Windows GPO Reference
A complete reference for Microsoft Windows Group Policy: a searchable database of GPO settings with registry paths, supported Windows versions, configuration steps, security implications and concrete use cases. Designed for administrators managing Active Directory, Intune and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a Windows configuration setting that defines the behavior of computers and user accounts. Each policy maps to one or more registry values, applies to a specific scope (Computer or User) and ships in an ADMX file (administrative template). This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings and operational guidance not found on the official Microsoft Learn pages.
Enable popup blocker
Enables the IE popup blocker to prevent malicious popups. Standard security baseline for MSP-managed client environments.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure proxy server settings
Sets centralized proxy configuration for internet traffic. Enables MSPs to enforce corporate proxy and content filtering policies.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable Compatibility View for intranet sites
Automatically enables compatibility mode for intranet sites. Required for legacy LOB applications not compatible with modern IE rendering.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Compatibility View
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure IPv6 transition technologies
Controls IPv6 transition mechanism behavior. Manages coexistence between IPv4 and IPv6 in mixed-mode networks.
Computer Configuration > Policies > Administrative Templates > Network > TCP/IP > IPv6 Transition
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Enterprise Mode site list
Applies enterprise mode to specified sites for legacy application compatibility. Critical for supporting older internal web applications.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Compatibility View
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable script debugging
Disables script debugging functionality to reduce attack surface. Prevents users from inspecting or modifying active scripts.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Restrict file download security warnings
Controls file download validation and warnings. Prevents users from bypassing security checks on downloaded files.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow Windows Sandbox networking
Enables network access from Sandbox for testing networked applications. Disable for isolated testing scenarios.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Sandbox
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable managing certificate stores
Prevents users from managing SSL certificates. Protects certificate infrastructure in secured MSP environments.
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure intranet zone sites
Defines which sites are treated as intranet for security zone purposes. Enables lower security restrictions for trusted internal resources.
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure WPAD settings
Controls Web Proxy Auto-Discovery protocol. Disable to prevent automatic proxy configuration from DHCP/DNS.
Computer Configuration > Policies > Administrative Templates > Network > Web Proxy Auto-Discovery
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure permitted SNMP managers
Specifies IP addresses or hostnames of SNMP management systems allowed to query this device. Restricts SNMP access in MSP monitoring environments.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable LLMNR protocol
Disables Link-Local Multicast Name Resolution to prevent name spoofing attacks. Important security hardening for MSP clients.
Computer Configuration > Policies > Administrative Templates > Network > DNS Client
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure NetBIOS over TCP/IP
Sets NetBIOS mode (enabled, disabled, or DHCP configured). Disable in modern networks; keep for legacy SMB protocols.
Computer Configuration > Policies > Administrative Templates > Network > NetBIOS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable mDNS (Multicast DNS)
Disables multicast DNS resolution for simplification and security in managed networks. Reduces protocol complexity.
Computer Configuration > Policies > Administrative Templates > Network > mDNS
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure SNMP service binding
Determines RFC 1156 compliance for SNMP agent. Enable for standard SNMP monitoring tool compatibility.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure SNMP trap destinations
Specifies SNMP trap destinations for event forwarding. Essential for centralized SNMP monitoring in managed networks.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure network isolation for Application Guard
Isolates Application Guard network traffic from the host network. Prevents untrusted sites from accessing internal resources.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure DNS client settings
Sets DNS suffix search list for internal domain resolution. Enables seamless access to internal resources.
Computer Configuration > Policies > Administrative Templates > Network > DNS Client
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Require secure SNMP authentication
Sends authentication failure traps for invalid SNMP access attempts. Enables security monitoring of SNMP access.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure SNMP sysContact and sysLocation
Sets system contact and location information for SNMP queries. Helps identify devices in MSP monitoring dashboards.
Computer Configuration > Policies > Administrative Templates > Network > SNMP
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Configure Application Guard for Edge
Enables Application Guard isolated browsing for Microsoft Edge. Protects against malicious websites by isolating them in containers.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Control camera access in Application Guard
Blocks camera access from Application Guard. Prevents unauthorized video capture of sensitive information.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow file downloads in Application Guard
Controls file download permissions in Application Guard. Disable downloads to prevent malicious file execution on host.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Application Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
