Group Policy-Managed Desktops Preferences

Starting with Windows Server 2008, Microsoft added a feature to Group Policy called “Preferences” (GPP). This allowed administrators to configure Windows settings Control Panel-style. Just like GPOs, GPPs contain dozens of configuration possibilities and when used properly, can make administration much easier. GPPs are divided into Windows Settings and Control Panel Settings, similar to a GPO. Each GPO has a set of preferences in both the Computer and User configuration settings.

Here’s how I use them on public computers.

Computer Configuration\Preferences\Windows Settings\Registry

  • Update = HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, Value name = PortNumber, Value type = REG_DWORD, Value data = desired RDP port in hex
  • Update = HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, Value name = srvcomment, Value type = REG_SZ, Value data = Whatever you want the end users to see in the System properties pane.
  • Update = HKLM\SYSTEM\CurrentControlSet\Control\CrashControl, Value name = AutoReboot, Value type = REG_DWORD, Value data = 0x1

Editing registry settings en masse is a very powerful capability which can fix or create problems nearly instantly. I add a few tweaks to Windows. The first one changes the port number that Remote Desktop (RDP) listens on for connections. The default is 3389. I change that in addition to creating custom a firewall rule for the new port and scoping it to only include allowed IPs. The second entry adds a comment in the “About” section in the Windows System Control Panel applet. The last value forces Windows to reboot whenever it decides to crash and not present the user with a BSOD.

Computer Configuration\Preferences\Windows Settings\Shortcut

  • Update = Target type = Shell object, Shortcut path = %CommonDesktopDir%\This PC, Target object = This PC, Icon path = %SystemRoot%\System32\SHELL32.dll, Icon index = 15, Run = Maximized

Places a shortcut on all users desktops called “This PC” which is similar to the legacy “My Computer” icon of old. I do this for reasons of familiarity.

Computer Configuration\Preferences\Control Panel Settings\Printers

  • Delete = Local printer “Send to OneNote 16”

Windows and Office like to make the OneNote printer the default for everyone. I delete the printer object for OneNote 2016 so installed printers, after the fact, can be the default. I don’t commonly map printers on public computers, but some labs use a Pharos unit for printing and wherever possible, should be the default.

Leave a Reply