Windows GPO Reference
A complete reference of Microsoft Windows Group Policy settings: a searchable database of GPO settings with registry paths, supported Windows versions, configuration steps, security implications and concrete use cases. Designed for administrators managing Active Directory, Intune and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a Windows configuration setting that defines the behavior of computers and user accounts. Each policy corresponds to one or more registry values, applies to a specific scope (Computer or User) and is delivered in an ADMX (administrative template) file. This reference indexes Microsoft's ADMX catalogue with detailed explanations, registry mappings and operational guidance not found on the official Microsoft Learn pages.
Set quality update deferral period
Delays security patches by 14 days for early compatibility testing. Balances security against stability in critical infrastructure.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update for Business
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Set update service to WSUS
Routes updates through an internal WSUS server. Enables patch management control and reduces internet bandwidth consumption.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure active hours for updates
Sets when users are actively working (9 AM - 5 PM). Updates install outside these hours to minimize user disruption.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update for Business
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Exclude specific KB articles from installation
Prevents driver updates through Windows Update. Allows MSPs to control driver deployment separately.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Set expedited security update behavior
Allows emergency security updates to bypass deferral periods. Ensures critical zero-day patches deploy immediately.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update for Business
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable peer updates over metered connections
Prevents update downloads over metered networks. Protects mobile users from unexpected data charges.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update for Business
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Elevation Prompt for Administrators in Admin Approval Mode
Controls UAC elevation prompts for administrators. Value 1 shows a secure desktop prompt. MSPs should enforce this for security visibility on privileged actions.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable automatic restart after updates
Prevents automatic reboot while users are logged in. Allows restarts to be scheduled during maintenance windows.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Force updates through Group Policy
Sets Windows Update to auto-download and schedule installation. Value 4 allows the admin to choose the install time.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Switch to Secure Desktop when Prompting for Elevation
UAC prompts appear on a secure desktop isolated from user applications. Prevents keyloggers and credential-harvesting malware from intercepting prompts.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Require Administrator Password for Elevation
Specifies whether administrators must enter credentials to elevate. Value 1 enforces a password prompt on the secure desktop. Critical for audit trails.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Network Protection
Blocks malicious domains and IP addresses at the network level. Prevents connections to command-and-control servers and phishing sites.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Network Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Behavior of Elevation Prompt for Standard Users
Controls standard user elevation: 0=Auto-deny without prompt, 1=Prompt for credentials. MSPs typically set this to 0 to prevent privilege escalation.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure deadline grace period
Provides a 2-day grace period after the deadline before a forced restart. Balances compliance with user scheduling flexibility.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update for Business
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Detect Application Installations and Prompt for Elevation
Shows a UAC prompt on the secure desktop when Windows detects installer packages being executed. Critical for preventing unauthorized software deployment.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Behavior of Elevation Prompt for Administrators
Controls elevation behavior: 2=Prompt on secure desktop, 5=Prompt without requiring a password. MSPs should set this to 2 for maximum security.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Restrict Delegation to Remote Servers Only
When enabled, enforces Restricted Admin mode, which prevents credential caching. Critical for preventing pass-the-hash and credential theft attacks.
Computer Configuration > Administrative Templates > System > Credentials Delegation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Elevation Prompt for Standard Users
Determines UAC behavior for standard users. Value 0 auto-denies elevation requests without prompting. Prevents users from running elevated tasks without admin approval.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Run All Administrators in Admin Approval Mode
Enables UAC for all administrators. When disabled, removes all UAC protections and elevation prompts. MSPs must keep this enabled for compliance.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Virtualize File and Registry Write Failures to Per-User Locations
Redirects legacy application write failures to user-writable locations instead of blocking them. Improves app compatibility while maintaining security.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow UIAccess Applications to Prompt for Elevation without Using Secure Desktop
Controls whether UIAccess applications can bypass secure desktop prompting. Should remain disabled to prevent malware from spoofing elevation prompts.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Only Elevate Signed Executables
Only allows elevation of digitally signed executables. Prevents unsigned malware from elevating privileges. Essential for MSP security hardening.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow Delegating Saved Credentials
Controls whether saved credentials can be delegated to other machines. Should remain disabled to prevent lateral movement attacks.
Computer Configuration > Administrative Templates > System > Credentials Delegation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Require UEFI Firmware Lock
Locks UEFI firmware settings to prevent unauthorized modification. Requires physical access and passwords to change secure boot settings.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later