Windows Azure is coming to Australia

So I know this is not strictly Group Policy news, however I am from Australia and this news was just too good for us Aussies to not mention. Microsoft Australia has just announced on their blog that they would be expanding their Azure service to Australia. What this means for many organisations is of course that they can now start to use Microsoft Azure while negating a lot of the issues with data sovereignty. In my personal experience I have certainly heard that a lot of organisations (both corporate and government) have concerns about going to the cloud. Obviously Microsoft has also heard a similar story to justify the cost of setting up a local presence. Of course it also means they can compete locally with Amazon EC2 and Rackspace, which have also recently set up an Australian datacentre presence.

This is also somewhat good news for our close New Zealand neighbours, as while it might not get around some data sovereignty issues it does mean they can now host services much physically closer to home and thus with far lower latency.

For more information about security in relation to Windows Azure, also check out the blog post by Rocky Heckman at http://blogs.msdn.com/b/rockyh/archive/2013/05/21/windows-azure-in-australia-how-does-that-change-your-security-outlook.aspx

Source: http://blogs.msdn.com/b/ausblog/archive/2013/05/21/windows-azure-expands-downunder.aspx


How to enable boot to desktop group policy for Windows 8

So long ago I blogged/ranted about how the Group Policy setting “Do not show the Start Menu when the user logs in” was explicitly disabled in Windows 8 (see The must NOT have Windows 8 Start Menu Group Policy Setting). But I have since found a way that you can actually implement this feature (albeit not perfectly) using a simple PowerShell start up script. This script in essence just types the word “Desktop + ENTER” when the user logs on to their session, thus taking them to the desktop (see video below).

Admittedly the user still loads the Start Menu and the few seconds delay is a little annoying, however it does technically boot to the desktop without any interaction with the user after they enter their logon credentials.

If you want to set up this option then download the PowerShell script file below:

Modify a policy that targets the users that you want it to apply to. Navigate to User Configuration > Policies > Windows Settings > Scripts, then double click on “Logon” and select the “PowerShell Scripts” tab. Click the “Show Files…” button and copy the PowerShell script into the folder, then go back and click the “Add…” button and enter the name of the script, e.g. GoToDesktop.ps1.

TIP: You may want to apply a WMI filter to this GPO to only apply to Windows 8


It is certainly not the cleanest way to do a boot to desktop but it gets the job done without the need to purchase any third party utilities. But here is hoping that Microsoft enables this option natively in Windows 8.1…


“What group policy settings should I configure?”

Having been a Group Policy MVP for a while and a contributor to the Microsoft Group Policy forums for even longer I still see a lot of people asking “I am new to Group Policy. What settings should I configure?”. My answer to these people is now pretty much unconditionally “nothing”. That’s right… Nothing…. Of course that is not the answer you are probably expecting a Group Policy MVP to give so let me explain…

I certainly remember a time (long ago) where I sat down with a specific customer and went through all the Group Policy settings to set up a configuration for them to apply at their work. Now this was a small manufacturing shop with only a handful of staff and the guy who owned it wanted to “lock down” his computers to make sure his staff could not “muck up” his computers. Mind you this was back in the day of Windows 2000, when Group Policy was the fantastic new technology and the idea of being able to configure the look and feel of Windows was rather novel to say the least. However I have since seen many organisations that have upgraded from Windows XP that had many policy settings that were configured just “because” it sounded like a good idea at the time. Another example was a place I worked for that had the taskbar application grouping feature (see below) disabled in Windows XP. It was decided by the “powers that be” that this option should be turned off as it was better to not confuse the user with this new Windows XP UI feature.

[Image: Windows XP taskbar application grouping]

But more on this one later…

These are just some of the examples that I have personally experienced as to how Group Policy settings used to be configured for pretty much no other reason than just arbitrarily “because it is there”.

Jump forward to today, where this thinking of configuring policy settings for the sake of it is now very much out of vogue, and for good reason. The Microsoft blog post Sticking with Well-Known and Proven Solutions has a really good example of why just configuring settings because it sounds good is a bad idea. As the example in it shows, not only can just configuring these settings lead to a complicated environment, it can downright cause massive headaches when troubleshooting issues with your computers. This post also reflects some of the sentiment that I have spoken about at my TechEd session, where I say if you are moving from XP to Windows 7 (or 8) now is an ideal opportunity to reset everything that is done in your environment and start again fresh…

My analogy to this is that if you are upgrading your computers, now is the time to take the knife to the Rubber Band Ball and cut away all the layers of settings and customisations that have been building up in your environment. Design a clean fresh environment for your users that completely mirrors the experience that they have out of the box with almost any Windows PC they buy at a retail shop (minus the crapware). Not only does this create an environment that is simpler and easier to manage for the IT staff, it gives your users the feeling of freedom. Allowing the users to customise their desktops, such as wallpaper and task bar colour, as they see fit actually makes them feel less psychologically in control of their PC, where in reality all they have is freedom in their own profile. What this means is that users can now be given full access to customise their own computer but still not enough access for them to affect the overall configuration of the computer itself. Of course users can still stuff up their own profiles, however when this happens most of the time all the IT admin needs to do is a simple profile reset. While this is not the most convenient thing to have happen to the users it is certainly a lot rarer in a Windows 7 environment and when combined with folder redirection can be a very quick and painless process for the user.

Keeping the user interface free of group policy restrictions and default profile customisations also means that it is more likely that your users will pick up the new OS more quickly, as it looks and feels the same as the computer they have probably got running at home. This is certainly true of Windows 7 deployments today, as a lot of people also have Windows 7 at home now that it has been over 3 years since its release. This will also become more true of Windows 8 deployments into the future as people get used to the new Windows 8 not from their work computer but by upgrading their home computers over the next few years.

That all being said, there is always an exception to the rule, and in this case I would say that security baseline templates in the Security Compliance Manager tool from Microsoft should still be applied to your environment. This free tool actually contains a number of security baseline templates that are recommended to be applied to your environment. Microsoft has already done a lot of the time-consuming effort in finding a reasonable set of security configurations to apply to most environments with minimal impact. That being said, you should always test carefully when applying these templates to your environment. However, the added advantage of this tool is that every setting they have listed also comes with the vulnerability, potential impact and countermeasure (see example below), giving you at least additional information for when it comes to troubleshooting said baseline templates in your environment.

[Image: example Security Compliance Manager setting showing vulnerability, potential impact and countermeasure]

It is also interesting to note that the “Windows 8 User Security Compliance” template only has a total of 6 configured user settings (4 of which are screen saver specific) as opposed to the 310 computer settings (most of which are configured) in the “Windows 8 Computer Security Compliance” template. This just shows that when it comes to implementing a security lock down for your users there is not much that needs to be done outside of not giving them administrator access to their own computer…

Oh… and getting back to that taskbar application grouping feature…. After a while I remember people asking me casually why their computer at work did not have the application grouping feature of their home computers. After even more time there was a change of the “powers that be” and it was decided that the task bar grouping option would be turned back on. Some people still thought it was a BIG MISTAKE; they found it quite offensive that people wanted to undo decisions that they had made many years ago. But the change went ahead and the policy to restrict the application grouping in the task bar was removed, and none of the users were any the wiser that their UI was changed back to a more standard configuration even though they all now had the feature enabled.

So… In summary, if you are new to Group Policy or you are looking at getting off Windows XP to Windows 7 then resist the urge to just configure policy settings “because”. Your users will find it easier to pick up the new OS as it will have a more familiar look and feel, and you will also find that your next upgrade of your computers (to whatever the latest version of Windows is at the time) will be a whole lot easier as you won’t have to cut apart that Rubber Band Ball configuration of your environment again.

How to Troubleshoot AppLocker

AppLocker is a great new feature that was introduced in Windows 7 that allows IT Admins to prevent the running of certain applications in their corporate environment (e.g. Chrome). However there are a number of steps and pre-requisites for this feature to work that seem to catch people up quite often. So below is a simple troubleshooting flow chart that should help you go through the common issues that happen when setting up an AppLocker rule in your environment.

Note: This workflow is a check list for ensuring that your environment is configured correctly so that the AppLocker rules will actually apply as they are configured.

[Image: AppLocker troubleshooting flow chart]

Rule Tip: It’s also worth mentioning to NEVER just configure a single Deny rule without the “Default Rules” also configured, as this will have the effect of blocking ALL programs and thus breaking your computer.
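The Rule Tip above can be checked before a policy is rolled out. The following is an added example, not code from the original post: it flags any rule collection that has Deny rules but no Allow rules, using a constructed sample policy; the function name `Test-AppLockerRuleCollections` and the sample rule are assumptions made for illustration.

```powershell
# Added example, not from the original post. $samplePolicy is constructed for
# illustration; on a live machine load the real policy instead with:
#   [xml]$policy = Get-AppLockerPolicy -Effective -Xml
[xml]$samplePolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Block Chrome (constructed)" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\Google\Chrome\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@

# Hypothetical helper (requires PowerShell 3.0 or later for [pscustomobject]).
function Test-AppLockerRuleCollections {
    param([Parameter(Mandatory = $true)][xml]$Policy)
    foreach ($collection in $Policy.AppLockerPolicy.RuleCollection) {
        # Rules are the child elements: FilePathRule, FilePublisherRule, FileHashRule.
        $rules = @($collection.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
        $allow = @($rules | Where-Object { $_.Action -eq 'Allow' }).Count
        $deny  = @($rules | Where-Object { $_.Action -eq 'Deny' }).Count
        $finding = if ($rules.Count -eq 0) {
            'No rules: nothing is restricted in this collection'
        } elseif ($allow -eq 0) {
            'Deny rules without any Allow rule: ALL files of this type are blocked'
        } elseif ($collection.EnforcementMode -eq 'AuditOnly') {
            'Audit only: matches are logged, not blocked'
        } else {
            'OK'
        }
        [pscustomobject]@{
            Collection = $collection.Type
            Mode       = $collection.EnforcementMode
            Allow      = $allow
            Deny       = $deny
            Finding    = $finding
        }
    }
}

Test-AppLockerRuleCollections -Policy $samplePolicy | Format-Table -AutoSize

# AppLocker rules are only evaluated while the Application Identity service runs.
$svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
if ($svc) { "AppIDSvc status: $($svc.Status)" } else { 'AppIDSvc not found on this system' }
```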

If you are looking for a more detailed step-by-step setup guide for AppLocker then I would definitely recommend checking out my other blog post How to configure AppLocker Group Policy in Windows 7 to block third-party browsers.

Do you have any other tips for troubleshooting AppLocker? Then post them below in the comments.

VDI Group Policy Optimisation Template and Script

Continuing on with my last post about optimising VDI guest services based on the Optimizing Windows 8 for Virtual Desktop Infrastructure session at MSS, I have now created a Group Policy Object that performs all the services, registry and other customisations that were mentioned in the session.

So… What I have done is taken Carl Luberti and Jeff Stokes' Windows 8 VDI optimisation script and then removed all the sections that can be implemented by Group Policy, i.e. registry keys, services, power settings and control panel settings. What this means is that you can now run the optimisation script on your VDI guest computers after they have been built and then have most of the settings re-apply if necessary at each group policy refresh. This means that users making changes to your VDI guest will not be able to configure their computer in a way that undoes your optimisation changes. This would be most useful for your persistent VDI guest computers, where the configuration of the computers can change over time.

Below is a settings report of the settings in the GPO.

Download the zip backup of the GPO below and then import it into your VDI Group Policy object.

Then run this script on your VDI image before it is sysprepped, and then link the GPO to the computers where they are in AD.

Warning: I have conducted limited testing on this group policy object. As always be sure to test it thoroughly before you implement it in your environment.

Update: The original VDI Optimisation script is based upon one generated by the VDI Optimizer tool by Jonathan Bennett at http://www.autoitscript.com/site/autoit-tools/vdi-optimizer/