Group Policy Central

In case you had not already heard Microsoft have had to release an update for all European users to prompt display a ballot screen about what version of browser they want to use (see below). This is one of the actions Microsoft had to do to comply with the EU anti-trust case.

Microsoft have released article KB2019411 explaining how IT administrators can disable a Browser Choice screen for their users using a simple registry key.

Key: HKLM\Software\BrowserChoice 
Value: Enable
Data: 1 (REG_DWORD) = Enabled
Data: 0 = Disabled

Now of course you can deploy registry key using Group Policy Preferences which will make it much easier for IT administrators disable this screen.

Step 1. Edit a Group Policy Object that is applied to all the workstation you want this Browser Ballot disabled.

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry and create a “New Registry Item”

Step 3. Type “Software\BrowserChoice” in the Key Path then type “Enable” in the Value name, then select REG_DWORD as the value type “0” in the value data and then click “OK”.

If all that is to much hassle to do all that below is a link to the Group Policy Preference XML file you can just copy into the policy.

Links:

• More information on the Brower Choice http://support.microsoft.com/kb/976002
• More information on the Disable registry key http://support.microsoft.com/kb/2019411
• Also check out Aaron Parkers blog here for more information http://blog.stealthpuppy.com/windows/disable-the-browser-choice-screen

One of the most common setting that Group Policy is used for it so configure browser home pages settings. There are a number of ways that this can be done in Part 1 i am going to go thought the changing the Home Page setting using a native Group Policy.

In Part 2 I will explain how to configure home page setting using Group Policy Preferences and in Part 3 will explain how to configure home pages setting using the Windows Setting > Internet Explorer Maintenance option.

The advantage of using a native group policy setting is that they do not require the deployment of the Group Policy Preference client side extensions and the setting are enforced so the user cannot change the setting even temporarily.

Primary Home Page

This option allows the admin to configured a single home page for the user without the ability for the user to add any other secondary home pages if they are using IE7 or IE8. This setting will also work however if the users has IE5 and above installed.

Step 1. Edit a GPO that targets the users that you want to apply the home page setting.

Step 2. Navigate to User Configuration > Policies > Administrative Templates >Windows Components > Internet Explorer

Step 3. If you want to configure a single home for your users and/or you are using IE5 or IE6 edit the “Disable changing home page setting”

Step 4. Select “Enabled” and then type the URL you want as the home page in the “Home Page” text field.

Now the user browsers will be hardcoded to use only http://www.bing.com as the home page and the UI to make this change will be disabled.

Multiple Tabs

This option allows the admin to specify the users secondary home pages while still allowing them to configured the default home page.

Note 1: This policy setting will not work with IE7 that does support secondary home pages.

Note 2: This policy setting will not work if you have the “Disable changing home page settings” also enabled.

Step 1. Edit a GPO that targets the users that you want to apply the home page setting.

Step 2. Navigate to User Configuration > Policies > Administrative Templates >Windows Components > Internet Explorer

Step 3. If you want to configure a single home for your users and/or you are using IE5 or IE6 edit the “Disable changing secondary home page setting”

Step 4. Select “Enabled” and Click on “Show…”

Step 5. Click in the text field next the the * and type the URL that you want to add as a secondary home page. You can repeat this for as many secondary home pages that you want.

The user will now have http://www.yahoo.com and http://www.microsoft.com load as their secondary home pages and they will be able to change their default primary home page by using the”Add or Change Home Page…” option (see image below).

However They will not be able to add or change the secondary home pages which means that the “Add this webpage to your home page tabs” (see image below) option will NOT work.

This also means the UI under “Internet Option” for changing the “Home Page” will also be disabled.

I really like the secondary home page option as it allows users to customise their home pages setting why still ensuring they load the corporate home page each time they open their browser.

In my previous article “How to use Group Policy to make USB drives read only on Windows XP” I showed you you could configure Windows XP to prevent users from writing to USB block level devices. However for some organisations just making drives read only is not enough I have heard stories of them having to resort to using hot glue guns to prevent people using USB storage devices.

Update: I just found this article explains how use native Group Policy to disable you USB drives. Microsoft Support: HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers

Thankfully there is also a registry key in Windows XP that allows you to block the use of USB storage devices. Now there are two ways to prevent USB storage devices so you may want to implement either or both methods in your organisation. First method prevents computers that have already had USB devices installed and the second prevents any new USB devices from installing.

How to block existing USB Storage Devices

To implement this edit a Group Policy Object that is applied to all the workstations in your organisation navigate to Computer Configuration > Preferences >Windows Settings > Registry. Then click on Action > New > Registry Item type SYSTEM\CurrentControlSet\Services\UsbStor into the Key Path field then type Start into the Value Name field and 4 in the Value Data field and click OK.

If you want to prevent the installation of USB storage device then we use Group Policy to set the security on the driver files to prevent then from installing.

Key: HKLM\SYSTEM\CurrentControlSet\Services\UsbStor
Value: Start
Data: 4 (hex) = Disabled
Data: 3 (hex) = Enabled

How to block new USB Storage Devices

This time edit a Group Policy Object that is applied to all the workstations in your organisation navigate to Computer Configuration > Policies > Windows Settings > Security Settings > File System. Then click on “Action” menu and then “Add File”. Navigate to C:\Windows\Inf and select “Usbstor.inf” and press “OK”. Now click on “Users” in the security tab and then click in the “Deny” “Full Control” tick box then click OK.

Note: Alternatively you could just add the name of the user or group you want to prevent from using USB storage devices.

Click “Yes” to the security warning.

Then click OK.

Note: Remember that deny permission take precedence so inherited permission will not have any affect and that we are applying the permission directly to a file so we don’t need to worry about inheritance from this object.

Now repeat the steps above and this time select “C:\Windows\Inf\Usbstor.pnf”

You should see something like the images below in your group policy.

Now either way when users plug in a USB Storage devices into a computer it will prevent OS from seeing the device thus preventing the users from reading and writing to removable media.

See the Microsoft article about this option at http://support.microsoft.com/kb/823732

HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers

One of the great new features with Windows 7 was Bitlocker to Go that enabled IT Administrators to ensure that all data written to USB drives is encrypted. In conjunction with this new feature Microsoft also added another option called “Deny write access to removable drives not protected by BitLocker” which allowed user to still read the files off USB drives that were not encrypted.

The problem with this policy setting is that it is only supported on Windows 7 family computers so unless you are running a SOE that is 100% Windows 7 users could simply logon to XP or Windows Vista to get around this restriction.

Luckily Microsoft added a new feature to Windows XP Service Pack 2 that allowed administrator to prevent writing to USB block storage devices (a.k.a memory sticks ) which can be implemented via a Group Policy Preferences registry key.

Key: HKLM\System\CurrentControlSet\Control\StorageDevicePolicies

Value: WriteProtect (REG_DWORD)

Data: 0 = Disabled

Data: 1 = Enabled

To implement this edit a Group Policy Object that is applied to all the workstations in your organisation navigate to Computer Configuration > Preferences >Windows Settings > Registry. Then click on Action > New > Registry Item type System\CurrentControlSet\Control\StorageDevicePolicies into the Key Path field then type WriteProtect into the Value Name field and 1 in the Value Data field and click OK.

Once the key is enabled this is the message the user will see when the try to write to a USB storage device.

Note: This registry key will also work on Windows Vista

Update: Seem that the MS articles had the wrong registry keys

I got the correct key from http://www.howtogeek.com/howto/windows-vista/registry-hack-to-disable-writing-to-usb-drives/

For additional WRONG information on this feature see the links below:
http://support.microsoft.com/kb/555441
http://support.microsoft.com/kb/823732

Leo Davidson recently posted a fix for Adobe Reader integration on 64bit Windows. His fix resolves the thumbnail and file preview feature when you install Adobe Reader (which is still only available in 32bit) in 64bit Windows which Adobe have not seemed to work out for over 3 years now. On his site he has tool that you can download to manually apply the PDF fix. The file preview is just a simple registry key change so I have added some more instruction showing how to makes these changes using Group Policy Preferences.

Update: Thanks to the feedback from Leo Davidson I have updated the instructions to only “Update” the value if it already exists.

Update2: Reduced the complexity to check for a 64bit OS.

Preview View

Method 1: File Preview Fix – Step by Step – Hard

Note: Before you do method 1 be sure to check out the much easier method 2

Step 1. Open Group Policy Management Console

Step 2. Edit a machine based Group Policy Object (GPO)

Step 3. Go to Computer Configuration > Preferences > Windows Settings > Registry

Step 4. Click on the “Actions Menu” > “New” > “Registry Item” then select the HKEY_LOCAL_MACHINE Hive type SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193} in the “Key Path” then type AppID in the Value Name field and {534A1E02-D58F-44f0-B58B-36CBED287C7C} in the “Value Data” field.

Now we are going to filter the Group Policy Preference setting so that we only apply the registry key fix to 64bit Operating Systems.

Step 5.  Click on the “Common” Tab then tick “Item-level targeting” and click the “Targeting” button.

Step 6. Click the “New Item” then click “Registry Match” chose the “Key exists” match Type and then change the Hive to “HKEY_LOCAL_MACHINE” then type “Software\Wow6432Node” in the “Key path”

Step 7. Click the “New Item” then click “Registry Match” again change the “Match Type” is “Value Exists” change the “Hive” to “HKEY_LOCAL_MACHINE” and the “Key Path” to “SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}” set the “Values Name” to “AppID” change the Value Type to “REG_SZ” and then click “OK” then “OK”

Step 8. Right click the registry entry you just made and click on “Copy”

Step 9. Then right click in the blank area and click “Paste”

Step 10. Click “Yes” to the Confirm Import

Step 11. Double click on the new registry entry and insert the text “Wow6432Node\” between “Software\” and “CLSID” then click “OK”

Step 12. Click on the “the registry key HKLM\SOFTWARE\Wow6432Node exist” and then press delete

Step 13. Click on the Registry Match item and again insert the text “Wow6432Node\” between “Software\” and “CLSID” in the “Key Path” then click “OK” then “OK”

Note: You don’t need all the OS matches as the “Wow6432Node” key will only exist on 64bit versions of Windows.

It should now look like this…

You should now have fixed the Adobe File Preview issues to all the computer which you have applied this GPO.

Method 2: File Preview Fix – Import Settings – Easy

Step 1. Download this preconfigured XML Group Policy configuration that I have already made for you (HERE)

Step 2. Open Group Policy Management Console

Step 3. Edit a machine based Group Policy Object (GPO)

Step 4. Go to Computer Configuration > Preferences > Windows Settings > Registry and copy the file you downloaded in step 1. into and paste it into the blank area

Step 5. Click Yes to confirm the import and you are done.

The registry settings are now setup the same as method 1… except this way was SO much easier.

Thumbnail Preview

The second fix that Leo’s tool does it fix the thumbnail live preview option by implementing a custom written thumbnail bridge. Still working on a group policy preference to fix this so I will post again when I get this working.

A big thanks to Leo Davidson so be sure to visit his web site and make a donation if you find this fix useful…