Windows GPO Reference
A complete reference of Microsoft Windows Group Policy settings: a searchable database of GPO settings with registry paths, supported Windows versions, configuration steps, security implications and concrete use cases. Designed for administrators managing Active Directory, Intune and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a Windows configuration setting that defines the behaviour of computers and user accounts. Each policy maps to one or more registry values, applies to a specific scope (Computer or User) and is delivered in an ADMX file (administrative template). This reference indexes Microsoft's ADMX catalogue with detailed explanations, registry mappings and operational guidance not found on the official Microsoft Learn pages.
Default: Not configured
Prevents apps from reading diagnostic data about other apps.
Recommended: 2 (Force Deny)
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
LDAP Server Channel Binding Token Requirements
Requires LDAP channel binding for LDAPS connections. Mitigates NTLM relay to LDAP attacks. Apply after auditing.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Domain Controller: Refuse Machine Account Password Changes
If enabled, DCs refuse machine account password changes. Keep disabled to allow normal machine account rotation.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Configure Security Policy Processing: Process Even if Not Changed
Forces security settings to be reapplied every GP refresh cycle. Critical for security baseline enforcement.
Computer Configuration > Administrative Templates > System > Group Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Zerologon: Vulnerable Channel Allowlist
Allowlist for devices exempted from Zerologon enforcement. Should be empty in fully patched environments.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Active Directory: Use DFSR for SYSVOL Replication
N/A (DFSR configuration)
Default: Enabled (post-2008 domains)
Recommended: DFSR (not legacy FRS)
DFSR should replace legacy FRS for SYSVOL replication. FRS is deprecated and unsupported on Server 2022+.
Computer Configuration > Administrative Templates > System > DFS Replication
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Domain Member: Digitally Sign Secure Channel Data (When Possible)
Signs secure channel traffic when encryption is not available.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Group Policy Slow Link Detection Threshold
Link speed below which GP skips certain processing (scripts, folder redirection). Adjust for remote/branch office environments.
Computer Configuration > Administrative Templates > System > Group Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Domain Member: Maximum Machine Account Password Age
How often domain-joined computer accounts rotate their passwords. Lower values reduce the window for machine credential attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Configure Registry Policy Processing: Process Even if Not Changed
Forces GPO registry settings to be reapplied on every refresh even if unchanged. Prevents tampering from persisting through GP refresh.
Computer Configuration > Administrative Templates > System > Group Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Domain Member: Disable Machine Account Password Changes
Keep disabled to allow automatic machine account password rotation every 30 days. Enabling this is a security risk.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Configure Offer Remote Assistance
Prevents helpers from offering remote assistance without a user request. Disabling prevents unsolicited remote control.
Computer Configuration > Administrative Templates > System > Remote Assistance
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
User Group Policy Loopback Processing Mode
Applies computer-scope user policies regardless of who logs on. Use Replace mode on kiosks and RDS servers.
Computer Configuration > Administrative Templates > System > Group Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Always Wait for the Network at Startup and Logon
Forces synchronous GP processing at startup and logon. Ensures policies are fully applied before the user desktop loads.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
WinRM Client: Allow CredSSP Authentication
Prevents the WinRM client from using CredSSP. CredSSP exposes credentials to remote systems and risks credential theft.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Configure Solicited Remote Assistance
Controls whether users can request remote assistance. If enabled, restrict helpers and set a short maximum ticket time.
Computer Configuration > Administrative Templates > System > Remote Assistance
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Windows Firewall: Private Profile: Firewall State
Ensures Windows Firewall is enabled for private network connections.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Private Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Remote Assistance: Maximum Ticket Time
Limits how long a Remote Assistance invitation remains valid. Minimize to reduce the exposure window.
Computer Configuration > Administrative Templates > System > Remote Assistance
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
WinRM Service: Allow CredSSP Authentication
CredSSP delegation passes full credentials to remote hosts. Disable unless required; prefer Kerberos constrained delegation.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Allow Remote Shell Access (WinRM)
Controls whether remote PowerShell shells are permitted. Disable if remote management is handled through other means.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Shell
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
CA Certificate Template: Restrict Enrollment
N/A (CA configuration)
Default: Varies by template
Recommended: Require manager approval on sensitive templates
CA certificate templates should require manager approval for sensitive templates. Prevents unauthorized issuance (ESC1/ESC4 attacks).
Computer Configuration > Windows Settings > Security Settings > Public Key Policies
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
System Cryptography: Force Strong Key Protection
Requires user password confirmation before private keys are used. Protects stored cryptographic keys from silent theft.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Configure Windows Firewall: Log Successful Connections (Domain Profile)
Logs successful inbound and outbound connections. Enables detection of C2 beaconing and lateral movement.
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Domain Profile
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Minimum Password Length
Minimum number of characters required in a password. NIST recommends 8+, CIS recommends 14+.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
