Windows GPO Reference
A complete reference of Microsoft Windows Group Policies: a searchable database of GPO settings with registry paths, supported Windows versions, configuration steps, security implications and concrete use cases. Designed for administrators managing Active Directory, Intune and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a Windows configuration setting that defines the behaviour of computers and user accounts. Each policy maps to one or more registry values, applies to a specific scope (Computer or User) and is delivered in an ADMX (administrative template) file. This reference indexes Microsoft's ADMX catalogue with detailed explanations, registry mappings and operational guidance not found on the official Microsoft Learn pages.
Turn On Virtualization Based Security
Enables VBS, which is required for Credential Guard and HVCI. Requires UEFI and compatible hardware.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Select Platform Security Level
Sets the required platform security features for VBS.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Enable Network Protection
Blocks connections to known malicious IPs and domains via SmartScreen.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Network Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Turn Off Routine Remediation
If enabled, prevents Defender from automatically remediating detected threats.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Hypervisor Protected Code Integrity (HVCI)
Enforces kernel code integrity using VBS. Prevents unsigned kernel drivers and code injection.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
All Removable Storage Classes: Deny All Access
Blocks all removable storage devices including USB drives, CDs, and floppies.
Computer Configuration > Administrative Templates > System > Removable Storage Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Store BitLocker Recovery Information in Active Directory
Automatically backs up the BitLocker recovery key to Active Directory.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Deny Write Access to Removable Drives Not Protected by BitLocker
Requires removable drives to be BitLocker-encrypted before allowing writes.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Credential Guard Configuration
Enables Credential Guard to protect LSASS credentials in a VBS enclave. Prevents Mimikatz-style attacks.
Computer Configuration > Administrative Templates > System > Device Guard
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Configure Use of Passwords for Removable Data Drives
Sets password requirements for BitLocker-protected removable drives.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
CD and DVD: Deny Write Access
Prevents burning to CD/DVD drives.
Computer Configuration > Administrative Templates > System > Removable Storage Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Choose Drive Encryption Method and Cipher Strength
Sets the encryption algorithm. XTS-AES 256 is the strongest option for Windows 10/11.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
CD and DVD: Deny Read Access
Prevents reading from CD/DVD drives.
Computer Configuration > Administrative Templates > System > Removable Storage Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Removable Disks: Deny Read Access
Prevents reading from USB flash drives and removable disks.
Computer Configuration > Administrative Templates > System > Removable Storage Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Prevent Installation of Removable Devices
Prevents installation of any removable device. More comprehensive than a storage-only block.
Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
AppLocker - Packaged App Rules
Controls which Windows Store (MSIX/AppX) apps can run.
Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Packaged App Rules
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Removable Disks: Deny Write Access
Prevents writing to USB flash drives and removable disks. Stops data exfiltration via USB.
Computer Configuration > Administrative Templates > System > Removable Storage Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Allow Installation of Devices that Match Any of These Device IDs
Allow-lists specific hardware IDs. Used with the Deny Unspecified policy.
Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Apply Layered Order of Evaluation for Allow and Prevent Device Installation Policies
Required to allow admins to override device installation restrictions.
Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Application Identity Service
The AppID service must be running for AppLocker to enforce rules.
Computer Configuration > Windows Settings > Security Settings > System Services
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Prevent Installation of Devices Not Described by Other Policy Settings
Default-deny approach: only allows devices explicitly permitted by other policies.
Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Disallow AutoPlay for Non-Volume Devices
Disables AutoPlay for devices like cameras and phones that are not volume devices.
Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
AppLocker - Windows Installer Rules
Controls which .msi, .msp, .mst files can run.
Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Windows Installer Rules
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Minimum Password Length
Minimum number of characters required in a password. NIST recommends 8+, CIS recommends 14+.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
