Group Policy-Managed Desktops, Part 2

Public computers require the operating system and application to be out of the user’s way. Providing the defaults for user desktop session on Windows is challenging. Here is what I do to make users can teach their classes, have their conferences, and do their work in our computer labs. The settings I use are extensive, so this post will just cover the computer configuration settings. Part 3 will be for the user configuration. The following is not an exhaustive list of what should or even could be done with a GPO. In the end, resulting policies will be shaped by the needs of the organization.

I break settings down according to GPO so that they may be applied or removed individually without affecting existing functionality that may not need to change. I have a separate GPO each for Windows, Office, Firefox, Chrome and Adobe Acrobat/Reader.

DISCLAIMER – There are a dizzying amount of settings that can be configured in a GPO. Tons. Each setting needs to be evaluated and tested in a lab environment before it is released to production. Changes made to GPOs in an effort to troubleshoot errant behavior should be done one setting at a time. Change – Test – Accept or Revert. A great thing about group policy and its variety of settings is that GPOs can be used in any type of environment.

The Windows 10 GPO

Computer Configuration\Policies\Windows Settings\Security Settings

Local Policies\Audit Policy

  • Audit failures for both account logon events and regular
    logon events

We want to get a record of failed logon attempts on both ends where successive entries
could indicate possible brute force attempts.

Local Policies\User Rights Assignment

  • Allow log on through Terminal Services = BUILTIN\Administrators, DOMAIN\IT Support Group
  • Deny access to this computer from the network = guest
  • Deny log on locally = guest
  • Shutdown the system = BUILTIN\Administrators, DOMAIN\IT Support Group

Anyone coming in over remote desktop should be sanctioned this way. The Windows guest user account should have zero access privileges. Any access to computer resources, local or network should be done with an actual user account. Public computers are expected to be on during stated times of operation. Power-conscious users will shut off a PC regardless of
the next person to come. The last setting here removes the shutdown option from the Start menu. To make this setting be completely effective, the setting “Allow users shut down without logging on” needs to be disabled or else they can just log off and shut down from the login screen. None of this prevents someone from holding down the power button and shutting off that way.

Local Policies\Security Options

  • Interactive logon: Do not display last user name = Enabled
  • Interactive logon: Do not require CTRL+ALT+DEL = Disabled

For obvious reasons we want to not show the last person who last logged into Windows on a public computer. Honestly, this should be configured domain-wide. Brute force attempts through remote desktop will have a better chance of succeeding if they can determine the username last used on the target PC. For familiarity’s sake with what users have been used to doing for decades, I enable CTRL+ALT+DEL. That also opens the lock screen immediately upon the
key presses instead of requiring the user to press any key.

  • Network access: Do not allow anonymous enumeration of SAM accounts = Enabled
  • Network access: Do not allow anonymous enumeration of SAM accounts and shares = Enabled

Anyone requesting access to resources both local and network has to have a bona-fide Windows account. No guests. This way Windows can determine the appropriate level of access from the resource’s ACL.

  • Network security: LAN Manager authentication level = Send NTLMv2 response only, Refuse LM
    & NTLM

We want to ensure the strongest available version of NTLM is used wherever possible, whenever needed. Older apps, not able to use NTLMv2, will not be able function in this environment. Those applications should be upgraded or reconsidered.

  • Accounts: Block Microsoft accounts = Users can’t add or log on with Microsoft accounts

Windows allows users to log in with their Microsoft accounts. Such accounts cannot be managed with Group policy to an effective extent, so I disable the option to do so.

Event Log

  • Maximum application log size 1000000 kilobytes
  • Maximum security log size 1000000 kilobytes
  • Maximum system log size 1000000 kilobytes

The event log can tell us a great about what’s happening on a Windows PC. I opt to make the log’s size 1 gigabyte so there’s plenty of space to record events going far back.

Restricted Groups

DOMAIN\IT Support Group should be added to the local computer’s administrators group (BUILTIN\Administrators) and the local “File and Print Sharing Users” group, for RDP access to PCs running Windows 10. The restricted groups function adds the select groups to the designated group and makes sure they remain members of that group. Any user/group casually added to a restricted group is removed after the GPO is refreshed on the computer. Conversely, groups can be prevented from becoming members of a designated group by using restricted groups.

System Services

Here, group policy can be used to control the startup configuration of Windows services. I make sure the Remote Desktop Services and Windows Update services are set to “Startup Mode: Automatic.” Windows Update should be automatic by default, but just in case someone changes that… Third-party applications that add services to Windows can also be specified here. Adobe’s update service, and Oracle’s java update service are good candidates.

Windows Firewall with Advanced Security

This is the area where the firewall should be configured for Windows 7 and later operating systems. There is another section for the firewall in with the network configuration settings, under administrative templates. Those were meant for 2000, XP OS’s. They’ll still work, but the options in Security Settings are more versatile. I plan on doing a post on just the firewall alone, so I won’t get into it here, but I’ll suggest that the GPO make sure the firewall is enabled (can’t be disabled), and that exceptions for RDP are added and scoped only for IP ranges that are is use only by IT, or those needing to connect that way. Do not open RDP to the whole world for want of DoS attacks through RDP. I would allow the creation of local rules, but not the ability to disable rules specified by the GPO. If the firewall’s configuration is a problem, move to a different OU and see if that helps.

Computer Configuration\Policies\Windows Settings\Administrative Templates

There are a ton of settings here. I’ll try to go through them as simply and concisely as possible. These settings apply to the computer, indifferent of who logs into Windows.

Control Panel/Personalization
  • Force a specific default lock screen and logon image = \\server\share\LockScreenImage.png or C:\Windows\Web\Screen\LockScreenImage.png
  • Turn off fun facts, tip, tricks, and more on lock screen = Enabled

The lock screen can be useful for displaying informational images, or a touch of corporate branding. It is also a great visual indication that a PC is in fact receiving the computer-based GPO settings from the presence of the GPO-assigned lock screen image being displayed.

Control Panel/User Accounts
  • Apply the default account picture to all users = Enabled

I like to swap the default Windows user icon image with a custom one. I just replace the images in “C:\ProgramData\Microsoft\User Account Pictures” with versions of my own for each image using the same names and file sizes/types. I think it makes the whole experience look better.

Start Menu and Taskbar
  • Start Layout File = C:\Path\To\LayoutModification.xml

This setting is great. On a template install of Windows 10, you can set the Start Menu tiles as desired and export that layout to an XML file with PowerShell. The GPO setting makes sure everyone gets the same Start layout, making documentation and troubleshooting easier for IT folks.

System/Group Policy
  • Configure user Group Policy loopback processing mode = Enabled, Mode: Replace

Given that my PCs are used in public environments, I want my GPO to provide the same settings no matter who longs into Windows. Commonly, the user accounts for my clients do not live in the same OU on which my GPO is applied. The loopback function allows the GPO’s settings to apply to users outside of the GPO’s OU. The options are merge and replace. They do as their names suggest. Merge combines the user’s overall user-based GPO settings (collectively), which can be numerous, and combines them with what’s specified in the loopback GPO. In the event of a settings conflict, the setting from the last GPO applied wins. That may not necessarily be your loopback GPO. Replace takes all of the user’s user-based GPO settings and ignores them for what’s specified in the loopback GPO. Use this setting with caution and certainly test it out before release to production.

  • Always wait for the network at computer startup and logon = Enabled
  • Hide Entry points for fast user switching = Enabled
  • Show first sign-in animation = Disabled

Whenever Windows begins to run automated tasks which require connectivity, make sure the network is available. This might lengthen startup and login times by a couple of seconds, but that is better than troubleshooting weird network errors. Generally, my computers only need one user login session at a time. Falling short of this, processes which requires that no users be logged in at the time they run might fail because of one or more persistent session remaining. Fast user switching is fine for shared computers, not the case here. In computer labs and classrooms, user privacy is of a concern when it comes to their data. The best way to ensure this is to make sure none remains after they log off. To this end, each of my user’s profiles are removed when they log off from Windows. Even if they use the same computer several times per week, each login session is new. Watching a first-login animation sequence once is annoying, and completely unacceptable for each login. The animation also slows the login process all together. I turn it off.

System/Power Management/Sleep Settings
  • Allow applications to prevent automatic sleep (plugged-in) = Enabled
  • Allow automatic sleep with Open Network Files (plugged-in) = Disabled
  • Require a password when a computer wakes (plugged-in) = Disabled
  • Specify the system sleep timeout (plugged-in) = 0
  • Specify the unattended sleep timeout (plugged-in) = 0
System/Power Management/Video and Display Settings
  • Turn off the display (plugged-in) = Enabled (3600 seconds)

Most presentations involving a computer will involve some sort of multimedia content. PowerPoint and online videos have become a staple in some classes. Having Windows blank the screen and go to sleep after fifteen minutes is counter to what the instructors have to do in those rooms. I set the display to turn off after an hour of idle time. A simple mouse movement will bring it back.

Windows Components/File Explorer
  • Set a default associations configuration file = Enabled (C:\Path\to\defaultassociations.xml)
  • Start File Explorer with ribbon minimized = Enabled (Never open new File Explorer windows with the ribbon minimized)

Specifying what applications handle what types of files is usually done for everyone by customizing a default user profile the old way of copying C:\Users\CustomProfile to C:\Users\Default. That approach is no longer valid and will lead to more problems in the future. Windows has a way of setting default applications for all users with an XML file and group policy. Simply take an example installation, set the desired defaults and export them to an XML file with PowerShell. I find the new ribbon menu in Explorer quite useful. However, the default behavior to hide until an on-hover event occurs over it with a mouse is annoying. I just show it. All of our users have 22″ screens or larger in their areas. It’ll fit.

Windows Components/Internet Explorer
  • Automatically activate newly installed add-ons = Enabled
  • Prevent participation in the Customer Experience Improvement Program = Enabled
  • Prevent running First Run wizard = Go directly to home page
  • Turn off add-on performance notifications = Enabled
  • Turn on menu bar by default = Enabled

With the introduction of Windows 10, Internet Explorer was superseded by the Edge web browser, which will itself be superseded by a Chromium derivative in the near future. IE11 is still installed on all versions of Windows 10 with the LTSB/LTSC versions only shipping with IE (No Edge). I still set defaults for IE’s configuration despite its near zero-level of use outside of Byzantine web apps which require IE for their functionality. While security is always a foremost priority, I’m aiming to get the user running with IE by reducing the first run prompts. The settings pretty much explain themselves, and are few among a large amount of possible IE GPO settings.

Windows Components/Internet Explorer/Accelerators
  • Turn off Accelerators = Enabled

IE has the capability to use accelerator plugins to enhance its browsing experience. I disable those on the reason that I don’t want unsanctioned code/plugins running or prompting users to run.

Windows Components/Microsoft Edge
  • Configure Start pages = Homepage URL
  • Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed = Enabled (Prevent tab loading)
  • Prevent the First Run webpage from opening on Microsoft Edge = Enabled

Now, I have two browsers to configure via GPO. Like IE, Edge’s GPO section is pretty expansive and I only set a few defaults. I set the homepage URL as the start page. I disable the first run webpage from opening as well. I really wish software developers did not do stuff like this.

Windows Components/OneDrive
  • Prevent the usage of OneDrive for file storage = Enabled.

I have nothing against OneDrive or cloud storage. What I’m trying to do here is disable OneDrive’s tendency to download and update the OneDrive application for each new user whenever they log on to Windows. File syncing to online storage is great, just not here.

Windows Components/Remote Desktop Services/Remote Desktop Connection Client
  • Do not allow passwords to be saved = Enabled
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections
  • Allow users to connect remotely by using Remote Desktop Services = Enabled
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security
  • Always prompt for password upon connection = Enabled

RDP is a tremendous help when comes to the fight against having to run around and visit machines for administration. Not everyone should be able to do this, just the PCs used by the IT folks. Scoping access is done in the firewall settings. I don’t want anyone saving passwords for these connections either. I want every remote connection attempt to be individually authenticated each time it is made.

Windows Components/Store
  • Turn off Automatic Download and install of updates = Enabled
  • Turn off the offer to update to the latest version of Windows = Enabled

The Microsoft Store and the way it is implemented on Windows has become a real challenge to administrators. No user has ever asked me for a store app. Ever… I avoid the whole mess. The second option pauses the option to upgrade Windows to the latest point release, another muddy pond of a system. I don’t want point releases going on during the semester, so I turn it off with this and WSUS.

Windows Components/Windows Media Center
  • Do not allow Windows Media Center to run = Enabled

This particularly affects Windows PCs with Windows Media Center (XP, Vista, and 7). My concern here is fielding support calls for people trying to play a video and finding themselves in WMC. Use VLC, or Windows Media Player instead.

Windows Components/Windows Media Player
  • Do Not Show First Use Dialog Boxes = Enabled

Getting rid of the first run prompts for WMP. They’re not a big deal, but never assume the level of experience and end user might have.













Leave a Reply