Anavem

Windows GPO Reference

A complete reference for Microsoft Windows Group Policy: a searchable database of GPO settings with registry paths, supported Windows versions, configuration steps, security implications and concrete use cases. Designed for administrators managing Active Directory, Intune and standalone Windows.

What is a Group Policy?

A Group Policy Object (GPO) is a Windows configuration setting that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and ships in an ADMX (administrative template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings and operational guidance not found on the official Microsoft Learn pages.

Security · Computer

Block Win32 API Calls from Office Macros

Blocks Office macros from calling dangerous Win32 APIs. Prevents advanced malware techniques that use API calls to bypass security.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Block Abuse of Exploited Vulnerable Drivers

Prevents execution of vulnerable drivers that can be exploited for privilege escalation. Blocks vulnerable-driver abuse attacks.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Block Office Applications from Creating Executable Content

Blocks Office macros from creating or launching executables. Prevents macro-based malware from writing and executing files.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Use Advanced Protection Against Ransomware

Enables ransomware-specific protections including behavior monitoring. Detects suspicious encryption activities and file-locking patterns.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Enable Structured Exception Handling Overwrite Protection (SEHOP)

Validates exception handlers during runtime. Prevents SEH-based buffer overflow exploits from hijacking exception handling.

Computer Configuration > Administrative Templates > System > Exploit Guard

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Enable Cloud-Delivered Protection

Enables cloud-based malware protection using Microsoft security intelligence. Value 2 = Advanced; provides real-time threat intelligence from the global network.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Enable Real-Time Protection

Enables real-time scanning of files as they are accessed or modified. Provides immediate detection and blocking of malware.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Enable Controlled Folder Access

Protects important folders from unauthorized modification by malware. Blocks ransomware from encrypting user documents and files.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Configure Scheduled Scan Day

Specifies the day for scheduled full scans (0=Sunday). Value 0 schedules scans for Sunday. MSPs should set this to an off-hours day.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Scan

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Address Space Layout Randomization (ASLR)

Randomizes memory addresses of system components at boot. Makes it difficult for exploits to predict memory locations and execute code.

Computer Configuration > Administrative Templates > System > Exploit Guard

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Enable Control Flow Guard (CFG)

Enables CFG, which validates indirect code jumps. Prevents ROP (Return-Oriented Programming) attacks that use code gadgets.

Computer Configuration > Administrative Templates > System > Exploit Guard

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Potentially Unwanted Application (PUA) Protection

Detects and removes potentially unwanted applications like adware and spyware. Protects the system from unwanted software.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Enable Tamper Protection

Prevents malware from disabling Windows Defender. Malware cannot turn off security protections once tamper protection is enabled.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Tamper Protection

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Admin template · Computer

Enable DNS registration for Always On VPN

Automatically registers the VPN connection IP with DNS. Enables proper name resolution for MSP-managed remote clients.

Computer Configuration > Administrative Templates > Network > VPN

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Configure Definition Update Sources

Specifies the order of sources for signature updates. Should prioritize MMPC and MOMAAS for reliable updates. Critical for maintaining protection.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Signature Updates

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Computer

Prohibit access to properties of a user

Prevents users from modifying wireless network properties. Ensures MSP-managed wireless profiles remain unchanged by end users.

Computer Configuration > Administrative Templates > Network > Windows Connection Manager

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Configure Exclusions by File Extension

Specifies file extensions to exclude from scanning. MSPs should configure sparingly to avoid security gaps. Document all exclusions.

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Exclusions

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Enable Data Execution Prevention (DEP)

Enables DEP, which marks memory regions as non-executable. Prevents code injection attacks from executing arbitrary code in data regions.

Computer Configuration > Administrative Templates > System > Data Execution Prevention

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Heap Protection

Implements heap randomization and protection mechanisms. Prevents heap-based buffer overflow attacks from modifying heap metadata.

Computer Configuration > Administrative Templates > System > Exploit Guard

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Computer

Prohibit connection to non-domain networks

Prevents users from connecting to non-domain networks when a domain network is available. Critical for MSP clients requiring network segmentation and preventing unauthorized network access.

Computer Configuration > Administrative Templates > Network > Windows Connection Manager

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Mandatory ASLR

Forces ASLR on all processes, even those not compiled with ASLR support. Increases randomization coverage across the system.

Computer Configuration > Administrative Templates > System > Exploit Guard > Exploit Guard > Exploit protection settings

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Computer

Allow Windows to connect to suggested networks

Disables automatic connection to Wi-Fi Sense networks. Prevents connection to open networks shared by contacts, protecting client security.

Computer Configuration > Administrative Templates > Network > WlanSvc

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Computer

Allow network discovery on public networks

Prevents network discovery on public networks. Reduces attack surface for MSP-managed endpoints on untrusted networks.

Computer Configuration > Administrative Templates > Network > Windows Connection Manager

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Security · Computer

Enable Force ASLR for Images

Applies ASLR to all images and DLLs system-wide. Ensures consistent address randomization across all loaded modules.

Computer Configuration > Administrative Templates > System > Exploit Guard > Exploit Guard > Exploit protection settings

Supported on Windows 10, Windows 11, Windows Server 2016 and later

Page 15 of 26 · 623 policies