Anavem

Windows GPO Reference

A comprehensive reference for Microsoft Windows Group Policy: a searchable database of GPO settings with registry paths, supported Windows versions, configuration steps, security implications and real-world use cases. Built for administrators managing Active Directory, Intune and standalone Windows.

What is a Group Policy?

A Group Policy Object (GPO) is a Windows configuration setting that defines the behavior of computers and user accounts. Each policy maps to one or more registry values, applies to a specific scope (Computer or User) and ships in an ADMX file (administrative template). This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings and operational guidance not found on the official Microsoft Learn pages.

Security · Computer

Enable DMA Port Protection

Blocks DMA (Direct Memory Access) attacks from Thunderbolt, USB, and FireWire devices. Prevents hardware-based privilege escalation.

Computer Configuration > Administrative Templates > System > Device Guard

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Block Office Applications from Creating Child Processes

Blocks Office applications (Word, Excel, PowerPoint, Outlook) from spawning child processes. Prevents macro-based malware and script execution.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Allow Delegating Fresh Credentials

Controls whether fresh credentials can be delegated for outbound connections. Disabling prevents credential caching for multi-hop scenarios.

Computer Configuration > Administrative Templates > System > Credentials Delegation

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Disallow Saving Credentials or .NET Passport Credentials

Prevents Windows Credential Manager from storing passwords. Forces users to enter credentials each time, improving security for multi-user environments.

Computer Configuration > Administrative Templates > System > Credentials Delegation

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

CredSSP Encryption Oracle Remediation

Prevents CVE-2018-0886 exploitation by blocking encryption oracle attacks during credential delegation. Should remain at 0 (Vulnerable) only for legacy systems.

Computer Configuration > Administrative Templates > System > Credentials Delegation

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Restrict Credential Delegation to Domain Controllers Only

Limits credential delegation to domain-joined servers with Kerberos support. Prevents credential delegation to non-domain machines.

Computer Configuration > Administrative Templates > System > Credentials Delegation

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Enable System Guard Secure Launch

Enables System Guard, which protects system integrity from the moment hardware boots. Adds an additional hypervisor-based protection layer.

Computer Configuration > Administrative Templates > System > Device Guard

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Enable Behavior Monitoring

Monitors suspicious behavioral patterns even if malware signatures are unknown. Detects zero-day and advanced threats.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Allow Delegating Fresh Credentials with NTLM-only Server Authentication

Limits credential delegation to specific servers when NTLM authentication is used. MSPs should configure the allowed servers list for Remote Desktop access.

Computer Configuration > Administrative Templates > System > Credentials Delegation

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Delegation of Non-Exported Credentials

Allows delegation of credentials protected by the Data Protection API. Enables secure credential delegation without exposing plain-text credentials.

Computer Configuration > Administrative Templates > System > Credentials Delegation

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Enable Virtualization Based Security

Enables Virtualization Based Security, which isolates code execution in a virtual machine. Prevents kernel attacks from accessing system memory.

Computer Configuration > Administrative Templates > System > Device Guard

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Code Integrity - UEFI Lock

Locks the Code Integrity policy in UEFI to prevent tampering. Requires physical access to disable, providing tamper-proof protection.

Computer Configuration > Administrative Templates > System > Device Guard

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Require Kerberos Authentication for Credential Delegation

Enforces the Kerberos protocol for credential delegation instead of NTLM. Improves security by using modern authentication mechanisms.

Computer Configuration > Administrative Templates > System > Credentials Delegation

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Turn On Secure Launch

Enables Secure Boot to verify firmware and boot drivers. Prevents bootkit malware from loading before the Windows kernel.

Computer Configuration > Administrative Templates > System > Device Guard

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Require Platform Security Level

Requires specific platform security features for VBS. Value 1 requires IOMMU, 2 requires DMA protection. Critical for advanced security.

Computer Configuration > Administrative Templates > System > Device Guard

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Block Untrusted and Unsigned Processes that Run from USB

Prevents unsigned executables from running when loaded from USB devices. Blocks malware spread via USB media and removable storage.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Block Execution of Potentially Obfuscated Scripts

Detects and blocks obfuscated PowerShell and VBScript payloads. Prevents script-based malware that attempts to hide its true intent.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Specify the Type of Scans to Run

Configures scan type: 1=Quick scan, 2=Full scan. MSPs should set to 2 for complete system protection, or 1 for faster scans.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Scan

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Block Credential Stealing from Windows Local Security Authority Process

Prevents processes from accessing LSASS memory where credentials are stored. Blocks credential theft techniques like Mimikatz.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Block Persistence Through WMI Event Subscription

Prevents malware from establishing persistence using WMI Event Subscriptions. Blocks malware from surviving reboots.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Block JavaScript and VBScript from Launching Downloaded Executables

Prevents scripts from executing downloaded files. Blocks fileless malware and script-based trojans that download and execute payloads.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Allow Automatic Sample Submission

Automatically sends suspicious files to Microsoft for analysis. Enables faster detection and protection against emerging threats.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Block Executable Content from Email and Webmail

Blocks execution of potentially dangerous file types when extracted from email or webmail. Prevents malware distribution via email attachments.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Block Process Creations Originating from PSExec and WMI Commands

Blocks creation of processes via PSExec and WMI. Prevents lateral movement attacks and unauthorized remote administration.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Page 14 of 26 · 623 policies