Anavem

Windows GPO Reference

A complete reference of Microsoft Windows Group Policy: a searchable database of GPO settings with registry paths, supported Windows versions, configuration steps, security implications and concrete use cases. Designed for administrators managing Active Directory, Intune and standalone Windows.

What is a Group Policy?

A Group Policy Object (GPO) is a Windows configuration setting that defines the behavior of computers and user accounts. Each policy corresponds to one or more registry values, applies to a specific scope (Computer or User) and ships in an ADMX file (administrative template). This reference indexes Microsoft's ADMX catalogue with detailed explanations, registry mappings and operational advice that cannot be found on the official Microsoft Learn pages.

Admin template · Computer

Task Scheduler: Prevent browse to UNC paths

Prevents users from browsing UNC paths in the Task Scheduler UI. Setting to 1 disables browsing. MSPs use this to prevent information disclosure.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Network security: SMB Encryption

Enforces SMB encryption. Value 3 requires encryption for all connections. Critical for MSPs protecting sensitive data in transit on SMB shares.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Task Scheduler: Deny user tasks

Prevents non-administrators from creating scheduled tasks. Setting to 1 disables user task creation. Critical for MSPs preventing malware persistence via task scheduling.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Task Scheduler: Hide property pages

Hides task property pages from non-administrators. Setting to 1 prevents visibility. MSPs use this to hide sensitive task configurations.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Task Scheduler: Cache task run results

Caches task execution results for audit purposes. Setting to 1 enables caching. MSPs use this to detect task execution anomalies.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Network access: Restrict anonymous access to Named Pipes and Shares

Blocks NULL session access to named pipes and shares. Setting to 1 enforces authentication. Critical for MSPs preventing share enumeration attacks.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Task Scheduler: Task execution policy (restricted)

Restricts task execution to authorized users only. Setting to 1 enables restrictions. Critical for MSPs preventing unauthorized task launches.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Task Scheduler: Audit task execution

Enables auditing of scheduled task execution. Setting to 1 logs all task runs. Critical for MSPs detecting malware execution via task scheduler.

Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Task Scheduler: UNC hardened access paths

Restricts task access to UNC paths requiring authentication. Setting to 1 prevents NULL session task execution. MSPs use this to prevent remote malware execution.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Task Scheduler: Prevent task property page modification

Prevents users from modifying task properties. Setting to 1 disables property edits. MSPs use this to prevent malware from modifying monitoring tasks.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Network access: Restrict anonymous enumeration of shares

Blocks anonymous enumeration of shares. Setting to 1 requires authentication for share browsing. MSPs use this to prevent discovery of sensitive shares.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Task Scheduler: Disable task deletion

Prevents non-administrators from deleting scheduled tasks. Setting to 1 disables deletion. MSPs use this to prevent tampering with security tasks.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Task Scheduler: Configure task scheduler service startup

Controls Task Scheduler service startup type. Keep at 2 (Automatic) for normal operation. MSPs monitor this to ensure automatic task execution.

Computer Configuration > Windows Settings > Security Settings > System Services

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

SMB Bandwidth Limiting

Limits SMB throughput as percentage of bandwidth. Value 20 reserves 80% for other traffic. MSPs use this to prevent ransomware lateral movement.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Task Scheduler: Prevent task run suppression

Prevents disabling task execution. Setting to 1 forces tasks to run. MSPs enable this for critical remediation and monitoring tasks.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Task Scheduler: Run only interactive tasks

Restricts tasks to interactive sessions only. Keep at 0 to allow background tasks. MSPs enable this only on high-security kiosk systems.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Network access: Restrict anonymous access to Named Pipes

Blocks NULL session connections to named pipes. Setting to 1 requires authentication. Critical for MSPs preventing WMIEXEC and admin$ enumeration.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Network access: Do not allow anonymous enumeration of computer accounts

Prevents anonymous enumeration of computer accounts. Setting to 1 blocks computer discovery. MSPs use this to prevent reconnaissance.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Network access: Model for local account authentication

Controls guest account remote login. Setting to 1 prevents blank password authentication. Critical for MSPs preventing guest account abuse.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Network access: Restrict anonymous access to shares

Blocks anonymous share enumeration and access. Setting to 1 requires authentication. Essential for MSPs protecting file shares.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Network access: Named Pipes that can be accessed anonymously

Lists named pipes accessible via NULL sessions. MSPs keep empty to prevent WMI and RPC attacks.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Network access: Remotely accessible registry paths

Specifies registry paths remotely accessible. MSPs restrict to only necessary paths to prevent information disclosure.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Preferences · Computer

Slow link mode for offline files

Configures the connection speed threshold for offline files slow link detection. Enables efficient sync behavior on slow network connections.

Computer Configuration > Policies > Administrative Templates > Network > Offline Files

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Admin template · Computer

Network access: Remotely accessible registry paths and sub-paths

Specifies registry subtrees remotely accessible. MSPs restrict to prevent remote registry enumeration attacks.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Supported on Windows 10, Windows 11, Windows Server 2016 and later

View reference →

Page 20 of 23 · 548 policies