs from uninstalling security patches. Maintains security compliance and empêche rollback of critical updates.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Disable Outlook external sharing
Forces calendar sharing through SharePoint instead of direct exports. Empêche accidental disclosure of sensitive schedule information.
User Configuration > Policies > Administrative Templates > Microsoft Outlook 2016 > Security
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Disable PowerPoint Show file execution
Bloque automatic execution of .pps and .ppsx files which bypass safety controls. Reduces attaque surface for presentation-based malware.
User Configuration > Policies > Administrative Templates > Microsoft PowerPoint 2016 > Security
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Limit user control during installation
Restreint utilisateur choices during MSI installation to basic UI only. Empêche utilisateurs from selecting options that could break deployment standards.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Apply transforms during MSI installation
Automatically applies customization transforms to all MSI installations. Ensures consistent configuration across managed deployments.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Disable per-user MSI installations
Forces all MSI installations to be per-machine only. Empêche fragmented software deployments and simplifies license management.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Set Safe Mode for repairs and patches
Active repair and minor update operations without utilisateur interaction. Reduces support calls for simple application updates.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Minimum Password Length
Minimum nombre de caractères requis in a mot de passe. NIST recommande 8+, CIS recommande 14+.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →