Group Policy Central

You may already be aware there is a pretty serious vulnerability with Java that has just been patched (see Security Alert for CVE-2013-0422 Released ) on pretty much all versions of the program. For some people however this may get them questioning if they need Java installed at all on their computers. Personally I have uninstalled Java off my friends and family computers for the past few years without anyone every complaining. Certainly other Microsoft MVP;s are also finding that having Java disabled in the browser seems to have little of no affect (see https://twitter.com/troyhunt/status/290589939782000641 ) as most web sites no longer user Java applets. However as an avid gamer IT Professional I am fully that some programs require Java to be installed to allow the full desktop apps to work (like Minecraft). So you may be please to know there is a way to Disable Java in Internet Explorer thus greatly reducing the risk of having Java installed…

While Java is not normally configured via a registry thanks to @rickd4real (Via) @stealthpuppy I have been able to extract the Group Policy Preference Registry file that you can quick import into your GPO to disable Java in IE for Users of Computers.

Disclaimer: Use at your own risk. I am trusting the registry keys provided are sufficient to disable Java.

Update: Additional info at Microsoft KB : http://support.microsoft.com/kb/2751647

Along with the recent release of Windows 8 Microsoft also released Windows RT which is pretty much Windows 8 designed to operate on ARM based processors. For consumers the most obvious difference of this OS is the lack of ability to run legacy software. In enterprises however the biggest missing feature is that this OS is not joinable to a domain and thus cannot be configured using Group Policy.

HOWEVER…. It is still possible with a very minor configuration changes to enable a Windows RT device to be configured via Local Group Policy.

To begin with, you might remember my blog post What’s changed with the Group Policy Client Service in Windows 8 where I explain that the Group Policy service will shutdown after a period of 10 minutes when not in use. Well, with Windows RT there are no Local Group Policy settings configured out of the box so by default the Group Policy Client service is as always disabled. Therefore before we configure the local group policy on a Windows RT device we first need to enable the local group policy service which you can get into via the Computer Management option from the system menu (See image below).

Once you are into the Computer Management tool navigate to the Services section and find the Group Policy Client Service.

Note: As mention before this service is disabled by default in Windows RT.

Now configure the Group Policy Service start up type to be Automatic and then manually start the service.

Now that the services is started you will be able to modify any of the Local Group Policy as per normal by setting by running “MMC” from the start menu then loading the Local Computer Policy snap in. As you can see in the image below I have used the Local Policy to configure the Default Lock Screen image as I mention in my previous blog post How to use Group Policy to change the Default Lock Screen image in Windows 8

That is pretty much it… ]While it is still disappointing that these devices cannot be managed via Group Policy at least you can still configure the policy settings on these device when you just want to make some minor tweaks.

Side Note: This blog post was completely written using on a Windows RT, for those of you who are lamenting the fact that there is no Windows Live Writer for Windows RT the blogging feature in Word 2013 is pretty much an exact replacement for this application (see image below).

Microsoft recently release the November 2012 Cumulative Update for Windows 8/2012 that enables you to configure the default lock screen image for Windows 8 (See quote below).

Enable enterprise customers to customize the default lock screen.

You may have thought that this image was customisable by the users in the control panel already however this would only configure the image of the lock screen after the user had logged on to the computer. Meaning you were always presented with the Seattle Space Needle cartoon image every time you logged off or rebooted your computer. This image is nice to look at but this is definitely something the would be changed in most corporate environment to display their own corporate logo or a perhaps some disclaimer text.

The new setting is called “Force a specific default lock screen image” it can be found under Computer Configuration > Policies > Administrative Templates > Control Panel > Personalization.

Note: It will only appear after you November 2012 update is installed on the computer you are editing the group policy object from but you must ALSO apply it to the workstation/server that the setting is being applied.

Before

After

After you have installed it you can then configure the setting to use a different default lock image.

Below is an example that I have configured to use the default wallpaper as also the default lock screen image.

As you can see the default lock screen image is now configured to be the default wallpaper but you can specify it to be any image file you like on the local HDD or the network.

Below is an image of the GP Results report that has the setting applied successfully…

Note: If you apply this to a computer setting to computer without the November 2012 update installed it will do nothing and you will get an “Extra Registry Key” setting when you run a GP Results report on that computer (see image below).

More info see: http://support.microsoft.com/kb/2770917

The next version Adobe has just released the latest version Acrobat Reader XI. One of the new features of this version is that it now has official group policy support with the release of administrator templates.

Update: As you are about to read the Group Policy support for now is some what limited and is not a true group policy setting in all cases. BUT… If you want to be able to truly lock down and configure Adobe Reader in your environment then I would definitely check out the third party tool called Policy Pak. This tool allows you to configure and lock down the UI of a vast number of applications including Adobe Reader but also in house written custom applications. If you want to find out more about how to configure Adobe Reader with Policy Pak then go to http://www.policypak.com/products/manage-acrobat-reader-with-group-policy.html

How to install administrative templates for Adobe Reader XI

Step 1. Download and extract  the administrative templates from ftp://ftp.adobe.com/pub/adobe/reader/win/11.x/11.0.00/misc/ReaderADMTemplate.zip

Step 2a (Local adm/admx). Copy the extracted files to C:\Windows\PolicyDefinitions including the “EN-US” sub folder folder on your computer you normally edit your GPO’s on.

Step 2 b(Central Store). If you have a central store configured in your environment then copy the files to \\FQDN DOMAIN\SYSVOL\FQDN DOMAIN\policies folder.

And your done..

Once installed you can see below there are both computer and users based setting in the administrator templates when you edit a new GPO.

As you can see below the computer settings are actual “policy” settings and as such do act and behave as normal group policy settings. That is they disable the UI of the program when applied and revert back to the original setting when removed.

Below is an example of the “Auto-Complete” UI that has been disabled as shown configured above.

If you have ever read my previous blog post How to make Adobe Reader more secure using Group Policy you will know that one of the quickest settings you can do to improve the security of Reader is to simply turn off the rarely used JavaScript functionality. Thankfully this is one of the users settings that is provided in the admin template.

But as this is a “Non-Managed” as shown by the black down arrow on the icon next to the setting. This also means that the users can temporarily override the setting as you can see below the UI is not disabled. It also means that when the policy is no longer applied to the computer the setting will not revert back to the original setting.

While it is nice that Adobe is finally offering group policy support for its productions the settings that it does provide are somewhat limited. However this is only the first release of the admin templates and hopefully we will see Adobe continue to add more group policy support into all of its production going forward.

Additional Information

If you want more information about how to deploy Adobe Reader XI in your environment including how to lock down some of UI then check out Aaron Parkers blog post at http://blog.stealthpuppy.com/deployment/adobe-reader-xi-deployment/

Adobe Reader XI Download Links

Program ftp://ftp.adobe.com/pub/adobe/reader/win/11.x/11.0.00/en_US/

Tools ftp://ftp.adobe.com/pub/adobe/reader/win/11.x/11.0.00/misc/

Windows 8 is coming REALLY SOON and of course one of the big new things to computer with that is the new Metro Packaged Apps that run in the start screen. However these apps are very different and do not install like traditional apps to a path or have a true “executable” file to launch the program. Of course enterprises need a way to control these packaged apps and therefore Microsoft has added a new feature Packaged Apps option to the AppLocker feature.

An administrator can use this feature to only allow certain apps to download from the Windows App Store and/or use it to control what inbuilt Packaged Apps are allowed to run. What I expect to see in most organisation is that the default Metro… err… Packaged Apps are manually removed from the base WIM Image before and then have these then re-enforced by AppLocker to ensure that they are not re-installed from the  store.

Configuring Packaged App AppLocker Rules

Warning: Whenever you try any thing in AppLocker the golden rule is to test everything first separate from production as there are many gotcha’s when doing this…

In this first example we are going to explicitly “Blacklist” the weather application.

Step 1. As with Executable rules with AppLocker in Windows 7 the best thing to do first is to create the “Default Rules” so that you don’t kill all access to your Packaged Apps.

This will create one rule that allows all packaged apps to run for all users.

Note: Even though this rules says everyone can run all apps this does not override the restriction for the Built-In\Administrator to run Packaged Apps.

Now that we have essentially whitelisted all apps we are now going to go back and explicitly deny a particular application.

Step 2. Before we black list an application we either need to either have access to a signed .APPX packaged app file or have the program installed on the computer we are making the group policy change. Now we simply right click on the “Packaged app Rule” and then select the “Create New Rule…” option.

We now select the “Deny” option because we of course want to block the application from running.

We then have to option to select a pre-install app or a packaged app (.appx) file to use as reference for the rule.

I have now clicked on the “Select” button and am show a list of install Packaged Apps. Here I have chosen the “Weather” app as our example.

Here we can see the signed information about the Weather App we just selected.

Note: This is very similar to the Executable Rule with the absence of the File name option.

I am now going to move the slider up one level so that this setting will apply to all versions of the “Weather” app in case it gets an update in the future.

Then I click on the “Create” button and we now have a rule in place that will prevent the running of the “Weather” app.

TADA…

Now if the program is already installed the app is blocker from running…

and… if the app has not yet been install it will be prohibited from installing…

How to White List Packaged apps…

If you wanted to create more of a “White List” so that you ONLY explicitly allow Packaged Apps to run that you approve you can use the “Automatically Generate Rules…” option.

This will launch a wizard that will scan all the Packaged apps install on your computer and then generate a white list for each application.

Confirm that you want to reduce the number of rules…

Once the scan is done you can see how many have been created and review the rules…

Once you click “Create” it will generate an allow rule for each Packaged App that is install on your computer… You can then manually edit this list to your desired configuration.

Now any additional Packaged that are not on this “White list” will be explicitly blocked from installing and / or running.

Tip: You can block the “windows.immersivecontrolpanel” (a.k.a Metro Control Panel) and the “WinStore” (a.k.a. Windows App Store) if you want to prevent users from configuring windows using the Metro Control Panel or downloading any new apps from the store.

Troubleshooting AppLocker

As with Windows 7 there are a number of pre-requisites you need for AppLocker to work on your system…

1. You need to enable the Application Identification services on the computer. You can of course do this via group policy preferences services option.

2. You need to configure the AppLocker in to “Enforced” mode for the “Packaged Apps” option. You do this by going to the properties of the “AppLocker” option under Computer Configuration > Policies > Windows Settings > Security Settings >  Application Control Policies.

3. As with Windows 7 you need to be running the Enterprise edition of Windows 8 for this feature to work… (NOT Windows 8 Pro) for this to work. You can tell definitively if you have the wrong OS version install if you start getting this event log message…

4. And with all things AppLocker nothing happens instantly… there is normally a few minutes lag between a Group Policy being applied to a computer and the policy taking affect. So if it does not happen straight away wait and/or reboot to get things going.

Additional Packaged App Group Policy Settings

When a user clicks on a file with an un-known extension Windows will prompt the user to see if they can open it using an app in the AppStore this can be controlled using the e the new setting “Turn off access to the Store”.

Before	After

The other two new App Store settings can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > App Package Deployment

As you can read form the Help below “Allow deployment operation in special profiles” basically allows users with “Special” profiles to manage the Packaged apps installed, otherwise they will be by default not able to change what is already installed.

The other option allows organisation to run application that have NOT been signed by Microsoft but does have a valid trusted certificate installed. This is kinda like the option in Android that allows you to run “untrusted” apps so long as they have a valid digital certificate, so I expect that it will be an option that a lot of expert users will be enabling…

Conclusion

Hopefully these new features will help you manage you Packaged Windows 8 Apps in your environment. While I am still not sure how you actually install and remove apps for users automatically for users at least you now know you do have the option to open it up, lock it down or just granularly control certain apps in your Windows 8 environment.