
How to: Build a ThinBased-PC with Windows 7/XP

As described in the earlier published article PDI: Physical Desktop Infrastructure, real Thin Clients are getting richer in features. While this is needed to satisfy the requirements of Remote Based Products like Citrix XenApp, Citrix XenDesktop and VMware View, it also has some side effects:

  • Real Thin Clients are getting more expensive, to the point that prices are currently comparable with normal PCs.
  • Thin Clients nowadays need to be fully managed, because many more features are available and have to be updated. Several Thin Client operating systems also really need updates for fixes and security vulnerabilities, so the big advantage of fewer maintenance tasks compared with traditional PCs has mostly disappeared.
  • With current techniques like VDI, additional Microsoft licenses are required when using a Thin Client OS, whereas traditional Microsoft Windows XP/Vista/7 PCs don't have that requirement.
  • The newest techniques/features (especially within Citrix products) are still available first in the Windows client of the product.

Summarized: the reason Thin Clients are often used (lower costs) no longer holds in many cases. Using a traditional workstation to connect to an SBC/VDI infrastructure is getting more and more logical, even though the user works on a Full Desktop where all applications run in the data center.

However, if the user connects to a Full Desktop, you don't want to bother the user with a full client, but directly show the (probably) portal to connect to the SBC/VDI infrastructure. You also want to lock down the OS as much as possible, so it needs as little maintenance as possible and the user can change only the required settings (and nothing more).

Andrew Morgan did a tremendous job with releasing the freely available ThinKiosk utility, which transforms the PC into a ThinBasedPC with a single executable and central management using Microsoft GPO. However, the biggest catch with freeware is that it's freeware. What I mean by that is that freeware never has official support and you never know if and when updates will become available. Because of that, companies don't allow the use of freeware utilities in their infrastructure.

If this is the case at your organization, then you don't need to go for third-party products: you can create a ThinBased PC pretty easily with Microsoft GPOs and some basic scripts.

In this article I will describe the basic configuration and best practices to build a ThinBased PC using the standard tools available within a Microsoft Active Directory domain. The first step is to show the portal to the end-user without any manual interaction. Because centralized management is one of the starting points, the PC should be a member of Active Directory.

Autologon

An autologon is the most usable method, and to manage the configuration of the user settings (for that autologon user) it's preferable to use a standard domain user account. Within the registry you can define a user and corresponding settings that will automatically log on to a Windows system. To manage this centrally, I created a simple but effective ADM template.

When using an XP or older system, you can use a value of 2 for AutoAdminLogon. This also disables CTRL+ALT+DEL on the local workstation, so users cannot lock the local workstation via those keys. This no longer works in Windows 7 (not tested on Vista), so there you should use 1.

;  Group Policy template for Autologon
;
;  Copyright 2009 VanBragt.Net
;  (http://sbc.vanbragt.net)
;
;  All values are written under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
;  TXTCONVERT stores the numeric parts as REG_SZ, which is the type Winlogon reads.

CLASS MACHINE

CATEGORY "System"
    CATEGORY "Logon"
        POLICY "AutoLogon"
            EXPLAIN "These settings can be used to allow the system to logon automatically. To enable autologon, set the first two settings (AutoAdminLogon and ForceAutologon) to 1, and then fill in the appropriate account information. Keep in mind that this information will be stored in cleartext in the systems registry."

            KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

            ; 0 = off, 1 = on, 2 = on and CTRL+ALT+DEL disabled (XP and older only)
            PART "AutoAdminLogon" NUMERIC REQUIRED TXTCONVERT
                VALUENAME "AutoAdminLogon"
                MIN 0 MAX 2 DEFAULT 0 SPIN 1
            END PART

            ; 1 = log on automatically again after the user logs off
            PART "ForceAutoLogon" NUMERIC REQUIRED TXTCONVERT
                VALUENAME "ForceAutoLogon"
                MIN 0 MAX 1 DEFAULT 0 SPIN 1
            END PART

            PART "DefaultUserName" EDITTEXT REQUIRED
                VALUENAME "DefaultUserName"
                DEFAULT "Username" MAXLEN 128
            END PART

            ; Stored in cleartext in the registry (see EXPLAIN); use a standard domain user
            PART "DefaultPassword" EDITTEXT REQUIRED
                VALUENAME "DefaultPassword"
                DEFAULT "Password" MAXLEN 128
            END PART

            PART "DefaultDomainName" EDITTEXT REQUIRED
                VALUENAME "DefaultDomainName"
                DEFAULT "Domain" MAXLEN 128
            END PART

            ; The Alt* values must mirror the values above
            PART "AltDefaultUserName" EDITTEXT REQUIRED
                VALUENAME "AltDefaultUserName"
                DEFAULT "Should match username above" MAXLEN 128
            END PART

            PART "AltDefaultDomainName" EDITTEXT REQUIRED
                VALUENAME "AltDefaultDomainName"
                DEFAULT "Should match domain above" MAXLEN 128
            END PART
        END POLICY
    END CATEGORY
END CATEGORY
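As an added example (not part of the original article or its template), the following PowerShell script reads back the Winlogon values the template manages and reports the points an administrator should check before the PC goes into production: the AutoAdminLogon value in use, whether the Alt* values mirror the primary ones as the template requires, and whether a cleartext DefaultPassword is present. It assumes nothing beyond the registry path used by the template.

```powershell
# Added example, not from the original article or its ADM template.
# Audits the Winlogon values that the template above writes and reports
# the points to check before the PC goes into production. Written for
# PowerShell 2.0 (the Windows 7 default), so no [pscustomobject] syntax.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function ConvertTo-IntOrZero {
    param([string]$Value)
    # Winlogon stores AutoAdminLogon/ForceAutoLogon as REG_SZ ("0", "1", "2").
    if ($Value -match '^\d+$') { [int]$Value } else { 0 }
}

function Get-AutoLogonState {
    param([string]$Path = $WinlogonKey)
    $p = Get-ItemProperty -Path $Path
    New-Object PSObject -Property @{
        AutoAdminLogon       = ConvertTo-IntOrZero $p.AutoAdminLogon
        ForceAutoLogon       = ConvertTo-IntOrZero $p.ForceAutoLogon
        DefaultUserName      = [string]$p.DefaultUserName
        DefaultDomainName    = [string]$p.DefaultDomainName
        AltDefaultUserName   = [string]$p.AltDefaultUserName
        AltDefaultDomainName = [string]$p.AltDefaultDomainName
        HasCleartextPassword = -not [string]::IsNullOrEmpty($p.DefaultPassword)
    }
}

function Test-AutoLogonConfig {
    param([string]$Path = $WinlogonKey)
    $s = Get-AutoLogonState -Path $Path
    $findings = @()
    $osMajor = [Environment]::OSVersion.Version.Major   # 5 = XP, 6 = Vista/7

    if ($s.AutoAdminLogon -eq 0) {
        $findings += 'AutoAdminLogon is 0: autologon is switched off.'
    }
    # Per the article, value 2 (autologon + CTRL+ALT+DEL disabled) only works on XP and older.
    if ($s.AutoAdminLogon -eq 2 -and $osMajor -ge 6) {
        $findings += 'AutoAdminLogon is 2 on Vista/7 or newer; use 1 here.'
    }
    if ($s.AutoAdminLogon -ne 0 -and $s.ForceAutoLogon -ne 1) {
        $findings += 'ForceAutoLogon is not 1: after a logoff the PC stays at the logon screen.'
    }
    # The template expects the Alt* values to mirror the primary ones.
    if ($s.AltDefaultUserName -ne $s.DefaultUserName) {
        $findings += 'AltDefaultUserName does not match DefaultUserName.'
    }
    if ($s.AltDefaultDomainName -ne $s.DefaultDomainName) {
        $findings += 'AltDefaultDomainName does not match DefaultDomainName.'
    }
    # The EXPLAIN text already says the password is stored in cleartext; surface
    # it in the audit and name the account so its rights can be reviewed.
    if ($s.HasCleartextPassword) {
        $findings += ('DefaultPassword for {0}\{1} is stored in cleartext under {2}; keep that account a plain domain user with no rights beyond the portal.' -f $s.DefaultDomainName, $s.DefaultUserName, $Path)
    }
    return $findings
}

$result = @(Test-AutoLogonConfig)
if ($result.Count -eq 0) { 'Autologon configuration is consistent.' } else { $result }
```

Run it after a gpupdate /force on the ThinBased PC; an empty result means the values match what the template intends.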

Auto Start Portal

The second step is to autostart the portal for the end-users. By default this means opening Internet Explorer with the Citrix Web Interface or RD Web Access as start page. This can be accomplished via several methods; some examples are:

  • Arranging a shortcut file to IE in the startup folder of the autologon user

The simplest solution: create a default user profile and add the shortcut file to the Startup folder. Simple copy scripts (as a logon script) can also be used, but there can be timing issues if the file is copied after the OS has already checked the Startup folder. GPO Preferences could also be used to set up this scenario.

  • Adding a Run key in the User Registry starting Internet Explorer

Executables defined in the Run key are started during the logon of the user. The big advantage is the moment this is called, so there are no timing issues. The Run key can be added by importing a registry file (with the configured keys) via a script during logon (AD), or added to the default user profile. GPO Preferences could also be used to set up this scenario.

  • Use the GPO option called Custom User Interface

Within Microsoft GPOs you can use the Custom User Interface setting to specify an alternate user interface. This is probably the easiest to configure, but logically it also has a downside. Because it takes over the complete user interface, this is the only thing shown to the user. In situations where you would like to offer the user some settings to configure (like the screen resolution or keyboard/mouse settings), this option cannot satisfy your needs.


Lockdown

The third and most important step is to lock down the workstation. How many settings should be removed from the user interface depends on the requirements and wishes of the organization/customer. There are scenarios where you want to remove as much as possible, but offering some applications or configuration settings is also pretty logical. Think again of adjusting the screen resolution, keyboard/mouse settings and regional settings.

Internet access should be carefully considered. Many organizations use a proxy server, and when using for example Citrix XenApp HDX Flash Redirection you can offload the Flash load to the client, but by default the client then (logically) needs access to the Internet (there is a policy to download the content via the Citrix server, but in some situations this is not the way to go). If the proxy server is used to track which user has accessed which websites, you should lock down both the OS and the browser so users cannot type in any other URL. If the user can do that, they will browse the Internet under the autologon account and tracking the websites per user is no longer possible. In Windows 7 this is a really hard job, because you can type a URL almost anywhere (just use the navigation bar in the Control Panel, for example; I don't have a solution for that till now).

At the end of the article I have added the output of a GPO I used to build a ThinBasedPC based on Windows 7. It leads to the user environment on the PC displayed in the next figure.

[Figure: the resulting user environment on the Windows 7 ThinBasedPC]

Final Configuration

Besides arranging the autologon, the auto start of the portal and locking down the client, the last step is to preconfigure the user environment and do a final lockdown of settings that are not available in standard GPOs. This can be accomplished using several methods. Many settings are retained in the profile of the user, so you can preconfigure the profile of the autologon user with the desired configuration. Using this method also implies that you need to find a central way to change the configuration when needed, for example by copying the profile at startup.

A second method is creating custom ADM(X) templates and importing those into your GPO. From a system administration point of view this is the preferred format, but creating those ADM templates takes the most time.

The third option, which I use, is creating REG files with the desired settings and importing those using the startup or logon script option of the GPO. In this way it is still centrally managed and can be adjusted easily. However, you should document thoroughly which REG file is being used for which purpose.

Some examples of settings I define using the above methods are the Citrix Client Access Resources, the Citrix Full Screen Message, Disable Windows+L and removing specific folders from the Start menu.
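As an added example (not the author's script), here is how the REG-file method from this section can be applied to two of the settings named above: a Run key that autostarts Internet Explorer with the portal (the Run key method from the Auto Start Portal section) and Disable Windows+L. The portal URL and the file name are placeholders, and the DisableLockWorkstation policy value is my choice for blocking Windows+L, not necessarily the value the author uses.

```powershell
# Added example, not from the original article. Builds and imports the REG file
# that a GPO logon script (for example ConfigureUserEnvironment.cmd) would apply
# to the autologon user. Everything targets HKCU, so no elevation is needed.
# Written for PowerShell 2.0 (the Windows 7 default).
$PortalUrl = 'https://portal.example.local/Citrix/XenApp/'   # placeholder, adjust
$RegFile   = Join-Path $env:TEMP 'ThinBasedPC-UserEnvironment.reg'

function New-ThinPcUserRegFile {
    param([string]$Url, [string]$Path)
    # REG files are UTF-16; backslashes and quotes inside values must be escaped.
    # The purpose comments inside the file are the documentation the article asks for.
    $body = @"
Windows Registry Editor Version 5.00

; ThinBasedPC - user environment
; Purpose 1: auto start the portal. The Run key is processed at logon, so no timing issue.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ThinPCPortal"="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -k $Url"

; Purpose 2: Disable Windows+L, so the shared autologon session cannot be locked
; behind a password the end-user does not know.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableLockWorkstation"=dword:00000001
"@
    Set-Content -Path $Path -Value $body -Encoding Unicode
    return $Path
}

function Import-ThinPcUserRegFile {
    param([string]$Path)
    # reg.exe returns a non-zero exit code when the import fails (e.g. malformed file).
    & reg.exe import $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe import of $Path failed with exit code $LASTEXITCODE" }
}

function Test-ThinPcUserSettings {
    param([string]$Url)
    # Read back what was imported, so a logon script can log success or failure.
    $run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    $sys = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        PortalAutostart = ($run.ThinPCPortal -like "*$Url*")
        WinLDisabled    = ($sys.DisableLockWorkstation -eq 1)
    }
}

Import-ThinPcUserRegFile -Path (New-ThinPcUserRegFile -Url $PortalUrl -Path $RegFile)
Test-ThinPcUserSettings -Url $PortalUrl
```

The -k switch starts Internet Explorer in kiosk mode, which matches the Enforce Full Screen Mode policy in the GPO example at the end of the article.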

Conclusion

While there are both very good third-party and freeware products available to use a standard workstation as a Thin Client, you can also do it using default Microsoft technologies when there is no budget or freeware is not allowed in the company. With this article I would like to show you the basic steps and an example configuration to change your workstation into a ThinBasedPC.

Add-on GPO Example of LockDown ThinBasedPC

Lockdown Win 7 to ThinBasedPC

Data collected on: 3/6/2012 10:37:05 AM


General
  Domain: vanbragt.local
  Owner: VANBRAGT\Domain Admins
  Created: 3/6/2012 10:35:04 AM
  Modified: 3/6/2012 10:36:36 AM
  User Revisions: 1 (AD), 1 (sysvol)
  Computer Revisions: 1 (AD), 1 (sysvol)
  Unique ID: {B9D3D44E-F090-44B9-ADF0-97C5733AD0BB}
  GPO Status: Enabled

Links (Location | Enforced | Link Status | Path)
  None
  This list only includes links in the domain of the GPO.

Security Filtering
  The settings in this GPO can only apply to the following groups, users, and computers:
  NT AUTHORITY\Authenticated Users

Delegation
  These groups and users have the specified permission for this GPO (Name | Allowed Permissions | Inherited):
  NT AUTHORITY\Authenticated Users | Read (from Security Filtering) | No
  NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No
  NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No
  VANBRAGT\Domain Admins | Edit settings, delete, modify security | No
  VANBRAGT\Enterprise Admins | Edit settings, delete, modify security | No

Computer Configuration (Enabled)

Policies

Windows Settings

Scripts/Startup (for this GPO, script order: Not configured)
  Name | Parameters
  ConfigureThinPCMachinesettings.cmd | (none)

Security Settings

Local Policies/User Rights Assignment
  Log on as a batch job: ------------------------------

Local Policies/Security Options
  Accounts
    Accounts: Rename administrator account: ------------------------------
  Interactive Logon
    Interactive logon: Do not display last user name: Enabled
  User Account Control
    User Account Control: Admin Approval Mode for the Built-in Administrator account: Disabled
    User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Elevate without prompting
    User Account Control: Detect application installations and prompt for elevation: Disabled
    User Account Control: Only elevate UIAccess applications that are installed in secure locations: Disabled
    User Account Control: Run all administrators in Admin Approval Mode: Disabled

Restricted Groups (Group | Members | Member of)
  BUILTIN\Administrators | ------------------------------ | (empty)
  BUILTIN\Users | ------------------------------ | (empty)

Public Key Policies/Trusted Root Certification Authorities
  Properties
    Allow users to select new root certification authorities (CAs) to trust: Enabled
    Client computers can trust the following certificate stores: Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
    To perform certificate-based authentication of users and computers, CAs must meet the following criteria: Registered in Active Directory only

Windows Firewall with Advanced Security
  Global Settings
    Policy version: Not Configured
    Disable stateful FTP: Not Configured
    Disable stateful PPTP: Not Configured
    IPsec exempt: Not Configured
    IPsec through NAT: Not Configured
    Preshared key encoding: Not Configured
    SA idle time: Not Configured
    Strong CRL check: Not Configured
  Domain Profile Settings
    Firewall state: Off
    Inbound connections: Not Configured
    Outbound connections: Not Configured
    Apply local firewall rules: Not Configured
    Apply local connection security rules: Not Configured
    Display notifications: Not Configured
    Allow unicast responses: Not Configured
    Log dropped packets: Not Configured
    Log successful connections: Not Configured
    Log file path: Not Configured
    Log file maximum size (KB): Not Configured
  Connection Security Settings

Administrative Templates

Policy definitions (ADMX files) retrieved from the local machine.
(Each line reads Policy: Setting; indented lines are the options of the policy above. The Comment column was empty throughout.)

Control Panel/Regional and Language Options
  Force selected system UI language to overwrite the user UI language: Enabled
  Restricts the UI language Windows uses for all logged users: Enabled
    Restrict users to the following language: Dutch

Control Panel/User Accounts
  Apply the default user logon picture to all users: Enabled

Ervik.as - Citrix XenApp and Microsoft Remote Desktop Services/TS Tuning Policy
  Sets Default Logon Domain: Enabled
    Please Insert Your Default Domain Name: VANBRAGT

Network/Background Intelligent Transfer Service (BITS)
  Allow BITS Peercaching: Disabled
  Do not allow the computer to act as a BITS Peercaching client: Enabled
  Do not allow the computer to act as a BITS Peercaching server: Enabled

Network/Network Connections
  Prohibit use of Internet Connection Firewall on your DNS domain network: Enabled
  Prohibit use of Internet Connection Sharing on your DNS domain network: Enabled

Network/Network Connections/Windows Firewall/Domain Profile
  Windows Firewall: Protect all network connections: Disabled

Network/Network Connections/Windows Firewall/Standard Profile
  Windows Firewall: Protect all network connections: Disabled

Network/Offline Files
  Prevent use of Offline Files folder: Enabled
  Prohibit user configuration of Offline Files: Enabled
    Prevents users from changing any cache configuration settings.
  Remove 'Make Available Offline': Enabled
  Turn off reminder balloons: Enabled

Network/Windows Connect Now
  Prohibit Access of the Windows Connect Now wizards: Enabled

Printers
  Always render print jobs on the server: Enabled
  Disallow installation of printers using kernel-mode drivers: Enabled
  Execute print drivers in isolated processes: Enabled
  Point and Print Restrictions: Enabled
    Users can only point and print to these servers: Disabled
    Enter fully qualified server names separated by semicolons: localhost
    Users can only point and print to machines in their forest: Disabled
    Security Prompts:
      When installing drivers for a new connection: Do not show warning or elevation prompt
      When updating drivers for an existing connection: Do not show warning or elevation prompt
    This setting only applies to: Windows Vista and later

System/Device Installation
  Do not send a Windows error report when a generic driver is installed on a device: Enabled
  Prevent Windows from sending an error report when a device driver requests additional software during installation: Enabled
  Turn off "Found New Hardware" balloons during device installation: Enabled

System/Filesystem/NTFS
  Do not allow compression on all NTFS volumes: Enabled
  Do not allow encryption on all NTFS volumes: Enabled

System/Group Policy
  User Group Policy loopback processing mode: Enabled
    Mode: Replace

System/Internet Communication Management
  Restrict Internet communication: Enabled

System/Internet Communication Management/Internet Communication settings
  Turn off access to all Windows Update features: Enabled
  Turn off Automatic Root Certificates Update: Enabled
  Turn off downloading of print drivers over HTTP: Enabled
  Turn off Event Viewer "Events.asp" links: Enabled
  Turn off handwriting recognition error reporting: Enabled
  Turn off Help and Support Center "Did you know?" content: Enabled
  Turn off Help and Support Center Microsoft Knowledge Base search: Enabled
  Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com: Enabled
  Turn off Internet download for Web publishing and online ordering wizards: Enabled
  Turn off Internet File Association service: Enabled
  Turn off printing over HTTP: Enabled
  Turn off Registration if URL connection is referring to Microsoft.com: Enabled
  Turn off Search Companion content file updates: Enabled
  Turn off the "Order Prints" picture task: Enabled
  Turn off the "Publish to Web" task for files and folders: Enabled
  Turn off the Windows Messenger Customer Experience Improvement Program: Enabled
  Turn off Windows Customer Experience Improvement Program: Enabled
  Turn off Windows Error Reporting: Enabled
  Turn off Windows Network Connectivity Status Indicator active tests: Enabled
  Turn off Windows Update device driver searching: Enabled

System/Locale Services
  Disallow changing of geographic location: Enabled

System/Logon
  Always wait for the network at computer startup and logon: Enabled
  Assign a default domain for logon: Enabled
    Default Logon domain: VANBRAGT (Enter the name of the domain)
  AutoLogon: Enabled
    AutoAdminLogon: 1
    ForceAutoLogon: 1
    DefaultUserName: logonthinbasedpc
    DefaultPassword: ------------------------------
    DefaultDomainName: (empty)
    AltDefaultUserName: logonthinbasedpc
    AltDefaultDomainName: ------------------------------
  Don't display the Getting Started welcome screen at logon: Enabled
  Hide entry points for Fast User Switching: Enabled
  Turn off Windows Startup Sound: Enabled

System/Performance Control Panel
  Turn off access to the performance center core section: Enabled
  Turn off access to the solutions to performance problems section: Enabled

System/Power Management/Hard Disk Settings
  Turn Off the Hard Disk (Plugged In): Enabled
    Turn Off the Hard Disk (seconds): 7200

System/Power Management/Sleep Settings
  Require a Password When a Computer Wakes (Plugged In): Enabled
  Specify the System Sleep Timeout (On Battery): Enabled
    System Sleep Timeout (seconds): 10800

System/Power Management/Video and Display Settings
  Turn Off the Display (Plugged In): Enabled
    Turn Off the Display (seconds): 3600

System/Remote Assistance
  Offer Remote Assistance: Disabled
  Solicited Remote Assistance: Disabled

System/User Profiles
  Add the Administrators security group to roaming user profiles: Enabled
  Delete cached copies of roaming profiles: Enabled
  Delete user profiles older than a specified number of days on system restart: Enabled
    Delete user profiles older than (days): 1
  Do not check for user ownership of Roaming Profile Folders: Enabled
  Do not log users on with temporary profiles: Enabled
  Only allow local user profiles: Enabled
  Wait for remote user profile: Enabled

Windows Components/Application Compatibility
  Prevent access to 16-bit applications: Enabled

Windows Components/AutoPlay Policies
  Turn off Autoplay: Enabled
    Turn off Autoplay on: All drives

Windows Components/Desktop Gadgets
  Turn off desktop gadgets: Enabled

Windows Components/Desktop Window Manager
  Do not allow desktop composition: Enabled
  Do not allow Flip3D invocation: Enabled

Windows Components/Game Explorer
  Turn off downloading of game information: Enabled
  Turn off game updates: Enabled
  Turn off tracking of last play time of games in the Games folder: Enabled

Windows Components/HomeGroup
  Prevent the computer from joining a homegroup: Enabled

Windows Components/Internet Explorer
  Disable Automatic Install of Internet Explorer components: Enabled
  Disable changing Automatic Configuration settings: Enabled
  Disable changing connection settings: Enabled
  Disable changing proxy settings: Enabled
  Disable Periodic Check for Internet Explorer software updates: Enabled
  Do not allow users to enable or disable add-ons: Enabled
  Enforce Full Screen Mode: Enabled
  Prevent Internet Explorer Search box from displaying: Enabled
  Prevent participation in the Customer Experience Improvement Program: Enabled
  Prevent performance of First Run Customize settings: Enabled
    Select your choice: Go directly to home page
  Security Zones: Do not allow users to add/delete sites: Enabled
  Security Zones: Do not allow users to change policies: Enabled
  Turn off configuration of window reuse: Enabled
    Select where to open links: Open in existing Internet Explorer window
  Turn off Crash Detection: Enabled
  Turn off displaying the Internet Explorer Help Menu: Enabled
  Turn off Favorites bar: Enabled
  Turn off Managing Phishing filter: Enabled
    Select phishing filter mode: Automatic
  Turn off Managing Pop-up Allow list: Enabled
  Turn off managing Pop-up filter level: Enabled
  Turn off Managing SmartScreen Filter: Enabled
    Select SmartScreen Filter mode: Off
  Turn off page zooming functionality: Enabled
  Turn off Quick Tabs functionality: Enabled
  Turn off Reopen Last Browsing Session: Enabled
  Turn off tabbed browsing: Enabled
  Turn off the Security Settings Check feature: Enabled

Windows Components/Internet Explorer/Accelerators
  Turn off Accelerators: Enabled

Windows Components/Internet Explorer/Internet Control Panel
  Disable the Advanced page: Enabled
  Disable the Connections page: Enabled
  Disable the Content page: Enabled
  Disable the General page: Enabled
  Disable the Privacy page: Enabled
  Disable the Programs page: Enabled
  Disable the Security page: Enabled

Windows Components/Internet Explorer/Internet Control Panel/Security Page
  Intranet Sites: Include all network paths (UNCs): Enabled
  Intranet Sites: Include all sites that bypass the proxy server: Enabled

Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
  Launching programs and unsafe files: Enabled
    Launching programs and unsafe files: Enable

Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
  Allow active scripting: Enabled
    Allow active scripting: Enable
  Launching programs and unsafe files: Enabled
    Launching programs and unsafe files: Enable

Windows Components/Internet Explorer/Internet Settings/Component Updates/Help Menu > About Internet Explorer
  Prevent the configuration of cipher strength update information URLs: Enabled
    Cipher Strength Update Information URL: (empty)

Windows Components/Internet Explorer/Internet Settings/Component Updates/Periodic check for updates to Internet Explorer and Internet Tools
  Turn off configuring the update check interval (in days): Enabled
    Update check interval (in days): 30

Windows Components/Internet Explorer/Security Features
  Turn off Data Execution Prevention: Enabled

Windows Components/Internet Explorer/Toolbars
  Hide the Command Bar: Enabled
  Lock all Toolbars: Enabled
  Turn off toolbar upgrade tool: Enabled

Windows Components/Internet Information Services
  Prevent IIS installation: Disabled

Windows Components/NetMeeting
  Disable remote Desktop Sharing: Enabled

Windows Components/Network Projector
  Turn off Connect to a Network Projector: Enabled

Windows Components/Online Assistance
  Turn off Active Help: Enabled

Windows Components/Remote Desktop Services/Remote Desktop Connection Client
  Do not allow passwords to be saved: Enabled

Windows Components/RSS Feeds
  Turn off addition and removal of feeds and Web Slices: Enabled
  Turn off background sync for feeds and Web Slices: Enabled
  Turn off downloading of enclosures: Enabled
  Turn off feed and Web Slices discovery: Enabled
  Turn off the feed list: Enabled
  Turn on Basic feed authentication over HTTP: Enabled

Windows Components/Security Center
  Turn on Security Center (Domain PCs only): Disabled

Windows Components/Sound Recorder
  Do not allow Sound Recorder to run: Enabled

Windows Components/Windows Anytime Upgrade
  Prevent Windows Anytime Upgrade from running.: Enabled

Windows Components/Windows Calendar
  Turn off Windows Calendar: Enabled

Windows Components/Windows Customer Experience Improvement Program
  Allow Corporate redirection of Customer Experience Improvement uploads: Disabled

Windows Components/Windows Defender
  Turn off Windows Defender: Enabled

Windows Components/Windows Error Reporting
  Disable Logging: Enabled
  Disable Windows Error Reporting: Enabled

Windows Components/Windows Installer
  Allow admin to install from Remote Desktop Services session: Enabled
  Disable IE security prompt for Windows Installer scripts: Enabled
  Disable Windows Installer: Enabled
    Disable Windows Installer: Never

Windows Components/Windows Mail
  Turn off Windows Mail application: Enabled

Windows Components/Windows Media Center
  Do not allow Windows Media Center to run: Enabled

Windows Components/Windows Media Digital Rights Management
  Prevent Windows Media DRM Internet Access: Enabled

Windows Components/Windows Media Player
  Do Not Show First Use Dialog Boxes: Enabled
  Prevent Automatic Updates: Enabled
  Prevent Desktop Shortcut Creation: Enabled
  Prevent Media Sharing: Enabled
  Prevent Quick Launch Toolbar Shortcut Creation: Enabled

Windows Components/Windows Messenger
  Do not allow Windows Messenger to be run: Enabled
  Do not automatically start Windows Messenger initially: Enabled

Windows Components/Windows Mobility Center
  Turn off Windows Mobility Center: Enabled

Windows Components/Windows PowerShell
  Turn on Script Execution: Enabled
    Execution Policy: Allow all scripts

Windows Components/Windows Remote Management (WinRM)/WinRM Service
  Allow automatic configuration of listeners: Enabled
    IPv4 filter: *
    IPv6 filter: (empty)
    Syntax: Type "*" to allow messages from any IP address, or leave the field empty to listen on no IP address. You can specify one or more ranges of IP addresses.
    Example IPv4 filters: 2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22 or *
    Example IPv6 filters: 3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 or *

Windows Components/Windows SideShow
  Turn off Windows SideShow: Enabled

Extra Registry Settings

Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.
  Setting | State
  Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow | 2

User Configuration (Enabled)

Policies

Windows Settings

Scripts

Logon

For this GPO, Script order: Not configured

Name

Parameters

ConfigureUserEnvironment.cmd

 

Administrative Templates

Policy definitions (ADMX files) retrieved from the local machine.

Control Panel

Policy | Setting | Comment
Always open All Control Panel Items when opening Control Panel | Enabled |
Show only specified Control Panel items | Enabled |
    List of allowed Control Panel items: desk.cpl, Microsoft.Display

Control Panel/Add or Remove Programs

Policy | Setting | Comment
Hide Add/Remove Windows Components page | Enabled |

Control Panel/Personalization

Policy | Setting | Comment
Enable screen saver | Disabled |
Load a specific theme | Enabled |
    Path to theme file: c:\Windows\Resources\Ease of Access Themes\basic.theme
Prevent changing color scheme | Enabled |
Prevent changing desktop background | Enabled |
Prevent changing desktop icons | Enabled |
Prevent changing mouse pointers | Enabled |
Prevent changing screen saver | Enabled |
Prevent changing sounds | Enabled |
Prevent changing theme | Enabled |
Prevent changing visual style for windows and buttons | Enabled |
Prohibit selection of visual style font size | Enabled |

Control Panel/Printers

Policy | Setting | Comment
Prevent addition of printers | Enabled |
Prevent deletion of printers | Enabled |

Control Panel/Programs

Policy | Setting | Comment
Hide "Get Programs" page | Enabled |
Hide "Installed Updates" page | Enabled |
Hide "Programs and Features" page | Enabled |
Hide "Set Program Access and Computer Defaults" page | Enabled |
Hide "Windows Features" | Enabled |
Hide "Windows Marketplace" | Enabled |
Hide the Programs Control Panel | Enabled |

Desktop

Policy | Setting | Comment
Hide Network Locations icon on desktop | Enabled |
Prevent adding, dragging, dropping and closing the Taskbar's toolbars | Enabled |
Prohibit adjusting desktop toolbars | Enabled |
Remove Computer icon on the desktop | Enabled |
Remove My Documents icon on the desktop | Enabled |
Remove Properties from the Computer icon context menu | Enabled |
Remove Properties from the Documents icon context menu | Enabled |
Remove Properties from the Recycle Bin context menu | Enabled |
Remove Recycle Bin icon from desktop | Enabled |
Remove the Desktop Cleanup Wizard | Enabled |

Network/Windows Connect Now

Policy | Setting | Comment
Prohibit Access of the Windows Connect Now wizards | Enabled |

Start Menu and Taskbar

Policy | Setting | Comment
Clear history of recently opened documents on exit | Enabled |
Clear the recent programs list for new users | Enabled |
Do not allow pinning items in Jump Lists | Enabled |
Do not allow pinning programs to the Taskbar | Enabled |
Do not display any custom toolbars in the taskbar | Enabled |
Do not display or track items in Jump Lists from remote locations | Enabled |
Do not keep history of recently opened documents | Enabled |
Do not search communications | Enabled |
Do not search for files | Enabled |
Do not search Internet | Enabled |
Do not search programs and Control Panel items | Enabled |
Do not use the search-based method when resolving shell shortcuts | Enabled |
Do not use the tracking-based method when resolving shell shortcuts | Enabled |
Hide the notification area | Enabled |
Lock all taskbar settings | Enabled |
Lock the Taskbar | Enabled |
Prevent changes to Taskbar and Start Menu Settings | Enabled |
Prevent users from adding or removing toolbars | Enabled |
Prevent users from moving taskbar to another screen dock location | Enabled |
Prevent users from rearranging toolbars | Enabled |
Prevent users from resizing the taskbar | Enabled |
Remove access to the context menus for the taskbar | Enabled |
Remove All Programs list from the Start menu | Enabled |
Remove Balloon Tips on Start Menu items | Enabled |
Remove common program groups from Start Menu | Enabled |
Remove Default Programs link from the Start menu. | Enabled |
Remove Documents icon from Start Menu | Enabled |
Remove Downloads link from Start Menu | Enabled |
Remove drag-and-drop and context menus on the Start Menu | Enabled |
Remove Favorites menu from Start Menu | Enabled |
Remove frequent programs list from the Start Menu | Enabled |
Remove Games link from Start Menu | Enabled |
Remove Help menu from Start Menu | Enabled |
Remove Homegroup link from Start Menu | Enabled |
Remove links and access to Windows Update | Enabled |
Remove Music icon from Start Menu | Enabled |
Remove Network Connections from Start Menu | Enabled |
Remove Network icon from Start Menu | Enabled |
Remove Pictures icon from Start Menu | Enabled |
Remove pinned programs from the Taskbar | Enabled |
Remove pinned programs list from the Start Menu | Enabled |
Remove Recent Items menu from Start Menu | Enabled |
Remove Recorded TV link from Start Menu | Enabled |
Remove Run menu from Start Menu | Enabled |
Remove Search Computer link | Enabled |
Remove Search link from Start Menu | Enabled |
Remove See More Results / Search Everywhere link | Enabled |
Remove the Action Center icon | Enabled |
Remove the networking icon | Enabled |
Remove user folder link from Start Menu | Enabled |
Remove user name from Start Menu | Enabled |
Remove user's folders from the Start Menu | Enabled |
Remove Videos link from Start Menu | Enabled |
Show QuickLaunch on Taskbar | Disabled |
Turn off all balloon notifications | Enabled |
Turn off feature advertisement balloon notifications | Enabled |
Turn off notification area cleanup | Enabled |
Turn off personalized menus | Enabled |
Turn off user tracking | Enabled |

System/Ctrl+Alt+Del Options

Policy | Setting | Comment
Remove Change Password | Enabled |
Remove Lock Computer | Enabled |
Remove Task Manager | Enabled |

Windows Components/AutoPlay Policies

Policy | Setting | Comment
Default behavior for AutoRun | Enabled |
    Default AutoRun Behavior: Do not execute any autorun commands
Turn off Autoplay | Enabled |
    Turn off Autoplay on: All drives

Windows Components/Desktop Gadgets

Policy | Setting | Comment
Turn off desktop gadgets | Enabled |

Windows Components/Internet Explorer/InPrivate

Policy | Setting | Comment
Disable toolbars and extensions when InPrivate Browsing starts | Enabled |
Turn off InPrivate Browsing | Enabled |

Windows Components/Microsoft Management Console

Policy | Setting | Comment
Restrict the user from entering author mode | Enabled |

Windows Components/Windows Anytime Upgrade

Policy | Setting | Comment
Prevent Windows Anytime Upgrade from running. | Enabled |

Windows Components/Windows Calendar

Policy | Setting | Comment
Turn off Windows Calendar | Enabled |

Windows Components/Windows Explorer

Policy | Setting | Comment
Hide these specified drives in My Computer | Enabled |
    Pick one of the following combinations: Restrict A, B, C and D drives only
Prevent access to drives from My Computer | Enabled |
    Pick one of the following combinations: Restrict A, B, C and D drives only