Posts tagged ‘Intermediate’

How to disable Java in IE using Group Policy

You may already be aware that there is a pretty serious vulnerability in Java that has just been patched (see Security Alert for CVE-2013-0422 Released) on pretty much all versions of the program. For some people this may raise the question of whether they need Java installed on their computers at all. Personally I have uninstalled Java from my friends' and family's computers for the past few years without anyone ever complaining. Other Microsoft MVPs are also finding that having Java disabled in the browser seems to have little or no effect (see https://twitter.com/troyhunt/status/290589939782000641) as most web sites no longer use Java applets. However, as an avid gamer and IT professional I am fully aware that some programs require Java to be installed for the full desktop apps to work (like Minecraft). So you may be pleased to know there is a way to disable Java in Internet Explorer, greatly reducing the risk of having Java installed…

While Java is not normally configured via the registry, thanks to @rickd4real (via @stealthpuppy) I have been able to extract a Group Policy Preferences Registry file that you can quickly import into your GPO to disable Java in IE for users or computers.

Disclaimer: Use at your own risk. I am trusting that the registry keys provided are sufficient to disable Java.

Update: Additional info at Microsoft KB : http://support.microsoft.com/kb/2751647
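The post ships the keys as a GPP registry file, so here is an added example (mine, not the post's file) of the same kind of change done and verified locally with PowerShell: setting the ActiveX "kill bit" (Compatibility Flags 0x400) that stops Internet Explorer from loading a control, and reading it back. The function names are mine, and the CLSID in the list is an assumption: it is the Java Plug-in control as I recall it from the Microsoft KB article linked above, so take the authoritative list of CLSIDs from that article or from the GPP file rather than from this snippet. Run it from an elevated prompt.

```powershell
# Added example, not the post's GPP file: set and audit the ActiveX kill bit
# for a list of CLSIDs so that Internet Explorer refuses to load them.
# ASSUMPTION: the CLSID below is the Java Plug-in control listed in
# KB2751647; verify the full list against that article before deploying.
$JavaClsids = @(
    '{8AD9C840-044E-11D1-B3E9-00805F499D93}'   # assumed: "Java Plug-in" control
)

$KillBit = 0x400   # the COMPAT_KILLBIT flag in "Compatibility Flags"

function Get-ActiveXCompatPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    # Per-control flags live under ActiveX Compatibility; on 64-bit Windows the
    # 32-bit IE reads the WOW6432Node copy, so both must be set.
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    $paths
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($p in Get-ActiveXCompatPaths -Clsid $Clsid) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $current = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the kill bit into any flags already present instead of overwriting them
        $new = [int]($current -bor $KillBit)
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($p in Get-ActiveXCompatPaths -Clsid $Clsid) {
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Clsid   = $Clsid
            Path    = $p
            Flags   = $flags
            KillBit = [bool]($flags -band $KillBit)
        }
    }
}

# --- usage: apply, then audit ---
foreach ($c in $JavaClsids) { Set-ActiveXKillBit -Clsid $c }
$JavaClsids | ForEach-Object { Test-ActiveXKillBit -Clsid $_ } | Format-Table -AutoSize
```

The audit function is the part worth keeping: after the GPO applies, run it on a workstation and confirm KillBit is True on both the native and the WOW6432Node path, which is the check behind the disclaimer above.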

How to use Group Policy to change the Default Lock Screen image in Windows 8

Microsoft recently released the November 2012 Cumulative Update for Windows 8 / Windows Server 2012, which enables you to configure the default lock screen image for Windows 8 (see quote below).

Enable enterprise customers to customize the default lock screen.

You may have thought this image was already customisable by users in the control panel; however that only configures the lock screen image shown after the user has logged on to the computer, meaning you were always presented with the Seattle Space Needle cartoon image every time you logged off or rebooted. This image is nice to look at but it is definitely something that would be changed in most corporate environments to display a corporate logo or perhaps some disclaimer text.

The new setting is called “Force a specific default lock screen image” and can be found under Computer Configuration > Policies > Administrative Templates > Control Panel > Personalization.

Note: It will only appear after the November 2012 update is installed on the computer you are editing the Group Policy Object from, but you must ALSO install the update on the workstation/server that the setting is being applied to.

Before / After: [screenshots of the Personalization folder before and after the update, with the new setting appearing]

After you have installed it you can configure the setting to use a different default lock screen image.

Below is an example that I have configured to use the default wallpaper as the default lock screen image as well.

[Screenshot: the setting enabled with the wallpaper path]

As you can see the default lock screen image is now the default wallpaper, but you can specify any image file you like on the local hard disk or on the network.

[Screenshot: lock screen showing the new image]

Below is an image of the GP Results report showing the setting applied successfully…

[Screenshot: GP Results report]

Note: If you apply this computer setting to a computer without the November 2012 update installed it will do nothing, and you will get an “Extra Registry Key” entry when you run a GP Results report on that computer (see image below).

[Screenshot: GP Results report showing “Extra Registry Key”]

More info see: http://support.microsoft.com/kb/2770917
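An added example (not from the post) that turns the two notes above into a check you can run on a workstation: is the update that adds the setting installed, has Group Policy written the value, and does the image path actually exist. The function name is mine. One assumption: the ADMX for this setting writes a REG_SZ value named LockScreenImage under HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization; the KB number is the update linked above.

```powershell
# Added example, not from the post: check whether "Force a specific default lock
# screen image" can take effect on this computer and whether it has.
# ASSUMPTION: the ADMX writes REG_SZ "LockScreenImage" under the Policies key below.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
$ValueName  = 'LockScreenImage'
$RequiredKB = 'KB2770917'

function Test-DefaultLockScreenPolicy {
    # 1. Is the update that adds the setting installed? Without it the value is
    #    just an "Extra Registry Key" in a GP Results report and does nothing.
    $hotfix = Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue

    # 2. Has Group Policy written the value?
    $image = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    # 3. Does the image exist? Test-Path runs as the current user; the lock
    #    screen itself is drawn before anyone logs on, so a network path must
    #    also be readable by the computer account, not just by the users.
    $reachable = if ($image) { Test-Path -LiteralPath $image -PathType Leaf } else { $false }

    $status = if (-not $hotfix)        { 'update missing: setting will be ignored' }
              elseif (-not $image)     { 'policy value not present (run gpupdate /target:computer)' }
              elseif (-not $reachable) { 'image path not found from this computer' }
              else                     { 'ok' }

    [pscustomobject]@{
        UpdateInstalled = [bool]$hotfix
        PolicyValue     = $image
        ImageReachable  = $reachable
        Status          = $status
    }
}

Test-DefaultLockScreenPolicy
```

If Status reports the update missing, the GP Results report on that machine is where you will see the “Extra Registry Key” entry described above; fixing the update, not the GPO, is the remedy.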

How to manage Packaged (a.k.a. Metro) Apps in Windows 8 using Group Policy

Windows 8 is coming REALLY SOON and of course one of the big new things that comes with it is the new Metro Packaged Apps that run from the Start screen. However these apps are very different: they do not install to a path like traditional apps, nor do they have a true “executable” file that launches the program. Of course enterprises need a way to control these packaged apps, and therefore Microsoft has added a new Packaged Apps option to the AppLocker feature.

[Screenshot: AppLocker showing the new Packaged app Rules node]

An administrator can use this feature to allow only certain apps to be downloaded from the Windows Store and/or to control which built-in Packaged Apps are allowed to run. What I expect to see in most organisations is that the default Metro… err… Packaged Apps are manually removed from the base WIM image and then this is enforced by AppLocker to ensure they are not reinstalled from the store.

Configuring Packaged App AppLocker Rules

Warning: Whenever you try anything in AppLocker the golden rule is to test everything first, separate from production, as there are many gotchas when doing this…

In this first example we are going to explicitly “blacklist” the Weather application.

Step 1. As with Executable rules in AppLocker on Windows 7, the best thing to do first is to create the “Default Rules” so that you don’t block all access to your Packaged Apps.

[Screenshot: Create Default Rules]

This will create one rule that allows all packaged apps to run for all users.

[Screenshot: the default Allow rule for all signed packaged apps]

Note: Even though this rule says everyone can run all apps, it does not override the restriction that prevents the built-in Administrator account from running Packaged Apps.

Now that we have essentially whitelisted all apps, we are going to go back and explicitly deny a particular application.

Step 2. Before we blacklist an application we need to either have access to a signed .appx package file or have the app installed on the computer we are making the Group Policy change from. Now simply right-click “Packaged app Rules” and select the “Create New Rule…” option.

We now select the “Deny” option because we of course want to block the application from running.

[Screenshot: Action set to Deny]

We then have the option to select an installed app or a packaged app (.appx) file to use as the reference for the rule.

[Screenshot: choosing the reference for the Publisher condition]

I have now clicked the “Select” button and am shown a list of installed Packaged Apps. Here I have chosen the “Weather” app as our example.

[Screenshot: list of installed Packaged Apps]

Here we can see the signing information for the Weather app we just selected.

Note: This is very similar to the Executable Rule, with the absence of the File name option.

[Screenshot: publisher, package name and version of the Weather app]

I am now going to move the slider up one level so that this rule applies to all versions of the “Weather” app, in case it gets an update in the future.

[Screenshot: slider moved up to Package name]

Then I click the “Create” button and we now have a rule in place that will prevent the “Weather” app from running.

[Screenshot: the Deny rule listed under Packaged app Rules]

TADA…

Now if the app is already installed it is blocked from running…

[Screenshot: the Weather app blocked by policy]

and if the app has not yet been installed, it will be prohibited from installing…

[Screenshot: Store install blocked by policy]

How to whitelist Packaged apps…

If you want to create more of a “whitelist”, so that ONLY the Packaged Apps you explicitly approve are allowed to run, you can use the “Automatically Generate Rules…” option.

[Screenshot: Automatically Generate Rules… menu option]

This will launch a wizard that scans all the Packaged apps installed on your computer and then generates an allow rule for each application.

[Screenshot: Automatically Generate Packaged app Rules wizard]

Confirm that you want to reduce the number of rules…

[Screenshot: rule preferences page, reduce the number of rules]

Once the scan is done you can see how many rules have been created and review them…

[Screenshot: review rules page]

Once you click “Create” it will generate an allow rule for each Packaged App installed on your computer… You can then manually edit this list to your desired configuration.

[Screenshot: generated allow rules, one per installed package]

Now any additional Packaged Apps that are not on this “whitelist” will be blocked from installing and/or running.

Tip: You can also block “windows.immersivecontrolpanel” (a.k.a. the Metro Control Panel) and “WinStore” (a.k.a. the Windows Store) if you want to prevent users from configuring Windows via the Metro Control Panel or downloading new apps from the Store.

[Screenshot: Deny rules for windows.immersivecontrolpanel and WinStore]
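The same two procedures, the default-plus-deny rules from the blacklist walkthrough and the generated whitelist from this section, as an added PowerShell example (mine, not the post's screenshots) using the AppLocker module cmdlets. The function names are mine. Assumptions: the Weather app's package name is Microsoft.BingWeather (the publisher and package name are read from the installed package, as the wizard's “Select” button does, so a different name only needs the parameter changed); the policy is imported into the local computer with -Merge, with the -Ldap form for a GPO shown in a comment; and you are in an elevated prompt on Windows 8 Enterprise.

```powershell
# Added example, not the post's GUI walkthrough: build the default "allow all
# signed packaged apps" rule plus "deny Weather, any version", test, then import.
# A second function does what "Automatically Generate Rules..." does.
# ASSUMPTION: the Weather app's package name is Microsoft.BingWeather.
Import-Module AppLocker

function New-PackagedAppDenyPolicy {
    param(
        [Parameter(Mandatory)][string]$PackageName,
        [string]$OutFile = "$env:TEMP\packagedapp-deny.xml"
    )
    # Read publisher/package name from the installed package's signature, which
    # is what the "Select" button in the rule wizard does.
    $pkg = Get-AppxPackage -Name $PackageName | Select-Object -First 1
    if (-not $pkg) { throw "Package '$PackageName' is not installed on this computer" }
    $pub = (Get-AppLockerFileInformation -Packages $pkg).Publisher

    $allowId = [guid]::NewGuid()
    $denyId  = [guid]::NewGuid()
    # BinaryVersionRange 0.0.0.0 .. * means "any version": the same as moving
    # the wizard's slider up from the exact version to the package name.
    $xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="$allowId" Name="(Default Rule) All signed packaged apps" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="$denyId" Name="Deny $($pub.ProductName), all versions" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$($pub.PublisherName)" ProductName="$($pub.ProductName)" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
    Set-Content -Path $OutFile -Value $xml -Encoding UTF8
    return $OutFile
}

function New-PackagedAppWhitelist {
    # Equivalent of "Automatically Generate Rules...": one Allow rule per
    # installed package, collapsed by publisher where possible (-Optimize).
    param([string]$OutFile = "$env:TEMP\packagedapp-allow.xml")
    Get-AppLockerFileInformation -Packages (Get-AppxPackage -AllUsers) |
        New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize -Xml |
        Set-Content -Path $OutFile -Encoding UTF8
    return $OutFile
}

# --- usage ---
$policy = New-PackagedAppDenyPolicy -PackageName 'Microsoft.BingWeather'

# Golden rule from the post: test before you enforce. Expect PolicyDecision = Denied.
Test-AppLockerPolicy -XmlPolicy $policy -Packages (Get-AppxPackage -Name 'Microsoft.BingWeather') |
    Format-Table PolicyDecision, MatchingRule -AutoSize

# Apply to this computer, merging with existing rules. For a GPO use instead:
#   Set-AppLockerPolicy -XmlPolicy $policy -Ldap "LDAP://DC01/CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=com"
Set-AppLockerPolicy -XmlPolicy $policy -Merge
```

Test-AppLockerPolicy is the scriptable version of the warning at the top of the post: it evaluates the XML against real packages without enforcing anything, so run it before Set-AppLockerPolicy and again after any edit to the whitelist.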

Troubleshooting AppLocker

As with Windows 7 there are a number of prerequisites for AppLocker to work on your system…

1. You need to enable the Application Identity service on the computer. You can of course do this via the Group Policy Preferences Services extension.

[Screenshot: GPP Services item for Application Identity]

2. You need to configure AppLocker in “Enforced” mode for the “Packaged app Rules” collection. You do this in the properties of the “AppLocker” node under Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies.

[Screenshot: AppLocker properties with Packaged app Rules set to Enforce rules]

3. As with Windows 7 you need to be running the Enterprise edition of Windows 8 for this feature to work (NOT Windows 8 Pro). You can tell definitively that you have the wrong OS edition installed if you start getting this event log message…

[Screenshot: AppLocker event log message on an unsupported edition]

4. And as with all things AppLocker nothing happens instantly… there is normally a few minutes’ lag between a Group Policy being applied to a computer and the policy taking effect. So if it does not happen straight away, wait and/or reboot to get things going.
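An added example (not from the post) that runs the four checks above as one script on a workstation: the Application Identity service state, whether the effective AppLocker policy has a Packaged app (Appx) collection and what mode it is in, the OS edition, and the AppLocker event channels that record each allow/deny decision, which is the quickest way to see whether the policy has landed yet. Function names are mine. Assumptions: Win32_OperatingSystem.OperatingSystemSKU 4 is the Enterprise edition, and the two log channel names are as shipped in Windows 8.

```powershell
# Added example, not from the post: the four prerequisite checks as a script,
# plus the Packaged app decisions from the AppLocker event log.
# ASSUMPTIONS: OperatingSystemSKU 4 = Enterprise; channel names as in Windows 8.
Import-Module AppLocker

function Test-AppLockerPackagedAppPrereqs {
    # 1. Application Identity service must be running (GPP Services can enforce it).
    $svc    = Get-Service -Name AppIDSvc
    $svcWmi = Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'"

    # 2. Effective policy must contain an Appx collection in Enforced mode.
    $effective = [xml](Get-AppLockerPolicy -Effective -Xml)
    $appx  = $effective.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }
    $mode  = if ($appx) { $appx.EnforcementMode } else { 'no Packaged app collection' }
    $rules = if ($appx) { @($appx.FilePublisherRule | Where-Object { $_ }).Count } else { 0 }

    # 3. Enterprise edition only; Pro logs the event shown above instead of enforcing.
    $os = Get-WmiObject -Class Win32_OperatingSystem

    [pscustomobject]@{
        AppIDSvcStatus      = $svc.Status
        AppIDSvcStartMode   = $svcWmi.StartMode
        AppxEnforcementMode = $mode
        AppxRuleCount       = $rules
        OSEdition           = $os.Caption
        EditionSupported    = ($os.OperatingSystemSKU -eq 4)
    }
}

function Get-AppLockerPackagedAppEvents {
    # 4. Policy takes a few minutes to land; these channels show when it did and
    #    what it decided. Execution = run/blocked, Deployment = install/blocked.
    param([int]$Last = 25)
    $logs = 'Microsoft-Windows-AppLocker/Packaged app-Execution',
            'Microsoft-Windows-AppLocker/Packaged app-Deployment'
    Get-WinEvent -LogName $logs -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Test-AppLockerPackagedAppPrereqs
Get-AppLockerPackagedAppEvents | Format-Table -AutoSize -Wrap
```

If the prerequisite object looks right but the event channels are empty, the policy simply has not been refreshed yet: run gpupdate /force, wait a few minutes and re-run the second function before assuming the rules are wrong.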

Additional Packaged App Group Policy Settings

When a user opens a file with an unknown extension, Windows will prompt to look for an app in the Store that can open it. This can be controlled using the new setting “Turn off access to the Store”.

[Screenshot: the “Turn off access to the Store” setting]

Before / After: [screenshots of the unknown file type prompt with and without the “Look for an app in the Store” option]

The other two new App Store settings can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > App Package Deployment

[Screenshot: App Package Deployment settings]

As you can read from the Help below, “Allow deployment operations in special profiles” basically allows users with “special” profiles to manage the Packaged apps installed; otherwise by default they are not able to change what is already installed.

[Screenshot: Help text for “Allow deployment operations in special profiles”]

The other option allows organisations to run apps that have NOT been signed by Microsoft but do have a valid trusted certificate installed. This is kind of like the option in Android that allows you to run “untrusted” apps so long as they have a valid digital certificate, so I expect it will be an option that a lot of expert users will be enabling…

[Screenshot: Help text for the trusted-app deployment setting]

Conclusion

Hopefully these new features will help you manage Packaged Windows 8 Apps in your environment. While I am still not sure how you actually install and remove apps for users automatically, at least you now know you have the option to open it up, lock it down or granularly control certain apps in your Windows 8 environment.

How to configure IE Site to Zone mapping using Group Policy without locking out the user

If you saw my tweet or Darren Mar-Elia’s blog post you may already know that the legacy Internet Explorer Maintenance section of Group Policy has been removed in Windows 8. Unfortunately this means you can no longer natively configure the IE Site to Zone mapping with a native Group Policy setting while still allowing the user to customise the URL list. So below I will show how you can still use Group Policy to configure the IE zones while leaving the user the ability to add additional sites.

Put simply we are going to setup the IE Zone registry keys manually using Group Policy Preferences…

However this is a little complicated, as the URL in the Site to Zone mapping is actually stored as the name of a registry key, and the protocol is the registry value, with a number that assigns it to the corresponding zone. In our example we will first look at a site the user has already set up in the Trusted Sites list (www.bing.com). As you can see below the zone is stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains: the domain is stored as a key “bing.com” with a sub-key “www”. Within the “www” key the protocol (http and/or https) is the value name, and the value data is the zone the site should be a member of.

Note: We are just using bing.com as an example; you would never add a search engine as a trusted site.

Now we will add the additional site www.google.com.au also to the trusted sites list using group policy.

Step 1. Edit a Group Policy that is targeted to the users that you want the IE Zones applied.

Step 2. Create a new Group Policy Preferences Registry item, select the "HKEY_CURRENT_USER" hive and enter "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com.au\www" as the Key path. Then enter the Value name "http", select the Value type "REG_DWORD" and set the Value data to "00000002".

And you’re Done…

TIP: For your reference, the values and their corresponding zones are listed below.

Value     Zone Name
00000000  My Computer
00000001  Local Intranet
00000002  Trusted Sites
00000003  Internet
00000004  Restricted Sites

As you can see below the IE zone entry will push out to your users and be added to their Trusted Sites list, while still allowing them to add and remove other sites from the list.

TIP: As always, native Group Policy settings take precedence over Group Policy Preferences, therefore if you also have the "Site to Zone Assignment List" setting configured it will override (not merge with) the above entries (see image below).
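The registry layout described above (domain as key, host label as sub-key, protocol as value name, zone as DWORD data) as an added PowerShell example that is mine and not part of the post: it writes the same entry the GPP Registry item creates, lists every mapping the user currently has alongside the pushed ones, and checks for the native "Site to Zone Assignment List" policy key that would override them. Function names are mine. Assumptions: the registrable domain and the host label are passed separately (as in the post's google.com.au / www example) rather than parsed from a URL, and the native policy writes its list under a ZoneMapKey key in the Policies hive.

```powershell
# Added example, not from the post: write, list and sanity-check the per-user
# ZoneMap\Domains entries that the GPP Registry item in the post creates.
# ASSUMPTIONS: domain and host label are supplied separately; the native
# "Site to Zone Assignment List" policy stores its list under ZoneMapKey.
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$ZoneIds   = @{}
$ZoneNames.GetEnumerator() | ForEach-Object { $ZoneIds[$_.Value] = $_.Key }

function Add-IEZoneMapping {
    param(
        [Parameter(Mandatory)][string]$Domain,   # registrable domain, e.g. google.com.au
        [string]$HostLabel,                      # host part, e.g. www; omit to match the whole domain
        [ValidateSet('http','https')][string]$Protocol = 'http',
        [ValidateSet('Local Intranet','Trusted Sites','Internet','Restricted Sites')]
        [string]$Zone = 'Trusted Sites'
    )
    # Key = Domains\<domain>[\<host>]; value name = protocol; data = zone number
    $key = Join-Path $ZoneMapDomains $Domain
    if ($HostLabel) { $key = Join-Path $key $HostLabel }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Protocol -Value $ZoneIds[$Zone] -Type DWord
}

function Get-IEZoneMappings {
    # Walk Domains\<domain>[\<host>] and report every protocol -> zone pair, so
    # the GPP-pushed entries show up next to the user's own additions.
    Get-ChildItem -Path $ZoneMapDomains -Recurse | ForEach-Object {
        $item = $_
        $item.GetValueNames() | Where-Object { $_ -in 'http','https','*' } | ForEach-Object {
            $rel   = $item.Name.Substring($item.Name.IndexOf('Domains\') + 8)
            $parts = $rel -split '\\'
            $site  = if ($parts.Count -gt 1) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
            $id    = [int]$item.GetValue($_)
            [pscustomobject]@{ Site = $site; Protocol = $_; ZoneId = $id; Zone = $ZoneNames[$id] }
        }
    }
}

function Test-IESiteToZoneListLocked {
    # The native policy writes ZoneMapKey under the Policies hive and overrides
    # (does not merge with) the Domains entries above. Returns the key if present.
    $policyKeys = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
                  'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    foreach ($k in $policyKeys) { if (Test-Path $k) { return $k } }
    return $null
}

# --- usage: the post's example, www.google.com.au over http into Trusted Sites ---
Add-IEZoneMapping -Domain 'google.com.au' -HostLabel 'www' -Protocol http -Zone 'Trusted Sites'
Get-IEZoneMappings | Sort-Object Site | Format-Table -AutoSize
$locked = Test-IESiteToZoneListLocked
if ($locked) { Write-Warning "Site to Zone Assignment List policy found at $locked; it will override the entries above" }
```

Because the zone number is just DWORD data on the user's own key, anything written this way is editable by the user in Internet Options, which is exactly the behaviour the post is after; the locked-list check at the end tells you whether a competing native policy has quietly taken over.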

How to “Set users home folder” via group policy in Windows 8

If your company is like most organisations I have come across, you allow all users to have a home drive (typically H:) that gives them somewhere to store private information that only they have access to. Ever since the days of at least NT4 (or possibly earlier) administrators have had the option to configure users’ home drives via a setting on their AD account (see image below).

[Screenshot: NT4 User Manager home directory setting]

Even today with Windows Server 2012 this is still an option for administrators to configure users’ home drives via their user accounts (see image below).

[Screenshot: Profile tab of a user account in Active Directory Users and Computers]

When the home drive is set on a user account via Active Directory Users and Computers, the tool actually goes out and creates the home folder, ready for the user to map the next time they log on to a computer.

The main problem with configuring users’ home drives this way is that it is done on a one-by-one basis, which makes these settings difficult to manage and adds another step to the user creation process that can be forgotten. Certainly this became a lot easier with the Windows Server 2003 admin tools that allowed you to select multiple users and configure the home drive en masse.

However, setting the home drive as an individual attribute is just not ideal in today’s policy-driven, economy-of-scale management style. For example, if a user account is moved from one location to another in AD, the user’s home drive setting is not automatically updated, as it is a static configuration on the user’s account.

If you have read my blog post Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization) you might have realised that you can already create the user’s home folder automatically using Folder Redirection (specifically Documents) and then simply use the Group Policy Preferences Drive Maps extension to map the user’s home drive to the same location the folder is redirected to. This method does allow the user account to be moved around and have policy automatically update their home drive. But in reality it is just a workaround for the lack of any other way of setting the user’s home drive automatically via policy… until now…

With the introduction of Windows 8 and Windows Server 2012 there is now a new Group Policy setting called “Set user home folder”, found under Computer Configuration > Policies > Administrative Templates > System > User Profiles.

[Screenshot: the “Set user home folder” setting]

Once the policy is applied to a computer, anyone who logs on to that computer will get a home drive mapped to the path above…

[Screenshot: the mapped home drive in Explorer]

Warning: As this policy can only be applied to the computer object it will apply to everyone who logs on to a computer that has this setting applied… including Domain Admins and the like, so be careful how you apply it…

TIP: If your workstations are segmented in your OU structure by site, you may want to apply this policy setting at each site pointing to the nearest file server you want to use for storing home drives. This means users will not have their home drive re-mapped if they travel for a short time to other locations… Alternatively you MIGHT want to link this setting at your AD site; however if you do, make sure you put a WMI filter on the policy so it does not apply to Windows Servers in the same site.
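An added example (mine, not from the post) for checking what the computer-level policy and the per-account attribute have each produced on a workstation, plus the “workstations only” WMI filter query from the tip above evaluated locally so you can confirm it would exclude a server before you link the GPO at the site. Function names are mine. Assumptions: the machine is domain joined, the session's HOMESHARE/HOMEDRIVE variables reflect whatever mapped the home drive, and the usual WQL for workstations is Win32_OperatingSystem.ProductType = 1 (2 is a domain controller, 3 a member server).

```powershell
# Added example, not from the post: compare the home drive the session actually
# got with the static homeDirectory attribute on the AD account, and evaluate the
# "workstations only" WMI filter from the tip on this computer.
# ASSUMPTIONS: domain-joined machine; ProductType 1 = workstation.
function Get-HomeDriveState {
    # What this session got (set by the computer policy or by the account attribute)
    $sessionDrive = $env:HOMEDRIVE
    $sessionShare = $env:HOMESHARE

    # What is stored statically on the user object, via ADSI (no RSAT needed)
    $searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$env:USERNAME))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('homeDirectory', 'homeDrive'))
    $acct = $searcher.FindOne()
    $adHomeDir = if ($acct) { [string]@($acct.Properties['homedirectory'])[0] } else { $null }
    $adHomeDrv = if ($acct) { [string]@($acct.Properties['homedrive'])[0] }     else { $null }

    # True when the session's share is not the account attribute: the computer
    # policy (or nothing at all) won rather than the static AD value.
    $differs   = ($sessionShare -ne $adHomeDir)
    $reachable = if ($sessionShare) { Test-Path -LiteralPath $sessionShare } else { $false }

    [pscustomobject]@{
        SessionHomeDrive   = $sessionDrive
        SessionHomeShare   = $sessionShare
        AccountHomeDrive   = $adHomeDrv
        AccountHomeDir     = $adHomeDir
        DiffersFromAccount = $differs
        HomeShareReachable = $reachable
    }
}

function Test-WorkstationWmiFilter {
    # Same WQL a GPO WMI filter would use; True means the policy would apply here.
    $q = 'SELECT ProductType FROM Win32_OperatingSystem WHERE ProductType = 1'
    [bool](Get-WmiObject -Query $q)
}

Get-HomeDriveState
"Workstations-only WMI filter matches this computer: $(Test-WorkstationWmiFilter)"
```

Run the first function as an ordinary user on a machine in the scope of the policy and as a Domain Admin on the same machine: the warning above is easiest to believe when you see the admin's session share point at the workstation's file server too. The WMI test returns False on a member server or domain controller, which is what you want the filter to do at the site level.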